Once you make a digital certificate or create a Personal Information Exchange (PFX) file, it must be imported into the Windows Certificate Store before it can be used to sign an AutoLISP file or verify a digitally signed binary file. You can import a digital certificate or PFX file from the Windows user interface with the Certificate Manager (CertMgr.msc), or at the Windows Command Prompt with the Certification Utility (CertUtil.exe) tool.
The Certification Utility (CertUtil.exe) tool is part of the Windows operating system. You can learn more about the CertUtil.exe tool from Microsoft's website (https://technet.microsoft.com/en-us/library/cc732443.aspx).
Note: A digital certificate can also be imported using the Certificates dialog box from the Internet Options dialog box in Internet Explorer.
Import a Digital Certificate from the Certificate Manager
- Make a digital certificate or use an existing PFX file that was previously made with the Pvk2Pfx.exe tool. See the "To Create A Personal Information Exchange (PFX) File" topic for a basic understanding of how to use the Pvk2Pfx.exe tool.
- Click the Windows Start button > Windows System > Run to display the Run dialog box.
- In the Run dialog box, type certmgr.msc and press Enter.
- In the Certificate Manager, select Personal and right-click. Click All Tasks > Import.
- In the Certificate Import Wizard, click Next.
- On the File to Import page, click Browse.
- In the Open dialog box, click the Files of Type drop-down list and select Personal Information Exchange (*.pfx; *.p12).
- Browse to and select the PFX file you want to import. Click Open.
You can also select other certificate types in the Open dialog box, such as CER, SPC, and SST.
- In the Certificate Import Wizard, on the File to Import page, click Next.
- On the Password page, type the password assigned to the PFX file and click Next.
- On the Certificate Store page, click Place All Certificates in the Following Store and click Next.
You can click Browse to specify a different store. The store that is listed is the same one you selected in the Certificate Manager.
- On the Completing the Certificate Import Wizard page, click Finish.
- In the Importing a New Private Signature Key dialog box, click OK.
- On the Certificate Import Wizard message box, click OK.
Note: When signing AutoLISP files, the PFX file should be added to the Personal (My) store. The PFX file must be added to the Trusted Root (Root) store to validate digitally signed binary files.
Import a Digital Certificate from the Command Prompt
When deploying binary files that have been signed with your certificate, you can import your certificate using a custom action in an MSI installer or with a batch (BAT) file using Group Policies.
The following is an example of importing a CER file into the Trusted Publishers store with the CertUtil.exe tool. The CER file that is in this example was made with the example in the "To Make a Digital Certificate" topic:
certutil.exe -addstore Root MyCert.cer
- certutil.exe - Specifies the location of the CertUtil.exe tool. In most cases, no path should be required since the tool is located in the Windows System32 folder.
- -addstore - Indicates that the provided certificate should be added to the specified store.
- TrustedPublisher - Specifies the store in which the certificate should be added. In this example, the store is named Root.
The My store is used for personal certificates and the TrustedPublisher store is used for trusted publisher certificates. There are other stores that can be specified: AddressBook, AuthRoot, CertificateAuthority, Disallowed, and TrustedPeople.
- MyCert.cer - Specifies the file that contains the certificate being added to the store.
The following shows how to import the PFX file into the Trusted Root store:
certutil.exe -p MyPassword -importpfx Root MyCert.pfx
The following shows how to import the PFX file into the Personal store:
certutil.exe -p MyPassword -user -importpfx MyCert.pfx
To import a CER file with the Certification Utility (CertUtil.exe) tool, do the following:
- Make a digital certificate or use an existing CER file that was previously made with the MakeCert.exe tool. See the "To Make a Digital Certificate" topic for a basic understanding of how to use the MakeCert.exe tool.
- Click the Windows Start button > Windows System > Command Prompt to display the Windows Command Prompt.
- In the Windows Command Prompt window, type cd %userprofile%\Documents and press Enter to set the Documents folder as the current working folder. If you are using a different working folder, specify that location instead.
Note: You don't need to change to the working directory if you specify the full path to the CER file that will be used by the CertUtil.exe tool.
- Type certutil.exe and the arguments that should be executed.
The CER file should be successfully imported into the specified store.
Note: When signing AutoLISP files, the PFX file should be added to the Personal (My) store. The CER or PFX file must be added to the Trusted Root (Root) store to validate digitally signed binary files.
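The deployment case described above, as an added example (not from the original page or from Autodesk): a PowerShell script that checks the CER file's thumbprint and validity dates before running the page's certutil.exe -addstore command, then reads the entry back from the store. The default path, the parameter names and the thumbprint placeholder are assumptions; it must run elevated because it writes to the local machine store.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell prompt.
param(
    [string]$CerPath = "$env:USERPROFILE\Documents\MyCert.cer",
    [ValidateSet('Root', 'TrustedPublisher')]
    [string]$StoreName = 'Root',
    # Placeholder: thumbprint you obtained out of band for your own certificate.
    [string]$ExpectedThumbprint = '<THUMBPRINT-OF-YOUR-CERTIFICATE>'
)
$ErrorActionPreference = 'Stop'

# Parse the CER file in memory; nothing is added to a store yet.
$fullPath = (Resolve-Path -LiteralPath $CerPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# Trust only the exact certificate you expect, not whatever file is at this path.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: $fullPath has $($cert.Thumbprint)"
}

# Skip certificates that are outside their validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid today (valid $($cert.NotBefore) to $($cert.NotAfter))"
}

$entry = "Cert:\LocalMachine\$StoreName\$($cert.Thumbprint)"
if (Test-Path -LiteralPath $entry) {
    Write-Output "Already present: $entry"
} else {
    # The page's command: certutil.exe -addstore Root MyCert.cer
    & certutil.exe -addstore $StoreName $fullPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil.exe exited with code $LASTEXITCODE" }
}

# Read the entry back from the store to confirm the import.
$installed = Get-Item -LiteralPath $entry
if ($installed.HasPrivateKey) {
    Write-Warning "Store entry carries a private key; a trust store only needs the public certificate."
}
$installed | Select-Object Subject, Thumbprint, NotAfter
```

Because the script skips the import when the entry already exists, it can be rerun from a Group Policy startup script without adding duplicate entries.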