{"id":9768,"date":"2024-07-14T22:06:15","date_gmt":"2024-07-14T20:06:15","guid":{"rendered":"https:\/\/michlstechblog.info\/blog\/?p=9768"},"modified":"2024-11-15T15:16:58","modified_gmt":"2024-11-15T14:16:58","slug":"windows-certutil-command-line-examples","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/windows-certutil-command-line-examples\/","title":{"rendered":"Windows: certutil command line examples"},"content":{"rendered":"<p>Hi,<\/p>\n<p>Windows has a built-in tool for dealing with X.509 certificates, certificate stores and much more.<br \/>\n<!--more--><\/p>\n<p>In my opinion the usage is not very intuitive. <\/p>\n<p>Here are some useful examples:<\/p>\n<p>Show the content of the NTAuth store<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; certutil -store -enterprise ntauth\r\n<\/pre>\n<p>Import a PFX\/PKCS#12 key and certificate into the user's store and set the &#8220;no export&#8221; and ProtectHigh (opens the protection dialog to password-protect the key) properties. The -p option is the PFX file password.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; certutil -user -p ImportPW -importpfx &quot;C:\\Users\\michael\\Documents\\myKeyCert.pfx&quot; &quot;NoExport,ProtectHigh&quot;\r\n<\/pre>\n<p>Import a root certificate into the machine's &#8220;trusted root certification authority&#8221; store. Possible options: -Enterprise (company store), -user (only to the user's store)<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; certutil -addstore root &quot;C:\\Users\\michael\\Documents\\rootCA\\CAcerts\\ca.cer&quot;\r\n<\/pre>\n<p>Import an intermediate certificate into the machine's &#8220;intermediate certification authority&#8221; store.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; certutil -addstore CA C:\\Users\\michael\\Documents\\intCAAuth\\CAcerts\\intermediatecaauth.cer\r\n<\/pre>\n<p>Create a PFX\/PKCS#12 file from key and certificate<br \/>\nGive the key and the cert the same basename, e.g. 
mycert, and give the key the extension .key and the certificate the extension .cer. They must not be password protected!<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nmycert.key\r\nmycert.cer\r\n<\/pre>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; certutil -mergepfx mycert.cer mycert.pfx\r\n<\/pre>\n<p>Create a self-signed certificate with key usage and extended key usage<\/p>\n<p><!--[shell]\nPS D:\\&gt; certutil -f -g 2048 -r -a -n &quot;CN=myServer.myDomain.org&quot; -b 12\/31\/2023 -e 12\/31\/2024 -eku 1.3.6.1.5.5.7.3.1 -ku 0x20,0x10 -sv myServer.key myServer.cer\n[\/shell]--><\/p>\n<p>to be continued&#8230;.<\/p>\n<p>Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, Windows has a built-in tool for dealing with X.509 certificates, certificate stores and much more.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[1069,515,20],"class_list":["post-9768","post","type-post","status-publish","format-standard","hentry","category-windowsknowhow","tag-certutil","tag-examples","tag-windows-2"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/9768","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=9768"}],"version-history":[{"count":8,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/9768\/revisions"}],"predecessor-version":[{"id":9934,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/9768\/revisions\/9934"}],"wp:attachment":[{"
href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=9768"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=9768"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=9768"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}