Microsoft "certutil -store..." - Certificate File Format

Q

What is the file format of the certificate file exported by the Microsoft "certutil -store" command? It is DER (Distinguished Encoding Rules), PEM (Privacy Enhanced Mail), or PKCS12 (Public-Key Cryptography Standards #12)?

✍: FYIcenter.com

A

The file format of certificate files exported from certificate stores by the Microsoft "certutil -store" command is DER (Distinguished Encoding Rules) format. See the tutorial below:

1. Generate and insert a new self-signed certificate into "-user TestStore" certificate store:

C:\fyicenter>
  "\Program Files\Microsoft Visual Studio 8\sdk\v2.0\bin\makecert.exe"
  -n "CN=FYIcenter Root CA" -r -ss TestStore
Succeeded

2. Export the new certificate into a certificate file "fyi.crt":

C:\fyicenter>\windows\system32\certutil -store -user TestStore 
   "FYIcenter Root CA" FYIcenter.crt

TestStore
================ Certificate 0 ================
Serial Number: b3f33360411e2b8045cd75cf9588a23d
Issuer: CN=FYIcenter Root CA
 NotBefore: 7/1/2012 10:34 PM
 NotAfter: 12/31/2039 6:59 PM
Subject: CN=FYIcenter Root CA
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 32 c6 b7 33 0f 30 64 41 f9 16 95 0d d5 65 a7 30 9c 50 b9 c2
  Key Container = JoeSoft
  Unique container name: 7b90a71bfc56f2582e916a51aed6df9a_e4c0ab3c-2930-4330-b97
9-2488d6d8e2d2
  Provider = Microsoft Strong Cryptographic Provider
Private key is NOT exportable
Signature test passed
CertUtil: -store command completed successfully.

3. Look at the certificate file as HEX number. We can assume that the certificate file exported by the Microsoft "certutil -store" command is a binary data file and most likely in DER (Distinguished Encoding Rules) format.

30 82 02 0e 30 82 01 77 a0 03 02 01 02 02 10 b3 ...

2013-04-24, 2918👍, 0💬