Deploy ONE Certificate to MANY user’s personal cert store


Using Group Policies, you can import Certificates of Root Authorities or other Trusted Certificates. It’s also possible to use auto enrollment to deploy Certificates to Users, if an internal enterprise CA is used to handle the requests. But you cannot deploy one single standalone Certificate with private key to many users.


This can only be done using a script, ran using GPO’s or in an existing login script – if there’s still one in place.


Use this command to import a PKCS#12 file (*.pfx or *.p12) into user’s Personal Certificate store.

certutil -importpfx -f -user -p "test" test.p12 NoRoot

Put your private key’s passwort after Parameter “-p”; in my example, the password was “test” and the PKCS#12 file is called test.p12.

Split private key from exported pfx file

Split private key from exported pfx file

During setup of some applications, you need specify a certificate and the private key separately. To get the key, you can use OpenSSLto split it out:

pkcs12 -in c:\temp\mmcsecuresite.p12 -out bla.key -nodes -nocerts

Now you have the key and only need to export the certificate without the private key to save it as a Certificate.