14

I use a few secure websites that require me to install a PFX certificate to access them. I have multiple computers I do this from, and I need a quick way of determining which ones I still need to install the certificate on.

Is there a way I can list all the certificates in the Personal store using batch commands? I can run the command remotely, but I'm not aware of any method to list them.

"How can I get a list of installed certificates on Windows?" is a similar question, but I'm looking for a solution specific to the command line. The answers there all involve using the GUI or PowerShell.


9
  • What OS are you using?
    – EBGreen
    Commented Dec 19, 2013 at 18:43
  • I'm using Windows 7
    – user201262
    Commented Dec 19, 2013 at 18:57
  • 3
    @Moses What's your particular aversion to PowerShell? It's not like you're looking to do this on XP or Server 2003, where PowerShell isn't built-in on a standard install. Also, PowerShell allows you to run some commands remotely (if the systems are properly configured for it) which would allow you to easily gather all data on all your systems from across the network in one script.
    – Iszi
    Commented Dec 19, 2013 at 20:40
  • 1
    @Iszi In fact, for a large number of systems, using PowerShell to do the entire task (determine whether the cert needs to be installed, and then install it if not) is entirely plausible -- assuming they're all on the same LAN, you could sit at your own workstation and do this for ALL the PCs under your purview using the remote feature of PS. I would rather think he'd be trying to implement his solution in PS, rather than avoiding it! Commented Dec 19, 2013 at 20:55
  • 1
    @allquixotic I will confess though, that more than once I asked a question like this myself. It was perhaps almost as much out of fear of adapting to PowerShell (vs. writing the batch scripts I understood) as it was a need to support XP/2003. I've learned a bit since then, though. Now I can't stand being limited to batch.
    – Iszi
    Commented Dec 19, 2013 at 20:58

2 Answers 2

20

Here's how to do it from a cmd.exe shell on Windows 7, without first starting PowerShell:

C:\> powershell -Command Get-ChildItem -Recurse Cert:

You can then pipe the output to other commands (which commands? well, your question isn't about that, so I won't go into detail) or to a file. From there you can isolate whether the specific cert you're looking for is installed.

Since you said you're on Windows 7, I assume that PowerShell is installed. To not have PowerShell, it would explicitly have to be uninstalled, and you didn't mention in your question that PowerShell was uninstalled or not available, or that the solution has to work on pre-Vista Windows where PowerShell didn't exist.

2
  • I know how to pipe the output, so that shouldn't be an issue. My main reason for avoiding PowerShell is that I use a couple of different management applications that work really well with batch. This will work fine, though. Thanks
    – user201262
    Commented Dec 20, 2013 at 17:28
  • Looks like the Personal -> Certificates of interest to you show up under the Name : My section from the PowerShell output.
    – jxramos
    Commented Feb 9, 2017 at 20:35
8

No PowerShell necessary.

Also, the proposed solution dumps raw data, not just the Personal store requested by the OP.

N.B. The following was run in an Administrator command prompt shell:

C:\windows\system32>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601

C:\windows\system32>certutil -store My
My   <<< Certificate Store Name
================ Certificate 0 ================
Serial Number: ****************************  <<< asterisks = mask for post. You will see cert info
Issuer: ****************************
NotBefore: ****************************
NotAfter: ****************************
Subject: CN=****************************
Non-root Certificate
Template: ****************************
Cert Hash(sha1): ****************************
Simple container name: ****************************
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
2
  • 1
    Most answers recommend certutil -store My, but I'm getting blank output on Windows 10 Pro. certutil -store Root works just fine. Am I the only one with this problem?
    – tresf
    Commented Sep 21, 2019 at 14:27
  • Ok, I found it. My is the "Personal" section. In my case, I needed the Trusted Root Certification Authorities section for the current user. The command is certutil -store -user Root. The -user differentiates between Computer and User. Without it, it'll return the Computer certificates.
    – tresf
    Commented Sep 21, 2019 at 14:32
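
A batch-only presence check built on the certutil commands in the answer and comments above, added here as an example and not part of the original posts. It passes a SHA-1 thumbprint as certutil's CertId argument and checks both the current user's and the computer's Personal store; the thumbprint is a constructed placeholder, and the script assumes certutil exits non-zero when nothing matches.

```batch
@echo off
rem Added example: report whether one specific certificate is installed
rem in the Personal ("My") store of this machine.
setlocal

rem Constructed placeholder. Replace with the "Cert Hash(sha1)" value of the
rem certificate you expect, written without spaces.
set "THUMBPRINT=0000000000000000000000000000000000000000"
set "FOUND=0"

rem -user selects the current user's store. Without it certutil reads the
rem computer store, which may not hold a certificate imported per user.
rem "&&" runs the block only on exit code 0. "if errorlevel 1" is avoided
rem because certutil failure codes can be negative and would slip past it.
certutil -user -store My "%THUMBPRINT%" >nul 2>&1 && (
    echo %COMPUTERNAME%: present in the current user Personal store
    set "FOUND=1"
)

rem Computer-wide Personal store, the one listed by "certutil -store My".
certutil -store My "%THUMBPRINT%" >nul 2>&1 && (
    echo %COMPUTERNAME%: present in the computer Personal store
    set "FOUND=1"
)

if "%FOUND%"=="0" (
    echo %COMPUTERNAME%: certificate NOT installed
    exit /b 1
)
exit /b 0
```

The exit code (0 when found, 1 when missing) lets a management tool that runs the script remotely sort machines without parsing the output.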
