Important: This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
The CertInstaller command line tool (CertInstaller.exe) enables applications to script certificate installation operations.
Note: Do not use the CertInstaller tool for standard certificate installation. Instead, click the certificates in the file explorer, as described in the Certificate Installer.
The CertInstaller tool (CertInstaller.exe) installs certificates from the following file formats:
- .PFX/.P12 – Public-Key Cryptography Standards #12 (PKCS #12) format files that include personal certificates with private keys as well as certificates that install into the intermediate and root certificate stores.
- .CER – Base64-encoded or DER-encoded X.509 certificates that install into the intermediate and root certificate stores.
- .P7B – Public-Key Cryptography Standards #7 (PKCS #7) format files that install multiple certificates to certificate stores on the device.
The primary use of the CertInstaller tool is to enable certificate deployment to devices in an environment that uses a third-party vendor's PKI/enrollment. The CertInstaller tool installs certificates into the HKCU (current user) “CA” and “ROOT” certificate stores while still running under SECROLE_USER_AUTH.
Syntax
certinstaller.exe [-p Password] [-silent] [-csp Provider] <CertFile>
Parameters
- -p Password
  The password to open the .PFX file.
  Note: If you do not specify a password, the user will need to enter it in the Password UI. If the password contains a space, enclose the password in double quotes. If the password contains double quotes or backslashes, those must be escaped with a backslash. For example:
    My password -> "My password"
    My\password -> My\\password
    My"Password -> My\"Password
  The best practice is to always double-quote the password, but it is only required when there is a space:
    MyPassword -> "MyPassword"
- -silent
  No UI will be shown from CertInstaller. However, if a root certificate is being added to the ROOT store, the user will receive a prompt to install the certificate.
- -csp Provider
  Specifies the Cryptographic Service Provider to use.
  Note: If you do not specify the Provider, the default provider in the registry will be used. If none is in the registry, the default provider, determined by CAPI, will be used.
- CertFile
  Specifies the location and filename of the .PFX, .P12, .P7B or .CER file to import.
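The -p quoting rules above, as an added Python example that is not part of the original page or of the tool: it builds the quoted password argument, checks it by reversing the stated rule, and assembles a command line from the documented syntax. The function names and the sample path used with them are hypothetical, and -csp is left out because the page gives no quoting rule for provider names.

```python
ALLOWED_EXT = (".pfx", ".p12", ".p7b", ".cer")  # file formats listed on this page


def quote_password(password):
    """Quote a password for -p: escape \\ and " with a backslash, then wrap in quotes."""
    if any(ord(ch) < 0x20 for ch in password):
        raise ValueError("control characters cannot be carried on a command line")
    # Escape backslashes first; doing quotes first would double the backslashes
    # that were just added in front of each quote.
    escaped = password.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def unquote_password(arg):
    """Inverse of quote_password, following the rule as stated on this page.

    Assumption: this models the documented rule; it is not the tool's parser.
    """
    if len(arg) < 2 or arg[0] != '"' or arg[-1] != '"':
        raise ValueError("argument is not double-quoted")
    body, out, i = arg[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\":
            if i + 1 == len(body):
                raise ValueError("dangling backslash")
            out.append(body[i + 1])
            i += 2
        elif body[i] == '"':
            raise ValueError("unescaped double quote")
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def build_command_line(cert_file, password=None, silent=False):
    """Assemble a certinstaller.exe command line from the syntax on this page."""
    if not cert_file.lower().endswith(ALLOWED_EXT):
        raise ValueError("unsupported certificate file type: " + cert_file)
    # Assumption: the page gives no quoting rule for CertFile, so reject paths
    # that would need one instead of guessing.
    if any(ch.isspace() or ch == '"' for ch in cert_file):
        raise ValueError("CertFile must not contain whitespace or quotes")
    parts = ["certinstaller.exe"]
    if password is not None:
        parts += ["-p", quote_password(password)]
    if silent:
        parts.append("-silent")
    parts.append(cert_file)
    return " ".join(parts)
```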
Remarks
The CertInstaller tool is required mostly for the following cases:
- Adding an S/MIME decryption certificate to the device that is used across multiple machines that all access the same e-mail account
- Deployments that cannot leverage Windows Mobile Certificate Enroll because they do not use a Windows Certificate Server
- Some high security organizations that generate all private keys on a special key generation server
PKCS12 files include personal certificates with private keys as well as certificates that install into the intermediate and root certificate stores.