To Import a Digital Certificate

Once you make a digital certificate or create a Personal Information Exchange (PFX) file, it must be imported into the Windows Certificate Store before it can be used to sign an AutoLISP or verify a digitally signed binary file. You import a digital certificate or PFX file from the Windows user interface with the Certificate Manager (CertMgr.msc) from the Control Panel or at the Windows Command prompt with the Certification Utility (CertUtil.exe) tool.

The Certification Utility (CertUtil.exe) tool is part of the Windows operating system. You can learn more about the CertUtil.exe tool from Microsoft's website (http://technet.microsoft.com/en-us/library/cc732443.aspx).

Note: A digital certificate can also be imported using the Certificates dialog box from the Internet Options dialog box in Internet Explorer.

Import a Digital Certificate from the Certificate Manager

  1. Make a digital certificate or use an existing PFX file that was previously made with the Pvk2Pfx.exe tool. See the "To Create A Personal Information Exchange (PFX) File" topic for a basic understanding of how to use the Pvk2Pfx.exe tool.
  2. Do one of the following to display the Windows Command prompt:
    • Windows 7: Click the Windows Start button Run.
    • Windows 8: On the Windows Start screen, right-click (or use the swipe up gesture from the bottom edge of the screen) and click All Apps. Scroll to the Windows System section, and click Run.
    • Windows 8.1: On the Windows Start screen, click the All Apps button located near the lower-left corner of the screen (or use the swipe up gesture from the bottom edge of the screen). Scroll to the Windows System section, and click Run.
    Tip: On Windows 8/Windows 8.1, on the Start screen, type run and click Run in the Search pane.
  3. In the Run dialog box, type certmgr.msc and press Enter.
  4. In the Certificate Manager, select Personal and right-click. Click All-Tasks Import.
  5. In the Certificate Import Wizard, click Next.
  6. On the File to Import page, click Browse.
  7. In the Open dialog box, click the Files of Type drop-down list and select Personal Information Exchange (*.pfx; *.p12).
  8. Browse to and select the PFX file you want to import. Click Open.

    You can also select other certificate types in the Open dialog box, such as CER, SPC, and SST.

  9. In the Certificate Import Wizard, on the File to Import page, click Next.
  10. On the Password page, type the password assigned to the PFX file and click Next.
  11. On the Certificate Store page, click Place All Certificates in the Following Store and click Next.

    You can click Browse to specify a different store. The store that is listed is the same one you choose in the Certificates manager.

  12. On the Completing the Certificate Import Wizard page, click Finish.
  13. In the Importing a New Private Signature Key dialog box, click OK.
  14. On the Certificate Import Wizard message box, click OK.
Note: When signing AutoLISP files, the PFX file should be added to the Personal (My) store. The PFX file must be added to the Trusted Root (Root) store to validate digitally signed binary files.

Import a Digital Certificate from the Command Prompt

When deploying binary files that have been signed with your certificate, you can import your certificate using a custom action in a MSI installer or with a batch (BAT) file using Group Policies.

The following is an example of importing a CER file into the Trusted Publishers store with the CertUtil.exe tool. The CER file that is in this example was made with the example in the "To Make a Digital Certificate" topic:

certutil.exe -addstore Root MyCert.cer
  1. certutil.exe - Specifies the location of the CertUtil.exe tool. In most cases, no path should be required since the tool is located in the Windows System32 folder.
  2. -addstore - Indicates that the provided certificate should be added to the specified store.
  3. TrustedPublisher - Specifies the store in which the certificate should be added. In this example, the store is named Root.

    The My store is used for personal certificates and the TrustedPublisher store is used for trusted publisher certificates. There are other stores that can be specified: AddressBook, AuthRoot, CertificateAuthority, Disallowed, and TrustedPeople.

  4. MyCert.cer - Specifies the file that contains the certificate being added to the store.

The following shows how to import the PFX file into the Trusted Root store:

certutil.exe -p MyPassword -importpfx MyCert.pfx 

The following shows how to import the PFX file into the Personal store:

certutil.exe -p MyPassword -user -importpfx MyCert.pfx 

To import a CER file with the Certification Utility (CertUtil.exe) tool, do the following:

  1. Make a digital certificate or use an existing CER file that was previously made with the MakeCert.exe tool. See the "To Make a Digital Certificate" topic for a basic understanding of how to use the MakeCert.exe tool.
  2. Do one of the following to display the Windows Command prompt:
    • Windows 7: Click the Windows Start button All Programs Accessories Command prompt.
    • Windows 8: On the Windows Start screen, right-click (or use the swipe up gesture from the bottom edge of the screen) and click All Apps. Scroll to the Windows System section, and click Command Prompt.
    • Windows 8.1: On the Windows Start screen, click the All Apps button located near the lower-left corner of the screen (or use the swipe up gesture from the bottom edge of the screen). Scroll to the Windows System section, and click Command Prompt.
    Tip: On Windows 8/Windows 8.1, on the Start screen, type command and click Command Prompt in the Search pane.
  3. In the Windows Command Prompt window, type cd %userprofile%\Documents and press Enter to set the Documents folder as the current working folder. If you are using a different working folder, specify that location instead.
    Note: You don't need to change to the working directory if you specify the full path CER file that will be used by the CertUtil.exe tool.
  4. Type certutil.exe and the arguments that should be executed.

    The CER file should be successfully imported into the specified store.

Note: When signing AutoLISP files, the PFX file should be added to the Personal (My) store. The CER or PFX file must be added to the Trusted Root (Root) store to validate digitally signed binary files.