Some examples of listing certificates in the following stores:
certutil -store My
certutil -store Root
certutil -store CA
certutil -store -enterprise Root
Delete a certificate from a specific store:
certutil -delstore -enterprise Root CertId
e.g. certutil -delstore -enterprise Root InternalSVR-CA
Get all the info:
certutil -V -? | more
Main relevant part:
CertUtil [Options] -store [CertificateStoreName [CertId [OutputFile]]]
Dump certificate store
CertificateStoreName -- Certificate store name. Examples:
"My", "CA" (default), "Root",
"ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configura
te?one?objectClass=certificationAuthority" (View Root Certificates)
"ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN
ACertificate?base?objectClass=certificationAuthority" (Modify Root Certificates)
"ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Config
ateRevocationList?base?objectClass=cRLDistributionPoint" (View CRLs)
"ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC
?objectClass=certificationAuthority" (Enterprise CA Certificates)
ldap: (AD machine object certificates)
-user ldap: (AD user object certificates)
CertId -- Certificate or CRL match token. This can be a serial number,
an SHA-1 certificate, CRL, CTL or public key hash,
a numeric cert index (0, 1, etc.),
a numeric CRL index (.0, .1, etc.),
a numeric CTL index (..0, ..1, etc.),
a public key, signature or extension ObjectId,
a certificate subject Common Name,
an e-mail address, UPN or DNS name,
a key container name or CSP name,
a template name or ObjectId,
an EKU or Application Policies ObjectId,
or a CRL issuer Common Name.
Many of the above may result in multiple matches.
OutputFile -- file to save matching cert
Use -user to access a user store instead of a machine store.
Use -enterprise to access a machine enterprise store.
Use -service to access a machine service store.
Use -grouppolicy to access a machine group policy store.
Examples:
-enterprise NTAuth
-enterprise Root 37
-user My 26e0aaaf000000000004
CA .11
[-f] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName]
CertUtil [Options] -addstore CertificateStoreName InFile
Add certificate to store
CertificateStoreName -- Certificate store name. See -store.
InFile -- Certificate or CRL file to add to store.
[-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]
CertUtil [Options] -delstore CertificateStoreName CertId
Delete certificate from store
CertificateStoreName -- Certificate store name. See -store.
CertId -- Certificate or CRL match token. See -store.
[-enterprise] [-user] [-GroupPolicy] [-dc DCName]
Want to install a cert automatically with VMware Horizon Client?
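@echo off
rem Silent install: add the root certificate, then install the Horizon Client.
echo This window will close once the installation process is finished.
echo Installing now, please wait...
rem Add the certificate to the Root store (-f forces overwrite of an existing entry).
certutil -addstore -f -enterprise -user root "%tmp%\Root64.cer" > NUL
rem /s /v"/qn ..." passes the quiet-install properties through to the MSI.
"%tmp%\viewclient32.exe" /s /v"/qn REBOOT=ReallySuppress VDM_SERVER=externalvdi.domain.com ADDLOCAL=Core,TSSO,USB"
rem Clean up the installer, the certificate file and setup.bat.
del /F "%tmp%\viewclient32.exe" > NUL
del /F "%tmp%\Root64.cer" > NUL
del /F "%tmp%\setup.bat" > NUL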
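The script above trusts whatever file happens to be at %tmp%\Root64.cer. The PowerShell below is an added example, not part of the original post: it checks that file against a pinned SHA-256 fingerprint before running the same certutil command. The fingerprint placeholder, the function name Test-RootCertificate and the parameter names are assumptions.

```powershell
# Added example: verify the root certificate before adding it to the store.
param(
    [string]$CertPath = (Join-Path $env:TEMP 'Root64.cer'),
    # Assumption: replace this placeholder with the SHA-256 fingerprint of your
    # root CA certificate, obtained out of band from the PKI owner.
    [string]$ExpectedSha256 = '<SHA256-FINGERPRINT-OF-YOUR-ROOT-CA>'
)
$ErrorActionPreference = 'Stop'

function Test-RootCertificate {
    param([string]$Path, [string]$PinnedSha256)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # Hash the DER encoding, not the file: a Base64-encoded .cer hashes differently.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $actual = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
    $sha.Dispose()
    $pinned = $PinnedSha256 -replace '[\s:]', ''

    $problems = @()
    if ($actual -ne $pinned) {            # -ne is case-insensitive for strings
        $problems += "Fingerprint mismatch: file has $actual"
    }
    if ($cert.Subject -ne $cert.Issuer) {
        $problems += "Not self-signed (issuer: $($cert.Issuer)), so not a root certificate"
    }
    # Conservative check: very old roots without Basic Constraints are flagged too.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        $problems += 'Basic Constraints does not mark this certificate as a CA'
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    $problems
}

$problems = Test-RootCertificate -Path $CertPath -PinnedSha256 $ExpectedSha256
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1                                # refuse to touch the trust store
}
# Same command as the batch script above, run only after the checks pass.
certutil -addstore -f -enterprise -user root $CertPath | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "certutil exited with $LASTEXITCODE"; exit $LASTEXITCODE }
```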