Certutil.exe: What It is and All Its Functions

Certutil.exe is a powerful command-line tool that is an integral part of the Windows operating system. It offers a wide range of functions and capabilities related to certificate management and manipulation.

In this article, we will explore what Certutil.exe is, investigate its various functions, and understand how it contributes to the security and administration of digital certificates in Windows environments.

What is a Certutil exe used for?

Certutil.exe, a command-line program that comes bundled with Certificate Services. It lets users view certification authority (CA) configuration information and configure Certificate Services. It also allows the backup and restoration of CA components and verify certificates, key pairs, and certificate chains.

With its flexible options and capabilities, certutil.exe is a valuable tool for administrators and users. It enables them to efficiently manage and maintain the integrity of certificates within their Windows environments.

Where is Certutil exe located in Windows?

In Windows operating systems, Certutil.exe is in the System32 folder. The specific path is as follows:

C:\Windows\System32\certutil.exe

The System32 folder is a standard system directory that stores essential system files and executables. Other executables found in it include CameraSettingsUIHost.exe, Bootsect.exe, etc. Note that the actual location of Certutil.exe may vary slightly depending on the Windows version and any system modifications.

How do I run Certutil command?

1. Press the Windows + S keys together, enter prompt in the search field.
2. While holding CTRL and Shift keys down, press ENTER to start Command Prompt with admin privileges.
   
3. When you receive a prompt, click Yes.
4. Then, use the cd command followed by the path to the directory to navigate to the correct directory.
   cd C:\Windows\System32\ (For example)
5. Once you are in the correct directory, execute the Certutil command.
6. The syntax for using Certutil varies depending on the specific operation you want to perform. Here are a few examples:
   • To display information about a certificate file:
     certutil -dump <certificate-file>
     
   • To verify a certificate chain:
     certutil -verify <certificate-file>
     
   • To export a certificate to a file:
     certutil -export <certificate-serial-number> <export-file>
     
7. Replace <certificate-file>, <store-name>, <certificate-serial-number>, and <export-file> with the appropriate values for your specific use case.
8. To install a certificate from a file:
   certutil -addstore <store-name> <certificate-file>
9. Finally, after executing the Certutil command, review the output in the Command Prompt window. It will display the results of the operation you performed.

Remember to either refer to the Certutil documentation or consult specific command syntax for detailed information on each operation’s available options and parameters.

How do I remove a certificate from Certutil exe?

1. Press the Windows + S keys together, enter prompt in the search field.
2. While holding CTRL and Shift keys down, press ENTER to start Command Prompt with admin privileges.
   
3. When you receive a prompt, click Yes.
4. Then, enter the following command to view the certificates stored in the certificate store and click Enter:
   certutil -store <storename>
   Replace <storename> with the appropriate certificate store name. Common store names include Root, My, CA, Trust, etc.
5. For example, to view certificates in the personal certificate store, you would use:
   certutil -store My
   
6. The above command will display a list of certificates along with their index numbers.
7. When the certificates are displayed, identify the index number of the certificate you want to remove from the list.
8. To remove the certificate, use the following command:
   certutil -delstore <storename> <index>
9. Replace <storename> with the appropriate certificate store name and <index> with the index number of the certificate you want to remove.
10. For example:
    certutil -delstore My 123
    
11. The above command will delete the certificate with index number 123 from the personal certificate store.
12. Confirm the deletion when prompted.

Be cautious when removing certificates, as it can have implications for applications and services that rely on those certificates. Make sure you remove the correct certificate and have a backup or a way to restore the certificate if needed.

Additionally, depending on the specific scenario and use case, it may be necessary to remove the certificate from other certificate stores or revoke the certificate if a certificate authority issues it.

What does Certutil dump?

The certutil dump command displays detailed information about a certificate or certificate file. When you use certutil dump, it retrieves and presents various properties and attributes associated with the certificate.

Here are some of the information that “certutil dump” can display:

• Certificate details.
•  Public key information.
•  Certificate extensions.
•  Certificate chain.
•  Revocation status.

In conclusion, Certutil.exe is a versatile and indispensable tool for certificate management in Windows environments. Its wide range of functions enables administrators and users to perform various certificate management, validation, conversion, and other related tasks.

Whether checking the validity of certificates, creating certificate request files, or managing certificate stores, Certutil.exe provides a comprehensive set of command-line options to facilitate these operations. Remember to scan any file you doubt with trusted antivirus software.