The certutil command in Windows

When the certutil command is run by a CA without additional parameters, it displays the current CA configuration. When the certutil command is run on an unassigned CA, the default command to run is certutil -ump.

Certutil.exe is a command line program installed as part of Certificate Services. You can use Certutil.exe to export and display CA configuration information, Certificate Services configuration, backup and restore CA components, verify certificates, key pairs, and certificate chains.

When the certutil command is run by a CA without additional parameters, it displays the current CA configuration. When the certutil command is run on an unassigned CA, the default command to run is certutil -ump.

Warning

Previous versions of the certutil command may not provide all the options described in this document. You can see all the options that a specific version of the certutil command provide by running the commands shown in the " Syntax Notation " section.

The certutil command in Windows

  1. The verb comes with the certutil command
  2. Syntax characters
    1. -dump
    2. -asn
    3. -decodehex
    4. -decode
    5. -encode
    6. -deny
    7. -resubmit
    8. -setattributes
    9. -setextension
    10. -revoke
    11. -isvalid
    12. -getconfig
    13. -ping
    14. -CAInfo
    15. -ca.cert
    16. -ca.chain
    17. -GetCRL
    18. -CRL
    19. -shutdown
    20. -installCert
    21. -renewCert
    22. -schema
    23. -view
    24. -db
    25. -deleterow
    26. -backup
    27. -backupDB
    28. -backupKey
    29. -restore
    30. -restoreDB
    31. -restoreKey
    32. -importPFX
    33. -dynamicfilelist
    34. -databaselocations
    35. -hashfile
    36. -store
    37. -addstore
    38. -delstore
    39. -verifystore
    40. -repairstore
    41. -viewstore
    42. -viewdelstore
    43. -dsPublish
    44. -ADTemplate
    45. -Template
    46. -TemplateCAs
    47. -CATemplates
    48. -SetCASites
    49. -enrollmentServerURL
    50. -ADCA
    51. -CA
    52. -Policy
    53. -PolicyCache
    54. -CredStore
    55. -InstallDefaultTemplates
    56. -URLCache
    57. -pulse
    58. -MachineInfo
    59. -DCInfo
    60. -EntInfo
    61. -TCAInfo
    62. -SCInfo
    63. -SCRoots
    64. -verifykeys
    65. -verify
    66. -verifyCTL
    67. -sign
    68. -vroot
    69. -vocsproot
    70. -addEnrollmentServer
    71. -deleteEnrollmentServer
    72. -addPolicyServer
    73. -deletePolicyServer
    74. -oid
    75. -error
    76. -getreg
    77. -setreg
    78. -delreg
    79. -ImportKMS
    80. -ImportCert
    81. -GetKey
    82. -RecoverKey
    83. -MergePFX
    84. -ConvertEPF
  3. Option

The verb comes with the certutil command

The following table describes the verbs that can be used with the certutil command.

-dump File or configuration information
-asn Parsing the file ASN.1
-decodehex file parsing Decrypt the hexadecimal file
-decode Decrypt Base64 encoded file
-encode Encrypt a file into Base64
-deny Reject pending certificate request
-resubmit Resend pending certificate request
-setattributes Set properties for pending certificate request
-setextension Set extension for certificate request pending
-revoke Revoke certificate
-isvalid certificate revocation Displays the layout of the current certificate
-getconfig Get the default configuration string
-ping Try to contact the Active Directory Certificate Services Request
-pingadmin interface Try to contact Active Directory Certificate Services Admin
-CAInfo interface Displays information about the
-ca.cert Tru certification body y export the certificate to the
-ca.chain certification authority Retrieve the certificate chain for the certification authority
-GetCRL Get the certificate revocation list (CRL)
-CRL Export the new certificate revocation list ( CRL) [or only CRL delta]
-shutdown Turn off Active Directory Certificate Services
-installCert CA certificate installation
-renewCert CA
-schema certificate extension Schema output for
-view certificate Export mode view
-db certificate Export a raw database
-deleterow Delete a row from the backup server database Back up Active Directory Certificate Services
-backupDB Back up Active Directory Certificate Services database
-backupKey Back up certificates and private key for Active Directory Certificate Services
-restore Restore Active Directory Certificate Services
-restoreDB Restore Active Directory Certificate Service database s
-restoreKey Recover certificate and private key for Active Directory Certificate Services
-importPFX Import certificate and private key
-dynamicfilelist Show dynamic file list
-databaselocations Display database location
-hashfile Create and display password hash on
-store file Export
-addstore certificate store Add certificate to the repository
-delstore Delete certificate from the repository
-verifystore Verify certificate in the repository
-repairstore Fix a key link or update the certificate or important security descriptor
-viewstore Export the
-viewdelstore certificate store Delete a certificate from the
-dsPublish archive Export a certificate or certificate revocation list (CRL) to Active Directory
-ADTemplate Display The AD
-Template template displays the template for the
-TemplateCAs Display certificate security certificate (CA) for a
-CATemplates certificate template Show templates for CA
-SetCASites Manage site names for CAs
-enrollmentServerURL Display, add or delete registration server URLs associated with CA
-ADCA Show AD CA
-CA Display registration policy CA
-Policy Show registration policy
-PolicyCache Display or delete Enrollment Policy Cache entries
-CredStore Display, add or delete entries Credential Store
-InstallDefaultTemplates Set set default certificate templates
-URLCache Display or delete cache entry URL
-pulse Generate impulse for automatic registration events
-MachineInfo Show information about Active Directory machine objects
-DCInfo Show information about domain controller
-EntInfo Displays information about the enterprise CA
-TCAInfo Displays information about the CA
-SCInfo Show Display information about smart card
-SCRoots Manage root certificates for smart cards
-verifykeys Verify a public or private key
-verify set Verify certificate, certificate revocation list (CRL) or certificate string
-verifyCTL Verify demonstrate AuthRoot or certificate not allowed CTL
-sign Register the certificate revocation list (CRL) or
-vroot certificate Create or delete the virtual root and file share on the web
-vocsproot Create or delete the virtual root on web for a web proxy OCSP
-addEnrollmentServer Add an Enrollment Server
-deleteEnrollmentServer application Delete an Enrollment application Server
-addPolicyServer Add a Policy Server application
-deletePolicyServer Delete an application Policy
-oid server Display object identifier or naming
-error display Displays the text message that is associated with the error code
-get error code reg Displays the
-setreg registry value Set the registration value
-delreg Delete the registry value
-ImportKMS Enter the user key and certificate into the server database to store the key
-ImportCert Enter the certificate file into the base data
-GetKey Access blob to restore private key stored
-RecoverKey Recover private key stored -MergePFX Merge PFX files
-ConvertEPF Convert PFX file to EPF file
-? Show list of verbs
- -? Show help for specified verbs
-? -v Display the full list of verbs

Syntax characters

For the basic command line syntax, run:

 certutil -? 

For the syntax to use the certutil command with a specific verb, run:

 certutil -? 

To send all certutil command syntax to a text file, run the following commands:

 certutil -v -? > certutilhelp.txt 
 notepad certutilhelp.txt 

The following table describes the symbol used to indicate the command line syntax.

Text without curly braces or brackets : The items you must enter as shown
Text inside curly bracesPlaceholder for which you must provide value
[Text inside square brackets]Optional items
{Text inside brackets} : Choose one of the required fields
Vertical bar (|) Separator for mutually exclusive items (choose one of the items)
Ellipsis (...) The items may be repeated


-dump

 CertUtil [Options] [-dump] CertUtil [Options] [-dump] File 

File output or configuration information:

 [-f] [-silent] [-split] [-p Password] [-t Timeout] 

-asn

 CertUtil [Options] -asn File [type] 

ASN file parsing.1

 type: numeric CRYPT_STRING_* decoding type 

-decodehex

 CertUtil [Options] -decodehex InFile OutFile [type] type: numeric CRYPT_STRING_* encoding type [-f] 

-decode

 CertUtil [Options] -decode InFile OutFile 

Decode Base64 encoded file:

 [-f] 

-encode

 CertUtil [Options] -encode InFile OutFile 

Encrypt file to Base64:

 [-f] [-UnicodeText] 

-deny

 CertUtil [Options] -deny RequestId 

Reject request pending:

 [-config MachineCAName] 

-resubmit

 CertUtil [Options] -resubmit RequestId 

Resend request pending:

 [-config MachineCAName] 

-setattributes

 CertUtil [Options] -setattributes RequestId AttributeString 

Set properties for pending requests.

RequestId - Number of Request Id of the pending request

AttributeString - Request Attribute name and value pair

  1. Names and values ​​are separated by colons.
  2. Multiple name and value pairs are separated by separate lines.
  3. For example: "CertificateTemplate: UsernEMail: User@Domain.com"
  4. Each "n" string is converted to a new line separator.
 [-config MachineCAName] 

-setextension

 CertUtil [Options] -setextension RequestId ExtensionName Flags {Long | Date | String | @InFile} 

Set extension for pending request.

  1. RequestId - Number of Request Id of the pending request
  2. ExtensionName - The ObjectId string of the extension
  3. Flags - 0 is the recommended number, 1 is the important extension, 2 disables it, 3 does both tasks.
  4. If the last parameter is numeric, it is called a Long.
  5. If it can be parsed as a date, it is called a Date.
  6. If it starts with ' @ ', the rest of the token is the file name that contains binary data or ascii-text hex output.
  7. Anything else is called a String.
 [-config MachineCAName] 

-revoke

 CertUtil [Options] -revoke SerialNumber [Reason] 

Revoke the certificate.

SerialNumber: A list of certificate serial numbers separated by commas for revocation.

Reason: Reason for withdrawal by number or symbol.

  1. 0: CRL_REASON_UNSPECIFIED: Unknown (default)
  2. 1: CRL_REASON_KEY_COMPROMISE: Key compromise
  3. 2: CRL_REASON_CA_COMPROMISE: CA Compromise
  4. 3: CRL_REASON_AFFILIATION_CHANGED: The link has been changed
  5. 4: CRL_REASON_SUPERSEDED: Replaced
  6. 5: CRL_REASON_CESSATION_OF_OPERATION: Stop working
  7. 6: CRL_REASON_CERTIFICATE_HOLD: Hold the certificate
  8. 8: CRL_REASON_REMOVE_FROM_CRL: Delete from the CRL
  9. -1: Unrevoke: No revocation
 [-config MachineCAName] 

-isvalid

 CertUtil [Options] -isvalid SerialNumber | CertHash 

Show current certificate layout.

 [-config MachineCAName] 

-getconfig

 CertUtil [Options] -getconfig 

Get the default configuration string.

 [-config MachineCAName] 

-ping

 CertUtil [Options] -ping [MaxSecondsToWait | CAMachineList] 

Try to contact the Active Directory Certificate Services Request interface

CAMachineList - List of CA names separated by commas

  1. If there is only one machine, use commas to end.
  2. Displays website costs for each CA machine.
 [-config MachineCAName] 

-CAInfo

 CertUtil [Options] -CAInfo [InfoName [Index | ErrorCode]] 

Display CA information.

InfoName - Indicates the CA attribute to display (see below). Use " * " for all properties.

Index - Attribute index not based on options.

ErrorCode - Number of error code

 [-f] [-split] [-config MachineCAName] 

Argument argument InfoName:

  1. file: File version
  2. product: Product version
  3. exitcount: Exit the module counting task
  4. exit [Index]: Exit module description
  5. policy: Description of the policy module
  6. name: CA name
  7. sanitizedname: Abbreviated name for CA
  8. dsname: Abbreviated name for CA (DS name)
  9. sharedfolder: Shared folder
  10. Error1 ErrorCode: Text error message
  11. error2 ErrorCode: Error code and error message text
  12. type: CA type
  13. info: CA information
  14. parent: original CA
  15. certcount: CA certificate number
  16. xchgcount: Number of CA exchanges
  17. kracount: Number of KRA certificates
  18. kraused: Number of KRA certificates used
  19. propidmax: CA PropId maximum
  20. certstate [Index]: CA certificate
  21. certversion [Index]: CA certificate version
  22. certstatuscode [Index]: CA certificate verification status
  23. crlstate [Index]: CRL
  24. krastate [Index]: KRA certificate
  25. crossstate + [Index]: Certificate of crossover
  26. crossstate- [Index]: Certificate of reverse crossover
  27. cert [Index]: CA certificate
  28. certchain [Index]: CA certificate chain
  29. certcrlchain [Index]: String CA certificate with CRLs
  30. xchg [Index]: CA exchange certificate
  31. xchgchain [Index]: The CA exchange certificate chain
  32. xchgcrlchain [Index]: The certificate chain exchanges CA with CRLs
  33. kra [Index]: KRA certificate
  34. cross + [Index]: Certificate of crossover
  35. cross- [Index]: Certificate of reverse crossover
  36. CRL [Index]: Base CRL
  37. deltacrl [Index]: CRL delta
  38. crlstatus [Index]: CRL export status
  39. deltacrlstatus [Index]: Status of exporting CRL delta
  40. dns: DNS name
  41. role: Role separation
  42. ads: Advanced server
  43. templates: Template
  44. ocsp [Index]: OCSP URLs
  45. aia [Index]: AIA URLs
  46. cdp [Index]: CDP URLs
  47. localename: Local CA name
  48. subjecttemplateoids: The OID template theme

-ca.cert

 CertUtil [Options] -ca.cert OutCACertFile [Index] 

Retrieve CA certificate.

OutCACertFile: Output file.

Index: CA certificate renewal index (default is most recent).

 [-f] [-split] [-config MachineCAName] 

-ca.chain

 CertUtil [Options] -ca.chain OutCACertChainFile [Index] 

Retrieve CA certificate chain.

OutCACertChainFile: Output file.

Index: CA certificate renewal index (default is most recent).

 [-f] [-split] [-config MachineCAName] 

-GetCRL

 CertUtil [Options] -GetCRL OutFile [Index] [delta] 

Get CRL.

Index: CRL index or main index (default is the CRL for the latest key).

delta: CRL delta (default is the basic CRL).

 [-f] [-split] [-config MachineCAName] 

-CRL

 CertUtil [Options] -CRL [dd:hh | republish] [delta] 

Export new CRL [or CRL delta only].

dd: hh - new validity period for CRL by date and time.

republish - republish the most recent CRL.

delta - only CRL delta (default is base CRL and delta).

 [-split] [-config MachineCAName] 

-shutdown

 CertUtil [Options] -shutdown 

Turn off Active Directory Certificate Services.

 [-config MachineCAName] 

-installCert

 CertUtil [Options] -installCert [CACertFile] 

Install a Certification Authority (CA) certificate.

 [-f] [-silent] [-config MachineCAName] 

-renewCert

 CertUtil [Options] -renewCert [ReuseKeys] [MachineParentCAName] 

Renew CA certificate.

Use -f to skip the pending renewal request and create a new request.

 [-f] [-silent] [-config MachineCAName] 

-schema

 CertUtil [Options] -schema [Ext | Attrib | CRL] 

Export Certificate Schema. Default to request and certificate table.

Ext: Expanded table.

Attrib: Attribute table.

CRL: CRL table.

 [-split] [-config MachineCAName] 

-view

 CertUtil [Options] -view [Queue | Log | LogFail | Revoked | Ext | Attrib | CRL] [csv] 

Export Certificate View

  1. Queue: The requested queue
  2. Log: Certificate issued or revoked, plus unsuccessful request
  3. LogFail: Request failed
  4. Revoked: Certificate revoked
  5. Ext: Expanded table
  6. Attrib: Attribute table
  7. CRL: CRL table
  8. csv: Output as a value separated by commas

Display the StatusCode column for all items:

 -out StatusCode 

Show all columns for the last entry:

 -restrict "RequestId==$" 

To display RequestId and Disposition for three requests:

 -restrict "RequestId>=37,RequestId<40" -out "RequestId,Disposition" 

To display the Row Id and CRL Number for all base CRLs:

 -restrict "CRLMinBase=0" -out "CRLRowId,CRLNumber" CRL 

To display Base CRL Number 3:

 -v -restrict "CRLMinBase=0,CRLNumber=3" -out "CRLRawCRL" CRL 

To display the entire CRL table:

  1. Use "Date [+ | -dd: hh]" for date limits.
  2. Use "now + dd: hh" for a day related to the current time.
 [-silent] [-split] [-config MachineCAName] [-restrict RestrictionList] [-out ColumnList] 

-db

 CertUtil [Options] -db 

Rendering raw database.

 [-config MachineCAName] [-restrict RestrictionList] [-out ColumnList] 

-deleterow

 CertUtil [Options] -deleterow RowId | Date [Request | Cert | Ext | Attrib | CRL] 

Delete the server database row.

  1. Request: Request failed and pending (submission date)
  2. Cert: Certificate expired and revoked (expiration date)
  3. Ext: Expanded table
  4. Attrib: Attribute table
  5. CRL: CRL table (expiration date)

To delete unsuccessful and pending requests submitted before January 22, 2001:

 1/22/2001 Request 

To delete all certificates that expire before January 22, 2001:

 1/22/2001 Cert 

To delete certificate rows, attributes, and extensions for RequestId 37:

 37 

To delete the CRL that expired on January 22, 2001:

 1/22/2001 CRL 
 [-f] [-config MachineCAName] 

-backup

 CertUtil [Options] -backup BackupDirectory [Incremental] [KeepLog] 

Backup Active Directory Certificate Services.

  1. BackupDirectory: Folder to store backed up data
  2. Incremental: Only perform incremental backups (default is full backup)
  3. KeepLog: Retain database log files (by default, cut log files)
 [-f] [-config MachineCAName] [-p Password] 

-backupDB

 CertUtil [Options] -backupDB BackupDirectory [Incremental] [KeepLog] 

Back up the Active Directory Certificate Services database.

  1. BackupDirectory: Folder to store backed up database files
  2. Incremental: Only perform incremental backups (default is full backup)
  3. KeepLog: Retain database log files (by default, cut log files
 [-f] [-config MachineCAName] 

-backupKey

 CertUtil [Options] -backupKey BackupDirectory 

Back up the certificate and private key of Active Directory Certificate Services.

BackupDirectory: A directory for storing PFX files backed up.

 [-f] [-config MachineCAName] [-p Password] [-t Timeout] 

-restore

 CertUtil [Options] -restore BackupDirectory 

Restore Active Directory Certificate Services.

BackupDirectory: The directory containing the restored data

 [-f] [-config MachineCAName] [-p Password] 

-restoreDB

 CertUtil [Options] -restoreDB BackupDirectory 

Restore Active Directory Certificate Services database.

BackupDirectory: The directory containing the restored database files.

 [-f] [-config MachineCAName] 

-restoreKey

 CertUtil [Options] -restoreKey BackupDirectory | PFXFile 

Restore the certificate and private key of Active Directory Certificate Services.

  1. BackupDirectory: The directory containing the PFX file is restored
  2. PFXFile: File PFX is restored
 [-f] [-config MachineCAName] [-p Password] 

-importPFX

 CertUtil [Options] -importPFX [CertificateStoreName] PFXFile [Modifiers] 

Enter the certificate and private key.

CertificateStoreName: Certificate store name. See -store.

PFXFile: PFX file to import

Modifiers: Comma separated list of one or more of the following:

  1. AT_SIGNATURE: Change KeySpec to Signature
  2. AT_KEYEXCHANGE: Change KeySpec to Key Exchange
  3. NoExport: Setting private key tahfnh cannot export
  4. NoCert: Do not enter a certificate
  5. NoChain: Do not enter the certificate chain
  6. NoRoot: Do not enter the original certificate
  7. Protect: Protect the keys with a password
  8. NoProtect: Do not protect keys with a password

The default is stored on personal computers.

 [-f] [-user] [-p Password] [-csp Provider] 

-dynamicfilelist

 CertUtil [Options] -dynamicfilelist 

Show dynamic file list.

 [-config MachineCAName] 

-databaselocations

 CertUtil [Options] -databaselocations 

Display database location.

 [-config MachineCAName] 

-hashfile

 CertUtil [Options] -hashfile InFile [HashAlgorithm] 

Create and display the hash hash on a file.

-store

 CertUtil [Options] -store [CertificateStoreName [CertId [OutputFile]]] 

Certificate store dump.

CertificateStoreName: Certificate store name. For example:

  1. "My", "CA" (default), "Root",
  2. "ldap: /// CN = Certification Authorities, CN = Public Key Services, CN = Services, CN = Configuration, DC = cpandl, DC = com? cACertificate? one? objectClass = certificationAuthority" (See original certificate)
  3. "ldap: /// CN = CAName, CN = Certification Authorities, CN = Public Key Services, CN = Services, CN = Configuration, DC = cpandl, DC = com? cACertificate? base? objectClass = certificationAuthority" (Change certificate origin)
  4. "ldap: /// CN = CAName, CN = MachineName, CN = CDP, CN = Public Key Services, CN = Services, CN = Configuration, DC = cpandl, DC = com? certificateRevocationList? base? objectClass = cRLDistributionPoint" (See CRLs)
  5. "ldap: /// CN = NTAuthCertificates, CN = Public Key Services, CN = Services, CN = Configuration, DC = cpandl, DC = com? cACertificate? base? objectClass = certificationAuthority" (Business CA certificate)
  6. ldap: (AD computer object certificate)
  7. -user ldap: (AD user object certificate)

CertId: Token is in accordance with CRL or certificate. This can be serial number, certificate of SHA-1, CRL, CTL or hash public key, numerical index of certificate (0, 1, etc.), numeric CRL index (.0,. 1, etc. .), index number CTL (.0, .1, etc.), public key, signature or extension ObjectId, commonly used names of certificate topics, email addresses, UPN or DNS name, key container name or CSP name, template name or ObjectId, EKU or ObjectId application policies, or a company name issuing CRL. There are cases where there will be more than one match.

OutputFile: File to save the certificate accordingly

  1. Use -user to access user archives instead of machine archives.
  2. Use -enterprise to access enterprise storage.
  3. Use -service to access the machine service repository.
  4. Use -grouppolicy to access the machine group policy repository.

For example:

  1. -enterprise NTAuth
  2. -enterprise Root 37
  3. -user My 26e0aaaf000000000004
  4. CA .11
 [-f] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName] 

-addstore

 CertUtil [Options] -addstore CertificateStoreName InFile 

Add a certificate to the repository.

  1. CertificateStoreName: Certificate store name. See -store.
  2. InFile: Certificate or CRL file to add to the repository.
 [-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName] 

-delstore

 CertUtil [Options] -delstore CertificateStoreName CertId 

Delete certificate from archive.

  1. CertificateStoreName: Certificate store name. See -store.
  2. CertId: Token is in accordance with CRL or certificate. See -store .
 [-enterprise] [-user] [-GroupPolicy] [-dc DCName] 

-verifystore

 CertUtil [Options] -verifystore CertificateStoreName [CertId] 

Verify the certificate in the archive.

  1. CertificateStoreName: Certificate store name. See -store.
  2. CertId: Token is in accordance with CRL or certificate. See -store .
 [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName] [-t Timeout] 

-repairstore

 CertUtil [Options] -repairstore CertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor] 

Fix a key link or update important certificate attributes or security descriptors.

  1. CertificateStoreName: Certificate store name. See -store.
  2. CertIdList: List of tokens in accordance with CRL or certificate, separated by commas. See -store CertId description.
  3. PropertyInfFile: INF file contains external properties:
 [Properties] 19 = Empty ; Add archived property, OR: 19 = ; Remove archived property 11 = "{text}Friendly Name" ; Add friendly name property 127 = "{hex}" ; Add custom hexadecimal property _continue_ = "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f" _continue_ = "10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f" 2 = "{text}" ; Add Key Provider Information property _continue_ = "Container=Container Name&" _continue_ = "Provider=Microsoft Strong Cryptographic Provider&" _continue_ = "ProviderType=1&" _continue_ = "Flags=0&" _continue_ = "KeySpec=2" 9 = "{text}" ; Add Enhanced Key Usage property _continue_ = "1.3.6.1.5.5.7.3.2," _continue_ = "1.3.6.1.5.5.7.3.1," 
 [-f] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-csp Provider] 

-viewstore

 CertUtil [Options] -viewstore [CertificateStoreName [CertId [OutputFile]]] 

Certificate store dump.

CertificateStoreName: Certificate store name. For example:

  1. "My", "CA" (default), "Root",
  2. "ldap: /// CN = Certification Authorities, CN = Public Key Services, CN = Services, CN = Configuration, DC = cpandl, DC = com? cACertificate? one? objectClass = certificationAuthority" (See original certificate)
  3. "ldap: /// CN = CAName, CN = Certification Authorities, CN = Public Key Services, CN = Services, CN = Configuration, DC = cpandl, DC = com? cACertificate? base? objectClass = certificationAuthority" (Change certificate origin)
  4. "ldap: /// CN = CAName, CN = MachineName, CN = CDP, CN = Public Key Services, CN = Services, CN = Configuration, DC = cpandl, DC = com? certificateRevocationList? base? objectClass = cRLDistributionPoint" (See CRLs)
  5. "ldap: /// CN = NTAuthCertificates, CN = Public Key Services, CN = Services, CN = Configuration, DC = cpandl, DC = com? cACertificate? base? objectClass = certificationAuthority" (Business CA certificate)
  6. ldap: (AD machine object certificate)
  7. -user ldap: (AD user object certificate)

CertId: Token is in accordance with CRL or certificate. This can be serial number, certificate of SHA-1, CRL, CTL or hash public key, numerical index of certificate (0, 1, etc.), numeric CRL index (.0,. 1, etc. .), index number CTL (.0, .1, etc.), public key, signature or extension ObjectId, commonly used names of certificate topics, email addresses, UPN or DNS name, key container name or CSP name, template name or ObjectId, EKU or ObjectId application policies, or a company name issuing CRL. There are cases where there will be more than one match.

OutputFile: File to save the certificate accordingly

  1. Use -user to access user archives instead of machine archives.
  2. Use -enterprise to access enterprise storage.
  3. Use -service to access the machine service repository.
  4. Use -grouppolicy to access the machine group policy repository.

For example:

  1. -enterprise NTAuth
  2. -enterprise Root 37
  3. -user My 26e0aaaf000000000004
  4. CA .11
 [-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName] 

-viewdelstore

 CertUtil [Options] -viewdelstore [CertificateStoreName [CertId [OutputFile]]] 

Delete certificate from archive.

CertificateStoreName: Certificate store name. For example:

  1. "My", "CA" (default), "Root",
  2. "ldap: /// CN = Certification Authorities, CN = Public Key Services, CN = Services, CN = Configuration, DC = cpandl, DC = com? cACertificate? one? objectClass = certificationAuthority" (See original certificate)
  3. "ldap: /// CN = CAName, CN = Certification Authorities, CN = Public Key Services, CN = Services, CN = Configuration, DC = cpandl, DC = com? cACertificate? base? objectClass = certificationAuthority" (Change certificate origin)
  4. "ldap: /// CN = CAName, CN = MachineName, CN = CDP, CN = Public Key Services, CN = Services, CN = Configuration, DC = cpandl, DC = com? certificateRevocationList? base? objectClass = cRLDistributionPoint" (See CRLs)
  5. "ldap: /// CN = NTAuthCertificates, CN = Public Key Services, CN = Services, CN = Configuration, DC = cpandl, DC = com? cACertificate? base? objectClass = certificationAuthority" (Business CA certificate)
  6. ldap: (AD machine object certificate)
  7. -user ldap: (AD user object certificate)

CertId: Token is in accordance with CRL or certificate. This can be serial number, certificate of SHA-1, CRL, CTL or hash public key, numerical index of certificate (0, 1, etc.), numeric CRL index (.0,. 1, etc. .), index number CTL (.0, .1, etc.), public key, signature or extension ObjectId, commonly used names of certificate topics, email addresses, UPN or DNS name, key container name or CSP name, template name or ObjectId, EKU or ObjectId application policies, or a company name issuing CRL. There are cases where there will be more than one match.

OutputFile: File to save the certificate accordingly

  1. Use -user to access user archives instead of machine archives.
  2. Use -enterprise to access enterprise storage.
  3. Use -service to access the machine service repository.
  4. Use -grouppolicy to access the machine group policy repository.

For example:

  1. -enterprise NTAuth
  2. -enterprise Root 37
  3. -user My 26e0aaaf000000000004
  4. CA .11
 [-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName] 

-dsPublish

 CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine] CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]] 

Export a certificate or CRL to Active Directory.

  1. CertFile: Certificate file to publish
  2. NTAuthCA: Exporting a certificate to the DS Enterprise repository
  3. RootCA: Export the certificate to the DS Trusted Root repository
  4. SubCA: Export the CA certificate to the DS CA object
  5. CrossCA: Publish a cross-certificate for the DS CA object
  6. KRA: Export certificates for DS Key Recovery Agent
  7. User: Export the certificate to the User DS object
  8. Machine: Export the certificate to the Machine DS object
  9. CRLFile: The CRL file is exported
  10. DSCDPContainer: DS DS CDP CN, ​​usually the CA host name
  11. DSCDPCN: DS CDP CN object, usually based on the concise name of CA and key index

Use -f to create the DS object.

 [-f] [-user] [-dc DCName] 

-ADTemplate

 CertUtil [Options] -ADTemplate [Template] 

Display AD templates.

 [-f] [-user] [-ut] [-mt] [-dc DCName] 

-Template

 CertUtil [Options] -Template [Template] 

Display the Enrollment Policy templates.

 [-f] [-user] [-silent] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password] 

-TemplateCAs

 CertUtil [Options] -TemplateCAs Template 

Display the CA for the template.

 [-f] [-user] [-dc DCName] 

-CATemplates

 CertUtil [Options] -CATemplates [Template] 

Display template for CA.

 [-f] [-user] [-ut] [-mt] [-config MachineCAName] [-dc DCName] 

-SetCASites

 CertUtil [Options] -SetCASites [set] [SiteName] CertUtil [Options] -SetCASites verify [SiteName] CertUtil [Options] -SetCASites delete 

Set, verify or delete the CA site name:

  1. Use the -config option to target a single CA (default is all CAs).
  2. SiteName is only allowed when targeting a single CA.
  3. Use -f to override authentication errors for the specified SiteName .
  4. Use -f to delete all CA site names.
 [-f] [-config MachineCAName] [-dc DCName] 

-enrollmentServerURL

 CertUtil [Options] -enrollmentServerURL [URL AuthenticationType [Priority] [Modifiers]] CertUtil [Options] -enrollmentServerURL URL delete 

Display, add or delete the registration server URL associated with CA.

AuthenticationType: Specifies one of the client authentication methods after adding the URL:

  1. Kerberos: Use Kerberos SSL login information
  2. UserName: Use a named account for SSL login information
  3. ClientCertificate: Use the X.509 Certificate SSL login information
  4. Anonymous: Use anonymous SSL credentials

delete: Delete the URL specified associated with CA.

Priority: The default is '1' if not specified when adding a URL.

Modifiers: Comma separated list of one or more of the following:

  1. AllowRenewalsOnly: Only the renewal request can be sent to this CA via this URL.
  2. AllowKeyBasedRenewal: Allows the use of certificates without linked accounts in AD. This only applies to ClientCertificate and AllowRenewalsOnly.
 [-config MachineCAName] [-dc DCName] 

-ADCA

 CertUtil [Options] -ADCA [CAName] 

Display of AD CA.

 [-f] [-split] [-dc DCName] 

-CA

 CertUtil [Options] -CA [CAName | TemplateName] 

Display the CA Enrollment Policy.

 [-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password] 

-Policy

Display Enrollment Policy.

 [-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password] 

-PolicyCache

 CertUtil [Options] -PolicyCache [delete] 

Display or delete the Enrollment Policy Cache entry.

  1. delete: Delete the cache Policy Server entries
  2. -f : use -f to delete all cache entries
 [-f] [-user] [-PolicyServer URLOrId] 

-CredStore

 CertUtil [Options] -CredStore [URL] CertUtil [Options] -CredStore URL add CertUtil [Options] -CredStore URL delete 

Show, delete or add Credential Store entries.

  1. URL: Target URL. Use * to match all entries. Use https: // machine * to match the URL prefix.
  2. add: Add a Credential Store entry. SSL login information must also be specified.
  3. delete: Delete the Credential Store entries.
  4. -f : Use -f to override the entry or delete multiple entries.
 [-f] [-user] [-silent] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password] 

-InstallDefaultTemplates

 CertUtil [Options] -InstallDefaultTemplates 

Install the default certificate templates.

 [-dc DCName] 

-URLCache

 CertUtil [Options] -URLCache [URL | CRL | * [delete]] 

Display or delete URL cache entry.

  1. URL: the URL is cached.
  2. CRL: Only works on all cache CRL URLs.
  3. *: Works on all URLs.
  4. delete: Delete related URLs from the local cache of the current user
  5. Use -f to force a specific URL to load and update the cache.
 [-f] [-split] 

-pulse

 CertUtil [Options] -pulse 

Create automatic event registration pulse.

 [-user] 

-MachineInfo

 CertUtil [Options] -MachineInfo DomainNameMachineName$ 

Displays Active Directory computer object information.

-DCInfo

 CertUtil [Options] -DCInfo [Domain] [Verify | DeleteBad | DeleteAll] 

Displays domain controller information.

The default is to display DC certificates without verification.

 [-f] [-user] [-urlfetch] [-dc DCName] [-t Timeout] 

Tips:

The ability to identify an Active Directory Domain Services (AD DS) domain [Domain] and specify a domain controller ( -dc ) has been added to Windows Server 2012. To successfully run the command, you must use the administrator account domain member or enterprise administrator. The behavior changes of this command are as follows:

  1. > 1. If a specific domain and domain controller are not specified, this option will return a list of domain controllers to process from the default domain controller.
  2. > 2. If a domain is not specified, but the domain controller is specified, a report of certificates on the specified domain controller will be generated.
  3. > 3. If the domain name is specified, but the domain controller is not specified, a list of domain controllers is created along with certificate reports for each domain controller in the list.
  4. > 4. If domain names and domain controllers are specified, a list of domain controllers will be created from the target domain controller. A report of the certificates for each domain controller in the list is also generated.

For example, suppose there is a domain named CPANDL with the domain controller as CPANDL-DC1. You can run the following command to retrieve a list of domain controllers and their certificates from CPANDL-DC1:

 certutil -dc cpandl-dc1 -dcinfo cpandl 

-EntInfo

 CertUtil [Options] -EntInfo DomainNameMachineName$ [-f] [-user] 

-TCAInfo

 CertUtil [Options] -TCAInfo [DomainDN | -] 

Display CA information.

 [-f] [-enterprise] [-user] [-urlfetch] [-dc DCName] [-t Timeout] 

-SCInfo

 CertUtil [Options] -SCInfo [ReaderName [CRYPT_DELETEKEYSET]] 

Display smart card information.

CRYPT_DELETEKEYSET: Delete all keys on the smart card.

 [-silent] [-split] [-urlfetch] [-t Timeout] 

-SCRoots

 CertUtil [Options] -SCRoots update [+][InputRootFile] [ReaderName] CertUtil [Options] -SCRoots save @OutputRootFile [ReaderName] CertUtil [Options] -SCRoots view [InputRootFile | ReaderName] CertUtil [Options] -SCRoots delete [ReaderName] 

Manage the original smart card certificates.

 [-f] [-split] [-p Password] 

-verifykeys

 CertUtil [Options] -verifykeys [KeyContainerName CACertFile] 

Verify public / private key.

  1. KeyContainerName: Name key container for verification. The default is the device key. Use -user for user keys.
  2. CACertFile: Signed or encrypted certificate file.

If no arguments are specified, each signed CA certificate will be verified based on its private key.

This can only be done for a CA or local keys.

 [-f] [-user] [-silent] [-config MachineCAName] 

-verify

 CertUtil [Options] -verify CertFile [ApplicationPolicyList | - [IssuancePolicyList]] CertUtil [Options] -verify CertFile [CACertFile [CrossedCACertFile]] CertUtil [Options] -verify CRLFile CACertFile [IssuedCertFile] CertUtil [Options] -verify CRLFile CACertFile [DeltaCRLFile] 

Verify certificate, CRL or string.

  1. CertFile: Certificate for verification.
  2. ApplicationPolicyList: List of mandatory Application Policy ObjectIds separated by optional commas.
  3. IssuancePolicyList: List of Issuance Policy ObjectIds required separated by commas option.
  4. CACertFile: Optional CA certificates issue for verification.
  5. CrossedCACertFile: Optional certificates are cross-certified by CertFile.
  6. CRLFile: CRL to verify.
  7. IssuedCertFile: An optional issuing certificate is included by CRLFile.
  8. DeltaCRLFile: CRL delta optional.

If ApplicationPolicyList is specified, the string construction is restricted to the valid strings for the specified Application Policies.

If the IssuancePolicyList is specified, string construction is restricted to valid strings for the specified Issuance Policies.

If CACertFile is specified, the fields in CACertFile are verified based on CertFile or CRLFile.

If CACertFile is not specified, CertFile is used to build and verify a full chain.

If CACertFile and CrossedCACertFile are both specified, the fields in CACertFile and CrossedCACertFile are verified based on CertFile.

If IssuedCertFile is specified, the fields in IssuedCertFile are verified based on CRLFile.

If DeltaCRLFile is specified, the fields in DeltaCRLFile are verified based on CRLFile.

 [-f] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout] 

-verifyCTL

 CertUtil [Options] -verifyCTL CTLObject [CertDir] [CertFile] 

Verify AuthRoot or Disallowed Certificate CTL certificates.

CTLObject: Define CTL to test:

  1. AuthRootWU: Read the AuthRoot CAB and the appropriate certificates from the URL cache. Use -f to download from Windows Update instead.
  2. DisallowedWU: Read Disallowed Certificates CAB and certificate storage file not allowed from URL cache. Use -f to download from Windows Update instead.
  3. AuthRoot: Read the AuthRoot CTL cache entry. Use with -f and an untrusted CertFile to force the AuthRoot and Disallowed Certificate CTL registry updates.
  4. Disallowed: Read the registry cached Disallowed Certificates CTL. -f has the same behavior as with AuthRoot.
  5. CTLFileName: File or path http: to CTL or CAB.

CertDir: The directory containing the certificate matches the CTL entry. Http directory path must end with path delimiters. If a directory is not specified with AuthRoot or is not allowed, multiple locations will be searched for the appropriate certificate:

4 ★ | 1038 Vote