Microsoft "certutil -store..." - Certificate File Format

Q

What is the file format of the certificate file exported by the Microsoft "certutil -store" command? It is DER (Distinguished Encoding Rules), PEM (Privacy Enhanced Mail), or PKCS12 (Public-Key Cryptography Standards #12)?

✍: FYIcenter.com

A

The file format of certificate files exported from certificate stores by the Microsoft "certutil -store" command is DER (Distinguished Encoding Rules) format. See the tutorial below:

1. Generate and insert a new self-signed certificate into "-user TestStore" certificate store:

C:\fyicenter>
  "\Program Files\Microsoft Visual Studio 8\sdk\v2.0\bin\makecert.exe"
  -n "CN=FYIcenter Root CA" -r -ss TestStore
Succeeded

2. Export the new certificate into a certificate file "fyi.crt":

C:\fyicenter>\windows\system32\certutil -store -user TestStore
   "FYIcenter Root CA" FYIcenter.crt

TestStore
================ Certificate 0 ================
Serial Number: b3f33360411e2b8045cd75cf9588a23d
Issuer: CN=FYIcenter Root CA
 NotBefore: 7/1/2012 10:34 PM
 NotAfter: 12/31/2039 6:59 PM
Subject: CN=FYIcenter Root CA
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 32 c6 b7 33 0f 30 64 41 f9 16 95 0d d5 65 a7 30 9c 50 b9 c2
  Key Container = JoeSoft
  Unique container name: 7b90a71bfc56f2582e916a51aed6df9a_e4c0ab3c-2930-4330-b97
9-2488d6d8e2d2
  Provider = Microsoft Strong Cryptographic Provider
Private key is NOT exportable
Signature test passed
CertUtil: -store command completed successfully.

3. Look at the certificate file as HEX number. We can assume that the certificate file exported by the Microsoft "certutil -store" command is a binary data file and most likely in DER (Distinguished Encoding Rules) format.

30 82 02 0e 30 82 01 77 a0 03 02 01 02 02 10 b3 ...

⇒ Microsoft "certutil -viewstore" Command Options

⇐ Microsoft "certutil -store CA 0 first.crt" - Export Certificate

⇑ Microsoft "certutil" Commands on Certificate Stores

⇑⇑ Microsoft "certutil" - Certificate Management Tool

2013-04-24, 5596👍, 0💬

💬 2016-01-29 FYIcenter.com: @D Keetch, yes, we can provide more examples. But do you have a specific use case that needs some help?

💬 2016-01-25 D Keetch: one example is not enough to illustrate the usage

Microsoft "certutil -encode..." - Converte DER file to PEM
How to convert a certificate file in DER (Distinguished Encoding Rules) format to PEM (Privacy Enhanced Mail) format? I know that PEM file format uses printable characters only and is safe to be included emails. If you want to convert a certificate from DER format to PEM format, you can use the Micr... 2020-01-12, 38920👍, 1💬

💬 2020-01-12 Y: Thank you!!!!

Microsoft "certutil -viewstore" Command Options
How can I use Microsoft "certutil -viewstore" command? What are command options supported by "certutil -viewstore"? The document says "Dump certificate store". Microsoft "certutil -viewstore" command can be used to view certificates from a certificate store in an pop-up window. Here are options supp... 2013-04-26, 34525👍, 0💬

Microsoft "certutil -delstore" Command Options
How can I use Microsoft "certutil -delstore" command? What are command options supported by "certutil -delstore"? The document says "Delete certificate from store". Microsoft "certutil -delstore" command can be used to delete a certificate from a certificate store on the local computer. Here are opt... 2013-03-05, 27383👍, 0💬

Microsoft "certutil -addstore -f -user publisher ..." - Create a Store
How to import a certificate from a certificate file into a new certificate store with Microsoft "certutil" tool? If you want to import a certificate from a certificate file into a new certificate store, you can use the Microsoft "certutil -addstore -f storename file_name" command as shown in this tu... 2013-03-05, 25749👍, 0💬

Microsoft "certutil -hashfile..." - Certificate Hash Value
How to get the hash value (or thumbprint value) of a certificate? I have the certificate stored in DER (Distinguished Encoding Rules) format. If you have a certificate saved in a certificate file in DER (binary) format, you can get the SHA1 hash value of the certificate using you can use the Microso... 2013-04-25, 19729👍, 0💬

Microsoft "certutil -encode..." - Converte PEM file to DER
How to convert a certificate file in PEM (Privacy Enhanced Mail) format to DER (Distinguished Encoding Rules) format? If you want to convert a certificate from PEM format to DER format, you can use the Microsoft "certutil -decode input_file output_file" command as shown in this tutorial: C:\fyicente... 2013-04-25, 17209👍, 0💬

Microsoft "certutil -addstore -user my ..." - Import Certificate
How to import a certificate from a certificate file into a certificate store with Microsoft "certutil" tool? If you want to import a certificate from a certificate file into a certificate store, you can use the Microsoft "certutil -addstore storename file_name" command as shown in this tutorial: C:\... 2013-03-01, 16153👍, 0💬

Microsoft "certutil -encode" Command Options
How can I use Microsoft "certutil -encode" command? What are command options supported by "certutil -encode"? The document says "Encode file to Base64". Microsoft "certutil -encode" command can be used to convert a certificate file from binary format to Base64 (PEM - Privacy Enhanced Mail) format. H... 2013-03-06, 15441👍, 0💬

Microsoft "certutil -viewstore -user ca..." - View Certificate
How to view a certificate from a certificate store with Microsoft "certutil" tool? If you want to view a certificate from a certificate store, you can use the Microsoft "certutil -viewstore store_name certificat_id" command as shown in this tutorial: C:\fyicenter>\windows\s ystem32\certutil-v... 2013-04-26, 7436👍, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.