param(
  [Parameter(Mandatory = $true)]
  [string]$CertPath
)
if (-not (Test-Path -Path $CertPath)) {
  throw "Cert file not found: $CertPath"
}
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$thumbprint = $cert.Thumbprint
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root","LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$existing = $store.Certificates | Where-Object { $_.Thumbprint -eq $thumbprint }
if ($existing.Count -eq 0) {
  $store.Add($cert)
  Write-Host "Installed root CA: $thumbprint"
} else {
  Write-Host "Root CA already installed: $thumbprint"
}
$store.Close()