Exporting Digital Certificates via Certutil.exe
Hello All,

First I would like to say that I am not really a scripting person. I am currently on an XP SP2 desktop deployment project which migrates the users' profiles to the new XP image. We are utilizing SCCM OSD with the USMT 3.0 tool for the project. There are machines in the client's environment that have web certificates on the users' profiles. The certificates that are on the user profiles are not actually issued by the client but by external parties. These external parties are banking institutions, payroll, etc. For example, an employee works in the payroll department, which requires special access to a bank's website. To obtain access, the user is authorized by the client and the bank to receive a web certificate (which the bank issues to the user) that, once it is downloaded and installed in IE, will give the user access to the bank's website. So the client does not have a CA in their infrastructure.

So basically I want to move/export the current certificates on the current user profile and import the same certificates with private key onto the new OS. I was told to go in the direction of credential roaming, but this was not going to work because credential roaming requires all current machines in the environment to be XP SP2 and later, but there are currently many Windows 2000 machines. Since that option would not help, they suggested certutil.exe from the Server 2003 admin tools pack for exporting all web certificates to a new machine/user profile. I am trying to figure out if there is a way to automate/create a script that exports all the digital certificates with private key that are stored within IE under the Personal store.
I was able to create the following command lines to export and import a single digital certificate:

Export a single certificate:

    certutil -f -p Password123 -user -exportpfx 123456789010a0d0e0a0123 c:\testexport.pfx

Note: certificate ID = 123456789010a0d0e0a0123

Import the certificate:

    certutil -user -importpfx c:\testexport.pfx

I was wondering if there is a way to actually export all the digital certificates within the Personal store without knowing the actual individual certificate ID? If this is possible, then how would I go about changing the name of the exported certificate (maybe append a suffix 01, 02, 03, etc.) since I do now

Thanks
Binh
August 21st, 2009 5:48am

Hello,

To export a certificate with its private key, you may use the CAPICOM API.

Sample code:
=============
Const CAPICOM_EXPORT_DEFAULT = 0
Const CAPICOM_STORE_SAVE_AS_PFX = 2
Const CAPICOM_CURRENT_USER_STORE = 2
Const CAPICOM_STORE_OPEN_EXISTING_ONLY = 128

Dim Store
Dim Certificates

' Open the current user's Personal ("My") store; fail if it does not exist
Set Store = CreateObject("CAPICOM.Store")
Store.Open CAPICOM_CURRENT_USER_STORE, "My", CAPICOM_STORE_OPEN_EXISTING_ONLY

' Save every certificate in the store into one password-protected PFX file
' ("CertFile.pfx" and "Password" are placeholders)
Set Certificates = Store.Certificates
Certificates.Save "CertFile.pfx", "Password", CAPICOM_STORE_SAVE_AS_PFX, CAPICOM_EXPORT_DEFAULT
=============

Microsoft provides programming examples for illustration only, without warranty either expressed or implied, including, but not limited to, the implied warranties of merchantability and/or fitness for a particular purpose. This article assumes that you are familiar with the programming language being demonstrated and the tools used to create and debug procedures. Microsoft support professionals can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific needs. If you have limited programming experience, you may want to contact a Microsoft Certified Partner or the Microsoft fee-based consulting line at (800) 936-5200. For more information about Microsoft Certified Partners, please visit the following Microsoft Web site: http://www.microsoft.com/partner/referral/

As you know, Technet is primarily for break-fix situations. Issues that include custom coding/programming, scripting, design/implementation type of issues would best be addressed in the MSDN forum.

If you have any questions or concerns, please do not hesitate to let me know.
August 24th, 2009 1:44pm
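
One way to do what the question asks with certutil itself, as an added example that is not part of the original thread or Microsoft's sample: enumerate the current user's Personal store and run the question's export command once per certificate, writing numbered files plus a manifest. It assumes PowerShell 2.0 or later and certutil.exe on the PATH; the output folder, the `cert_NN.pfx` naming and `manifest.csv` are hypothetical choices, and the SHA-1 thumbprint is used as the certificate ID instead of the serial number.

```powershell
# Added example: export every certificate in the current user's Personal (My)
# store that has a private key, one numbered PFX per certificate.
# Assumptions: PowerShell 2.0+, certutil.exe on PATH, run as the profile owner.
param(
    [string]$OutDir = 'C:\CertExport'   # hypothetical output folder
)

# Prompt once instead of hard-coding the password in the script.
# certutil -p still receives it as plain text on its command line.
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

$index   = 0
$results = @()
foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    if (-not $cert.HasPrivateKey) { continue }   # nothing to migrate without a key

    $index++
    $pfx = Join-Path $OutDir ('cert_{0:D2}.pfx' -f $index)   # cert_01.pfx, cert_02.pfx, ...

    # Same command form as in the question, with the store name given explicitly.
    # The thumbprint is unique within the store, so it is a safe certificate ID.
    & certutil.exe -f -p $plain -user -exportpfx My $cert.Thumbprint $pfx | Out-Null
    $ok = ($LASTEXITCODE -eq 0)   # non-zero when the key is marked non-exportable

    $results += New-Object PSObject -Property @{
        File       = $pfx
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        Exported   = $ok
    }
}

# The manifest maps each numbered file back to its certificate (no password in it).
$results | Select-Object File, Subject, Issuer, Thumbprint, Exported |
    Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
$results | Where-Object { -not $_.Exported } |
    ForEach-Object { Write-Warning "Not exported: $($_.Subject)" }
```

Each PFX holds a private key protected only by the export password, so keep the output folder restricted to the user and delete the files once they have been imported on the new profile with `certutil -user -importpfx`.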

This topic is archived. No further replies will be accepted.
