Why are these GlobalSign root certificates different and how to import them from the command line?

0

I'm writing a script that automates adding the latest GlobalSign certificates as found here:

https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates

I was able to successfully import the following using certutil -addstore root:

clientauthrootr45.crt
codesigningrootr45.crt
docsignrootr45.crt
iotrootr60.crt
Root-R1.crt
Root-R3.crt
rootr46.crt
root-r6.crt
smimerootr45.crt
timestamprootr45.crt

But these certificates failed to import:

clientauthroote45.crt
codesigningroote45.crt
docsignroote45.crt
iotroote60.crt
roote46.crt
Root-R5.crt
smimeroote45.crt

The error reported was:

402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Signature does not match Public key: 80090008
313.2389.0: 0x80090008 (-2146893816)
Cannot add a non-root certificate to the root store
313.2398.0: 0x8007000d (WIN32: 13)
313.2668.0: 0x8007000d (WIN32: 13)
313.2830.0: 0x8007000d (WIN32: 13)
CertUtil: -addstore command FAILED: 0x8007000d (WIN32: 13)
CertUtil: The data is invalid.
301.3160.0: 0x8007000d (WIN32: 13)

How are these certificates different and can they be imported from the command line?

windows
command-line
certificate
trusted-root-certificates
asked on Super User Mar 24, 2021 by Zhro

1 Answer

1

The website points out the difference:

RSA Root Certificates

Root-R1.crt (etc)

ECC Root Certificates

Root-R5.crt and all the files that look like "*e##.crt"

...

Windows XP, a 19-year-old OS, does not have support for Elliptic Curve Cryptography (ECC). That means that the signature in the cert can't be verified, and then a cascade of errors occurs.

answered on Super User Mar 24, 2021 by bartonjs
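
The RSA/ECC split described in the answer can be checked per file before an import script calls certutil, so ECC roots are skipped on a system that cannot verify them. This is an added example, not code from the question or the answer: a minimal DER walk that reads the SubjectPublicKeyInfo algorithm OID. The function names and the two sample byte strings are constructed for illustration.

```python
import base64

# SubjectPublicKeyInfo algorithm OIDs (DER content bytes) -> key family.
SPKI_OIDS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",  # 1.2.840.113549.1.1.1 rsaEncryption
    bytes.fromhex("2a8648ce3d0201"): "ECC",      # 1.2.840.10045.2.1 id-ecPublicKey
}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def key_family(data):
    """Classify a certificate (DER or PEM bytes) as 'RSA', 'ECC' or 'other'."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = (ln.strip() for ln in data.splitlines())
        data = base64.b64decode(b"".join(ln for ln in lines if ln and not ln.startswith(b"-----")))
    _, pos, _ = read_tlv(data, 0)          # Certificate SEQUENCE
    _, pos, _ = read_tlv(data, pos)        # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(data, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    for _ in range(5):                     # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(data, pos)
    _, pos, _ = read_tlv(data, pos)        # SubjectPublicKeyInfo SEQUENCE
    _, pos, _ = read_tlv(data, pos)        # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(data, pos)  # algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in SubjectPublicKeyInfo")
    return SPKI_OIDS.get(data[start:end], "other")

# Constructed DER skeletons: certificate layout only, not real certificates.
HEAD = "a0030201020201013000300030003000"  # version, serial, four empty SEQUENCEs
SAMPLE_RSA = bytes.fromhex("30243022" + HEAD + "3010300b06092a864886f70d010101030100")
SAMPLE_ECC = bytes.fromhex("30223020" + HEAD + "300e300906072a8648ce3d0201030100")

if __name__ == "__main__":
    for name, blob in (("constructed RSA", SAMPLE_RSA), ("constructed ECC", SAMPLE_ECC)):
        print(name, "->", key_family(blob))
```

For real files, pass the bytes read from each .crt to key_family and only hand the "ECC" ones to certutil on a system that supports ECC.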

User contributions licensed under CC BY-SA 3.0