Managing certificates on Windows is really painful. There is no easy way to do it. The general way to install a certificate to a Windows Server 2008 machine is as follows:

  • Open the Certificates snap-in for a user, computer, or service.
  • In the console tree, click the logical store where you want to import the certificate.
  • On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
  • Type the file name containing the certificate to be imported.
  • If you want to specify where the certificate is stored, select Place all certificates in the following store, click Browse, and choose the certificate store to use. OR
  • If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate.

The first time I ran this process, I felt as though this was just wrong to not be able to automate. The goal of our team is to automate everything we are currently doing manually. PowerShell is a better option for this import process as it allows you to write code to do it. As we all know, code is better for a number of reasons, I won’t go into the infrastructure as code argument in this post (but it is coming soon….). Using PowerShell, I can write a simple function as follows:

function Import-PfxCertificate($certName, $CertLocaton, $certRootStore, $certStore) {    
     $pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2    

     $pfxPass = convertto-securestring $CertPassword -asplaintext -force

     $certPath = $CertLocaton + "\" + $certName   
     $pfx.import($certPath,$pfxPass,"Exportable,PersistKeySet")    

     $store = new-object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)    
     $store.open("MaxAllowed")    
     $store.add($pfx)    
     $store.close()    
}

This makes certificate management easier. To manage certificates in this way, I just need to invoke a script similar to this:

.\import-certificate.ps1 -CertificateName "mycert.pfx" -CertLocation "c:\ssl\mycerts"

Much simpler! You can download a gist of this script should you wish to use it. Please note that the license that this script is available under can be read from our github repository.