how to find out the valid store names for certutil

Question

I'm trying to find a way to script installing a certificate.

Going "right-click->install certificate" works, and shows the certificate under 'subordinate certification authorities' in IE's certificate view

If found the certutil.exe command,

certutil.exe -addstore -enterprise <storename>

My question is how do you list/find out the valid storenames?

Answer 1

Found a site with the valid store names which are:

ca -> Specifies certificates in the Intermediate Certification Authorities store
my -> Specifies certificates issued to the current user
root -> Specifies certificates in the Trusted Root Certification Authorities store
spc -> Specifies software publisher certificates
user_created_store -> Specifies the name of a user-created certificate store

Answer 2

You can quickly get the list in Powershell:

PS> ls Cert:\LocalMachine

Name : TrustedPublisher
Name : ClientAuthIssuer
Name : Remote Desktop
Name : Root
Name : TrustedDevices
Name : WebHosting
Name : CA
Name : REQUEST
Name : AuthRoot
Name : TrustedPeople
Name : My
Name : SmartCardRoot
Name : Trust
Name : Disallowed

Answer 3

also:

• AddressBook -> specifies "Other People" store
• Trust -> specifies "Enterprise Trust" store
• TrustedPublisher -> specifies "Trusted Publishers" store

by the way, "spc" is not working for me

I think the list is here: http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename.aspx

or here http://msdn.microsoft.com/en-us/library/microsoft.web.services2.security.x509.x509certificatestore_members.aspx

"root" and "trust" are not valid in the user context (when using -user switch)

Answer 4

This will enumerate all certificate stores:

certutil -enumstore

certutil -enumstore output

Check this answer for naming discrepancies: Certutil naming mismatch