13

Can I use Inno Setup to import a .cer file (a certificate)?

How can I do it?

I need to create a certificate installer for Windows XP, Windows Vista and Windows 7.

Martin Prikryl
  • I was thinking about using a command line with the Certmgr.exe utility. Would it work with all Windows systems? – Guilherme de Jesus Santos Oct 05 '12 at 21:32
  • 4
    Certmgr.exe is not part of Windows, so you have to bundle it in your installer. I think it should work with all Windows releases, as it is part of Windows SDK. – Lex Li Oct 06 '12 at 00:58

3 Answers

17

Actually the CertMgr.exe is not available on all PCs and furthermore it does not appear to be redistributable (as hinted by @TLama); and besides you don't even need it.

CertUtil is available on every Windows machine (that I have tested) and works perfectly:

```
[Run]
; Quote the certificate path: {app} usually expands to a directory containing spaces.
Filename: "certutil.exe"; Parameters: "-addstore ""TrustedPublisher"" ""{app}\MyCert.cer"""; \
    StatusMsg: "Adding trusted publisher..."
```
Martin Prikryl
SlowLearner
  • @MartinPrikryl Admittedly I could have done more testing. I only discovered this yesterday and so have not tested exhaustively; so far only on Win 10 machines. But one is VM on Azure, 2 are regular PCs without visual studio, dotNets etc. (so no CertMgr.exe available), and then there is my DevPC which has CertMgr but CertUtil also works on it. – SlowLearner Oct 21 '16 at 12:28
  • 3
    It is stated [here](https://social.technet.microsoft.com/Forums/en-US/09fb7a70-69c2-4cc0-ad82-173c06774261/availbility-of-certutil-on-different-windows-versions?forum=winserversecurity) that certutil.exe is shipped with Windows 7 and later. For earlier versions download it from [Microsoft download](http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en) ([ref](https://social.technet.microsoft.com/Forums/exchange/en-US/dde3925d-0376-4615-ac5e-61fae88f3da2/where-cound-i-download-certutilexe-and-certreqexe65311?forum=winservergen)) – Christian Holm Jørgensen Sep 18 '19 at 09:00
  • Nice solution. It's worth noting that calling certutil requires elevated privileges so this won't work for user profile installers. – Jamie Garroch - MVP Apr 12 '22 at 19:07
2

Add Certmgr.exe and yourcertificate.cer into setup:

```
[Files]
Source: CertMgr.exe; DestDir: {app}; Flags: deleteafterinstall
Source: yourcertificate.cer; DestDir: {app}; Flags: deleteafterinstall
```

And in [Run] section, write something like this:

```
Filename: {app}\CertMgr.exe; Parameters: "-add -all -c yourcertificate.cer -s -r localmachine trustedpublisher"; Flags: waituntilterminated runhidden;
```
SimaWB
  • 2
    In my case it's a self-signed certificate, so that line localmachine ended with root –  Apr 11 '16 at 15:01
1

The reply by SlowLearner and Martin Prikryl is correct. However, a comment states the command requires elevated privileges. If you use the -user command it will access the user store therefore not requiring elevation:

```
[Run]
; Quote the certificate path: {app} usually expands to a directory containing spaces.
Filename: "certutil.exe"; Parameters: "-user -addstore ""Root"" ""{app}\MyCert.cer"""; \
    StatusMsg: "Adding root certificate..."
```
user228435
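An added example, not part of any answer above: [Run] entries do not check the program's exit code, so a failed certutil import passes silently. This script runs certutil from [Code], reports a non-zero exit code, and removes the certificate again on uninstall. It assumes Inno Setup 6; MyApp, MyCert.cer and the CERT_THUMBPRINT placeholder are hypothetical.

```innosetup
; Added example. MyApp, MyCert.cer and CERT_THUMBPRINT are placeholders.
#define CertFile "MyCert.cer"
#define CertThumbprint "CERT_THUMBPRINT"

[Setup]
AppName=MyApp
AppVersion=1.0
DefaultDirName={autopf}\MyApp
; The machine-wide store needs elevation (see the comment on the first answer).
PrivilegesRequired=admin

[Files]
Source: "{#CertFile}"; DestDir: "{app}"

[UninstallRun]
; Remove the certificate so the added trust does not outlive the application.
Filename: "{sys}\certutil.exe"; \
    Parameters: "-delstore ""TrustedPublisher"" ""{#CertThumbprint}"""; \
    Flags: runhidden; RunOnceId: "RemoveTrustedPublisherCert"

[Code]
procedure CurStepChanged(CurStep: TSetupStep);
var
  ResultCode: Integer;
  Params: String;
begin
  if CurStep = ssPostInstall then
  begin
    // Quote the path: {app} normally contains spaces ("Program Files").
    Params := '-addstore "TrustedPublisher" "' +
      ExpandConstant('{app}\{#CertFile}') + '"';
    // Full path to certutil, so no other certutil.exe on the search path is used.
    if not Exec(ExpandConstant('{sys}\certutil.exe'), Params, '', SW_HIDE,
      ewWaitUntilTerminated, ResultCode) then
    begin
      // Exec failed to start the process; ResultCode holds the system error.
      MsgBox('Could not start certutil.exe: ' + SysErrorMessage(ResultCode),
        mbError, MB_OK);
    end
    else if ResultCode <> 0 then
    begin
      Log(Format('certutil -addstore exit code: %d', [ResultCode]));
      MsgBox(Format('Certificate import failed (certutil exit code %d).',
        [ResultCode]), mbError, MB_OK);
    end;
  end;
end;
```

Replace CERT_THUMBPRINT with the SHA-1 thumbprint of the bundled certificate, so that uninstall removes exactly that certificate and nothing else in the store.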