Windows CertUtil – List Certificate Stores
I needed a way to list all of the Windows certificate stores…
Google failed me, so here it is:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>certutil -enumstore
(CurrentUser: -user)
LocalMachine
(CurrentService: -service)
(Services: -service -service)
(Users: -user -user)
(CurrentUserGroupPolicy: -user -grouppolicy)
(LocalMachineGroupPolicy: -grouppolicy)
(LocalMachineEnterprise: -enterprise)
My
Root
Trust
CA
TrustedPublisher
Disallowed
AuthRoot
TrustedPeople
Homegroup Machine Certificates
SmartCardRoot
SPC
TrustedDevices
Windows Live ID Token Issuer
CertUtil: -enumstore command completed successfully.
If you’re looking for the store names listed in MMC, they are listed with a completely different name, because… Microsoft:
| CertUtil Storename | In “Certificates” MMC | Purpose |
| --- | --- | --- |
| My | Personal | Certificates assigned to this user or machine |
| Root | Trusted Root Certification Authorities | Root CAs trusted by this machine – typically this isn’t used very often |
| Trust | Enterprise Trust | Active Directory and other CAs related to management and authentication |
| CA | Intermediate Certification Authorities | Intermediate CAs trusted by this machine – typically this is not used. The server should serve out an intermediate that is downloaded on the fly, and must chain to a root CA in “Third-Party Root Certification Authorities” |
| AuthRoot | Third-Party Root Certification Authorities | Public trust providers such as DigiCert / GeoTrust or Thawte |
To list all of the certificates within a store:
C:\Windows\system32>certutil -store authroot
authroot
================ Certificate 0 ================
Serial Number: 7777062726a9b17c
Issuer: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
NotBefore: 1/29/2010 8:06 AM
NotAfter: 12/31/2030 8:06 AM
Subject: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): f9 b5 b6 32 45 5f 9c be ec 57 5f 80 dc e9 6e 2c c7 b2 78 b7
No key provider information
Cannot find the certificate and private key for decryption.
================ Certificate 1 ================
Serial Number: 600197b746a7eab4b49ad64b2ff790fb
Issuer: CN=thawte Primary Root CA - G3, OU=(c) 2008 thawte, Inc. - For authorized use only, OU=Certification Services Division, O=thawte, Inc., C=US
NotBefore: 4/1/2008 6:00 PM
NotAfter: 12/1/2037 5:59 PM
Subject: CN=thawte Primary Root CA - G3, OU=(c) 2008 thawte, Inc. - For authorized use only, OU=Certification Services Division, O=thawte, Inc., C=US
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): f1 8b 53 8d 1b e9 03 b6 a6 f0 56 43 5b 17 15 89 ca f3 6b f2
No key provider information
Cannot find the certificate and private key for decryption.
. . . . .
================ Certificate 52 ================
Serial Number: 01
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
NotBefore: 5/30/2000 4:48 AM
NotAfter: 5/30/2020 4:48 AM
Subject: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 02 fa f3 e2 91 43 54 68 60 78 57 69 4d f5 e4 5b 68 85 18 68
No key provider information
Cannot find the certificate and private key for decryption.
CertUtil: -store command completed successfully.
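When auditing a trust store, the `certutil -store` text above can be parsed into records and checked for expired roots. The following Python is an added example, not part of the original post: the sample is constructed (abridged) from two records in the output above, the names `parse_store` and `expired` are hypothetical, and it assumes the US-English date format shown here.

```python
import re
from datetime import datetime

# Constructed sample: two records abridged from the `certutil -store authroot` output above.
SAMPLE = """\
================ Certificate 0 ================
Serial Number: 7777062726a9b17c
Issuer: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
NotAfter: 12/31/2030 8:06 AM
Subject: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
Cert Hash(sha1): f9 b5 b6 32 45 5f 9c be ec 57 5f 80 dc e9 6e 2c c7 b2 78 b7
================ Certificate 52 ================
Serial Number: 01
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
NotAfter: 5/30/2020 4:48 AM
Subject: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Cert Hash(sha1): 02 fa f3 e2 91 43 54 68 60 78 57 69 4d f5 e4 5b 68 85 18 68
CertUtil: -store command completed successfully.
"""

FIELD = re.compile(r"^\s*(Serial Number|Issuer|NotAfter|Subject|Cert Hash\(sha1\)):\s*(.*)$")

def parse_store(text):
    """Split certutil -store output into one dict per certificate record."""
    certs = []
    for block in re.split(r"^=+ Certificate \d+ =+$", text, flags=re.M)[1:]:
        cert = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                cert[m.group(1)] = m.group(2).strip()
        if "NotAfter" not in cert:  # skip truncated or elided records
            continue
        # Normalise the thumbprint: no spaces, upper case, as most other tools print it.
        cert["thumbprint"] = cert.pop("Cert Hash(sha1)", "").replace(" ", "").upper()
        # Assumption: US-English date format, as in the output on this page.
        cert["not_after"] = datetime.strptime(cert["NotAfter"], "%m/%d/%Y %I:%M %p")
        cert["self_signed"] = cert.get("Subject") == cert.get("Issuer")
        certs.append(cert)
    return certs

def expired(certs, now):
    """Return the certificates whose NotAfter is earlier than `now`."""
    return [c for c in certs if c["not_after"] < now]

if __name__ == "__main__":
    for c in expired(parse_store(SAMPLE), datetime.now()):
        print(c["thumbprint"], c["not_after"].date(), c["Subject"])
```

On a live system, pass the captured text of `certutil -store authroot` to `parse_store` in place of `SAMPLE`.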
And there you go, kids… always remember to use your powers for good and not evil.