Microsoft "certutil -store..." - Certificate File Format


What is the file format of the certificate file exported by the Microsoft "certutil -store" command? Is it DER (Distinguished Encoding Rules), PEM (Privacy Enhanced Mail), or PKCS12 (Public-Key Cryptography Standards #12)?



Certificate files exported from certificate stores by the Microsoft "certutil -store" command are in DER (Distinguished Encoding Rules) format. See the tutorial below:

1. Generate a new self-signed certificate and insert it into the "-user TestStore" certificate store:

  "\Program Files\Microsoft Visual Studio 8\sdk\v2.0\bin\makecert.exe" -n "CN=FYIcenter Root CA" -r -ss TestStore

2. Export the new certificate into a certificate file "FYIcenter.crt":

C:\fyicenter>\windows\system32\certutil -store -user TestStore "FYIcenter Root CA" FYIcenter.crt

================ Certificate 0 ================
Serial Number: b3f33360411e2b8045cd75cf9588a23d
Issuer: CN=FYIcenter Root CA
 NotBefore: 7/1/2012 10:34 PM
 NotAfter: 12/31/2039 6:59 PM
Subject: CN=FYIcenter Root CA
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 32 c6 b7 33 0f 30 64 41 f9 16 95 0d d5 65 a7 30 9c 50 b9 c2
  Key Container = JoeSoft
  Unique container name: 7b90a71bfc56f2582e916a51aed6df9a_e4c0ab3c-2930-4330-b97
  Provider = Microsoft Strong Cryptographic Provider
Private key is NOT exportable
Signature test passed
CertUtil: -store command completed successfully.

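3. Look at the certificate file in a hex viewer. The file is binary data, not text: it begins with 30 82, the ASN.1 SEQUENCE tag followed by a two-byte length, and not with the "-----BEGIN CERTIFICATE-----" line that a PEM file starts with. We can therefore assume that the certificate file exported by the Microsoft "certutil -store" command is most likely in DER (Distinguished Encoding Rules) format.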

30 82 02 0e 30 82 01 77 a0 03 02 01 02 02 10 b3 ...
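
As an added example (not part of the original page), the Python sketch below parses the ASN.1 tag and length headers of the bytes shown in step 3 and tells apart the three formats named in the question. The function names and the PEM and PKCS#12 sample inputs are constructed for illustration; the check is a heuristic on the leading bytes, not a full certificate parser.

```python
# Added example (not from the original page): classify a certificate file by its
# leading bytes. Function names and the PEM/PKCS#12 samples are constructed.

def read_tlv_header(buf, pos=0):
    """Parse one DER tag+length header; return (tag, length, value_offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                          # short form: one length byte
        return tag, first, pos + 2
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        raise ValueError("indefinite, oversized or truncated length")
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    if length < 0x80 or buf[pos + 2] == 0:
        raise ValueError("non-minimal length (BER, not DER)")
    return tag, length, pos + 2 + n

def guess_cert_format(data):
    """Heuristic: 'PEM', 'DER', 'PKCS12' or 'unknown' from the first bytes."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"                          # base64 text with armor lines
    try:
        tag, _, body = read_tlv_header(data)
        inner_tag, inner_len, inner_val = read_tlv_header(data, body)
    except ValueError:
        return "unknown"
    if tag != 0x30:                           # every candidate is a SEQUENCE
        return "unknown"
    if inner_tag == 0x30:                     # Certificate { tbsCertificate SEQUENCE ...
        return "DER"
    if inner_tag == 0x02 and data[inner_val:inner_val + inner_len] == b"\x03":
        return "PKCS12"                       # PFX { version INTEGER 3, ...
    return "unknown"

# First 16 bytes shown in step 3 of the page.
PAGE_BYTES = bytes.fromhex("3082020e30820177a0030201020210b3")
# Constructed samples for the other two formats named in the question.
PEM_SAMPLE = b"-----BEGIN CERTIFICATE-----\nMIICDjCCAXeg\n-----END CERTIFICATE-----\n"
PFX_SAMPLE = bytes.fromhex("30820a00020103308209c6")

if __name__ == "__main__":
    tag, length, off = read_tlv_header(PAGE_BYTES)
    print(f"outer tag 0x{tag:02x}, body {length} bytes, file size {off + length}")
    for name, blob in (("page", PAGE_BYTES), ("pem", PEM_SAMPLE), ("pfx", PFX_SAMPLE)):
        print(name, "->", guess_cert_format(blob))
```

A PKCS#12 file encoded with BER indefinite lengths is reported as unknown, because the header parser accepts only definite-length DER.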



2013-04-24