I'm writing a script that automates adding the latest GlobalSign certificates as found here:
I was able to successfully import the following using
certutil -addstore root:
clientauthrootr45.crt codesigningrootr45.crt docsignrootr45.crt iotrootr60.crt Root-R1.crt Root-R3.crt rootr46.crt root-r6.crt smimerootr45.crt timestamprootr45.crt
But these certificates failed to import:
clientauthroote45.crt codesigningroote45.crt docsignroote45.crt iotroote60.crt roote46.crt Root-R5.crt smimeroote45.crt
The error reported was:
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version Signature does not match Public key: 80090008 313.2389.0: 0x80090008 (-2146893816) Cannot add a non-root certificate to the root store 313.2398.0: 0x8007000d (WIN32: 13) 313.2668.0: 0x8007000d (WIN32: 13) 313.2830.0: 0x8007000d (WIN32: 13) CertUtil: -addstore command FAILED: 0x8007000d (WIN32: 13) CertUtil: The data is invalid. 301.3160.0: 0x8007000d (WIN32: 13)
How are these certificates different and can they be imported from the command line?
The website points out the difference:
RSA Root Certificates
ECC Root Certificates
Root-R5.crt and all the files that look like "*e##.crt"
Windows XP, a 19 year old OS, does not have support for Elliptic Curve Cryptography (ECC). That means that the signature in the cert can't be verified, and then a cascade of errors occurs.
User contributions licensed under CC BY-SA 3.0