We start by creating a folder. We call it cer_as_exe and here we put our root certificate that we want to distribute and a small installation script.
Our installation script is not that big.
certutil -addstore -f -enterprise -user root %tmp%\root_ca.cer > NUL
del /F %tmp%\root_ca.cer > NUL
del /F %tmp%\install.bat > NUL
This is a very small script that installs a root certificate from a file to the root certificate container in the certificate store for the computer and the user. Then it does a quick cleanup by removing the original root certificate file and installation script that is unpacked in to the %tmp% folder by our installer. Now we need to pack everything as an .exe file that will install our root certificate automatically.
We choose to add our files to archive (using WinRAR).
We select to create a self extracting archive.
We put the following options for the installer under the comment tab.
We basically tell the installer to extract the files to the users temp path (and overwrite existing files if necessary) and then execute our installation script that does the import as silent as possible. If we want to do modifications such as using a custom icon, etc, we can specify this in “SFX options” under the Advanced tab.
Press OK and now we have a small .exe file that will do the import completely unattended.
Please remember that since the script does not only add the root certificate to our user, but also to our computers certificate store (a system wide change), administrative privileges are required to be able to run this file. You don’t want to add the certificate to the computer store? Then just remove the –enterprise switch from the installation script and it will import the root certificate only the the users certificate store without the need for any elevation at all.
Works great after adding a checkbox in “Request administrative access” under SFX Options.