Windows Certificate Manager

Guide to using Certificate Manager (certmgr.msc) and certutil commands for Windows certificate management.

Opening Certificate Manager

User certificates

Manage current user's personal certificates:

# Run from Run dialog (Win+R) or Command Prompt
certmgr.msc

# Or via Start menu search:
# Search for "Manage user certificates"

Computer certificates

Manage system-wide certificates (requires admin):

# Run from elevated Command Prompt or Run dialog
certlm.msc

# Or through MMC:
mmc
# File → Add/Remove Snap-in → Certificates → Computer account

Service certificates

Manage certificates for specific services:

# Through MMC snap-in
mmc
# File → Add/Remove Snap-in → Certificates → Service account
# Select service (e.g., "Network Service", "IIS")

Certificate Store Structure

Common certificate stores

Understanding Windows certificate store locations:

Personal (My):
  - User's personal certificates with private keys
  - SSL/TLS client certificates
  - Code signing certificates

Trusted Root Certification Authorities:
  - Root CA certificates that Windows trusts
  - System automatically trusts certs signed by these CAs

Intermediate Certification Authorities:
  - Intermediate CA certificates
  - Chain between root and end-entity certs

Trusted People:
  - Certificates of trusted entities
  - Used for email encryption (S/MIME)

Enterprise Trust:
  - Certificates trusted by organization
  - Deployed via Group Policy

Trusted Publishers:
  - Code signing certificates
  - Trusted software publishers

certutil Command-Line Operations

View certificate stores

List certificates in various stores:

# List certificates in Personal store (current user; -user selects HKEY_CURRENT_USER)
certutil -user -store My

# List certificates in Trusted Root store (Local Computer is the default without -user)
certutil -store Root

# List certificates in computer's Personal store (requires admin)
certutil -store My

# Open the GUI viewer for a store (Personal store shown here)
certutil -viewstore My

Add certificate to store

Import certificate into Windows certificate store:

# Add to current user's Personal store
certutil -user -addstore My certificate.cer

# Add to Trusted Root store (requires admin; -f overwrites an existing entry)
certutil -addstore -f Root root-ca.cer

# Add to Intermediate CA store
certutil -addstore CA intermediate.cer

# Import PFX/PKCS#12 with private key (prompts for password)
# Targets the Local Computer store; add -user for the current user's store
certutil -importPFX My certificate.pfx
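Because anything added to the Trusted Root store is trusted system-wide, it is worth knowing when that store changes. The following script is an added example, not part of the original guide: it snapshots the Local Computer Root store to a JSON baseline and on later runs reports roots that were added or removed. The baseline path is an assumption; run it elevated.

```powershell
# Added example (not from the original guide): snapshot the Trusted Root store
# and report certificates added or removed since the last snapshot.
# Assumes an elevated PowerShell session; $BaselinePath is an assumed location.
param(
    [string]$StorePath    = 'Cert:\LocalMachine\Root',
    [string]$BaselinePath = "$env:ProgramData\root-store-baseline.json"
)

# Thumbprint identifies each root; subject and NotAfter make the report readable.
$current = Get-ChildItem -Path $StorePath | ForEach-Object {
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter.ToString('u')
    }
}

if (-not (Test-Path -Path $BaselinePath)) {
    # First run: record the baseline and stop.
    $current | ConvertTo-Json -Depth 2 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath ($($current.Count) roots)"
    return
}

$baseline   = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$baseThumbs = @($baseline | ForEach-Object { $_.Thumbprint })
$currThumbs = @($current  | ForEach-Object { $_.Thumbprint })

# A root is "added" if it is in the store but not the baseline, "removed" if the reverse.
$added   = $current  | Where-Object { $baseThumbs -notcontains $_.Thumbprint }
$removed = $baseline | Where-Object { $currThumbs -notcontains $_.Thumbprint }

if (-not $added -and -not $removed) {
    Write-Host 'Trusted Root store matches baseline.'
} else {
    foreach ($c in $added)   { Write-Warning "ADDED   $($c.Thumbprint) $($c.Subject)" }
    foreach ($c in $removed) { Write-Warning "REMOVED $($c.Thumbprint) $($c.Subject)" }
}
```

Refresh the baseline (delete the JSON file) after an intended change such as the `certutil -addstore -f Root` above, so that only unexpected changes are reported.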

Delete certificate

Remove certificate from store:

# Delete by certificate thumbprint/hash
certutil -delstore My "a1 b2 c3 d4 e5 f6 ..."

# Delete from Root store (requires admin)
certutil -delstore Root "thumbprint"

View certificate details

Display certificate information:

# View certificate file
certutil -dump certificate.cer

# View certificate in store by hash
certutil -viewstore My "thumbprint"

# Verify certificate chain
certutil -verify certificate.cer

GUI Operations in certmgr.msc

Import certificate wizard

Steps to import certificate via GUI:

1. Open certmgr.msc
2. Navigate to desired store (e.g., Personal → Certificates)
3. Right-click → All Tasks → Import
4. Click Next in Certificate Import Wizard
5. Browse and select certificate file (.cer, .pfx, .p12)
6. If PFX: Enter password, select "Mark this key as exportable"
7. Select certificate store (or leave automatic)
8. Click Finish

Export certificate

Export certificate with or without private key:

1. Open certmgr.msc
2. Navigate to certificate location
3. Right-click certificate → All Tasks → Export
4. Click Next in Certificate Export Wizard
5. Choose export options:
   - "No, do not export the private key" → .cer file
   - "Yes, export the private key" → .pfx file (requires password)
6. Select format (DER or Base-64 for .cer, PFX for private key)
7. If PFX: Set password, enable strong encryption
8. Specify file name and location
9. Click Finish

Request new certificate

Generate certificate signing request:

1. Open certmgr.msc
2. Right-click Personal → All Tasks → Advanced Operations → Create Custom Request
3. Select template (or proceed without enrollment policy)
4. Choose certificate type (e.g., "Web Server", "User")
5. Configure key properties:
   - Algorithm: RSA (2048-bit minimum)
   - Check "Make private key exportable" if needed
6. Add certificate details:
   - Common Name (CN): domain name or identifier
   - Organization (O), Organizational Unit (OU), etc.
   - Add Subject Alternative Names if needed
7. Save request as .req or .csr file
8. Submit to CA for signing
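The same request can be produced from the command line with certreq, which reads its settings from an INF file. This is an added example, not from the original guide; the host name, organization and file paths are assumptions to replace with your own.

```powershell
# Added example (not from the original guide): build a PKCS#10 request with certreq.
# $HostName, the O/C values and the file paths are assumptions.
$HostName = 'www.example.com'
$InfPath  = "$env:TEMP\$HostName.inf"
$CsrPath  = "$env:TEMP\$HostName.csr"

# MachineKeySet = TRUE stores the key in the Local Computer store (what IIS needs);
# Exportable = FALSE matches leaving "Make private key exportable" unchecked in the wizard.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$HostName, O=Example Org, C=US"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Names: one dns= entry per host name
2.5.29.17 = "{text}"
_continue_ = "dns=$HostName&"
_continue_ = "dns=example.com&"
"@

Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# -new generates the key pair (kept as a pending request in the Local Computer store)
# and writes the CSR; the .csr file is what goes to the CA in step 8.
certreq -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
Get-Content -Path $CsrPath | Select-Object -First 3
```

When the CA returns the signed certificate, `certreq -accept signed.cer` installs it against the pending key.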

Delete certificate

Remove certificate from store:

1. Open certmgr.msc
2. Navigate to certificate
3. Right-click certificate → Delete
4. Confirm deletion
5. Warning: deleting a certificate together with its private key is permanent

IIS Certificate Management

Bind certificate to IIS site

Configure HTTPS binding in IIS:

1. Open IIS Manager (inetmgr)
2. Select website in left pane
3. Click "Bindings..." in Actions pane
4. Click "Add..." or edit existing HTTPS binding
5. Select:
   - Type: https
   - IP Address: (select or leave "All Unassigned")
   - Port: 443
   - Host name: example.com (for SNI)
   - SSL certificate: Select from dropdown
6. Check "Require Server Name Indication" for SNI
7. Click OK

View IIS certificates via certutil

List certificates available to IIS:

# List certificates in Local Computer Personal store (the default store without -user)
certutil -store My

# Verify certificate has private key
certutil -verifykeys

# Check which cert is bound to IIS
netsh http show sslcert
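To check that each binding actually points at a usable certificate, the following added example (not from the original guide) parses the `netsh http show sslcert` output, looks each bound hash up in the Local Computer Personal store, and flags bindings whose certificate is missing, has no private key, is expired, or fails chain validation. It assumes only the netsh output format and an elevated session.

```powershell
# Added example (not from the original guide): cross-check HTTP.sys SSL bindings
# against Cert:\LocalMachine\My. Assumes an elevated session and the standard
# netsh output lines "IP:port", "Hostname:port" and "Certificate Hash".
$store    = Get-ChildItem -Path 'Cert:\LocalMachine\My'
$bindings = @()
$current  = $null

# netsh prints one block per binding; collect the endpoint and hash of each block.
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
        $current   = [pscustomobject]@{ Endpoint = $Matches[2]; Hash = $null }
        $bindings += $current
    } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
        $current.Hash = $Matches[1].ToUpper()
    }
}

foreach ($b in $bindings) {
    $cert = $store | Where-Object { $_.Thumbprint -eq $b.Hash }
    if (-not $cert) {
        Write-Warning "$($b.Endpoint): bound hash $($b.Hash) not found in LocalMachine\My"
        continue
    }
    $problems = @()
    if (-not $cert.HasPrivateKey)      { $problems += 'no private key' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired $($cert.NotAfter.ToShortDateString())" }
    # X509Certificate2.Verify() builds the chain and applies revocation checking.
    if (-not $cert.Verify())           { $problems += 'chain/revocation check failed' }
    if ($problems) {
        Write-Warning "$($b.Endpoint): $($cert.Subject) -> $($problems -join ', ')"
    } else {
        Write-Host "$($b.Endpoint): OK ($($cert.Subject), expires $($cert.NotAfter.ToShortDateString()))"
    }
}
```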

Certificate Renewal

Renew certificate via GUI

Renew certificate through certmgr.msc:

1. Open certmgr.msc
2. Navigate to certificate requiring renewal
3. Right-click certificate → All Tasks → Renew Certificate with New Key
4. Follow enrollment wizard
5. Submit request to CA
6. Install renewed certificate when received
7. Update bindings/applications to use new certificate
8. Delete old certificate after verification

Check certificate expiration

Find certificates nearing expiration:

# List all certificates with expiration dates
certutil -store My | findstr /C:"NotAfter"

# View specific certificate details
certutil -dump certificate.cer | findstr /C:"NotAfter"
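The findstr filter above shows dates but not which certificate they belong to. As an added example (not from the original guide), this script lists certificates in both Personal stores that expire within a chosen number of days, with thumbprint, days remaining and whether a private key is present; the 30-day default is an assumption.

```powershell
# Added example (not from the original guide): report certificates in the user and
# computer Personal stores that expire within $Days days (30 is an assumed default).
param([int]$Days = 30)

$cutoff = (Get-Date).AddDays($Days)
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

$report = foreach ($path in $stores) {
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
        Where-Object { $_.NotAfter -le $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $path
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                # Negative DaysLeft means the certificate has already expired.
                DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
                PrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $report) {
    Write-Host "No certificates expire within $Days days."
} else {
    $report | Sort-Object NotAfter | Format-Table -AutoSize
}
```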

Troubleshooting

Repair certificate store

Fix corrupted certificate store:

# Re-associate a certificate in the Local Computer Personal store with its private key
# (-repairstore requires a certificate id such as the thumbprint)
certutil -repairstore My "thumbprint"

# Same for the current user's Personal store
certutil -user -repairstore My "thumbprint"

Verify private key access

Check if private key is accessible:

# Check all certificates for private key association
certutil -verifykeys

# Fix private key permissions (requires admin)
# Run from certificate properties:
# Right-click cert → All Tasks → Manage Private Keys
# Add appropriate users/groups with Read permissions

Clear certificate cache

Clear cached CRLs and OCSP responses:

# Clear URL cache (CRL/OCSP cache)
certutil -URLcache * delete

# Clear specific cached CRL
certutil -URLcache CRL delete

Important Notes

Administrator Rights:

Managing computer-wide certificates (certlm.msc) requires administrator privileges. User certificates (certmgr.msc) do not.

Private Key Exportability:

When importing PFX files, check "Mark this key as exportable" if you need to backup or migrate the certificate later. This cannot be changed after import.

Store Locations:

User certificates: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates

Computer certificates: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates

IIS SSL Bindings:

For IIS, certificates must be in Local Computer Personal store (certlm.msc → Personal → Certificates), not User store.

SNI Support:

Windows Server 2012+ and IIS 8+ support SNI. Older versions require unique IP per certificate.

Certificate Validation:

Windows automatically validates certificates against CRL and OCSP. Configure via Group Policy or Internet Options → Advanced tab.

Backup Certificates:

Export certificates with private keys to .pfx files and store them securely. Use a strong password and enable the strong encryption option.

Documentation:

Microsoft docs: docs.microsoft.com/windows-server/networking/technologies/certificate-manager