Using inetmgr, I made a pfx file containing the public and private keys for a certificate. Now I'm trying to install the pfx into another machine from the command prompt with

certutil -p <password> -importpfx root <path_to_pfxfile>

Unfortunately, this is only importing the public key. If I use the certmgr snap-in I can import both keys, but I need to be able to automate this. Can anybody help?


The Import-PfxCertificate PowerShell command will probably do what you want. .

This would import the certificate(s) and keys stored in my.pfx file into the Trusted Root Certificate Authorities certificate store for the local machine.

Import-PfxCertificate –FilePath C:\mypfx.pfx cert:\localMachine\Root -Password $password

You may need to experiment a bit to find the name used for the certificate store of interest. I did this by copying the thumbprint of a certificate in the relevent store from the UI, removing spaces and then running

ls|where {$_.Thumbprint -eq "<thumprint value here, with spaces removed>"}

Which gave me this as part of the output.

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

    This answer was a life saver for me. Tip about finding available cert stores: From Powershell: PS> ls cert:\ will show list of top level dirs, e.g., CurrentUser and LocalMachine. Any user can write to cert:\CurrentUser but cert:\LocalMachine requires special permissions. Include arg -Exportable if you need to access private key later. For password, try: -Password (ConvertTo-SecureString "your-password-here" -AsPlainText -Force)
    – kevinarpe
    Commented Jan 5, 2023 at 13:13

certutil does not import the private key. You'll have to use another tool such as pk12util.

  • I should have been more specific. The other machine is really a windows azure web role, and I need the certificate imported when the role starts up. So using open-ssl tools are not an option. Commented Sep 12, 2015 at 5:18

