There are multiple ways to accomplish this. You can either:
1) Attach the cert as a download and use ‘certutil’ commands to import.
2) Use PowerShell commands to import.
3) Create a GPO that applies to this machine and add Trusted roots in a PKI policy.
The GPO approach is the most efficient if you need to apply the same trusted root to a large number of machines that are domain joined.
Yes @JonL, we can do it using PowerShell (ByPass Policy) or GRP Push as well.
I’ve done it using batch file scripting and implemented it in BigFix Action Script.
The action works well for importing/revoking a certificate in MMC:
Batch File Script: For Import

@echo off
certutil.exe -addstore -f "TrustedPublisher" "C:\Users\19639\Desktop\RestAPI.cer"
REM Import in Trusted Root Certification Authorities
certutil.exe -addstore -f -enterprise -user root "C:\Users\19639\Desktop\RestAPI.cer"
Is ‘RestAPI.cer’ in your example a signing certificate of some sort or an actual certificate authority certificate?
Typically in an enterprise PKI, the root and issuing CAs’ public keys are trusted (ideally via AD GPO if the machines are domain joined, or via a certutil or PowerShell script). The ‘working’ certificate (likely RestAPI.cer in this case) is then issued and/or signed by the trusted issuing CA. If the machines properly trust the CA hierarchy, they will by default trust the certificates issued by it.
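
One way to answer the CA-versus-working-certificate question before anything is imported, as an added example that is not from any poster in this thread: the script checks the file against a thumbprint obtained out of band, reads the Basic Constraints extension, and only imports certificates that are actually CAs. The parameter names `$CertPath` and `$ExpectedThumbprint` are assumptions; run it elevated because it writes to the LocalMachine stores.

```powershell
# Added example. $CertPath and $ExpectedThumbprint are hypothetical parameters
# supplied by the operator; the thumbprint should come from the CA owner, not the file.
param(
    [Parameter(Mandatory)] [string] $CertPath,
    [Parameter(Mandatory)] [string] $ExpectedThumbprint
)

$X509 = 'System.Security.Cryptography.X509Certificates'
$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object "$X509.X509Certificate2" -ArgumentList $path

# Pin the file to a known thumbprint so a swapped or tampered file is never trusted.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

# Refuse certificates outside their validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not currently valid ($($cert.NotBefore) to $($cert.NotAfter))"
}

# Basic Constraints tells us whether this certificate may act as a CA.
$bc = $cert.Extensions | Where-Object { $_ -is ("$X509.X509BasicConstraintsExtension" -as [type]) }
$isCA = [bool]($bc -and $bc.CertificateAuthority)
$selfIssued = ($cert.Subject -eq $cert.Issuer)

if ($isCA -and $selfIssued) {
    $store = 'Cert:\LocalMachine\Root'   # Trusted Root Certification Authorities
} elseif ($isCA) {
    $store = 'Cert:\LocalMachine\CA'     # Intermediate Certification Authorities
} else {
    # A leaf (working) certificate does not belong in a trust anchor store;
    # import the CA that issued it instead.
    throw "Not a CA certificate (issuer: $($cert.Issuer)). Import the issuing CA chain instead."
}

Import-Certificate -FilePath $path -CertStoreLocation $store | Out-Null

# Confirm what actually landed in the store.
Get-ChildItem -Path $store |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```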