How to copy trusted root certificates to another machine

I have created a VM from an image with a very clamp down security setup. In particular, it had a very limited set of trusted root CAs. It would not even trust https://www.microsoft.com. So, I decided to copy the list of root CAs from my machine to that machine.

Exporting root CAs is easy: go to Control Panel, Administrative Tools, Manage Computer Certificates, select “Trusted Root Certificates” from the tree, go to Trusted Root Certification Authorities and then Certificates. Select all items Ctrl+A), right click, All Tasks, Export. I chose the .sst format and got myself a nice .sst file.

Importing that file into the VM proved to be more difficult. After some googling I found this article that contains a Powershell snippet that does the job:

[reflection.assembly]::LoadWithPartialName("System.Security")
$certs = new-object system.security.cryptography.x509certificates.x509certificate2collection
$certs.import("certificates.sst")
$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "AuthRoot", LocalMachine
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.AddRange($certs)

I copied this snippet into a file named import.ps1 and then executed it from PowerShell (“./import.ps1”). It worked great. I am not sure why Microsoft provides Export UI and leaves us to hunt for the import UI, but that’s a different question.

2 Comments


  1. Thanks, but you can actually import the .sst by right-click import.

    Reply

    1. You mean, right click on the MMC snap in -> All Tasks -> Import?

      Yes, I found it, thanks for the tip! It looks like it appears only if I click “in the empty field” with no files selected, which, frankly, is not the best design for discoverability. Not sure if it was available at the time of writing though. It was some old version of Windows Server.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *