How to distribute root certificates as exe files

In my post “Smooth root certificate deployment for mobile devices” I explained how to distribute your root certificates as .cab files for mobile devices. This post will go through how we distribute root certificates as .exe files for external users and computers. 🙂


We start by creating a folder. We call it cer_as_exe and here we put our root certificate that we want to distribute and a small installation script.




Our installation script is not that big. 😉



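@echo off
rem Import the unpacked root certificate into the root store (computer and user).
certutil -addstore -f -enterprise -user root "%tmp%\root_ca.cer" > NUL
rem Remove the unpacked certificate and this script from the temp folder.
del /F "%tmp%\root_ca.cer" > NUL
del /F "%tmp%\install.bat" > NUL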


This is a very small script that installs a root certificate from a file to the root certificate container in the certificate store for the computer and the user. Then it does a quick cleanup by removing the original root certificate file and the installation script, both of which are unpacked into the %tmp% folder by our installer. Now we need to pack everything as an .exe file that will install our root certificate automatically. 😉


We choose to add our files to an archive (using WinRAR).




We select to create a self-extracting archive.




We put the following options for the installer under the comment tab.





We basically tell the installer to extract the files to the user's temp path (and overwrite existing files if necessary) and then execute our installation script, which does the import as silently as possible. If we want to make modifications such as using a custom icon, we can specify this in “SFX options” under the Advanced tab.


Press OK and now we have a small .exe file that will do the import completely unattended. 😉



Please remember that since the script adds the root certificate not only to our user's certificate store but also to our computer's certificate store (a system-wide change), administrative privileges are required to run this file. You don’t want to add the certificate to the computer store? Then just remove the -enterprise switch from the installation script and it will import the root certificate only to the user's certificate store without the need for any elevation at all. 😉
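
An added example, not part of the original post: a PowerShell version of the install step that checks root_ca.cer against a pinned SHA-256 fingerprint before trusting it and confirms the import afterwards, instead of discarding all output with > NUL. It uses the .NET X509Store API rather than certutil; the -Machine switch, the function names and the fingerprint placeholder are assumptions made for this example.

```powershell
# Added example (not the post's script): verify root_ca.cer against a pinned
# fingerprint before trusting it, then confirm the import.
param(
    [string]$CertPath = (Join-Path $env:TEMP 'root_ca.cer'),
    # Placeholder: SHA-256 fingerprint of your root CA, obtained out of band.
    [string]$ExpectedSha256 = '<SHA256-FINGERPRINT-OF-YOUR-ROOT-CA>',
    [switch]$Machine    # also trust machine-wide; requires elevation
)
$ErrorActionPreference = 'Stop'

function Get-Sha256Fingerprint($Cert) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([System.BitConverter]::ToString($sha.ComputeHash($Cert.RawData))) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Add-ToRootStore($Cert, [string]$Location) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $store.Open('ReadWrite')
    try {
        $store.Add($Cert)
        # Look the certificate up again so a failed import is not silent.
        $found = $store.Certificates.Find('FindByThumbprint', $Cert.Thumbprint, $false)
    } finally { $store.Close() }
    if ($found.Count -eq 0) { throw "Certificate not found in $Location\Root after import." }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# 1. Refuse anything that is not the exact certificate we expect.
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$actual = Get-Sha256Fingerprint $cert
if ($expected.Length -ne 64 -or $actual -ne $expected) {
    throw "Fingerprint mismatch for $CertPath (got $actual). Nothing was installed."
}

# 2. Check elevation up front instead of failing quietly on the machine store.
if ($Machine) {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admin = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $admin) { throw 'Machine-wide install requested but the process is not elevated.' }
    Add-ToRootStore $cert 'LocalMachine'
}
Add-ToRootStore $cert 'CurrentUser'

# 3. Clean up the unpacked file, as the original script does.
Remove-Item -Force $CertPath
Write-Output "Installed $($cert.Subject) [$actual]"
```

Publishing the same fingerprint through a separate channel lets recipients compare it with what certmgr.msc shows after the import.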


// Fredrik “DXter” Jonsson

11 thoughts on “How to distribute root certificates as exe files”

  • April 8, 2011 at 9:40 am

    After following the above steps and installing the generated exe, I am not able to see it in Internet Explorer -> Internet Options -> Contents -> Certificates.

    • April 8, 2011 at 9:55 am

      Are you running the .exe file as administrator?

      Internet Explorer is reading root certificates from the current user's certificate store (no, it does not have its own certificate store). Check certmgr.msc and verify your certificate trust. 🙂

  • September 9, 2011 at 9:45 am

    Works great after adding a checkbox in “Request administrative access” under SFX Options.


  • December 8, 2011 at 5:28 pm

    Has this been tested in Windows 7? I’m getting a message that the executable may not run correctly on a Windows 7 operating system.


  • August 23, 2013 at 5:17 pm

    Thanks for the write up, it worked flawlessly on Windows 7. I created a new package for XP with the certadm.dll and certutil.exe files contained within adminpak.msi found in the resolution of I changed the certutil.exe command to %tmp%certutil.exe to call the certutil package included in the SFX. Then it tested perfectly on Windows XP as well. Thanks again!

    • August 23, 2013 at 5:23 pm

      Also, forgot to mention, I know you pretty much covered it, but for the ones out there that want it to be obvious… If on Windows 7 UAC is enabled, ensure you right-click “Run As Administrator” to make sure the -enterprise option works without issue.
