certutil
certutil is a command-line utility that is installed with Windows and used for managing certificates, certificate stores, and certificate revocation lists (CRLs). It provides a broad set of features for troubleshooting and administration of Public Key Infrastructure (PKI) components.
Getting Started
Open a Command Prompt with administrative privileges and run:
certutil -?
This displays the full list of commands and options.
Common Commands
| Command | Description |
|---|---|
| certutil -store | Displays certificates in a specified store. |
| certutil -addstore | Adds a certificate to a store. |
| certutil -delstore | Deletes a certificate from a store. |
| certutil -dump | Shows detailed information about a certificate file. |
| certutil -repairstore | Attempts to repair corrupted certificates in a store. |
| certutil -verify | Validates a certificate chain. |
| certutil -urlcache | Manages the URL cache used for retrieving CRLs and OCSP responses. |
Example: Viewing the Local Machine Trusted Root Store
certutil -store Root
Output sample:
CertUtil: -store command completed successfully.
Serial Number: 6f1d2a34b5c...
Issuer: CN=Microsoft Root Certificate Authority, O=Microsoft Corporation, C=US
Subject: CN=Microsoft Root Certificate Authority, O=Microsoft Corporation, C=US
...
Example: Adding a Certificate to the Trusted Publishers Store
certutil -addstore "TrustedPublisher" C:\Certs\mypublisher.cer
Result:
CertUtil: -addstore command completed successfully.
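A certificate in the Trusted Publishers store is trusted for code signing, so it is worth gating the import. The following is an added PowerShell example, not part of the original page: it pins the file to an expected thumbprint, validates the chain, runs certutil -addstore, and confirms the result with certutil -store. The thumbprint value is a placeholder, and using the .NET X509Chain class for the chain decision is a choice made for this example.

```powershell
# Added example (not from the original page): gate a TrustedPublisher import.
param(
    [string]$CertPath = 'C:\Certs\mypublisher.cer',               # path used on the page
    [string]$ExpectedThumbprint = '<EXPECTED-SHA1-THUMBPRINT>',   # placeholder: obtain out of band
    [string]$Store = 'TrustedPublisher'
)
$ErrorActionPreference = 'Stop'

# Keep only hex digits so a thumbprint pasted with spaces or colons still compares equal.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($expected.Length -ne 40) {
    throw 'ExpectedThumbprint must be a 40-hex-digit SHA-1 thumbprint.'
}

# Load the file without touching any store.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# 1. Identity: the file must be the exact certificate that was approved.
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)."
}

# 2. Chain: must build to a trusted root; this also rejects expired or revoked certificates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain validation failed: $reasons"
}

# 3. Import with certutil, checking its exit code rather than parsing the output text.
& certutil.exe -addstore $Store $CertPath
if ($LASTEXITCODE -ne 0) {
    throw "certutil -addstore failed with exit code $LASTEXITCODE."
}

# 4. Confirm the store now holds that thumbprint (certutil accepts a SHA-1 hash as CertId).
& certutil.exe -store $Store $cert.Thumbprint | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Certificate $($cert.Thumbprint) not found in $Store after import."
}

Write-Output "Added $($cert.Subject) [$($cert.Thumbprint)] to $Store."
```

Run it from an elevated prompt, since writing to the machine-wide store requires administrative privileges.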
Advanced: Exporting a Certificate with Private Key
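certutil -exportPFX -p "MyPassword" MyStore MyCert MyCert.pfx
This command exports MyCert, together with its private key, from MyStore into the PFX file MyCert.pfx, protected by the password MyPassword. The output file is given as the last argument; certutil writes the PFX itself, so shell redirection is not used. Because the password is passed on the command line, it is visible in command history and in process-creation logs.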