6

On Windows, you can use certutil.exe to manage certificates. But it really has lots of options, and the command help (as much as Google) doesn't help in clearly understanding it.

What is the exact meaning of these commands, all of which should be able to import a certificate into the local machine store?

certutil -addstore my <filename>
certutil -installcert <filename>
certutil -importcert <filename>
certutil -importpfx <filename>

I can guess the last one is for importing certificates from .pfx files; but shouldn't (some of) the other ones be able to do the same, too? And, what are the differences between the first three?

Massimo

2 Answers

4

Try commands with -?. You can get detailed information about commands:

For example:

C:\>certutil -addstore -?

Usage:
  CertUtil [Options] -addstore CertificateStoreName InFile
  Add certificate to store
    CertificateStoreName -- Certificate store name.  See -store.
    InFile -- Certificate or CRL file to add to store.

Options:
  -f                -- Force overwrite
  -enterprise       -- Use local machine Enterprise registry certificate store
  -user             -- Use HKEY_CURRENT_USER keys or certificate store
  -GroupPolicy      -- Use Group Policy certificate store
  -gmt              -- Display times as GMT
  -seconds          -- Display times with seconds and milliseconds
  -v                -- Verbose operation
  -privatekey       -- Display password and private key data
  -dc DCName                -- Target a specific Domain Controller

CertUtil -?              -- Display a verb list (command list)
CertUtil -addstore -?    -- Display help text for the "addstore" verb
CertUtil -v -?           -- Display all help text for all verbs

2

The first thing to distinguish is the difference between a certificate store and a certificate database.

From MSDN - Public Key Infrastructure

Certificate Database

Saves certificate requests and issued and revoked certificates and certificate requests on the CA or RA.

Certificate Store

Saves issued certificates and pending or rejected certificate requests on the local computer.

This means -addstore is used when you want to add a certificate to the local store.

Next is the difference between -installcert and -importcert. The key is to distinguish the difference between an install and an import.

The file used for -importcert must be a single certificate.

The file used for -installcert can be a certificate chain (PKCS #7 or X.509 v3) or a single certificate.

Finally this means -installpfx will install a single PFX (PKCS #12) certificate or a certificate chain.

Tao Zhyn
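The three file kinds the answer above separates (a single certificate, a PKCS #7 chain, and a PKCS #12/PFX with its private key) map onto different PowerShell cmdlets in the same way they map onto different certutil verbs. The following script is an added example, not part of either answer: it imports each kind into the LocalMachine store, then checks that the expected certificate actually landed there with a private key attached. The file paths and the thumbprint are placeholders; run it from an elevated PowerShell with the PKI module (Windows 8 / Server 2012 or later).

```powershell
# Added example: import a single .cer, a .p7b chain and a .pfx into the LocalMachine
# store with the PKI module cmdlets, then verify the result. Paths and the thumbprint
# are placeholders, not values from the question.
param(
    [string]$SingleCert = 'C:\certs\server.cer',   # one X.509 certificate (DER or Base64)
    [string]$ChainFile  = 'C:\certs\chain.p7b',    # PKCS #7 bundle: leaf plus issuing CAs
    [string]$PfxFile    = 'C:\certs\server.pfx',   # PKCS #12: certificate plus private key
    [string]$ExpectedThumbprint = 'PLACEHOLDER_SHA1_THUMBPRINT'
)

$myStore = 'Cert:\LocalMachine\My'

# Import-Certificate corresponds to -addstore / -installcert: it takes a single .cer
# or a .p7b bundle. With a bundle, every certificate in the file goes into the same
# store, so list the bundle before deciding where it belongs (a leaf that is mixed
# into a CA bundle would otherwise end up in the CA store).
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($ChainFile)
$bundle | ForEach-Object { "{0}  issued by {1}" -f $_.Subject, $_.Issuer }

# Intermediates belong in the CA store, not in My.
Import-Certificate -FilePath $ChainFile -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null

# The end-entity certificate alone goes into My (equivalent of: certutil -addstore My server.cer).
$leaf = Import-Certificate -FilePath $SingleCert -CertStoreLocation $myStore

# Import-PfxCertificate corresponds to -importpfx: the private key is imported as well,
# so a password is required, and the key stays non-exportable unless -Exportable is given.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation $myStore -Password $pfxPassword | Out-Null

# Verification: the expected certificate is present in My and has a key bound to it.
$installed = Get-ChildItem $myStore | Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
if (-not $installed) {
    throw "Certificate $ExpectedThumbprint not found in $myStore"
}
if (-not $installed.HasPrivateKey) {
    Write-Warning "Certificate $ExpectedThumbprint is present but has no private key bound"
}
"OK: {0} (key attached: {1})" -f $installed.Subject, $installed.HasPrivateKey
```

The point of listing the bundle first is the one the answer makes: -addstore and -installcert will happily push a whole chain into one store, so a CA bundle that also carries a leaf, or a leaf file that is really a PKCS #7, ends up in the wrong place without any error. Checking the thumbprint after the import, rather than trusting the exit code, catches that.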