How to distribute root certificates as exe files

In my post "Smooth root certificate deployment for mobile devices" I explained how to distribute your root certificates as .cab files for mobile devices. This post goes through how we distribute root certificates as .exe files for external users and computers. :)

We start by creating a folder. We call it cer_as_exe and here we put our root certificate that we want to distribute and a small installation script.

Our installation script is not that big. ;)

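@echo off
rem Add the certificate to the Root store, then clean up the unpacked files.
certutil -addstore -f -enterprise -user root "%tmp%\root_ca.cer" > NUL
del /F "%tmp%\root_ca.cer" > NUL
rem The script deletes itself last; nothing may follow this line.
del /F "%tmp%\install.bat" > NUL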

This is a very small script that installs a root certificate from a file into the root certificate container in the certificate store for the computer and the user. Then it does a quick cleanup by removing the original root certificate file and the installation script, both of which are unpacked into the %tmp% folder by our installer. Now we need to pack everything as an .exe file that will install our root certificate automatically. ;)

We choose to add our files to an archive (using WinRAR).

We select to create a self-extracting archive.

We enter the following options for the installer under the Comment tab.

Path=%tmp%
SavePath
Setup=%tmp%\install.bat
Silent=1
Overwrite=1

We basically tell the installer to extract the files to the user's temp path (overwriting existing files if necessary) and then execute our installation script, which does the import as silently as possible. If we want to make modifications such as using a custom icon, we can specify this in “SFX options” under the Advanced tab.

Press OK and now we have a small .exe file that will do the import completely unattended. ;)

Please remember that since the script adds the root certificate not only to our user's store but also to the computer's certificate store (a system-wide change), administrative privileges are required to run this file. You don't want to add the certificate to the computer store? Then just remove the -enterprise switch from the installation script and it will import the root certificate only into the user's certificate store without the need for any elevation at all. ;)

// Fredrik “DXter” Jonsson
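
Because the package silently adds a trust anchor, it is worth checking the exact file being packed and, after a test run of the .exe, which store the certificate ended up in (the question raised in the comments). The following PowerShell is an added example, not part of the original post: root_ca.cer is the file name from the post, while the parameter names and the expected thumbprint (a placeholder you must replace) are assumptions.

```powershell
# Added example (not the post's script). root_ca.cer is the file name used in
# the post; the default thumbprint is a placeholder that must be replaced.
param(
    [string]$CertPath = '.\root_ca.cer',
    [string]$ExpectedThumbprint = '<SHA1-THUMBPRINT-PUBLISHED-OUT-OF-BAND>'
)

# Normalise a thumbprint pasted from a certificate dialog: drop spaces, colons
# and invisible characters, then upper-case. The placeholder fails this check.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected -notmatch '^[0-9A-F]{40}$') {
    Write-Error 'Set -ExpectedThumbprint to the 40-hex-digit SHA-1 thumbprint of your root CA.'
    exit 2
}

# Parse the file that is about to be packed; this does not touch any store.
$full = (Resolve-Path -LiteralPath $CertPath -ErrorAction Stop).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

if ($cert.Thumbprint -ne $expected) {
    Write-Error ('Thumbprint mismatch: {0} has {1}' -f $full, $cert.Thumbprint)
    exit 1
}
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning 'Subject and issuer differ: this is not a self-signed root certificate.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning ('Certificate expired on {0:u}' -f $cert.NotAfter)
}

# Report which logical Root stores already contain this exact certificate.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    $found = @(Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $expected })
    [pscustomobject]@{
        Store     = $store
        Installed = ($found.Count -gt 0)
        Subject   = $cert.Subject
        NotAfter  = $cert.NotAfter
    }
}
```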

8 Responses to How to distribute root certificates as exe files

  1. RT @walle75: [Blog] by DXter, How to distribute root certificate as a exe file http://bit.ly/5RYwMw <=cool

  5. rajendra says:

    After following the above steps and installing the generated exe, I am not able to see it in Internet Explorer -> Internet Options -> Contents -> Certificates

    • DXter says:

      Are you running the .exe file as administrator?

      Internet Explorer is reading root certificates from the current user's certificate store (no, it does not have its own certificate store). Check certmgr.msc and verify your certificate trust. :)

  6. JockeE says:

    Works great after adding a checkbox in “Request administrative access” under SFX Options.

    regards,
    JockeE

  7. Becky says:

    Has this been tested in Windows 7? I’m getting a message that the executable may not run correctly on a Windows 7 operating system.

    Becky
