Share via

Exporting Certificates using CertUtil

  • Article

There are many instances where you need to move a server to a new hardware. What you will carry from the old server to the new one will vary; you need to plan according to the server role in order to create your own checklist. Recently I had to move my own TMG Server to a new hardware (in this case a new VM) and I decided to install all over again and just import the rules. In a scenario with TMG, besides the core configuration (XML Backup) you also need to consider the certificates that are in use. As I only have a couple of certificates, there was no big deal, I just opened MMC and exported those certs. However, there are scenarios where you have a great amount of certificates and the process of exporting one by one can get quiet tedious.

But, you can use certutil to automate that. The first step in this procedure is to identity the certificate’s thumbprint (or serial number – depends on the approach in use). To do that you can use the PowerShell commands below:

PS C:\Users\Administrator> cd cert:

PS cert:\> dir

Location : CurrentUser

StoreNames : {SmartCardRoot, UserDS, AuthRoot, CA...}

Location : LocalMachine

StoreNames : {SmartCardRoot, AuthRoot, CA, Trust...}

PS cert:\> cd LocalMachine

PS cert:\LocalMachine> dir

Name : SmartCardRoot

Name : AuthRoot

Name : CA

Name : Trust

Name : Disallowed

Name : My

Name : Root

Name : TrustedPeople

Name : TrustedDevices

Name : Remote Desktop

Name : TrustedPublisher

Name : REQUEST

PS cert:\LocalMachine> dir My

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint Subject

---------- -------

C571112B20BE45D10AD185FAA6A022ADB08F1693 CN=TMGFW

089D8C1FD45893D7BF76F3788D3B1ED7E0974100 CN=mail.contoso.com, OU=Security, O=Contoso, L=Dallas, S=Texas

Or you can also use the CertUtil command to list all the certificate in your local store:

C:\Users\Administrator>certutil -store my

my

================ Certificate 0 ================

Serial Number: 67137d4819445f8947dfe5975c2dcda4

Issuer: CN=TMGFW

NotBefore: 1/8/2010 6:19 PM

NotAfter: 1/8/2015 6:19 PM

Subject: CN=TMGFW

Signature matches Public Key

Root Certificate: Subject matches Issuer

Template:

Cert Hash(sha1): c5 71 11 2b 20 be 45 d1 0a d1 85 fa a6 a0 22 ad b0 8f 16 93

Key Container = cb450661-cef0-423d-8c8d-f35770442ef9

Unique container name: 1c5d966ed267ef52208611a02c81673c_5d23994c-569c-4045-8627-97f7be02ff89

Provider = (null)

Private key is NOT exportable

Encryption test passed

================ Certificate 1 ================

Serial Number: 610df5bb000000000002

Issuer: CN=Contoso CA, DC=contoso, DC=com

NotBefore: 1/29/2010 4:21 PM

NotAfter: 1/29/2012 4:31 PM

Subject: CN=mail.contoso.com, OU=Security, O=Contoso, L=Dallas, S=Texas

Non-root Certificate

Template:

Cert Hash(sha1): 08 9d 8c 1f d4 58 93 d7 bf 76 f3 78 8d 3b 1e d7 e0 97 41 00

Key Container = a5195f11b98a20b15d90c79844b9eeb8_b616de3c-8c7e-4aa6-bb33-aae84203823f

Unique container name: 45ec83860a1e2a33a77a819ede5c1d80_5d23994c-569c-4045-8627-97f7be02ff89

Provider = Microsoft Enhanced Cryptographic Provider v1.0

Encryption test passed

CertUtil: -store command completed successfully.

Write it down the certificate’s serial number and assuming that the key is exportable, you now just need to run the command below:

certutil -exportPFX -p "Password" my 610df5bb000000000002 contoso.pfx

See the article Manual Key Archival for more information about CertUtil tool with -ExportPFX parameter.

Comments

  • Anonymous
    January 01, 2003
    Thanks! I'm glad you liked it :)

  • Anonymous
    January 01, 2003
    Thanks.

  • Anonymous
    January 01, 2003
    I'm glad it did. Thanks for your feedback, Creech!

  • Anonymous
    January 04, 2013
    The comment has been removed

  • Anonymous
    April 09, 2013
    i was wondering if you could help me out.  i was trying to use certutil to dump a list of all issued certs on a CA. however i am not getting the parameters correct. this just posts on what the certutil command does. C:Users>certutil -view -restrict "Certificate Template=Machine" -out"R equesterName" > c:supportallcerts.txt appreciate the time and effort.

  • Anonymous
    June 27, 2014
    Thanks. This was very helpful.

  • Anonymous
    October 03, 2014
    Thanks man, helped me out a lot.

  • Anonymous
    January 12, 2015
    Thanks a lot Yuri..

  • Anonymous
    June 24, 2015
    Bookmark this! http://aka.ms/PkiLinks
    Having taken some recent internal PKI training, I decided to

  • Anonymous
    November 03, 2015
    My server got it's certificate from a CA server, no problem. Now I need to use that certificate to configure a digital sender device. I just need to export a computer's certificate (public key only + complete chain) from my server (not a CA server). I can already do this through the certificate's double-click GUI with no problem, but I want to script it so I can do it from all of my servers centrally. How can I do this with certutil.exe, PowerShell, or some other native windows tool that can be scripted? I'm not asking for a complete script (I can write the rest). I just need the one command that will export the certificate from the server (not the CA) to a p7b file. Great info here, BTW.

  • Anonymous
    December 03, 2015
    Hello JCSunday,

    Have you try this?
    https://technet.microsoft.com/en-us/library/hh848635.aspx

    Regards,

    Yuri

  • Anonymous
    May 26, 2016
    Thanks for this!