Any tools to List Certificates in Windows Certificate Stores

  • Question

  • Hello Folks! Are there any tools to list all certificates (e.g. X509) that reside in a Windows system?



    Thursday, April 28, 2011 6:28 PM

All replies

  • Control Panel->Internet Options > Content > Certificates

    Or do you mean you want to write one yourself, since you are posting on a web site for helping visitors to write software?

    Visual C++ MVP
    Saturday, April 30, 2011 12:46 AM
  • Hi,

    For simply listing the user or system certificates, going to Internet Options as described above is sufficient. But sometimes, for certificates which have an associated private key, one needs to access the extended CSP information (i.e. container name and provider) that is not displayed by Internet Options.

    For that purpose, I wrote a while ago a small tool (.NET 2.0 based) that displays the list of certificates of a given certificate store along with the CSP information of the associated private key, if any. This has proved useful on many occasions. You can get it from the following link: http://www.idrix.fr/Root/Samples/StoreExplorer.zip

    I have also recently written a native WIN32 version of this tool that implements a new interesting feature: exporting private keys marked as NOT EXPORTABLE. This was done after being able to understand how such keys are protected, and I implemented the mechanisms that bypass Microsoft protections using the excellent EasyHook library (http://easyhook.codeplex.com). You can download this native tool here: http://www.idrix.fr/Root/Samples/StoreExplorerPlus.zip
    The zip contains the exe file along with the EasyHook dll upon which it depends.

    Good luck,
    Mounir IDRASSI


    Mounir IDRASSI IDRIX http://www.idrix.fr
    Tuesday, May 3, 2011 1:46 AM
  • You can also use certutil which ships on Vista and up.

    Exporting private keys marked as not exportable may break across OS versions so I would not rely on it.

    To list certs and related CSP information in the user My store, run:

    certutil -user -v -store My

    To list certs and related CSP information in the machine My store, run:

    certutil -v -store My



    Tuesday, May 3, 2011 1:58 AM
  • The export key feature works on all OS versions starting from Windows 2000 till Windows 7 SP1. It uses a design flaw in the storage format of private keys used by Microsoft software CSPs. I doubt that Microsoft will change this in future Windows versions because it would require significant changes to core system components. Moreover, Microsoft shifted its focus to the new CNG architecture which doesn't suffer from this flaw.

    Anyway, this feature can be useful in many situations.
    Mounir IDRASSI

    Mounir IDRASSI IDRIX http://www.idrix.fr
    Tuesday, May 3, 2011 2:41 AM
  • So your tool to export private keys will only work for Microsoft CSPs?

    I also doubt that the Microsoft CSP will change significantly between OS versions but if it is really a security issue then it seems reasonable that Microsoft may decide to patch it one day. It is hard to know for sure.

    In any case, I think most people would prefer to use out-of-the-box tools. However, if there is a need to export a non-exportable private key for a Microsoft CSP then clearly the tool you provide serves a need.



    Tuesday, May 3, 2011 3:55 AM
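
Added example, not part of the thread: a PowerShell inventory of the same two My stores that the certutil commands above query. For each certificate with a private key it shows the provider, key container and exportable flag, and whether the key is held by a legacy CryptoAPI CSP or by CNG, which is the distinction the replies discuss. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later; the column names are chosen here for illustration.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 / .NET Framework 4.6+.
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'   # the stores used in the thread

$report = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        if (-not $cert.HasPrivateKey) { continue }
        $row = [ordered]@{
            Store = $store; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
            KeyApi = 'unknown'; Provider = $null; Container = $null; Exportable = $null
        }
        try {
            # On .NET Framework the PrivateKey property only opens legacy
            # CryptoAPI (CSP) keys; for CNG-only keys it fails, so ignore that error.
            $key = $null
            try { $key = $cert.PrivateKey } catch { }
            if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
                $info = $key.CspKeyContainerInfo
                $row.KeyApi     = 'CryptoAPI CSP'
                $row.Provider   = $info.ProviderName
                $row.Container  = $info.KeyContainerName
                $row.Exportable = $info.Exportable
            }
            else {
                # CNG path: GetRSAPrivateKey returns RSACng for keys held by a key storage provider.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                    $row.KeyApi     = 'CNG'
                    $row.Provider   = $rsa.Key.Provider.Provider
                    $row.Container  = $rsa.Key.KeyName
                    $row.Exportable = $rsa.Key.ExportPolicy.HasFlag($allow)
                }
            }
        }
        catch {
            # Typical causes: no permission on a machine key, or a token that is not present.
            $row.Provider = "error: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}
$report | Sort-Object KeyApi, Store | Format-Table -AutoSize
```

Reading keys in the machine store usually requires an elevated session; rows that stay at `unknown` are non-RSA keys or keys that could not be opened.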