5

We have an application which runs a batch script which installs an OCA and certificates signed by that OCA to a set of Windows machines.

Unfortunately the OCA certificate has expired, and certutil produces errors when we run the script, because the new OCA certificate has the same name as the old one.

How can we use certutil to replace or remove the existing certificate by name before adding the new one?

Please see below for the command I'm using and the result: 'Certificate "x" already in store.' The certificate present in the store with the same name is expired.

image

The commands are:

certutil -addstore "Root" "file.crt"
certutil -addstore "Ca" "file.crt"

From an elevated command prompt.

Greg Askew
  • 39,132
Thomas
  • 153

1 Answers1

7

In the screenshot it was a bit hard to see. Unfortunately there is no option to overwrite / replace certificates already in the store, so you need to delete the certificate and then add it. The certutil commands would look like this

certutil -delstore "Root" "OldCertificateCommonName"
certutil -addstore "Root" "path_to_new_certificate"

In the first command you need to replace OldCertificateCommonName with the common name of the certificate.

By the way, are you sure this certificate needs to be in CA authority store? That gives it an insane power and it can act as a certificate authority. Be careful with that from a security perspective.

Turdie
  • 2,945