For the basic command line syntax, run:
certutil -?
For the syntax to use the certutil command with a specific verb, run:
certutil <verb> -?
To send all certutil command syntax to a text file, run the following commands:
certutil -v -? > certutilhelp.txt
notepad certutilhelp.txt
The following table describes the symbols used in the command line syntax.
Text without brackets or braces: items you must enter as shown
<Text inside angle brackets>: placeholder for which you must supply a value
[Text inside square brackets]: optional items
{Text inside braces}: set of required items; choose one
Vertical bar (|): separator for mutually exclusive items; choose one
Ellipsis (...): items that may be repeated
CertUtil [Options] [-dump]
CertUtil [Options] [-dump] File
Dump configuration information or files.
[-f] [-silent] [-split] [-p Password] [-t Timeout]
CertUtil [Options] -asn File [type]
Parse an ASN.1 file.
type: numeric CRYPT_STRING_* decoding type
CertUtil [Options] -decodehex InFile OutFile [type]
type: numeric CRYPT_STRING_* encoding type
[-f]
CertUtil [Options] -decode InFile OutFile
Decode a Base64-encoded file.
[-f]
CertUtil [Options] -encode InFile OutFile
Encode a file to Base64.
[-f] [-UnicodeText]
CertUtil [Options] -deny RequestId
Deny a pending request.
[-config MachineCAName]
CertUtil [Options] -resubmit RequestId
Resubmit a pending request.
[-config MachineCAName]
CertUtil [Options] -setattributes RequestId AttributeString
Set attributes for a pending request.
RequestId: numeric Request ID of the pending request.
AttributeString: request attribute name and value pairs.
[-config MachineCAName]
CertUtil [Options] -setextension RequestId ExtensionName Flags {Long | Date | String | @InFile}
Set extension for pending request.
[-config MachineCAName]
CertUtil [Options] -revoke SerialNumber [Reason]
Revoke the certificate.
SerialNumber: comma-separated list of certificate serial numbers to revoke.
Reason: revocation reason, as a number or symbolic name.
[-config MachineCAName]
CertUtil [Options] -isvalid SerialNumber | CertHash
Display the current certificate disposition.
[-config MachineCAName]
CertUtil [Options] -getconfig
Get the default configuration string.
[-config MachineCAName]
CertUtil [Options] -ping [MaxSecondsToWait | CAMachineList]
Try to contact the Active Directory Certificate Services Request interface
CAMachineList - List of CA names separated by commas
[-config MachineCAName]
CertUtil [Options] -CAInfo [InfoName [Index | ErrorCode]]
Display CA information.
InfoName: indicates the CA property to display (see below). Use "*" for all properties.
Index: optional zero-based property index.
ErrorCode: numeric error code.
[-f] [-split] [-config MachineCAName]
InfoName argument:
CertUtil [Options] -ca.cert OutCACertFile [Index]
Retrieve CA certificate.
OutCACertFile: Output file.
Index: CA certificate renewal index (default is most recent).
[-f] [-split] [-config MachineCAName]
CertUtil [Options] -ca.chain OutCACertChainFile [Index]
Retrieve CA certificate chain.
OutCACertChainFile: Output file.
Index: CA certificate renewal index (default is most recent).
[-f] [-split] [-config MachineCAName]
CertUtil [Options] -GetCRL OutFile [Index] [delta]
Get CRL.
Index: CRL index or key index (default is the CRL for the most recent key).
delta: delta CRL (default is the base CRL).
[-f] [-split] [-config MachineCAName]
CertUtil [Options] -CRL [dd:hh | republish] [delta]
Publish new CRLs [or delta CRLs only].
dd:hh: new CRL validity period in days and hours.
republish: republish the most recent CRLs.
delta: delta CRLs only (default is base and delta CRLs).
[-split] [-config MachineCAName]
CertUtil [Options] -shutdown
Shut down Active Directory Certificate Services.
[-config MachineCAName]
CertUtil [Options] -installCert [CACertFile]
Install a Certification Authority (CA) certificate.
[-f] [-silent] [-config MachineCAName]
CertUtil [Options] -renewCert [ReuseKeys] [MachineParentCAName]
Renew CA certificate.
Use -f to skip the pending renewal request and create a new request.
[-f] [-silent] [-config MachineCAName]
CertUtil [Options] -schema [Ext | Attrib | CRL]
Dump the certificate schema. Defaults to the Request and Certificate table.
Ext: extension table.
Attrib: Attribute table.
CRL: CRL table.
[-split] [-config MachineCAName]
CertUtil [Options] -view [Queue | Log | LogFail | Revoked | Ext | Attrib | CRL] [csv]
Dump the certificate view.
Display the StatusCode column for all items:
-out StatusCode
Show all columns for the last entry:
-restrict "RequestId==$"
To display RequestId and Disposition for three requests:
-restrict "RequestId>=37,RequestId<40" -out "RequestId,Disposition"
To display the Row Id and CRL Number for all base CRLs:
-restrict "CRLMinBase=0" -out "CRLRowId,CRLNumber" CRL
To display Base CRL Number 3:
-v -restrict "CRLMinBase=0,CRLNumber=3" -out "CRLRawCRL" CRL
To display the entire CRL table:
[-silent] [-split] [-config MachineCAName] [-restrict RestrictionList] [-out ColumnList]
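An added example, not part of the certutil reference: a PowerShell script that uses the -view, -restrict, -out and csv syntax described above to pull issued certificates from a CA database and summarize enrollments against a watch list of templates. The CA config string, the starting RequestId and the template names are placeholders to replace for your own environment.

```powershell
# Added example (not from the certutil reference): audit issued certificates
# in the CA database with "certutil -view". Values below are placeholders.
$CAConfig       = 'CA01.example.local\Example Issuing CA'   # placeholder CA config string
$MinRequestId   = 1000                                      # constructed starting point
# CertificateTemplate holds the template name for v1 templates and the
# template OID for newer ones, so list whichever form your CA records.
$WatchTemplates = @('WebServer', '1.3.6.1.4.1.311.21.8.0.0.0.0.0.0.0.0.0')  # placeholders

function Get-IssuedCertificateRows {
    param([string]$Config, [int]$FromRequestId)

    # Disposition 20 = issued. The csv modifier prints one header row whose
    # titles are localized display names, so the header is skipped and fixed
    # property names are supplied to ConvertFrom-Csv instead.
    $restrict = "Disposition=20,RequestId>=$FromRequestId"
    $columns  = 'RequestId,RequesterName,CertificateTemplate,NotAfter'
    $raw = & certutil.exe -config $Config -view -restrict $restrict -out $columns csv
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -view failed with exit code $LASTEXITCODE"
    }
    $raw | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestId, RequesterName, Template, NotAfter
}

function Find-WatchedTemplateIssuance {
    param($Rows, [string[]]$Templates)
    # Issued certificates from a watched template, grouped by requester, so an
    # unexpected principal enrolling for a sensitive template stands out.
    $Rows | Where-Object { $Templates -contains $_.Template } |
        Group-Object RequesterName, Template |
        ForEach-Object {
            [pscustomobject]@{
                Requester  = $_.Group[0].RequesterName
                Template   = $_.Group[0].Template
                Count      = $_.Count
                RequestIds = ($_.Group.RequestId -join ',')
            }
        }
}

$rows = Get-IssuedCertificateRows -Config $CAConfig -FromRequestId $MinRequestId
Write-Host ("{0} issued certificates since request {1}" -f $rows.Count, $MinRequestId)
Find-WatchedTemplateIssuance -Rows $rows -Templates $WatchTemplates |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it with an account that can read the CA database; the same -restrict expression can be narrowed further with a NotAfter or RequesterName clause.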
CertUtil [Options] -db
Dump the raw database.
[-config MachineCAName] [-restrict RestrictionList] [-out ColumnList]
CertUtil [Options] -deleterow RowId | Date [Request | Cert | Ext | Attrib | CRL]
Delete a server database row.
To delete unsuccessful and pending requests submitted before January 22, 2001:
1/22/2001 Request
To delete all certificates that expire before January 22, 2001:
1/22/2001 Cert
To delete certificate rows, attributes, and extensions for RequestId 37:
37
To delete the CRL that expired on January 22, 2001:
1/22/2001 CRL
[-f] [-config MachineCAName]
CertUtil [Options] -backup BackupDirectory [Incremental] [KeepLog]
Backup Active Directory Certificate Services.
[-f] [-config MachineCAName] [-p Password]
CertUtil [Options] -backupDB BackupDirectory [Incremental] [KeepLog]
Back up the Active Directory Certificate Services database.
[-f] [-config MachineCAName]
CertUtil [Options] -backupKey BackupDirectory
Back up the certificate and private key of Active Directory Certificate Services.
BackupDirectory: directory to hold the backed-up PFX file.
[-f] [-config MachineCAName] [-p Password] [-t Timeout]
CertUtil [Options] -restore BackupDirectory
Restore Active Directory Certificate Services.
BackupDirectory: directory containing the data to restore.
[-f] [-config MachineCAName] [-p Password]
CertUtil [Options] -restoreDB BackupDirectory
Restore the Active Directory Certificate Services database.
BackupDirectory: directory containing the database files to restore.
[-f] [-config MachineCAName]
CertUtil [Options] -restoreKey BackupDirectory | PFXFile
Restore the certificate and private key of Active Directory Certificate Services.
[-f] [-config MachineCAName] [-p Password]
CertUtil [Options] -importPFX [CertificateStoreName] PFXFile [Modifiers]
Import a certificate and private key.
CertificateStoreName: certificate store name. See -store.
PFXFile: PFX file to import.
Modifiers: comma-separated list of one or more of the following:
Defaults to the personal machine store.
[-f] [-user] [-p Password] [-csp Provider]
CertUtil [Options] -dynamicfilelist
Show dynamic file list.
[-config MachineCAName]
CertUtil [Options] -databaselocations
Display database location.
[-config MachineCAName]
CertUtil [Options] -hashfile InFile [HashAlgorithm]
Generate and display a cryptographic hash of a file.
CertUtil [Options] -store [CertificateStoreName [CertId [OutputFile]]]
Certificate store dump.
CertificateStoreName: Certificate store name. For example:
CertId: certificate or CRL match token. This can be a serial number, a SHA-1 certificate, CRL, CTL or public key hash, a numeric certificate index (0, 1, etc.), a numeric CRL index (.0, .1, etc.), a numeric CTL index (..0, ..1, etc.), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail address, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or Application Policies ObjectId, or a CRL issuer Common Name. Many of these may result in multiple matches.
OutputFile: file to save the matching certificate.
For example:
[-f] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName]
CertUtil [Options] -addstore CertificateStoreName InFile
Add a certificate to the store.
[-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]
CertUtil [Options] -delstore CertificateStoreName CertId
Delete a certificate from the store.
[-enterprise] [-user] [-GroupPolicy] [-dc DCName]
CertUtil [Options] -verifystore CertificateStoreName [CertId]
Verify a certificate in the store.
[-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName] [-t Timeout]
CertUtil [Options] -repairstore CertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor]
Repair the key association or update certificate properties or the key security descriptor.
PropertyInfFile format:
    [Properties]
    19 = Empty ; Add archived property, OR:
    19 =       ; Remove archived property

    11 = "{text}Friendly Name" ; Add friendly name property

    127 = "{hex}" ; Add custom hexadecimal property
        _continue_ = "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
        _continue_ = "10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f"

    2 = "{text}" ; Add Key Provider Information property
        _continue_ = "Container=Container Name&"
        _continue_ = "Provider=Microsoft Strong Cryptographic Provider&"
        _continue_ = "ProviderType=1&"
        _continue_ = "Flags=0&"
        _continue_ = "KeySpec=2"

    9 = "{text}" ; Add Enhanced Key Usage property
        _continue_ = "1.3.6.1.5.5.7.3.2,"
        _continue_ = "1.3.6.1.5.5.7.3.1,"
[-f] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-csp Provider]
CertUtil [Options] -viewstore [CertificateStoreName [CertId [OutputFile]]]
Certificate store dump.
CertificateStoreName: Certificate store name. For example:
CertId: certificate or CRL match token. This can be a serial number, a SHA-1 certificate, CRL, CTL or public key hash, a numeric certificate index (0, 1, etc.), a numeric CRL index (.0, .1, etc.), a numeric CTL index (..0, ..1, etc.), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail address, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or Application Policies ObjectId, or a CRL issuer Common Name. Many of these may result in multiple matches.
OutputFile: file to save the matching certificate.
For example:
[-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]
CertUtil [Options] -viewdelstore [CertificateStoreName [CertId [OutputFile]]]
Delete a certificate from the store.
CertificateStoreName: Certificate store name. For example:
CertId: certificate or CRL match token. This can be a serial number, a SHA-1 certificate, CRL, CTL or public key hash, a numeric certificate index (0, 1, etc.), a numeric CRL index (.0, .1, etc.), a numeric CTL index (..0, ..1, etc.), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail address, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or Application Policies ObjectId, or a CRL issuer Common Name. Many of these may result in multiple matches.
OutputFile: file to save the matching certificate.
For example:
[-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]
CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]]
Publish a certificate or CRL to Active Directory.
Use -f to create the DS object.
[-f] [-user] [-dc DCName]
CertUtil [Options] -ADTemplate [Template]
Display AD templates.
[-f] [-user] [-ut] [-mt] [-dc DCName]
CertUtil [Options] -Template [Template]
Display the Enrollment Policy templates.
[-f] [-user] [-silent] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
CertUtil [Options] -TemplateCAs Template
Display the CA for the template.
[-f] [-user] [-dc DCName]
CertUtil [Options] -CATemplates [Template]
Display template for CA.
[-f] [-user] [-ut] [-mt] [-config MachineCAName] [-dc DCName]
CertUtil [Options] -SetCASites [set] [SiteName]
CertUtil [Options] -SetCASites verify [SiteName]
CertUtil [Options] -SetCASites delete
Set, verify, or delete CA site names.
[-f] [-config MachineCAName] [-dc DCName]
CertUtil [Options] -enrollmentServerURL [URL AuthenticationType [Priority] [Modifiers]]
CertUtil [Options] -enrollmentServerURL URL delete
Display, add, or delete enrollment server URLs associated with a CA.
AuthenticationType: specifies one of the following client authentication methods when adding a URL:
delete: delete the specified URL associated with the CA.
Priority: defaults to '1' if not specified when adding a URL.
Modifiers: comma-separated list of one or more of the following:
[-config MachineCAName] [-dc DCName]
CertUtil [Options] -ADCA [CAName]
Display AD CAs.
[-f] [-split] [-dc DCName]
CertUtil [Options] -CA [CAName | TemplateName]
Display the CA Enrollment Policy.
[-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
Display Enrollment Policy.
[-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
CertUtil [Options] -PolicyCache [delete]
Display or delete the Enrollment Policy Cache entry.
[-f] [-user] [-PolicyServer URLOrId]
CertUtil [Options] -CredStore [URL]
CertUtil [Options] -CredStore URL add
CertUtil [Options] -CredStore URL delete
Display, add, or delete Credential Store entries.
[-f] [-user] [-silent] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
CertUtil [Options] -InstallDefaultTemplates
Install the default certificate templates.
[-dc DCName]
CertUtil [Options] -URLCache [URL | CRL | * [delete]]
Display or delete URL cache entry.
[-f] [-split]
CertUtil [Options] -pulse
Pulse auto-enrollment events.
[-user]
CertUtil [Options] -MachineInfo DomainName\MachineName$
Displays Active Directory computer object information.
CertUtil [Options] -DCInfo [Domain] [Verify | DeleteBad | DeleteAll]
Displays domain controller information.
The default is to display DC certificates without verification.
[-f] [-user] [-urlfetch] [-dc DCName] [-t Timeout]
Tips:
The ability to specify an Active Directory Domain Services (AD DS) domain [Domain] and a domain controller (-dc) was added in Windows Server 2012. To successfully run the command, you must use an account that is a member of Domain Admins or Enterprise Admins. The behavior changes of this command are as follows:
For example, suppose there is a domain named CPANDL with the domain controller as CPANDL-DC1. You can run the following command to retrieve a list of domain controllers and their certificates from CPANDL-DC1:
certutil -dc cpandl-dc1 -dcinfo cpandl
CertUtil [Options] -EntInfo DomainName\MachineName$
[-f] [-user]
CertUtil [Options] -TCAInfo [DomainDN | -]
Display CA information.
[-f] [-enterprise] [-user] [-urlfetch] [-dc DCName] [-t Timeout]
CertUtil [Options] -SCInfo [ReaderName [CRYPT_DELETEKEYSET]]
Display smart card information.
CRYPT_DELETEKEYSET: Delete all keys on the smart card.
[-silent] [-split] [-urlfetch] [-t Timeout]
CertUtil [Options] -SCRoots update [+][InputRootFile] [ReaderName]
CertUtil [Options] -SCRoots save @OutputRootFile [ReaderName]
CertUtil [Options] -SCRoots view [InputRootFile | ReaderName]
CertUtil [Options] -SCRoots delete [ReaderName]
Manage smart card root certificates.
[-f] [-split] [-p Password]
CertUtil [Options] -verifykeys [KeyContainerName CACertFile]
Verify a public/private key set.
If no arguments are specified, each signing CA certificate is verified against its private key.
This operation can only be performed against a local CA or local keys.
[-f] [-user] [-silent] [-config MachineCAName]
CertUtil [Options] -verify CertFile [ApplicationPolicyList | - [IssuancePolicyList]]
CertUtil [Options] -verify CertFile [CACertFile [CrossedCACertFile]]
CertUtil [Options] -verify CRLFile CACertFile [IssuedCertFile]
CertUtil [Options] -verify CRLFile CACertFile [DeltaCRLFile]
Verify a certificate, CRL, or chain.
If ApplicationPolicyList is specified, chain building is restricted to chains valid for the specified Application Policies.
If IssuancePolicyList is specified, chain building is restricted to chains valid for the specified Issuance Policies.
If CACertFile is specified, the fields in CACertFile are verified against CertFile or CRLFile.
If CACertFile is not specified, CertFile is used to build and verify a full chain.
If CACertFile and CrossedCACertFile are both specified, the fields in CACertFile and CrossedCACertFile are verified against CertFile.
If IssuedCertFile is specified, the fields in IssuedCertFile are verified against CRLFile.
If DeltaCRLFile is specified, the fields in DeltaCRLFile are verified against CRLFile.
[-f] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout]
CertUtil [Options] -verifyCTL CTLObject [CertDir] [CertFile]
Verify the AuthRoot or Disallowed Certificates CTL.
CTLObject: identifies the CTL to verify:
CertDir: directory containing the certificates matching the CTL entries. An http folder path must end with a path separator. If a directory is not specified with AuthRoot or Disallowed, multiple locations are searched for matching certificates: