Certutil Commands
Windows Certificate Utility Commands
The `certutil` command-line utility in Windows is a powerful tool for managing certificates and certificate services, and for performing file operations such as encoding, decoding, and hashing. This guide provides an overview of commonly used `certutil` commands for system administrators and developers.
Certificate Management with Certutil
Effectively manage your digital certificates using `certutil`. You can list certificates stored in different certificate stores, add new certificates, and remove existing ones. Understanding certificate stores like MY (Personal), ROOT (Trusted Root Certification Authorities), and CA (Intermediate Certification Authorities) is crucial for proper management.
File Operations: Encoding, Decoding, and Hashing
Beyond certificate management, `certutil` offers robust file manipulation capabilities. It can encode binary files into text formats (like Base64) and decode them back, which is useful for transferring or embedding binary data in text-based configurations. Additionally, `certutil` can compute cryptographic hashes of files, such as SHA256, so you can check file integrity and authenticity by comparing the result against a value obtained from a trusted source.
Certutil Command Reference
| Command | Description |
|---|---|
| `certutil -store MY` | List personal certificates in the MY store. |
| `certutil -store ROOT` | List trusted root certificates in the ROOT store. |
| `certutil -store CA` | List intermediate certificates in the CA store. |
| `certutil -addstore -f "ROOT" new-root-certificate.crt` | Add a new root certificate to the ROOT store. The `-f` flag forces the operation. |
| `certutil -delstore "ROOT" serial-number-hex` | Remove a root certificate from the ROOT store using its hexadecimal serial number. |
| `certutil -addstore -f "CA" new-intermediate-certificate.crt` | Add a new intermediate certificate to the CA store. |
| `certutil -delstore "CA" serial-number-hex` | Remove an intermediate certificate from the CA store. |
| `certutil -addstore -f "MY" new-personal-certificate.pfx` | Add a new personal certificate (often in PFX format) to the MY store. |
| `certutil -delstore "MY" serial-number-hex` | Remove a personal certificate from the MY store. |
| `certutil -dump certificate.crt` | Display detailed information about a certificate file. |
| `certutil -encode certificate.crt encoded-certificate.txt` | Encode a certificate file into a text file (e.g., Base64). |
| `certutil -decode encoded-certificate.txt decoded-certificate.crt` | Decode a text file back into a certificate file. |
| `certutil -hashfile file.txt SHA256` | Calculate the SHA256 hash of a specified file. |
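
The encode, decode, and hash commands above can be combined into a scripted integrity check. The following PowerShell is an added example, not part of the original reference; the function names `Get-CertutilSha256` and `Test-CertutilRoundTrip` and the sample file are constructed for illustration.

```powershell
# Added example: function names and the sample file are constructed.
function Get-CertutilSha256 {
    param([Parameter(Mandatory)][string]$Path)
    $out = & certutil.exe -hashfile $Path SHA256
    if ($LASTEXITCODE -ne 0) { throw "certutil -hashfile failed for ${Path}: $out" }
    # The digest is the only output line that is 64 hex characters once
    # whitespace is removed (older Windows builds print it as spaced byte pairs).
    $hex = $out | ForEach-Object { $_ -replace '\s', '' } |
        Where-Object { $_ -match '^[0-9a-fA-F]{64}$' } | Select-Object -First 1
    if (-not $hex) { throw "No SHA256 digest found in certutil output for $Path" }
    return $hex.ToLowerInvariant()
}

function Test-CertutilRoundTrip {
    param([Parameter(Mandatory)][string]$Path)
    # Work in a fresh directory so -encode/-decode never hit an existing file.
    $work = Join-Path ([IO.Path]::GetTempPath()) ([Guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        $encoded = Join-Path $work 'encoded.txt'
        $decoded = Join-Path $work 'decoded.bin'
        & certutil.exe -encode $Path $encoded | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -encode failed" }
        & certutil.exe -decode $encoded $decoded | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -decode failed" }
        # The decoded copy must hash to the same value as the original.
        return (Get-CertutilSha256 $Path) -eq (Get-CertutilSha256 $decoded)
    }
    finally { Remove-Item -Recurse -Force $work }
}

# Constructed sample input: 256 bytes covering every byte value.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'certutil-sample.bin'
[IO.File]::WriteAllBytes($sample, [byte[]](0..255))
"SHA256: $(Get-CertutilSha256 $sample)"
"Round trip intact: $(Test-CertutilRoundTrip $sample)"
Remove-Item $sample
```

To check a download, compare the value returned by `Get-CertutilSha256` with the digest published by the file's source using `-eq`.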