Hi,
Windows has a built-in tool, certutil, for dealing with X.509 certificates, certificate stores and much more.
In my opinion the usage is not very intuitive.
Here are some useful examples.
Show the content of the NTAuth store
PS D:\> certutil -store -enterprise ntauth
Import a PFX/PKCS#12 key and certificate into the user's store and set the “NoExport” and “ProtectHigh” properties (ProtectHigh opens the protection dialog so the key can be password protected). The -p option is the PFX file password.
PS D:\> certutil -user -p ImportPW -importpfx "C:\Users\michael\Documents\myKeyCert.pfx" "NoExport,ProtectHigh"
Import a root certificate into the machine's “trusted root certification authority” store. Possible options: -Enterprise (company store), -user (only the user's store).
PS D:\> certutil -addstore root "C:\Users\michael\Documents\rootCA\CAcerts\ca.cer"
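An added example, not part of the original post: a PowerShell check to run before the root import above, so that only the expected certificate ends up in the machine-wide trust store. The helper name Test-RootCandidate and the thumbprint placeholder are assumptions; the file path is the one used in the command above.

```powershell
# Added example: sanity-check a root CA file before trusting it machine-wide.
# The thumbprint is a placeholder (assumption); replace it with the value
# obtained out-of-band from the CA owner.
$Path               = "C:\Users\michael\Documents\rootCA\CAcerts\ca.cer"
$ExpectedThumbprint = "<THUMBPRINT-FROM-CA-OWNER>"

function Test-RootCandidate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $problems = @()

    # 1. Thumbprint must match the out-of-band value (ignore spaces and case).
    $want = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $want) {
        $problems += "thumbprint mismatch: file has $($cert.Thumbprint)"
    }

    # 2. A root is self-issued: subject and issuer are the same name.
    if ($cert.Subject -ne $cert.Issuer) {
        $problems += "not self-issued (issuer: $($cert.Issuer))"
    }

    # 3. Basic Constraints must mark it as a CA (old v1 roots will be flagged).
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        $problems += "Basic Constraints missing or CA=false"
    }

    # 4. Must be inside its validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period ($($cert.NotBefore) - $($cert.NotAfter))"
    }
    return ,$problems
}

$problems = Test-RootCandidate -CertPath $Path -Thumbprint $ExpectedThumbprint
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Refusing to import $Path"
}
certutil -addstore root $Path
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
```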
Import an intermediate certificate into the machine's “intermediate certification authority” store.
PS D:\> certutil -addstore CA C:\Users\michael\Documents\intCAAuth\CAcerts\intermediatecaauth.cer
Create a PFX/PKCS#12 file from a key and a certificate
Give the key and the certificate the same base name, e.g. mycert, with the extension .key for the key and .cer for the certificate. They must not be password protected!
mycert.key mycert.cer
PS D:\> certutil -mergepfx mycert.cer mycert.pfx
Create a self-signed certificate with key usage and extended key usage
To be continued…
Michael