Microsoft "certutil" Certificate Store Locations

Q

How can I specify the search location of certificate stores for Microsoft "certutil" command? The document says that by default "certutil" searches for certificate stores at the local machine level.

✍: FYIcenter.com

A

Microsoft "certutil" command allows you search certificate stores at 5 locations:

1. Local Machine (no option) - This is the default option. Local machine certificate stores are recorded in Windows registry at "HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates". Predefined certificate store names are: AuthRoot, CA, MY, Root, UserDS, ... For example, "certutil -store root" command dumps all certificates from the "Root" certificate store at the local machine location.

2. Current User ("-user" option) - Current user certificate stores are recorded in Windows registry at "HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates". Predefined certificate store names are: AuthRoot, CA, MY, Root, ... For example, "certutil -user -store my" command dumps all certificates from the "MY" certificate store at the current user location.

3. Machine Enterprise ("-enterprise" option) - Machine enterprise certificate stores are recorded in Windows registry at "HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates". Predefined certificate store names are: AuthRoot, CA, NTAuth, Root, ... For example, "certutil -enterprise -store ntauth" command dumps all certificates from the "NTAuth" certificate store at the machine enterprise location.

4. Machine Service ("-service" option) - Machine service certificate stores are recorded in Windows registry at "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services \ServiceName\SystemCertificates". Predefined certificate store names are: MY, CA, Trust, Root, ... For example, "certutil -service -store MOM\My" command dumps all certificates from the "MY" certificate store of the "MOM" service at the machine service location.

5. Machine Group Policy ("-grouppolicy" option) - Machine service certificate stores are recorded in Windows registry at "HKEY_LOCAL_MACHINE\Software\Policy\Microsoft\SystemCertificates". Predefined certificate store names are: AuthRoot, CA, Trust, ... For example, "certutil -grouppolicy -store ca" command dumps all certificates from the "CA" certificate store at the machine group policy location.

If you want to see certificate store names defined in Windows registry, you can use the "regedit" command view the registry key of the certificate store location.

 

What Is Microsoft CertUtil

Introduction to Microsoft "certutil" Commands

Introduction to Microsoft "certutil" Commands

⇑⇑ Microsoft "certutil" - Certificate Management Tool

2016-08-01, 102517🔥, 1💬