
Add Mozilla root certs to Windows without admin


I want to add Mozilla's root certs to Windows 7 without admin privileges.

Is there a straightforward way to add the root certificates into the current user's certificate store? I'd prefer to use Windows' native tools, without relying on something I'd have to download.

Some resources that looked promising.


Solution

  • I ended up making a PowerShell script to do it.

    VERIFY THIS CODE BEFORE RUNNING IT. It's adding all of the certificate authorities from http://curl.haxx.se/ca/cacert.pem to the current user's TRUSTED ROOT certificate store.

    To run it in a single command, paste the following into a command prompt:

    @powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://raw.github.com/jschaf/install-mozilla-certs/master/install-mozilla-cert.ps1'))"
    

    Here's the GitHub link: https://github.com/jschaf/install-mozilla-certs

    And the source:

    # Variables
    $url = "http://curl.haxx.se/ca/cacert.pem"
    
    # Download the certificates
    Write-Host "Downloading Mozilla certificates from $url."
    $downloader = New-Object System.Net.WebClient
    $rawcerts = $downloader.DownloadString($url)
    
    # Remove headers and begin/end delimiters and convert into a byte
    # stream
    $header = "-----BEGIN CERTIFICATE-----`n"
    $footer = "`n-----END CERTIFICATE-----"
    $match_string = "(?s)$header(.*?)$footer"
    $certs_matches = Select-String $match_string -input $rawcerts -AllMatches
    $certs_base64 = $certs_matches.matches | %{ $_.Groups[1].Value }
    $certs_bytes = $certs_base64 | %{ ,[System.Text.Encoding]::UTF8.GetBytes($_) }
    
    # Install the certificates
    $user_root_cert_store = Get-Item Cert:\CurrentUser\Root
    $user_root_cert_store.Open("ReadWrite")
    foreach ($c in $certs_bytes) {
        $cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2(,$c)
        $user_root_cert_store.Add($cert)
    }
    $user_root_cert_store.Close()
    Write-Host "Finished installing all certificates."
    

    One annoying thing is that Windows will prompt for yes/no for every certificate. Since it's installing 158 certificates this gets old quick. If anyone knows how to prevent confirmation let me know or drop a pull request.
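
One way to act on the "verify before running" advice, as an added example that is not part of the original answer or the linked repository: a read-only audit that parses a PEM bundle and reports each certificate's subject, thumbprint, expiry, and whether it is already in a Root store, without installing anything. The function names `Get-PemCertificate` and `Get-BundleAudit` and the `-Path` parameter are hypothetical; with no `-Path`, the script builds a constructed sample from a root the machine already trusts.

```powershell
# Added example: read-only audit of a PEM bundle. Nothing is written to any store.
param([string]$Path)  # hypothetical parameter: a bundle already saved to disk

function Get-PemCertificate {
    param([string]$PemText)
    $pattern = '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($PemText, $pattern)) {
        # Drop all whitespace so LF and CRLF bundles decode the same way
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
}

function Get-BundleAudit {
    param([string]$PemText)
    # Thumbprints that are already trusted roots for this user or the machine
    $trusted = @{}
    Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
        ForEach-Object { $trusted[$_.Thumbprint] = $true }
    $now = Get-Date
    foreach ($cert in (Get-PemCertificate $PemText)) {
        New-Object PSObject -Property @{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            Expired        = ($cert.NotAfter -lt $now)
            # Name comparison only; the signature is not checked here
            SelfIssued     = ($cert.Subject -eq $cert.Issuer)
            AlreadyTrusted = $trusted.ContainsKey($cert.Thumbprint)
        }
    }
}

if ($Path) {
    $pem = [IO.File]::ReadAllText((Resolve-Path $Path).Path)
} else {
    # Constructed sample input: one root this machine already trusts, re-encoded as PEM
    $sample = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -First 1
    $b64 = [Convert]::ToBase64String($sample.RawData, [Base64FormattingOptions]::InsertLineBreaks)
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
}

$report = @(Get-BundleAudit $pem)
$report | Select-Object Subject, Thumbprint, NotAfter, Expired, SelfIssued, AlreadyTrusted |
    Format-Table -AutoSize
$new = @($report | Where-Object { -not $_.AlreadyTrusted })
Write-Host ("{0} certificates parsed, {1} not yet in a Root store." -f $report.Count, $new.Count)
```

The rows with `AlreadyTrusted` set to `False` are the ones an install would newly add as trust anchors, so those are the entries to review against a source you trust.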