
How to List Installed Certificates in Batch Script

Digital certificates (SSL/TLS) are the foundation of trust in Windows. They verify the identity of websites, authenticate users, and ensure that code is signed by a trusted developer. However, certificates expire, and rogue certificates from untrusted authorities can be installed without your knowledge by malicious software. Manually browsing the certificate store in the certmgr.msc GUI is slow and makes it easy to miss tucked-away entries. A Batch script can use the certutil command to generate a comprehensive, searchable list of every certificate on the system, letting you audit expiration dates and verify the integrity of your Root authorities.

This guide will explain how to list and audit the Windows certificate store.

Method 1: The Global Audit (Certutil)

The certutil tool is a powerful command-line utility for managing certificates. Its -store flag lets you view a specific store ("vault"), such as the Trusted Root Certification Authorities store or the Personal store.

@echo off

echo [AUDIT] Listing Root Trusted Authorities...
echo.

:: -store root = The Trusted Root Certification Authorities (Local Machine)
certutil -store root

echo.
pause

Method 2: Listing Certificate Expiration Dates

Certificates are useless once they expire. You can pipe the certutil output through findstr to keep only the "NotAfter" date and the Subject name of each entry, which gives you a quick expiration review.

@echo off
echo [SCAN] Listing expiration dates in the Local Machine Personal store...
echo.

:: -store my = The 'Personal' store for the Local Machine
:: To check the Current User store instead, use: certutil -user -store my
certutil -store my | findstr /C:"NotAfter:" /C:"Subject:"

echo.
pause

Method 3: Detailed CSV Export (PowerShell Bridge)

If you need a report for a security audit, certutil's plain-text output is hard to work with. PowerShell can export a clean CSV with Subject names, expiration dates and Thumbprints.

@echo off
echo [REPORT] Exporting certificate list to CSV...

powershell -NoProfile -Command "Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject, NotAfter, Thumbprint | Export-Csv -Path '%~dp0Cert_Audit.csv' -NoTypeInformation"

if %errorlevel% equ 0 (
echo [DONE] Audit saved to %~dp0Cert_Audit.csv
) else (
echo [ERROR] Export failed. Ensure you are running as ADMIN.
)

pause

How to Avoid Common Errors

Wrong Way: Confusing "Current User" vs "Local Machine"

Windows keeps two separate sets of certificate stores: Current User (per user) and Local Machine (system-wide), each with its own Personal, Root and other stores. If you install a certificate in the Current User store, a service running as "System" will not see it.

Correct Way: Use the -store flag with certutil. By default, certutil -store queries the Local Machine store. To query the Current User store, add the -user flag before -store (e.g., certutil -user -store my). PowerShell (Method 3) makes this distinction explicit through its path: Cert:\LocalMachine\Root vs Cert:\CurrentUser\Root.

Problem: Large Output

The Root store contains dozens of certificates, so the full listing scrolls off the console.

Solution: Always redirect the output to a text file for analysis:

certutil -store root > all_certs.txt

Best Practices and Rules

1. Identify "Untrusted" Stores

Check the Disallowed store. This is where Windows keeps certificates that have been revoked or are known to be malicious:

certutil -store Disallowed

2. Administrator Privileges

While users can view their own personal certificates, auditing the LocalMachine or Root stores requires running the script as an Administrator.

3. Check Thumbprints

If you are verifying a certificate's integrity, check the Thumbprint (SHA1/SHA256). If the thumbprint doesn't match the one provided by your CA (Certificate Authority), the certificate has been tampered with or replaced.
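To turn the NotAfter and Subject lines from Method 2 (or the all_certs.txt file from the Large Output tip) into concrete findings, here is an added Python post-processing example; it is not part of the original guide. The certutil output it parses is a constructed sample, the US-locale date format and the 90-day warning window are assumptions, and the expected-thumbprint allowlist is a placeholder for the values your CA gave you.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of `certutil -store root` output (not from any real machine); US-locale dates assumed.
SAMPLE = """\
root "Trusted Root Certification Authorities"
================ Certificate 0 ================
Issuer: CN=Example Root CA, O=Example, C=US
 NotAfter: 1/1/2030 12:00 AM
Subject: CN=Example Root CA, O=Example, C=US
Cert Hash(sha1): 0123456789abcdef0123456789abcdef01234567
================ Certificate 1 ================
Issuer: CN=Unknown Root, O=Nobody
 NotAfter: 3/1/2025 9:30 AM
Subject: CN=Unknown Root, O=Nobody
Cert Hash(sha1): ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00 ff ee dd cc
CertUtil: -store command completed successfully.
"""
DATE_FMT = "%m/%d/%Y %I:%M %p"           # adjust for non-US locales
SAMPLE_NOW = datetime(2025, 1, 1)         # constructed reference date for a deterministic demo
CERT_HEADER = re.compile(r"^=+ Certificate \d+ =+$", re.M)
FIELD = re.compile(r"^\s*(Subject|NotAfter|Cert Hash\(sha1\)):\s*(.+?)\s*$", re.M)

def parse_store(text):
    """One dict per certificate: subject, NotAfter as datetime, normalized SHA1 thumbprint."""
    certs = []
    for block in CERT_HEADER.split(text)[1:]:  # element 0 is the store title line
        fields = dict(FIELD.findall(block))
        certs.append({
            "subject": fields.get("Subject", ""),
            "not_after": datetime.strptime(fields["NotAfter"], DATE_FMT),
            # some certutil builds print the hash as spaced byte pairs; normalize either form
            "sha1": fields.get("Cert Hash(sha1)", "").replace(" ", "").lower(),
        })
    return certs

def audit(certs, expected_sha1, now, warn_days=90):
    """Flag certs expiring within warn_days and thumbprints absent from the expected list."""
    expected = {h.replace(" ", "").lower() for h in expected_sha1}
    findings = []
    for c in certs:
        if c["not_after"] <= now + timedelta(days=warn_days):
            findings.append(("EXPIRING", c["subject"], c["not_after"].date().isoformat()))
        if c["sha1"] not in expected:
            findings.append(("UNEXPECTED", c["subject"], c["sha1"]))
    return findings

if __name__ == "__main__":
    known = ["0123456789abcdef0123456789abcdef01234567"]  # assumed allowlist from your CA records
    for kind, subject, detail in audit(parse_store(SAMPLE), known, SAMPLE_NOW):  # real use: read all_certs.txt
        print(f"[{kind}] {subject} -> {detail}")
```

In real use, replace SAMPLE with the contents of all_certs.txt and SAMPLE_NOW with datetime.now(); any UNEXPECTED entry in the Root store is one to investigate, not to assume is benign.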

Conclusions

Listing installed certificates via Batch script provides a vital layer of visibility into your system's trust infrastructure. By moving from manual GUI inspection to automated auditing, you gain the ability to proactively manage expirations and detect unauthorized additions to your certificate stores. This professional level of oversight is essential for maintaining secure communication, valid code signing, and a high-integrity Windows environment.