14

I use a few secure websites that require me to install a PFX certificate to access them. I have multiple computers I do this from, and I need a quick way of determining which ones I still need to install the certificate on.

Is there a way I can list all the certificates in the Personal store using batch commands? I can run the command remotely, but I'm not aware of any method to list them.

"How can I get a list of installed certificates on Windows?" is a similar question, but I'm looking for a solution specific to the command line. The answers there all involve using the GUI or PowerShell.

  • What OS are you using? – EBGreen Dec 19 '13 at 18:43
  • I'm using Windows 7 –  Dec 19 '13 at 18:57
  • possible duplicate of [How can I get a list of installed certificates on Windows?](http://superuser.com/questions/137500/how-can-i-get-a-list-of-installed-certificates-on-windows) – SeanC Dec 19 '13 at 19:17
  • @SeanCheshire That's a more generalized way of asking this question; I'm looking for a solution specific to the command line. The answers there all involve using the GUI or PowerShell. –  Dec 19 '13 at 19:40
  • It isn't an exact dupe I feel since it specifies command line, but the second answer does answer this question. – EBGreen Dec 19 '13 at 19:41
  • Can't you just start PowerShell from `cmd.exe` and pass it the little scriptlet in [this answer](http://superuser.com/a/137545/144607)? – allquixotic Dec 19 '13 at 20:23
  • 3
    @Moses What's your particular aversion to PowerShell? It's not like you're looking to do this on XP or Server 2003, where PowerShell isn't built-in on a standard install. Also, PowerShell allows you to run some commands remotely (if the systems are properly configured for it) which would allow you to easily gather all data on all your systems from across the network in one script. – Iszi Dec 19 '13 at 20:40
  • 1
    @Iszi In fact, for a large number of systems, *using* PowerShell to do the entire task (determine whether the cert needs to be installed, and then install it if not) is entirely plausible -- assuming they're all on the same LAN, you could sit at your own workstation and do this for ALL the PCs under your purview using the remote feature of PS. I would rather think he'd be trying to *implement* his solution in PS, rather than avoiding it! – allquixotic Dec 19 '13 at 20:55
  • 1
    @allquixotic I will confess though, that more than once I asked a question like this myself. It was perhaps almost as much out of fear of adapting to PowerShell (vs. writing the batch scripts I understood) as it was a need to support XP/2003. I've learned a bit since then, though. Now I can't stand being limited to batch. – Iszi Dec 19 '13 at 20:58

2 Answers

20

Here's how to do it from a cmd.exe shell on Windows 7, without first starting PowerShell:

```
C:\> powershell -Command Get-ChildItem -Recurse Cert:
```

You can then pipe the output to other commands (which commands? well, your question isn't about that, so I won't go into detail) or to a file. From there you can isolate whether the specific cert you're looking for is installed.

Since you said you're on Windows 7, I assume that PowerShell is installed. To not have PowerShell, it would explicitly have to be uninstalled, and you didn't mention in your question that PowerShell was uninstalled or not available, or that the solution has to work on pre-Vista Windows where PowerShell didn't exist.

allquixotic
  • I know how to pipe the output, so that shouldn't be an issue. My main reason for avoiding PowerShell is that I use a couple of different management applications that work really well with batch. This will work fine, though. Thanks. –  Dec 20 '13 at 17:28
  • Looks like the `Personal -> Certificates` of interest to you show up under the `Name : My` section from the powershell output. – jxramos Feb 09 '17 at 20:35
8

No PowerShell necessary.

Also, the proposed solution dumps raw data, not just the Personal store requested by the OP.

N.B. The following was run in an Administrator command prompt shell.

```
C:\windows\system32>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601

C:\windows\system32>certutil -store My
My   <<< Certificate Store Name
================ Certificate 0 ================
Serial Number: ****************************  <<< asterisks = mask for post. You will see cert info
Issuer: ****************************
NotBefore: ****************************
NotAfter: ****************************
Subject: CN=****************************
Non-root Certificate
Template: ****************************
Cert Hash(sha1): ****************************
Simple container name: ****************************
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
```
NetScr1be
  • 1
    Most answers recommend `certutil -store My`, but I'm getting blank output on Windows 10 Pro. `certutil -store Root` works just fine. Am I the only one with this problem? – tresf Sep 21 '19 at 14:27
  • Ok, I found it. `My` is the "Personal" section. In my case, I needed the `Trusted Root Certification Authorities` section for the current user. The command is `certutil -store -user Root`. The `-user` differentiates between `Computer` and `User`. Without it, it'll return the `Computer` certificates. – tresf Sep 21 '19 at 14:32
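
An added example (not part of either answer or of the comments above): a small script that a batch file can call to decide whether one specific certificate is present in the Personal (`My`) store, which is the step the first answer leaves open, and that checks both the user and the computer store, the distinction raised in the last comment. The file name `Test-ClientCert.ps1`, the thumbprint placeholder and the exit-code convention are assumptions made for this example.

```powershell
# Added example, not from the answers above. Hypothetical file name:
# Test-ClientCert.ps1. Call it from cmd.exe or a batch file:
#   powershell -NoProfile -File Test-ClientCert.ps1 -Thumbprint THUMBPRINT_PLACEHOLDER
#   if errorlevel 1 echo %COMPUTERNAME% still needs the certificate
# Exit codes (a convention chosen for this example):
#   0 = installed and usable, 1 = not installed, 2 = installed but unusable
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# Thumbprints pasted from the certificate dialog often carry spaces or an
# invisible leading character, so keep only the hex digits.
$wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$now    = Get-Date

# "My" is the Personal store; check the current user's and the computer's.
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

$found = @(foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, NotBefore, NotAfter, HasPrivateKey
})

if ($found.Count -eq 0) {
    Write-Output ('{0}: certificate {1} is NOT installed' -f $env:COMPUTERNAME, $wanted)
    exit 1
}

$found | Format-List

# A PFX normally carries the private key; without one, or outside the
# validity window, the certificate cannot be used to authenticate.
$usable = @($found | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -ge $now
})

if ($usable.Count -eq 0) {
    Write-Output ('{0}: found, but no private key or outside validity period' -f $env:COMPUTERNAME)
    exit 2
}

Write-Output ('{0}: certificate installed and usable' -f $env:COMPUTERNAME)
exit 0
```

Because both failure codes are non-zero, a single `if errorlevel 1` in the calling batch file flags every machine that needs attention, and the printed line says which case it is.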