How to List Valid Certificate Store Names for certutil.exe in Windows



When working with certificates in Windows, you'll frequently encounter certificate stores - logical containers that group certificates by purpose or trust level. The certutil.exe utility is a powerful command-line tool for managing these stores, but finding the correct store names can be tricky.

The easiest way to list all valid store names is using certutil itself:

certutil -store -silent

This command displays all certificates along with their store locations. The store names appear in the output like this:

================ Certificate 0 ================
Serial Number: 33000001f273bd4364efa36b5a0000000001f2
Issuer: CN=Microsoft Root Certificate Authority
 NotBefore: 5/11/2011 7:58 PM
 NotAfter: 5/12/2036 7:58 PM
Subject: CN=Microsoft Root Certificate Authority
Store: Root

Here are some frequently used store names that work with certutil:

  • Root - Trusted Root Certification Authorities
  • CA - Intermediate Certification Authorities
  • My - Personal certificates
  • TrustedPublisher - Trusted publishers
  • AuthRoot - Third-party root CAs
  • Disallowed - Untrusted certificates

To programmatically install a certificate to a specific store, use:

certutil -addstore -enterprise CA certfile.cer

The -enterprise flag makes the certificate available to all users on the machine. For user-specific installation, omit this flag.

Be aware that some stores have multiple valid names. The short name CA and the long name "Intermediate Certification Authorities" refer to the same store:

certutil -addstore CA certfile.cer
certutil -addstore "Intermediate Certification Authorities" certfile.cer

The full store names (with spaces) must be quoted when used in command-line operations.

To confirm your certificate was installed correctly:

certutil -store CA | findstr "YourCertSubject"

Or to see all certificates in a store:

certutil -viewstore CA

For scripting purposes, you can use PowerShell to list all available stores:

Get-ChildItem Cert:\ -Recurse | Select-Object -ExpandProperty PSParentPath | Sort-Object -Unique

Or through C# code:

using System;
using System.Security.Cryptography.X509Certificates;

// Print every predefined store name in the StoreName enum.
foreach (StoreName storeName in Enum.GetValues(typeof(StoreName)))
{
    Console.WriteLine(storeName.ToString());
}

If you encounter "The system cannot find the file specified" errors:

  • Ensure the store name is spelled correctly
  • Try both short (CA) and long ("Intermediate Certification Authorities") names
  • Verify you have sufficient permissions (run as Administrator)
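
A scripted form of the two checks above (validating the store name, then confirming the install), added here as an example and not part of the original article. The function names Get-ValidStoreName and Test-CertificateInStore are hypothetical, and certfile.cer is the article's sample file name. It matches on thumbprint rather than subject text, because two different certificates can carry the same subject.

```powershell
# Added example; function names are hypothetical, not part of certutil or Windows.

function Get-ValidStoreName {
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Location = 'LocalMachine'
    )
    # Each child of Cert:\<Location> is a store; Name is the short
    # store name such as My, Root or CA.
    Get-ChildItem -Path "Cert:\$Location" | Select-Object -ExpandProperty Name
}

function Test-CertificateInStore {
    param(
        [Parameter(Mandatory)][string]$CertFile,
        [Parameter(Mandatory)][string]$StoreName,
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Location = 'LocalMachine'
    )

    # Reject a misspelled store name up front and show the valid ones.
    # -notcontains compares strings case-insensitively.
    $valid = Get-ValidStoreName -Location $Location
    if ($valid -notcontains $StoreName) {
        throw "Unknown store '$StoreName' in $Location. Valid names: $($valid -join ', ')"
    }

    # Load the certificate file and compute its thumbprint.
    $path = (Resolve-Path -LiteralPath $CertFile).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

    # True only if this exact certificate is present in the store.
    Test-Path -Path "Cert:\$Location\$StoreName\$($cert.Thumbprint)"
}

# Example call, using the article's sample file name:
# Test-CertificateInStore -CertFile .\certfile.cer -StoreName CA
```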


When working with Windows certificate management through certutil, one common challenge is determining the valid store names for the -addstore command. Unlike some commands where you can simply list available options, store names require specific knowledge of Windows certificate store architecture.

The most reliable way to list available certificate stores is through PowerShell:

Get-ChildItem Cert:\ -Recurse | Select-Object -Unique PSParentPath | Format-List

This will output all available certificate store locations, including:

  • CurrentUser\My
  • LocalMachine\Root
  • CurrentUser\TrustedPeople
  • LocalMachine\CA

Another approach is to examine the Certificate Manager GUI (certmgr.msc) which visually displays all store names:

certmgr.msc (for current user stores)
certlm.msc (for local machine stores)

The folder names you see in the GUI map directly to valid store names for certutil.

Here are some frequently used store names:

Root          # Trusted Root Certification Authorities
CA            # Intermediate Certification Authorities
My            # Personal certificates
TrustedPeople # Trusted People store
Disallowed    # Untrusted certificates

Here's how to install a certificate to the Enterprise CA store using certutil:

certutil -addstore -enterprise CA certfile.cer

And to verify the installation:

certutil -store -enterprise CA

For scripting purposes, you can use PowerShell to get store names dynamically:

$storeNames = (Get-ChildItem Cert:\LocalMachine | Select-Object -ExpandProperty Name)
foreach ($store in $storeNames) {
    Write-Host "Available store: $store"
}

  • CurrentUser vs LocalMachine stores require different permissions
  • The "-enterprise" flag indicates the enterprise certificate store
  • Store names are case-insensitive in most Windows versions