Windows – Add Certificate to Stores


CERTUTIL -addstore -enterprise -f -v root "Certificate.cer"
CERTUTIL -addstore -f CA "Certificate.cer"
CERTUTIL -addstore -enterprise -f -v TrustedPublisher "Certificate.cer"
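
Anything placed in Root or TrustedPublisher is trusted machine-wide, so the file should be checked before it is imported. The PowerShell script below is an added example, not part of the original notes: it compares the file's SHA-256 fingerprint with a value obtained out of band, checks the validity dates, runs the same certutil -addstore command, and confirms the certificate landed in the store. The parameter names (CertPath, ExpectedSha256, Store) are assumptions made for this example.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell prompt.
param(
    [string]$CertPath = 'Certificate.cer',            # file name used on this page
    [Parameter(Mandatory)][string]$ExpectedSha256,    # fingerprint obtained out of band
    [ValidateSet('Root', 'CA', 'TrustedPublisher')]
    [string]$Store = 'Root'
)
$ErrorActionPreference = 'Stop'

# Load the certificate and hash its DER encoding.
$path = (Resolve-Path -LiteralPath $CertPath).ProviderPath
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
$sha  = [System.Security.Cryptography.SHA256]::Create()
try     { $actual = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', '' }
finally { $sha.Dispose() }

# Normalise the expected value (strip spaces and colons) and compare.
# PowerShell's -ne is case-insensitive, so hex case does not matter.
$expected = $ExpectedSha256 -replace '[^0-9A-Fa-f]', ''
if ($actual -ne $expected) {
    throw "Fingerprint mismatch for ${path}: expected $expected, got $actual"
}

# Refuse certificates outside their validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))"
}

# Heuristic: a certificate going into Root should be self-issued (subject = issuer).
if ($Store -eq 'Root' -and $cert.Subject -ne $cert.Issuer) {
    throw "Not self-issued (issuer: $($cert.Issuer)); do not place it in Root"
}

# Same switches as the commands above: -enterprise for Root and TrustedPublisher only.
$scope = if ($Store -eq 'CA') { @() } else { @('-enterprise') }
& certutil.exe @scope -addstore -f $Store $path
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

# Confirm the certificate is now in the store by looking it up by SHA-1 thumbprint.
& certutil.exe @scope -store $Store $cert.Thumbprint
if ($LASTEXITCODE -ne 0) { throw "Certificate not found in $Store after import" }
```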

 

Notes

View CA Configuration

If you want to view the configuration settings for the CA, including the settings that come from CAPolicy.inf or that are applied after installation by post-configuration scripts, you can issue the following commands:

certutil -dump
certutil -getreg
certutil -getreg CA

 
Publish expired certificates in the CRL

If you want to maintain a revoked certificate in the CRL beyond the certificate’s expiration date, you can enable the publication of expired certificates to the CRL by running the following command at a command-line prompt and then restarting Certificate Services.

certutil -setreg ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS

 
Dump certificate templates and settings from the CA

certutil -v -template

Variations of that command

certutil -v -template > templatelist.txt
certutil -v -template clientauth > clientauthsettings.txt

 
Copy a CRL to a file

If you want to copy a certificate revocation list to removable media (such as a floppy drive at a:) and name it corprootca.crl, you can run the following command:

certutil -getcrl a:\corprootca.crl

 
View Certificate Templates

If you want to dump a list of certificate templates and their settings to a text file (MyTemplates.txt), you can run the following command:

certutil -v -template > MyTemplates.txt

 
View AIA container

To view the contents of the AIA container in Active Directory Domain Services (AD DS) for a domain named contoso.com, run the following command:

certutil -viewstore "ldap:///CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate?base?objectclass=certificationAuthority"

 
View Intermediate CA certificate store

To view the content of the client computer’s Intermediate Certification Authorities certificate store, type the following command at a command-line prompt.

certutil -enterprise -viewstore CA

 
View NTAuth Container

To view the content of the NTAuth container in AD DS for a domain named Corp.contoso.com, you would type the following command on a single line and press ENTER:

certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"

 
View Trusted Root CAs

To view the content of the client computer’s Trusted Root Certification Authorities Enterprise certificate store, type the following command at a command-line prompt.

certutil -enterprise -viewstore Root

 

Purge policy cache

When you are working with Certificate Enrollment Policy Web Services servers, the local computer keeps a cache of the policies it has retrieved. You may want to clear this cache when the resulting certificate policies are not what you expect. You can clear the certificate policy cache by running the following command:

certutil -f -policyserver * -policycache delete

 
Check the certificate revocation chain

certutil -verify -urlfetch "Certificate.cer"
certutil -URL "Certificate.cer"