How to use the CERTUTIL command
Dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs or certificate chains. A subset of these CERTUTIL commands is also supported under Server 2003 or by installing the Server 2003 Administration Tools.
Syntax:

Dump certificate file information
  CertUtil [Options] [-dump] [File]
  Options: [-f] [-silent] [-split] [-p Password] [-t Timeout]

Parse ASN.1 file
  CertUtil [Options] -asn File
  Options: [-f] [decoding_type]

Decode a Hex-encoded file to binary
  CertUtil [-f] [-v] -decodehex InFile OutFile

Decode Base64-encoded file to binary
  CertUtil [-f] [-v] -decode InFile OutFile

Encode a binary file to Base64
  CertUtil [-f] [-v] -encode InFile OutFile [-UnicodeText]

Encode a file as Hex
  CertUtil [-f] [-v] -encodehex InFile OutFile
  Hex encoded files are around 3x larger than base64; in most cases -encode is more useful.

Deny pending request
  CertUtil [Options] -deny RequestId
  Options: [-v] [-config Machine\CAName]

Resubmit pending request
  CertUtil [Options] -resubmit RequestId
  Options: [-v] [-config Machine\CAName]

Set attributes for pending request
  CertUtil [Options] -setattributes RequestId AttributeString
  Options: [-v] [-config Machine\CAName]
  RequestId: Numeric Request Id of pending request
  AttributeString: Request Attribute name and value pairs. Names and values are colon separated. Multiple name, value pairs are newline separated.
    Example: "CertificateTemplate:User\nEMail:User@Domain.com"
    Each "\n" sequence is converted to a newline separator.

Set extension for pending request
  CertUtil [Options] -setextension RequestId ExtensionName Flags {Long | Date | String | @InFile}
  Options: [-v] [-config Machine\CAName]
  RequestId: Numeric Request Id of a pending request
  ExtensionName: ObjectId string of the extension
  Flags: 0 is recommended. 1 makes the extension critical, 2 disables it, 3 does both.
  If the last parameter is numeric, it is taken as a Long. If it can be parsed as a date, it is taken as a Date. If it starts with '@', the rest of the token is the filename containing binary data or an ascii-text hex dump. Anything else is taken as a String.
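An added example, not part of the original certutil reference: it round-trips a file through -encode and -decode and proves the decoded copy is byte-identical by comparing -hashfile digests (the -hashfile command is documented further down this page). It assumes certutil.exe is on the PATH; the sample file and its contents are constructed in the script.

```powershell
# Added example, not part of the original certutil reference. Round-trips a file through
# certutil -encode / -decode and checks that the decoded copy is byte-identical by comparing
# certutil -hashfile digests. Assumes certutil.exe is on PATH (it ships with Windows).

function Get-CertutilHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Algorithm = 'SHA256'
    )
    # certutil -hashfile prints a banner line ("SHA256 hash of <file>:"), the hex digest,
    # and a "CertUtil: -hashfile command completed successfully." trailer. Older builds
    # separate the byte pairs of the digest with spaces, so whitespace is stripped.
    $out = & certutil -hashfile $Path $Algorithm
    if ($LASTEXITCODE -ne 0) { throw "certutil -hashfile failed for '$Path'" }
    $digestLine = $out |
        Where-Object { $_ -match '^[0-9a-fA-F\s]+$' -and ($_ -replace '\s', '').Length -ge 32 } |
        Select-Object -First 1
    if (-not $digestLine) { throw "no digest line found in certutil output for '$Path'" }
    return ($digestLine -replace '\s', '').ToLowerInvariant()
}

function Test-CertutilRoundTrip {
    param([Parameter(Mandatory)] [string] $InputFile)
    $b64  = "$InputFile.b64"
    $back = "$InputFile.decoded"

    # -encode wraps the Base64 text in BEGIN/END CERTIFICATE lines regardless of content;
    # -decode strips them again. -f overwrites existing output files instead of failing.
    & certutil -f -encode $InputFile $b64 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -encode failed" }
    & certutil -f -decode $b64 $back | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -decode failed" }

    $before = Get-CertutilHash -Path $InputFile
    $after  = Get-CertutilHash -Path $back
    [pscustomobject]@{
        Identical     = ($before -eq $after)
        Sha256        = $before
        OriginalBytes = (Get-Item $InputFile).Length
        Base64Bytes   = (Get-Item $b64).Length   # roughly 4/3 of the input plus line breaks
    }
}

# Constructed sample input: 4 KiB of random bytes, not a real certificate.
$sample = Join-Path $env:TEMP 'certutil-roundtrip.bin'
$bytes = New-Object byte[] 4096
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
[System.IO.File]::WriteAllBytes($sample, $bytes)

Test-CertutilRoundTrip -InputFile $sample | Format-List
```

Get-FileHash produces the same digest natively in PowerShell; the parsing above matters when certutil is the tool already in use, for instance from cmd batch files.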
Revoke Certificate
  CertUtil [Options] -revoke SerialNumber [Reason]
  Options: [-v] [-config Machine\CAName]
  SerialNumber: Comma separated list of certificate serial numbers to revoke
  Reason: numeric or symbolic revocation reason
     0: CRL_REASON_UNSPECIFIED: Unspecified (default)
     1: CRL_REASON_KEY_COMPROMISE: Key Compromise
     2: CRL_REASON_CA_COMPROMISE: CA Compromise
     3: CRL_REASON_AFFILIATION_CHANGED: Affiliation Changed
     4: CRL_REASON_SUPERSEDED: Superseded
     5: CRL_REASON_CESSATION_OF_OPERATION: Cessation of Operation
     6: CRL_REASON_CERTIFICATE_HOLD: Certificate Hold
     8: CRL_REASON_REMOVE_FROM_CRL: Remove From CRL
    -1: Unrevoke: Unrevoke

Display current certificate disposition
  CertUtil [Options] -isvalid SerialNumber | CertHash
  Options: [-v] [-config Machine\CAName]

Get default configuration string
  CertUtil [Options] -getconfig
  Options: [-v] [-config Machine\CAName]

Ping Active Directory Certificate Services Request interface
  CertUtil [Options] -ping [MaxSecondsToWait | CAMachineList]
  Options: [-v] [-config Machine\CAName]
  CAMachineList: Comma-separated CA machine name list. For a single machine, use a terminating comma. Displays the site cost for each CA machine.

Ping Active Directory Certificate Services Admin interface
  CertUtil [Options] -pingadmin [MaxSecondsToWait | CAMachineList]
  Options: [-v] [-config Machine\CAName]
  CAMachineList: Comma-separated CA machine name list. For a single machine, use a terminating comma. Displays the site cost for each CA machine.

Display CA Information
  CertUtil [Options] -CAInfo [InfoName [Index | ErrorCode]]
  Options: [-f] [-v] [-split] [-config Machine\CAName]
  InfoName: indicates the CA property to display. Use "*" for all properties.
  Index: optional zero-based property index
  ErrorCode: numeric error code

Retrieve the CA's certificate
  CertUtil [Options] -ca.cert OutCACertFile [Index]
  Options: [-f] [-v] [-split] [-config Machine\CAName]
  OutCACertFile: output file
  Index: CA certificate renewal index (defaults to most recent)

Retrieve the CA's certificate chain
  CertUtil [Options] -ca.chain OutCACertChainFile [Index]
  Options: [-f] [-v] [-split] [-config Machine\CAName]
  OutCACertChainFile: output file
  Index: CA certificate renewal index (defaults to most recent)

Get CRL
  CertUtil [Options] -GetCRL OutFile [Index] [delta]
  Options: [-f] [-v] [-split] [-config Machine\CAName]
  Index: CRL index or key index (defaults to CRL for newest key)
  delta: delta CRL (default is base CRL)

Publish new CRLs [or delta CRLs only]
  CertUtil [Options] -CRL [dd:hh | republish] [delta]
  Options: [-v] [-split] [-config Machine\CAName]
  dd:hh: new CRL validity period in days and hours
  republish: republish most recent CRLs
  delta: delta CRLs only (default is base and delta CRLs)

Shutdown Active Directory Certificate Services
  CertUtil [Options] -shutdown
  Options: [-v] [-config Machine\CAName]

Install Certification Authority certificate
  CertUtil [Options] -installCert [CACertFile]
  Options: [-f] [-v] [-silent] [-config Machine\CAName]

Renew Certification Authority certificate
  CertUtil [Options] -renewCert [ReuseKeys] [Machine\ParentCAName]
  Options: [-f] [-v] [-silent] [-config Machine\CAName]
  Use -f to ignore an outstanding renewal request, and generate a new request.
Dump Certificate Schema
  CertUtil [Options] -schema [Ext | Attrib | CRL]
  Options: [-v] [-split] [-config Machine\CAName]
  Ext: Extension table
  Attrib: Attribute table
  CRL: CRL table
  Defaults to Request and Certificate table

Dump Certificate View
  CertUtil [Options] -view [Queue | Log | LogFail | Revoked | Ext | Attrib | CRL] [csv]
  Options: [-v] [-silent] [-split] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]
  Queue: Request queue
  Log: Issued or revoked certificates, plus failed requests
  LogFail: Failed requests
  Revoked: Revoked certificates
  Ext: Extension table
  Attrib: Attribute table
  CRL: CRL table
  csv: Output as Comma Separated Values
  To display the StatusCode column for all entries: -out StatusCode
  To display all columns for the last entry: -restrict "RequestId==$"
  To display RequestId and Disposition for three requests: -restrict "RequestId>=37,RequestId<40" -out "RequestId,Disposition"
  To display Row Ids and CRL Numbers for all Base CRLs: -restrict "CRLMinBase=0" -out "CRLRowId,CRLNumber" CRL
  To display Base CRL Number 3: -v -restrict "CRLMinBase=0,CRLNumber=3" -out "CRLRawCRL" CRL
  To display the entire CRL table: CRL
  Use "Date[+|-dd:hh]" for date restrictions
  Use "now+dd:hh" for a date relative to the current time

Dump Raw Database
  CertUtil [Options] -db
  Options: [-v] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

Delete server database row
  CertUtil [Options] -deleterow RowId | Date [Request | Cert | Ext | Attrib | CRL]
  Options: [-f] [-v] [-config Machine\CAName]
  Request: Failed and pending requests (submission date)
  Cert: Expired and revoked certificates (expiration date)
  Ext: Extension table
  Attrib: Attribute table
  CRL: CRL table (expiration date)
  To delete failed and pending requests submitted by January 22, 2001: 1/22/2001 Request
  To delete all certificates that expired by January 22, 2001: 1/22/2001 Cert
  To delete the certificate row, attributes and extensions for RequestId 37: 37
  To delete CRLs that expired by January 22, 2001: 1/22/2001 CRL

Backup Active Directory Certificate Services
  CertUtil [Options] -backup BackupDirectory [Incremental] [KeepLog]
  Options: [-f] [-v] [-config Machine\CAName] [-p Password]
  BackupDirectory: directory to store backed up data
  Incremental: perform incremental backup only (default is full backup)
  KeepLog: preserve database log files (default is to truncate log files)

Backup Active Directory Certificate Services database
  CertUtil [Options] -backupDB BackupDirectory [Incremental] [KeepLog]
  Options: [-f] [-v] [-config Machine\CAName]
  BackupDirectory: directory to store backed up database files
  Incremental: perform incremental backup only (default is full backup)
  KeepLog: preserve database log files (default is to truncate log files)

Backup Active Directory Certificate Services certificate and private key
  CertUtil [Options] -backupKey BackupDirectory
  Options: [-f] [-v] [-config Machine\CAName] [-p Password] [-t Timeout]
  BackupDirectory: directory to store backed up PFX file

Restore Active Directory Certificate Services
  CertUtil [Options] -restore BackupDirectory
  Options: [-f] [-v] [-config Machine\CAName] [-p Password]
  BackupDirectory: directory containing data to be restored

Restore Active Directory Certificate Services database
  CertUtil [Options] -restoreDB BackupDirectory
  Options: [-f] [-v] [-config Machine\CAName] [-p Password]
  BackupDirectory: directory containing database files to be restored

Restore Active Directory Certificate Services certificate and private key
  CertUtil [Options] -restoreKey BackupDirectory | PFXFile
  Options: [-f] [-v] [-config Machine\CAName] [-p Password]
  BackupDirectory: directory containing PFX file to be restored
  PFXFile: PFX file to be restored

Import certificate and private key
  CertUtil [Options] -importPFX [CertificateStoreName] PFXFile [Modifiers] [-csp Provider]
  Options: [-f] [-v] [-user] [-p Password]
  CertificateStoreName: Certificate store name. See -store.
  PFXFile: PFX file to be imported
  Modifiers: Comma separated list of one or more of the following:
    AT_SIGNATURE: Change the KeySpec to Signature
    AT_KEYEXCHANGE: Change the KeySpec to Key Exchange
    NoExport: Make the private key non-exportable
    NoCert: Do not import the certificate
    NoChain: Do not import the certificate chain
    NoRoot: Do not import the root certificate
    Protect: Protect keys with password
    NoProtect: Do not password protect keys
  Defaults to personal machine store.

Display dynamic file List
  CertUtil [Options] -dynamicfilelist
  Options: [-v] [-config Machine\CAName]

Display database locations
  CertUtil [Options] -databaselocations
  Options: [-v] [-config Machine\CAName]

Generate and display cryptographic hash over a file
  CertUtil [Options] -hashfile InFile [HashAlgorithm]
  Options: [-v]

Dump certificate store
  CertUtil [Options] -store [CertificateStoreName [CertId [OutputFile]]]
  Options: [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName]
  CertificateStoreName: Certificate store name.
  CertId: Certificate or CRL match token. This can be a serial number, an SHA-1 certificate, CRL, CTL or public key hash, a numeric cert index (0, 1, and so on), a numeric CRL index (.0, .1, and so on), a numeric CTL index (..0, ..1, and so on), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail address, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or Application Policies ObjectId, or a CRL issuer Common Name. Many of these may result in multiple matches.
  OutputFile: file to save matching cert
  Use -user to access a user store instead of a machine store.
  Use -enterprise to access a machine enterprise store.
  Use -service to access a machine service store.
  Use -grouppolicy to access a machine group policy store.
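An added example, not part of the original certutil reference, that applies the -view restriction and column syntax described above (the "now+dd:hh" relative date form and csv output) to list certificates the CA issued that expire within the next 30 days, a routine inventory check before they lapse. It assumes certutil.exe is on the PATH and a reachable CA; the -config value is a placeholder, and Disposition 20 is the CA database code for an issued certificate (not listed on this page).

```powershell
# Added example, not part of the original certutil reference. Uses -view with -restrict and
# -out to pull issued certificates that expire within a window, then parses the csv output.
# Assumes certutil.exe is on PATH. 'CA-SERVER\Contoso Issuing CA' is a placeholder Machine\CAName.
# Disposition 20 is the CA database code for "issued" (a known value not listed on this page).

function Get-ExpiringIssuedCerts {
    param(
        [string] $CaConfig = 'CA-SERVER\Contoso Issuing CA',   # placeholder, replace with your CA
        [int]    $Days = 30
    )
    # Schema column names accepted by -out; the order here defines the csv column order.
    $cols = 'RequestId','RequesterName','CommonName','CertificateTemplate','NotBefore','NotAfter','SerialNumber'

    # Date restrictions use "now+dd:hh" (days:hours relative to the current time), so
    # "NotAfter<=now+30:00" means "expires within 30 days". Multiple restrictions are
    # comma separated and all must hold.
    $restrict = "Disposition=20,NotAfter>=now,NotAfter<=now+{0:d2}:00" -f $Days

    $raw = & certutil -config $CaConfig -view Log -restrict $restrict -out ($cols -join ',') csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed against '$CaConfig'" }

    # certutil prints a localized header row first and a "CertUtil: ..." status trailer;
    # drop both and map the remaining rows onto the schema names chosen above.
    $rows = $raw |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header $cols

    foreach ($r in $rows) {
        [pscustomobject]@{
            RequestId  = [int]$r.RequestId
            Requester  = $r.RequesterName
            CommonName = $r.CommonName
            Template   = $r.CertificateTemplate
            NotAfter   = [datetime]::Parse($r.NotAfter)   # certutil emits dates in the local format
            Serial     = $r.SerialNumber
        }
    }
}

Get-ExpiringIssuedCerts -Days 30 | Sort-Object NotAfter | Format-Table -AutoSize
```

The same pattern with "-view Revoked" or "-restrict Disposition=21" lists revoked certificates, which is the usual starting point when checking whether a CRL actually covers an incident.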
Add certificate to store
  CertUtil [Options] -addstore CertificateStoreName InFile
  Options: [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]
  CertificateStoreName: Certificate store name. See -store.
  InFile: Certificate or CRL file to add to store.

Delete certificate from store
  CertUtil [Options] -delstore CertificateStoreName CertId
  Options: [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]
  CertificateStoreName: Certificate store name. See -store.
  CertId: Certificate or CRL match token. See -store.

Verify certificate in store
  CertUtil [Options] -verifystore CertificateStoreName [CertId]
  Options: [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName] [-t Timeout]
  CertificateStoreName: Certificate store name. See -store.
  CertId: Certificate or CRL match token. See -store.

Repair key association or update certificate properties or key security descriptor
  CertUtil [Options] -repairstore CertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor]
  Options: [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-csp Provider]
  CertificateStoreName: Certificate store name. See -store.
  CertIdList: comma separated list of Certificate or CRL match tokens. See -store CertId description.
  PropertyInfFile: INF file containing external properties.

Dump certificate store
  CertUtil [Options] -viewstore [CertificateStoreName [CertId [OutputFile]]]
  Options: [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]
  CertificateStoreName: Certificate store name.
  CertId: Certificate or CRL match token. The accepted token forms are listed under -store; many of them may result in multiple matches.
  OutputFile: file to save matching cert
  Use -user to access a user store instead of a machine store.
  Use -enterprise to access a machine enterprise store.
  Use -service to access a machine service store.
  Use -grouppolicy to access a machine group policy store.

Delete certificate from store
  CertUtil [Options] -viewdelstore [CertificateStoreName [CertId [OutputFile]]]
  Options: [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]
  CertificateStoreName: Certificate store name.
  CertId: Certificate or CRL match token. The accepted token forms are listed under -store; many of them may result in multiple matches.
  OutputFile: file to save matching cert
  Use -user to access a user store instead of a machine store.
  Use -enterprise to access a machine enterprise store.
  Use -service to access a machine service store.
  Use -grouppolicy to access a machine group policy store.
Publish certificate or CRL to Active Directory
  CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
  CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]]
  Options: [-f] [-v] [-user] [-dc DCName]
  CertFile: certificate file to publish
  NTAuthCA: Publish cert to DS Enterprise store
  RootCA: Publish cert to DS Trusted Root store
  SubCA: Publish CA cert to DS CA object
  CrossCA: Publish cross cert to DS CA object
  KRA: Publish cert to DS Key Recovery Agent object
  User: Publish cert to User DS object
  Machine: Publish cert to Machine DS object
  CRLFile: CRL file to publish
  DSCDPContainer: DS CDP container CN, usually the CA machine name
  DSCDPCN: DS CDP object CN, usually based on the sanitized CA short name and key index
  Use -f to create DS object.

Display AD templates
  CertUtil [Options] -ADTemplate [Template]
  Options: [-f] [-v] [-user] [-ut] [-mt] [-dc DCName]

Display Enrollment Policy templates
  CertUtil [Options] -Template [Template]
  Options: [-f] [-v] [-user] [-dc DCName] [-silent] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

Display CAs for template
  CertUtil [Options] -TemplateCAs Template
  Options: [-f] [-v] [-user] [-dc DCName]

Display templates for CA
  CertUtil [Options] -CATemplates [Template]
  Options: [-f] [-v] [-user] [-ut] [-mt] [-config Machine\CAName] [-dc DCName]

Set, Verify or Delete CA site names
  CertUtil [Options] -SetCASites [set] [Sitename]
  CertUtil [Options] -SetCASites verify [Sitename]
  CertUtil [Options] -SetCASites delete
  Options: [-f] [-v] [-config Machine\CAName] [-dc DCName]
  Use the -config option to target a single CA (default is all CAs)
  Sitename is allowed only when targeting a single CA
  Use -f to override validation errors for the specified Sitename
  Use -f to delete all CA site names

Display, add or delete enrollment server URLs associated with a CA
  CertUtil [Options] -enrollmentServerURL [URL AuthenticationType [Priority] [Modifiers]]
  CertUtil [Options] -enrollmentServerURL URL delete
  Options: [-f] [-config Machine\CAName] [-dc DCName]
  AuthenticationType: Specify one of the following client authentication methods while adding a URL:
    Kerberos: Use Kerberos SSL credentials
    UserName: Use named account for SSL credentials
    ClientCertificate: Use X.509 Certificate SSL credentials
    Anonymous: Use anonymous SSL credentials
  delete: deletes the specified URL associated with the CA
  Priority: defaults to '1' if not specified when adding a URL
  Modifiers: Comma separated list of one or more of the following:
    AllowRenewalsOnly: Only renewal requests can be submitted to this CA via this URL
    AllowKeyBasedRenewal: Allow use of a certificate that has no associated account in the AD. This applies only with ClientCertificate and AllowRenewalsOnly mode.

Display AD CAs
  CertUtil [Options] -ADCA [CAName]
  Options: [-f] [-split] [-dc DCName]

Display Enrollment Policy CAs
  CertUtil [Options] -CA [CAName | TemplateName]
  Options: [-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

Display Enrollment Policy
  CertUtil [Options] -Policy
  Options: [-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

Display or delete Enrollment Policy Cache entries
  CertUtil [Options] -PolicyCache [delete]
  Options: [-f] [-user] [-PolicyServer URLOrId]
  delete: delete Policy Server cache entries
  -f: use -f to delete all cache entries

Display, add or delete Credential Store entries
  CertUtil [Options] -CredStore [URL]
  CertUtil [Options] -CredStore URL add
  CertUtil [Options] -CredStore URL delete
  Options: [-f] [-user] [-silent] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
  URL: target URL. Use * to match all entries.
  Use https://machine* to match a URL prefix.
  add: add a Credential Store entry. SSL credentials must also be specified.
  delete: delete Credential Store entries
  -f: use -f to overwrite an entry or to delete multiple entries.

Install default certificate templates
  CertUtil [Options] -InstallDefaultTemplates
  Options: [-f] [-v] [-dc DCName]

Display or delete URL cache entries
  CertUtil [Options] -URLCache [URL | CRL | * [delete]]
  Options: [-f] [-v] [-split]
  URL: Cached URL
  CRL: Operate on all cached CRL URLs only
  *: Operate on all cached URLs
  delete: Delete relevant URLs from the current user's local cache
  Use -f to force fetching a specific URL and updating the cache.
  -v: Will display the whole IE internet history and cache file locations (…\Content.IE5…)

Pulse autoenrollment events
  CertUtil [Options] -pulse
  Options: [-v] [-user]

Display Active Directory computer object information
  CertUtil [Options] -MachineInfo DomainName\MachineName$
  Options: [-v]

Display domain controller information
  CertUtil [Options] -DCInfo [Domain] [Verify | DeleteBad | DeleteAll]
  Options: [-f] [-v] [-user] [-urlfetch] [-dc DCName] [-t Timeout]
  Default is to display DC certs without verification.
Display Enterprise CA information
  CertUtil [Options] -EntInfo DomainName\MachineName$
  Options: [-f] [-v] [-user]

Display CA information
  CertUtil [Options] -TCAInfo [DomainDN | -]
  Options: [-f] [-v] [-enterprise] [-user] [-urlfetch] [-dc DCName] [-t Timeout]

Display smart card information
  CertUtil [Options] -SCInfo [ReaderName [CRYPT_DELETEKEYSET]]
  Options: [-v] [-silent] [-split] [-urlfetch] [-t Timeout]
  CRYPT_DELETEKEYSET: Delete all keys on the smart card

Manage smart card root certificates
  CertUtil [Options] -SCRoots update [+][InputRootFile] [ReaderName]
  CertUtil [Options] -SCRoots save @OutputRootFile [ReaderName]
  CertUtil [Options] -SCRoots view [InputRootFile | ReaderName]
  CertUtil [Options] -SCRoots delete [ReaderName]
  Options: [-f] [-split] [-p Password]

Verify public/private key set
  CertUtil [Options] -verifykeys [KeyContainerName CACertFile]
  Options: [-f] [-v] [-user] [-silent] [-config Machine\CAName]
  KeyContainerName: key container name of the key to verify. Defaults to machine keys. Use -user for user keys.
  CACertFile: signing or encryption certificate file
  If no arguments are specified, each signing CA cert is verified against its private key.
  This operation can only be performed against a local CA or local keys.
Verify certificate, CRL or chain
  CertUtil [Options] -verify CertFile [ApplicationPolicyList | - [IssuancePolicyList]]
  CertUtil [Options] -verify CertFile [CACertFile [CrossedCACertFile]]
  CertUtil [Options] -verify CRLFile CACertFile [IssuedCertFile]
  CertUtil [Options] -verify CRLFile CACertFile [DeltaCRLFile]
  Options: [-f] [-v] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout]
  CertFile: Certificate to verify
  ApplicationPolicyList: optional comma separated list of required Application Policy ObjectIds
  IssuancePolicyList: optional comma separated list of required Issuance Policy ObjectIds
  CACertFile: optional issuing CA certificate to verify against
  CrossedCACertFile: optional certificate cross-certified by CertFile
  CRLFile: CRL to verify
  IssuedCertFile: optional issued certificate covered by CRLFile
  DeltaCRLFile: optional delta CRL
  If ApplicationPolicyList is specified, chain building is restricted to chains valid for the specified Application Policies.
  If IssuancePolicyList is specified, chain building is restricted to chains valid for the specified Issuance Policies.
  If CACertFile is specified, fields in CACertFile are verified against CertFile or CRLFile.
  If CACertFile is not specified, CertFile is used to build and verify a full chain.
  If CACertFile and CrossedCACertFile are both specified, fields in CACertFile and CrossedCACertFile are verified against CertFile.
  If IssuedCertFile is specified, fields in IssuedCertFile are verified against CRLFile.
  If DeltaCRLFile is specified, fields in DeltaCRLFile are verified against CRLFile.

Verify AuthRoot or Disallowed Certificates CTL
  CertUtil [Options] -verifyCTL CTLObject [CertDir] [CertFile]
  Options: [-f] [-user] [-split]
  CTLObject: Identifies the CTL to verify:
    AuthRootWU: read AuthRoot CAB and matching certificates from the URL cache. Use -f to download from Windows Update instead.
    DisallowedWU: read Disallowed Certificates CAB and disallowed certificate store file from the URL cache. Use -f to download from Windows Update instead.
    AuthRoot: read registry cached AuthRoot CTL. Use with -f and a CertFile that is not already trusted to force updating the registry cached AuthRoot and Disallowed Certificate CTLs.
    Disallowed: read registry cached Disallowed Certificates CTL. -f has the same behavior as with AuthRoot.
    CTLFileName: file or http: path to CTL or CAB
  CertDir: folder containing certificates matching CTL entries. An http: folder path must end with a path separator. If a folder is not specified with AuthRoot or Disallowed, multiple locations will be searched for matching certificates: local certificate stores, crypt32.dll resources and the local URL cache. Use -f to download from Windows Update when necessary. Otherwise defaults to the same folder or web site as the CTLObject.
  CertFile: file containing certificate(s) to verify. Certificates will be matched against CTL entries, and match results displayed. Suppresses most of the default output.

Re-sign CRL or certificate
  CertUtil [Options] -sign InFileList|SerialNumber|CRL OutFileList [StartDate+dd:hh] [+SerialNumberList | -SerialNumberList | -ObjectIdList | @ExtensionFile] [-nullsign]
  CertUtil [Options] -sign InFileList|SerialNumber|CRL OutFileList [#HashAlgorithm] [+AlternateSignatureAlgorithm | -AlternateSignatureAlgorithm] [-nullsign]
  Options: [-f] [-silent] [-Cert CertId]
  InFileList: comma separated list of Certificate or CRL files to modify and re-sign
  SerialNumber: Serial number of certificate to create. Validity period and other options must not be present.
  CRL: Create an empty CRL. Validity period and other options must not be present.
  OutFileList: comma separated list of modified Certificate or CRL output files. The number of files must match InFileList.
  StartDate+dd:hh: new validity period: an optional start date plus an optional days-and-hours validity period. If both are specified, use a plus sign (+) separator. Use "now[+dd:hh]" to start at the current time. Use "never" to have no expiration date (for CRLs only).
  SerialNumberList: comma separated serial number list to add or remove
  ObjectIdList: comma separated extension ObjectId list to remove
  @ExtensionFile: INF file containing extensions to update or remove
  HashAlgorithm: Name of the hash algorithm preceded by a # sign
  AlternateSignatureAlgorithm: alternate Signature algorithm specifier
  A minus sign causes serial numbers and extensions to be removed. A plus sign causes serial numbers to be added to a CRL. When removing items from a CRL, the list may contain both serial numbers and ObjectIds.
  A minus sign before AlternateSignatureAlgorithm causes the legacy signature format to be used. A plus sign before AlternateSignatureAlgorithm causes the alternate signature format to be used. If AlternateSignatureAlgorithm is not specified then the signature format in the certificate or CRL is used.

Create/delete web virtual roots and file shares
  CertUtil [Options] -vroot [delete]

Create/delete web virtual roots for OCSP web proxy
  CertUtil [Options] -vocsproot [delete]

Add an Enrollment Server application
  CertUtil [Options] -addEnrollmentServer Kerberos | UserName | ClientCertificate [AllowRenewalsOnly] [AllowKeyBasedRenewal]
  Options: [-f] [-config Machine\CAName]
  Add an Enrollment Server application and application pool if necessary, for the specified CA. This command does not install binaries or packages.
  One of the following authentication methods with which the client connects to a Certificate Enrollment Server:
    Kerberos: Use Kerberos SSL credentials
    UserName: Use named account for SSL credentials
    ClientCertificate: Use X.509 Certificate SSL credentials
  AllowRenewalsOnly: Only renewal requests can be submitted to this CA via this URL
  AllowKeyBasedRenewal: Allows use of a certificate that has no associated account in the AD. This applies only with ClientCertificate and AllowRenewalsOnly mode.
Delete an Enrollment Server application
  CertUtil [Options] -deleteEnrollmentServer Kerberos | UserName | ClientCertificate
  Options: [-f] [-config Machine\CAName]
  Delete an Enrollment Server application and application pool if necessary, for the specified CA. This command does not remove binaries or packages.
  One of the following authentication methods with which the client connects to a Certificate Enrollment Server:
    Kerberos: Use Kerberos SSL credentials
    UserName: Use named account for SSL credentials
    ClientCertificate: Use X.509 Certificate SSL credentials

Add a Policy Server application
  CertUtil [Options] -addPolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]
  Add a policy server application and application pool if necessary. This command does not install binaries or packages.
  One of the following authentication methods with which the client connects to a Certificate Policy Server:
    Kerberos: Use Kerberos SSL credentials
    UserName: Use named account for SSL credentials
    ClientCertificate: Use X.509 Certificate SSL credentials
  KeyBasedRenewal: Only policies that contain KeyBasedRenewal templates are returned to the client. This flag applies only for UserName and ClientCertificate authentication.

Delete a Policy Server application
  CertUtil [Options] -deletePolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]
  Delete a policy server application and application pool if necessary. This command does not remove binaries or packages.
  One of the following authentication methods with which the client connects to a Certificate Policy Server:
    Kerberos: Use Kerberos SSL credentials
    UserName: Use named account for SSL credentials
    ClientCertificate: Use X.509 Certificate SSL credentials
  KeyBasedRenewal: KeyBasedRenewal policy server

Display ObjectId or set display name
  CertUtil [Options] -oid ObjectId [DisplayName | delete [LanguageId [Type]]] [-f]
  CertUtil [Options] -oid GroupId
  CertUtil [Options] -oid AlgId | AlgorithmName [GroupId] [-f]
  ObjectId: ObjectId to display or to add display name
  GroupId: decimal GroupId number for ObjectIds to enumerate
  AlgId: hexadecimal AlgId for ObjectId to look up
  AlgorithmName: Algorithm Name for ObjectId to look up
  DisplayName: Display Name to store in DS
  delete: delete display name
  LanguageId: Language Id (defaults to current: 1033)
  Type: DS object type to create: 1 for Template (default), 2 for Issuance Policy, 3 for Application Policy
  Use -f to create DS object.

Display error code message text
  CertUtil [-v] -error ErrorCode

Display registry value
  CertUtil [Options] -getreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\[ProgId\]] [RegistryValueName]
  Options: [-f] [-user] [-GroupPolicy] [-config Machine\CAName]
  ca: Use CA's registry key
  restore: Use CA's restore registry key
  policy: Use policy module's registry key
  exit: Use first exit module's registry key
  template: Use template registry key (use -user for user templates)
  enroll: Use enrollment registry key (use -user for user context)
  chain: Use chain configuration registry key
  PolicyServers: Use Policy Servers registry key
  ProgId: Use policy or exit module's ProgId (registry subkey name)
  RegistryValueName: registry value name (use "Name*" to prefix match)

Set registry value
  CertUtil [Options] -setreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\[ProgId\]] [RegistryValueName] Value
  Options: [-f] [-user] [-GroupPolicy] [-config Machine\CAName]
  The key names (ca, restore, policy, exit, template, enroll, chain, PolicyServers), ProgId and RegistryValueName are as for -getreg.
  Value: new numeric, string or date registry value or filename.
    If a numeric value starts with "+" or "-", the bits specified in the new value are set or cleared in the existing registry value.
    If a string value starts with "+" or "-", and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add a "\n" to the end of the string value.
    If the value starts with "@", the rest of the value is the name of the file containing the hexadecimal text representation of a binary value. If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh]: an optional date plus or minus optional days and hours. If both are specified, use a plus sign (+) or minus sign (-) separator. Use "now+dd:hh" for a date relative to the current time.
    Use "chain\ChainCacheResyncFiletime @now" to effectively flush cached CRLs.
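An added example, not part of the original certutil reference, that exercises the -getreg / -setreg value rules described above: it reads a CA DWORD, ORs bits into it with the "+value" form, and flushes the local CRL cache with "chain\ChainCacheResyncFiletime @now". CA\AuditFilter is a real CA registry value that this page does not list (a bit mask of CA operations written to the Security event log; 127 enables all seven categories). It assumes certutil.exe is on the PATH and that the script runs as a CA administrator on the CA host.

```powershell
# Added example, not part of the original certutil reference. Reads a CA DWORD value with
# -getreg, ORs bits into it with the "+value" form of -setreg, and flushes the local CRL cache
# via "chain\ChainCacheResyncFiletime @now". CA\AuditFilter is a real CA value not listed on
# this page: a bit mask of the CA operations audited to the Security log (127 = all seven).
# Assumes certutil.exe is on PATH and the script runs as a CA administrator on the CA host.

function Get-CaRegDword {
    param([Parameter(Mandatory)] [string] $ValuePath)   # for example 'CA\AuditFilter'
    $out = & certutil -getreg $ValuePath
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg $ValuePath failed" }
    # The value line looks like "  AuditFilter REG_DWORD = 7f (127)"; take the hex part.
    $line = $out | Where-Object { $_ -match 'REG_DWORD\s*=\s*[0-9a-fA-F]+' } | Select-Object -First 1
    if ($line -match 'REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
        return [Convert]::ToInt32($Matches[1], 16)
    }
    throw "no REG_DWORD value found for $ValuePath"
}

function Enable-CaAuditing {
    param([int] $Mask = 127)
    $before = Get-CaRegDword -ValuePath 'CA\AuditFilter'
    # "+<number>" sets the given bits and leaves the others alone; a bare number replaces the
    # whole value and "-<number>" clears bits, as the -setreg Value description above states.
    & certutil -setreg 'CA\AuditFilter' "+$Mask" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg CA\AuditFilter failed" }
    $after = Get-CaRegDword -ValuePath 'CA\AuditFilter'
    # Values under the CA key are read at service start, so restart Certificate Services.
    Restart-Service -Name CertSvc
    # The events only reach the Security log if the "Certification Services" audit
    # subcategory is also enabled on the host, for example with:
    #   auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
    [pscustomobject]@{
        Before     = $before
        After      = $after
        AllBitsSet = (($after -band $Mask) -eq $Mask)
    }
}

function Reset-ChainCache {
    # "@now" names no file, so certutil parses it as a date and stores the current time as the
    # resync FILETIME, which invalidates cached CRLs on this machine. It is quoted so that
    # PowerShell does not read "@now" as splatting of a variable called $now.
    & certutil -setreg 'chain\ChainCacheResyncFiletime' '@now' | Out-Null
    return ($LASTEXITCODE -eq 0)
}

Enable-CaAuditing | Format-List
Reset-ChainCache
```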
Delete registry value
  CertUtil [Options] -delreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\[ProgId\]] [RegistryValueName]
  Options: [-f] [-user] [-GroupPolicy] [-config Machine\CAName]
  The key names (ca, restore, policy, exit, template, enroll, chain, PolicyServers), ProgId and RegistryValueName are as for -getreg.

Import user keys and certificates into server database for key archival
  CertUtil [Options] -ImportKMS UserKeyAndCertFile [CertId]
  Options: [-f] [-v] [-silent] [-split] [-config Machine\CAName] [-p Password] [-symkeyalg SymmetricKeyAlgorithm[,KeyLength]]
  UserKeyAndCertFile: Data file containing user private keys and certificates to be archived. This can be any of the following:
    Exchange Key Management Server (KMS) export file
    PFX file
  CertId: KMS export file decryption certificate match token. See -store.
  Use -f to import certificates not issued by the CA.

Import a certificate file into the database
  CertUtil [Options] -ImportCert Certfile [ExistingRow]
  Options: [-f] [-v] [-config Machine\CAName]
  Use ExistingRow to import the certificate in place of a pending request for the same key.
  Use -f to import certificates not issued by the CA.
  The CA may also need to be configured to support foreign certificate import:
    certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN

Retrieve archived private key recovery blob, generate a recovery script, or recover archived keys
  CertUtil [Options] -GetKey SearchToken [RecoveryBlobOutFile]
  CertUtil [Options] -GetKey SearchToken script OutputScriptFile
  CertUtil [Options] -GetKey SearchToken retrieve | recover OutputFileBaseName
  Options: [-f] [-v] [-UnicodeText] [-silent] [-config Machine\CAName] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider]
  script: generate a script to retrieve and recover keys (default behavior if multiple matching recovery candidates are found, or if the output file is not specified).
  retrieve: retrieve one or more Key Recovery Blobs (default behavior if exactly one matching recovery candidate is found, and if the output file is specified)
  recover: retrieve and recover private keys in one step (requires Key Recovery Agent certificates and private keys)
  SearchToken: Used to select the keys and certificates to be recovered. Any of the following:
    Certificate Common Name
    Certificate Serial Number
    Certificate SHA-1 hash (thumbprint)
    Certificate KeyId SHA-1 hash (Subject Key Identifier)
    Requester Name (domain\user)
    UPN (user@domain)
  RecoveryBlobOutFile: output file containing a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates.
  OutputScriptFile: output file containing a batch script to retrieve and recover private keys.
  OutputFileBaseName: output file base name. For retrieve, any extension is truncated and a certificate-specific string and the .rec extension are appended for each key recovery blob. Each file contains a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates. For recover, any extension is truncated and the .p12 extension is appended. Contains the recovered certificate chains and associated private keys, stored as a PFX file.

Recover archived private key
  CertUtil [Options] -RecoverKey RecoveryBlobInFile [PFXOutFile [RecipientIndex]]
  Options: [-f] [-user] [-silent] [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider] [-t Timeout]

Merge PFX files
  CertUtil [Options] -MergePFX PFXInFileList PFXOutFile [ExtendedProperties]
  Options: [-f] [-user] [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider]
  PFXInFileList: Comma separated PFX input file list
  PFXOutFile: PFX output file
  ExtendedProperties: Include extended properties
  The password specified on the command line is a comma separated password list. If more than one password is specified, the last password is used for the output file. If only one password is provided or if the last password is "*", the user will be prompted for the output file password.

Convert PFX files to EPF file
  CertUtil [Options] -ConvertEPF PFXInFileList EPFOutFile [cast | cast-] [V3CACertId][,Salt]
  Options: [-f] [-split] [-p Password] [-csp Provider]
  PFXInFileList: Comma separated PFX input file list
  EPF: EPF output file
  cast: Use CAST 64 encryption
  cast-: Use CAST 64 encryption (export)
  V3CACertId: V3 CA Certificate match token. See -store CertId description.
  Salt: EPF output file salt string
  The password specified on the command line is a comma separated password list. If more than one password is specified, the last password is used for the output file. If only one password is provided or if the last password is "*", the user will be prompted for the output file password.
OPTIONS
These options must be entered on the command line before the main Verb.

  -nullsign                      Use hash of data as signature
  -f                             Force overwrite
  -enterprise                    Use local machine Enterprise registry certificate store
  -user                          Use HKEY_CURRENT_USER keys or certificate store
  -GroupPolicy                   Use Group Policy certificate store
  -ut                            Display user templates
  -mt                            Display machine templates
  -Unicode                       Write redirected output in Unicode
  -UnicodeText                   Write output file in Unicode
  -gmt                           Display times as GMT
  -seconds                       Display times with seconds and milliseconds
  -silent                        Use silent flag to acquire crypt context
  -split                         Split embedded ASN.1 elements, and save to files
  -v                             Verbose operation
  -privatekey                    Display password and private key data
  -pin PIN                       Smart Card PIN
  -urlfetch                      Retrieve and verify AIA Certs and CDP CRLs
  -config Machine\CAName         CA and computer name string
  -PolicyServer URLOrId          Policy Server URL or Id. For selection U/I, use -PolicyServer. For all Policy Servers, use -PolicyServer *
  -Anonymous                     Use anonymous SSL credentials
  -Kerberos                      Use Kerberos SSL credentials
  -ClientCertificate ClientCertId   Use X.509 Certificate SSL credentials. For selection U/I, use -clientCertificate.
  -UserName UserName             Use named account for SSL credentials. For selection U/I, use -UserName.
  -Cert CertId                   Signing certificate
  -dc DCName                     Target a specific Domain Controller
  -restrict RestrictionList      Comma separated Restriction List. Each restriction consists of a column name, a relational operator and a constant integer, string or date. One column name may be preceded by a plus or minus sign to indicate the sort order.
                                 Examples:
                                   "RequestId = 47"
                                   "+RequesterName >= a, RequesterName < b"
                                   "-RequesterName > DOMAIN, Disposition = 21"
  -out ColumnList                Comma separated Column List
  -p Password                    Password
  -ProtectTo SAMNameAndSIDList   Comma separated SAM Name/SID List
  -csp Provider                  Provider
  -t Timeout                     URL fetch timeout in milliseconds
  -symkeyalg SymmetricKeyAlgorithm[,KeyLength]   Name of Symmetric Key Algorithm with optional key length, example: AES,128 or 3DES
To use Certutil.exe on a Windows XP client, install the Windows Server 2003 Administration Tools Pack.
Bugs
There are a few small documentation bugs/inconsistencies between the command-line help (Certutil -?) and the various MSDN help pages.
- e.g. -encodehex is completely missing from the command-line help.
- The -decode option may not always restore spaces - see forum thread.
Certutil is sensitive to the order of command-line parameters.
Examples
View the configuration settings for the CA:
certutil -dump
certutil -getreg
certutil -getreg CA
Copy a certificate revocation list (CRL) to a file:
certutil -getcrl F:\ss64.crl
Purge local policy cache (Certificate Enrollment Policy Web Services):
certutil -f -policyserver * -policycache delete
View the content of the client computer’s Trusted Root Certification Authorities Enterprise certificate store:
certutil -enterprise -viewstore Root
Stop Certificate Services:
certutil -shutdown
Convert a hex-encoded file to a binary executable. This is primarily intended for converting X.509 certificates from a human-readable format (.asn) into a computer-readable format (.bin):
certutil -decodehex hex.dat ss64.exe
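The -decode bug noted above (spaces not always restored) is easy to miss because the decoded file still opens fine. The following PowerShell helper is an added example, not part of the SS64 page: it runs certutil -encode and certutil -decode on a file, then compares SHA-256 hashes of the original and the decoded copy so any byte-level change is caught. File names and the sample content are constructed for the example.

```powershell
# Added example: round-trip a file through certutil -encode / -decode and
# verify the decoded output is byte-identical to the original. Options such
# as -f must come before the verb, as the OPTIONS section above states.
function Test-CertutilRoundTrip {
    param(
        [Parameter(Mandatory)][string]$InputFile,
        [string]$WorkDir = $env:TEMP    # constructed default location
    )
    $b64  = Join-Path $WorkDir 'roundtrip.b64'   # Base64 intermediate
    $back = Join-Path $WorkDir 'roundtrip.bin'   # decoded copy

    # -f overwrites existing output files; $LASTEXITCODE is certutil's exit status.
    & certutil.exe -f -encode $InputFile $b64 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -encode failed (exit $LASTEXITCODE)" }
    & certutil.exe -f -decode $b64 $back | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -decode failed (exit $LASTEXITCODE)" }

    # Compare hashes rather than sizes or a visual check: a dropped space
    # leaves the file readable but changes its content.
    $orig = (Get-FileHash -Algorithm SHA256 -Path $InputFile).Hash
    $dec  = (Get-FileHash -Algorithm SHA256 -Path $back).Hash

    [pscustomobject]@{
        InputFile      = $InputFile
        Base64File     = $b64
        OriginalSHA256 = $orig
        DecodedSHA256  = $dec
        Identical      = ($orig -eq $dec)
    }
}

# Constructed sample input: text containing runs of spaces, the case the
# bug note concerns. Replace with any file you want to check.
$sample = Join-Path $env:TEMP 'roundtrip-sample.txt'
Set-Content -Path $sample -Value "alpha  beta   gamma`r`n" -NoNewline -Encoding ASCII
Test-CertutilRoundTrip -InputFile $sample | Format-List
```

Identical is $true when the round trip preserved every byte; $false means the decoded copy differs and should not be trusted as a faithful restore.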