The certutil command in Windows
Certutil.exe is a command line program installed as part of Certificate Services. You can use Certutil.exe to export and display CA configuration information, Certificate Services configuration, backup and restore CA components, verify certificates, key pairs, and certificate chains.
When the certutil command is run on a certification authority (CA) without additional parameters, it displays the current CA configuration. When it is run on a machine that is not a CA, the command defaults to running the certutil -dump verb.
Warning
Previous versions of the certutil command may not provide all the options described in this document. You can see all the options that a specific version of the certutil command provides by running the commands shown in the "Syntax notation" section.
- Verbs used with the certutil command
- Syntax notation
- -dump
- -asn
- -decodehex
- -decode
- -encode
- -deny
- -resubmit
- -setattributes
- -setextension
- -revoke
- -isvalid
- -getconfig
- -ping
- -CAInfo
- -ca.cert
- -ca.chain
- -GetCRL
- -CRL
- -shutdown
- -installCert
- -renewCert
- -schema
- -view
- -db
- -deleterow
- -backup
- -backupDB
- -backupKey
- -restore
- -restoreDB
- -restoreKey
- -importPFX
- -dynamicfilelist
- -databaselocations
- -hashfile
- -store
- -addstore
- -delstore
- -verifystore
- -repairstore
- -viewstore
- -viewdelstore
- -dsPublish
- -ADTemplate
- -Template
- -TemplateCAs
- -CATemplates
- -SetCASites
- -enrollmentServerURL
- -ADCA
- -CA
- -Policy
- -PolicyCache
- -CredStore
- -InstallDefaultTemplates
- -URLCache
- -pulse
- -MachineInfo
- -DCInfo
- -EntInfo
- -TCAInfo
- -SCInfo
- -SCRoots
- -verifykeys
- -verify
- -verifyCTL
- -sign
- -vroot
- -vocsproot
- -addEnrollmentServer
- -deleteEnrollmentServer
- -addPolicyServer
- -deletePolicyServer
- -oid
- -error
- -getreg
- -setreg
- -delreg
- -ImportKMS
- -ImportCert
- -GetKey
- -RecoverKey
- -MergePFX
- -ConvertEPF
- Option
Verbs used with the certutil command
The following table describes the verbs that can be used with the certutil command.
-dump: Dump configuration information or files
-asn: Parse an ASN.1 file
-decodehex: Decode a hexadecimal-encoded file
-decode: Decode a Base64-encoded file
-encode: Encode a file to Base64
-deny: Deny a pending certificate request
-resubmit: Resubmit a pending certificate request
-setattributes: Set attributes for a pending certificate request
-setextension: Set an extension for a pending certificate request
-revoke: Revoke a certificate
-isvalid: Display the current certificate disposition
-getconfig: Get the default configuration string
-ping: Attempt to contact the Active Directory Certificate Services Request interface
-pingadmin: Attempt to contact the Active Directory Certificate Services Admin interface
-CAInfo: Display information about the certification authority
-ca.cert: Retrieve the certificate for the certification authority
-ca.chain: Retrieve the certificate chain for the certification authority
-GetCRL: Get a certificate revocation list (CRL)
-CRL: Publish new certificate revocation lists (CRLs) [or delta CRLs only]
-shutdown: Shut down Active Directory Certificate Services
-installCert: Install a certification authority certificate
-renewCert: Renew a certification authority certificate
-schema: Dump the schema for the certificate
-view: Dump the certificate view
-db: Dump the raw database
-deleterow: Delete a row from the server database
-backup: Back up Active Directory Certificate Services
-backupDB: Back up the Active Directory Certificate Services database
-backupKey: Back up the Active Directory Certificate Services certificate and private key
-restore: Restore Active Directory Certificate Services
-restoreDB: Restore the Active Directory Certificate Services database
-restoreKey: Restore the Active Directory Certificate Services certificate and private key
-importPFX: Import a certificate and private key
-dynamicfilelist: Display the dynamic file list
-databaselocations: Display database locations
-hashfile: Generate and display a cryptographic hash over a file
-store: Dump the certificate store
-addstore: Add a certificate to the store
-delstore: Delete a certificate from the store
-verifystore: Verify a certificate in the store
-repairstore: Repair a key association or update certificate properties or the key security descriptor
-viewstore: Dump the certificate store
-viewdelstore: Delete a certificate from the store
-dsPublish: Publish a certificate or certificate revocation list (CRL) to Active Directory
-ADTemplate: Display AD templates
-Template: Display Enrollment Policy templates
-TemplateCAs: Display the certification authorities (CAs) for a template
-CATemplates: Display the templates for a CA
-SetCASites: Manage site names for CAs
-enrollmentServerURL: Display, add or delete enrollment server URLs associated with a CA
-ADCA: Display AD CAs
-CA: Display Enrollment Policy CAs
-Policy: Display Enrollment Policy
-PolicyCache: Display or delete Enrollment Policy Cache entries
-CredStore: Display, add or delete Credential Store entries
-InstallDefaultTemplates: Install the default certificate templates
-URLCache: Display or delete URL cache entries
-pulse: Pulse auto-enrollment events
-MachineInfo: Display information about an Active Directory machine object
-DCInfo: Display information about domain controllers
-EntInfo: Display information about an enterprise CA
-TCAInfo: Display information about a CA
-SCInfo: Display information about a smart card
-SCRoots: Manage smart card root certificates
-verifykeys: Verify a public or private key set
-verify: Verify a certificate, certificate revocation list (CRL) or certificate chain
-verifyCTL: Verify the AuthRoot or Disallowed Certificates CTL
-sign: Re-sign a certificate revocation list (CRL) or certificate
-vroot: Create or delete web virtual roots and file shares
-vocsproot: Create or delete web virtual roots for an OCSP web proxy
-addEnrollmentServer: Add an Enrollment Server application
-deleteEnrollmentServer: Delete an Enrollment Server application
-addPolicyServer: Add a Policy Server application
-deletePolicyServer: Delete a Policy Server application
-oid: Display the object identifier or set a display name
-error: Display the message text associated with an error code
-getreg: Display a registry value
-setreg: Set a registry value
-delreg: Delete a registry value
-ImportKMS: Import user keys and certificates into the server database for key archival
-ImportCert: Import a certificate file into the database
-GetKey: Retrieve an archived private key recovery blob
-RecoverKey: Recover an archived private key
-MergePFX: Merge PFX files
-ConvertEPF: Convert a PFX file to an EPF file
-?: Show the list of verbs
-<verb> -?: Show help for the specified verb
-? -v: Show the full list of verbs and options
Syntax notation
For the basic command line syntax, run:
certutil -?
For the syntax to use the certutil command with a specific verb, run:
certutil <verb> -?
To send all certutil command syntax to a text file, run the following commands:
certutil -v -? > certutilhelp.txt
notepad certutilhelp.txt
The following table describes the symbols used to indicate the command line syntax.
Text without brackets or braces : Items you must enter as shown
<Text inside angle brackets> : Placeholder for which you must supply a value
[Text inside square brackets] : Optional items
{Text inside braces} : Set of required items; choose one
Vertical bar (|) : Separator for mutually exclusive items (choose one of the items)
Ellipsis (...) : Items that may be repeated
-dump
CertUtil [Options] [-dump]
CertUtil [Options] [-dump] File
Dump configuration information or files:
[-f] [-silent] [-split] [-p Password] [-t Timeout]
-asn
CertUtil [Options] -asn File [type]
Parse an ASN.1 file.
type: numeric CRYPT_STRING_* decoding type
-decodehex
CertUtil [Options] -decodehex InFile OutFile [type]
Decode a hexadecimal-encoded file.
type: numeric CRYPT_STRING_* encoding type
[-f]
-decode
CertUtil [Options] -decode InFile OutFile
Decode a Base64-encoded file:
[-f]
-encode
CertUtil [Options] -encode InFile OutFile
Encode a file to Base64:
[-f] [-UnicodeText]
-deny
CertUtil [Options] -deny RequestId
Deny a pending request:
[-config MachineCAName]
-resubmit
CertUtil [Options] -resubmit RequestId
Resubmit a pending request:
[-config MachineCAName]
-setattributes
CertUtil [Options] -setattributes RequestId AttributeString
Set attributes for a pending request.
RequestId: Numeric Request Id of the pending request
AttributeString: Request attribute name and value pairs
- Names and values are separated by colons.
- Multiple name and value pairs are separated by newlines.
- For example: "CertificateTemplate:User\nEMail:User@Domain.com"
- Each "\n" string is converted to a newline separator.
[-config MachineCAName]
-setextension
CertUtil [Options] -setextension RequestId ExtensionName Flags {Long | Date | String | @InFile}
Set an extension for a pending request.
- RequestId: Numeric Request Id of the pending request
- ExtensionName: ObjectId string of the extension
- Flags: 0 is recommended, 1 marks the extension critical, 2 disables it, 3 does both.
- If the last parameter is numeric, it is taken as a Long.
- If it can be parsed as a date, it is taken as a Date.
- If it starts with '@', the rest of the token is the file name containing binary data or an ASCII-text hex dump.
- Anything else is taken as a String.
[-config MachineCAName]
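The two parsing rules above (the AttributeString format for -setattributes and the last-parameter typing for -setextension) are easy to get wrong from the command line, so here they are as an added Python example (not code from the certutil documentation); the accepted date formats and the whitespace stripping around names are assumptions made here.

```python
# Added example (not from the certutil documentation): Python helpers that apply
# the parsing rules the -setattributes and -setextension sections describe.
# The accepted date formats and the stripping of whitespace around names and
# values are assumptions made here, not rules stated by the page.
from datetime import datetime


def parse_attribute_string(attr: str) -> dict:
    """Split a -setattributes AttributeString into {name: value}.

    Page rules: name and value are separated by a colon, pairs are separated
    by newlines, and each literal "\\n" is converted to a newline first, so
    one command-line token can carry several pairs.
    """
    pairs = {}
    for line in attr.replace("\\n", "\n").splitlines():
        if not line.strip():
            continue
        if ":" not in line:
            raise ValueError(f"attribute without ':' separator: {line!r}")
        name, value = line.split(":", 1)   # only the first colon separates
        pairs[name.strip()] = value.strip()
    return pairs


def classify_extension_value(token: str):
    """Classify the last -setextension argument the way the page describes.

    Returns (kind, value): numeric -> ("Long", int); parseable date ->
    ("Date", datetime); '@' prefix -> ("InFile", file name); otherwise
    ("String", token).  The '@' test runs first so that a file name such
    as "@2001" is not mistaken for a number.
    """
    if token.startswith("@"):
        return ("InFile", token[1:])
    try:
        return ("Long", int(token, 10))
    except ValueError:
        pass
    # Date formats accepted here are an assumption; the page's examples use M/D/YYYY.
    for fmt in ("%m/%d/%Y", "%m/%d/%Y %H:%M", "%Y-%m-%d"):
        try:
            return ("Date", datetime.strptime(token, fmt))
        except ValueError:
            continue
    return ("String", token)


def extension_flags(flags: int):
    """Decode the -setextension Flags value: bit 0 marks the extension
    critical, bit 1 disables it (0 = neither, 3 = both).
    Returns (critical, disabled)."""
    if not 0 <= flags <= 3:
        raise ValueError("Flags must be 0, 1, 2 or 3")
    return (bool(flags & 1), bool(flags & 2))


if __name__ == "__main__":
    # The page's own example token; the backslash-n is literal on the command line.
    print(parse_attribute_string("CertificateTemplate:User\\nEMail:User@Domain.com"))
    for tok in ("37", "1/22/2001", "@ext.bin", "hello"):
        print(tok, "->", classify_extension_value(tok))
    print("Flags=3 ->", extension_flags(3))
```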
-revoke
CertUtil [Options] -revoke SerialNumber [Reason]
Revoke a certificate.
SerialNumber: Comma-separated list of certificate serial numbers to revoke.
Reason: Revocation reason, as a number or symbolic name.
- 0: CRL_REASON_UNSPECIFIED: Unspecified (default)
- 1: CRL_REASON_KEY_COMPROMISE: Key compromise
- 2: CRL_REASON_CA_COMPROMISE: CA compromise
- 3: CRL_REASON_AFFILIATION_CHANGED: Affiliation changed
- 4: CRL_REASON_SUPERSEDED: Superseded
- 5: CRL_REASON_CESSATION_OF_OPERATION: Cessation of operation
- 6: CRL_REASON_CERTIFICATE_HOLD: Certificate hold
- 8: CRL_REASON_REMOVE_FROM_CRL: Remove from CRL
- -1: Unrevoke: Unrevoke
[-config MachineCAName]
-isvalid
CertUtil [Options] -isvalid SerialNumber | CertHash
Display the current certificate disposition.
[-config MachineCAName]
-getconfig
CertUtil [Options] -getconfig
Get the default configuration string.
[-config MachineCAName]
-ping
CertUtil [Options] -ping [MaxSecondsToWait | CAMachineList]
Attempt to contact the Active Directory Certificate Services Request interface.
CAMachineList: Comma-separated list of CA machine names
- For a single machine, use a terminating comma.
- Displays the site cost for each CA machine.
[-config MachineCAName]
-CAInfo
CertUtil [Options] -CAInfo [InfoName [Index | ErrorCode]]
Display CA information.
InfoName: Indicates the CA property to display (see below). Use "*" for all properties.
Index: Optional zero-based property index.
ErrorCode: Numeric error code.
[-f] [-split] [-config MachineCAName]
InfoName argument:
- file: File version
- product: Product version
- exitcount: Exit module count
- exit [Index]: Exit module description
- policy: Policy module description
- name: CA name
- sanitizedname: Sanitized CA name
- dsname: Sanitized CA short name (DS name)
- sharedfolder: Shared folder
- error1 ErrorCode: Error message text
- error2 ErrorCode: Error message text and error code
- type: CA type
- info: CA information
- parent: Parent CA
- certcount: Number of CA certificates
- xchgcount: Number of CA exchange certificates
- kracount: Number of KRA certificates
- kraused: Number of KRA certificates used
- propidmax: Maximum CA PropId
- certstate [Index]: CA certificate
- certversion [Index]: CA certificate version
- certstatuscode [Index]: CA certificate verification status
- crlstate [Index]: CRL
- krastate [Index]: KRA certificate
- crossstate+ [Index]: Forward cross certificate
- crossstate- [Index]: Backward cross certificate
- cert [Index]: CA certificate
- certchain [Index]: CA certificate chain
- certcrlchain [Index]: CA certificate chain with CRLs
- xchg [Index]: CA exchange certificate
- xchgchain [Index]: CA exchange certificate chain
- xchgcrlchain [Index]: CA exchange certificate chain with CRLs
- kra [Index]: KRA certificate
- cross+ [Index]: Forward cross certificate
- cross- [Index]: Backward cross certificate
- CRL [Index]: Base CRL
- deltacrl [Index]: Delta CRL
- crlstatus [Index]: CRL publish status
- deltacrlstatus [Index]: Delta CRL publish status
- dns: DNS name
- role: Role separation
- ads: Advanced Server
- templates: Templates
- ocsp [Index]: OCSP URLs
- aia [Index]: AIA URLs
- cdp [Index]: CDP URLs
- localename: CA locale name
- subjecttemplateoids: Subject template OIDs
-ca.cert
CertUtil [Options] -ca.cert OutCACertFile [Index]
Retrieve CA certificate.
OutCACertFile: Output file.
Index: CA certificate renewal index (default is most recent).
[-f] [-split] [-config MachineCAName]
-ca.chain
CertUtil [Options] -ca.chain OutCACertChainFile [Index]
Retrieve CA certificate chain.
OutCACertChainFile: Output file.
Index: CA certificate renewal index (default is most recent).
[-f] [-split] [-config MachineCAName]
-GetCRL
CertUtil [Options] -GetCRL OutFile [Index] [delta]
Get the CRL.
Index: CRL index or key index (default is the CRL for the most recent key).
delta: Delta CRL (default is the base CRL).
[-f] [-split] [-config MachineCAName]
-CRL
CertUtil [Options] -CRL [dd:hh | republish] [delta]
Publish new CRLs [or delta CRLs only].
dd:hh - new CRL validity period in days and hours.
republish - republish the most recent CRLs.
delta - delta CRLs only (default is base and delta CRLs).
[-split] [-config MachineCAName]
-shutdown
CertUtil [Options] -shutdown
Shut down Active Directory Certificate Services.
[-config MachineCAName]
-installCert
CertUtil [Options] -installCert [CACertFile]
Install a Certification Authority (CA) certificate.
[-f] [-silent] [-config MachineCAName]
-renewCert
CertUtil [Options] -renewCert [ReuseKeys] [MachineParentCAName]
Renew CA certificate.
Use -f to skip the pending renewal request and create a new request.
[-f] [-silent] [-config MachineCAName]
-schema
CertUtil [Options] -schema [Ext | Attrib | CRL]
Dump the certificate schema. Defaults to the Request and Certificate table.
Ext: Extension table.
Attrib: Attribute table.
CRL: CRL table.
[-split] [-config MachineCAName]
-view
CertUtil [Options] -view [Queue | Log | LogFail | Revoked | Ext | Attrib | CRL] [csv]
Dump the certificate view.
- Queue: Request queue
- Log: Issued or revoked certificates, plus failed requests
- LogFail: Failed requests
- Revoked: Revoked certificates
- Ext: Extension table
- Attrib: Attribute table
- CRL: CRL table
- csv: Output as comma-separated values
To display the StatusCode column for all entries:
-out StatusCode
To display all columns for the last entry:
-restrict "RequestId==$"
To display RequestId and Disposition for three requests:
-restrict "RequestId>=37,RequestId<40" -out "RequestId,Disposition"
To display the Row Id and CRL Number for all base CRLs:
-restrict "CRLMinBase=0" -out "CRLRowId,CRLNumber" CRL
To display Base CRL Number 3:
-v -restrict "CRLMinBase=0,CRLNumber=3" -out "CRLRawCRL" CRL
To display the entire CRL table:
CRL
- Use "Date[+|-dd:hh]" for date restrictions.
- Use "now+dd:hh" for a date relative to the current time.
[-silent] [-split] [-config MachineCAName] [-restrict RestrictionList] [-out ColumnList]
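To make the -restrict and -out syntax above concrete (comma-separated ANDed clauses, the "$" last-entry marker, and the "Date[+|-dd:hh]" / "now+dd:hh" date forms), here is an added Python evaluator run over constructed sample rows; it is not code from the certutil documentation, and the row contents, the Disposition numbers and the M/D/YYYY date format are assumptions made for the example.

```python
# Added example (not from the certutil documentation): a small evaluator for the
# -restrict / -out syntax shown in the -view section, run over constructed
# sample rows so the filters can be tried without a CA.  Column names follow
# the page; the row values, the Disposition numbers and the accepted date
# format (M/D/YYYY) are assumptions made for this example.
import operator
import re
from datetime import datetime, timedelta

# Two-character operators must be tried before one-character ones.
OPS = {
    "==": operator.eq, "!=": operator.ne, ">=": operator.ge,
    "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq,
}
CLAUSE_RE = re.compile(r"\s*(\w+)\s*(==|!=|>=|<=|>|<|=)\s*(.*?)\s*$")
DATE_RE = re.compile(r"(now|\d{1,2}/\d{1,2}/\d{4})(?:([+-])(\d+):(\d+))?$")


def parse_date(expr: str, now: datetime) -> datetime:
    """Page syntax: "Date[+|-dd:hh]" or "now+dd:hh" (days and hours)."""
    m = DATE_RE.match(expr.replace(" ", ""))
    if not m:
        raise ValueError(f"bad date expression: {expr!r}")
    base = now if m.group(1) == "now" else datetime.strptime(m.group(1), "%m/%d/%Y")
    if m.group(2):
        delta = timedelta(days=int(m.group(3)), hours=int(m.group(4)))
        base = base + delta if m.group(2) == "+" else base - delta
    return base


def _matches(cell, op: str, raw: str, now: datetime) -> bool:
    """Coerce the right-hand side to the column's type, then compare."""
    if isinstance(cell, datetime):
        target = parse_date(raw, now)
    elif isinstance(cell, int):
        target = int(raw)
    else:
        target = raw
    return OPS[op](cell, target)


def apply_view(rows, restrict: str = "", out: str = "", now=None):
    """Filter rows with a RestrictionList and project them onto a ColumnList.

    Clauses are comma-separated and ANDed; "$" on the right-hand side means
    the last entry (the highest value of that column), as in "RequestId==$".
    An empty ColumnList returns every column.
    """
    now = now or datetime.now()
    selected = list(rows)
    for clause in filter(str.strip, restrict.split(",")):
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"bad restriction: {clause!r}")
        column, op, raw = m.groups()
        if raw == "$":
            top = max(r[column] for r in selected)
            selected = [r for r in selected if r[column] == top]
        else:
            selected = [r for r in selected if _matches(r[column], op, raw, now)]
    columns = [c.strip() for c in out.split(",") if c.strip()]
    if not columns:
        columns = list(rows[0].keys()) if rows else []
    return [{c: r[c] for c in columns} for r in selected]


# Constructed sample of the request table; Disposition values are illustrative.
SAMPLE_ROWS = [
    {"RequestId": 36, "Disposition": 20, "SubmittedWhen": datetime(2001, 1, 10)},
    {"RequestId": 37, "Disposition": 20, "SubmittedWhen": datetime(2001, 1, 20)},
    {"RequestId": 38, "Disposition": 31, "SubmittedWhen": datetime(2001, 1, 25)},
    {"RequestId": 39, "Disposition": 20, "SubmittedWhen": datetime(2001, 2, 5)},
    {"RequestId": 40, "Disposition": 30, "SubmittedWhen": datetime(2001, 2, 20)},
]

if __name__ == "__main__":
    # The page's example: three requests, two columns.
    print(apply_view(SAMPLE_ROWS, "RequestId>=37,RequestId<40", "RequestId,Disposition"))
    # The page's "last entry" example.
    print(apply_view(SAMPLE_ROWS, "RequestId==$"))
    # Relative date: everything submitted more than 30 days before a fixed "now".
    print(apply_view(SAMPLE_ROWS, "SubmittedWhen<now-30:00", "RequestId",
                     now=datetime(2001, 3, 1)))
```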
-db
CertUtil [Options] -db
Dump the raw database.
[-config MachineCAName] [-restrict RestrictionList] [-out ColumnList]
-deleterow
CertUtil [Options] -deleterow RowId | Date [Request | Cert | Ext | Attrib | CRL]
Delete a row from the server database.
- Request: Failed and pending requests (submission date)
- Cert: Expired and revoked certificates (expiration date)
- Ext: Extension table
- Attrib: Attribute table
- CRL: CRL table (expiration date)
To delete unsuccessful and pending requests submitted before January 22, 2001:
1/22/2001 Request
To delete all certificates that expire before January 22, 2001:
1/22/2001 Cert
To delete certificate rows, attributes, and extensions for RequestId 37:
37
To delete the CRL that expired on January 22, 2001:
1/22/2001 CRL
[-f] [-config MachineCAName]
-backup
CertUtil [Options] -backup BackupDirectory [Incremental] [KeepLog]
Back up Active Directory Certificate Services.
- BackupDirectory: Directory to store the backed-up data
- Incremental: Perform an incremental backup only (default is a full backup)
- KeepLog: Preserve database log files (default is to truncate log files)
[-f] [-config MachineCAName] [-p Password]
-backupDB
CertUtil [Options] -backupDB BackupDirectory [Incremental] [KeepLog]
Back up the Active Directory Certificate Services database.
- BackupDirectory: Directory to store the backed-up database files
- Incremental: Perform an incremental backup only (default is a full backup)
- KeepLog: Preserve database log files (default is to truncate log files)
[-f] [-config MachineCAName]
-backupKey
CertUtil [Options] -backupKey BackupDirectory
Back up the Active Directory Certificate Services certificate and private key.
BackupDirectory: Directory to store the backed-up PFX file.
[-f] [-config MachineCAName] [-p Password] [-t Timeout]
-restore
CertUtil [Options] -restore BackupDirectory
Restore Active Directory Certificate Services.
BackupDirectory: Directory containing the data to be restored
[-f] [-config MachineCAName] [-p Password]
-restoreDB
CertUtil [Options] -restoreDB BackupDirectory
Restore the Active Directory Certificate Services database.
BackupDirectory: Directory containing the database files to be restored.
[-f] [-config MachineCAName]
-restoreKey
CertUtil [Options] -restoreKey BackupDirectory | PFXFile
Restore the Active Directory Certificate Services certificate and private key.
- BackupDirectory: Directory containing the PFX file to be restored
- PFXFile: PFX file to be restored
[-f] [-config MachineCAName] [-p Password]
-importPFX
CertUtil [Options] -importPFX [CertificateStoreName] PFXFile [Modifiers]
Import a certificate and private key.
CertificateStoreName: Certificate store name. See -store.
PFXFile: PFX file to import
Modifiers: Comma-separated list of one or more of the following:
- AT_SIGNATURE: Change the KeySpec to Signature
- AT_KEYEXCHANGE: Change the KeySpec to Key Exchange
- NoExport: Make the private key non-exportable
- NoCert: Do not import the certificate
- NoChain: Do not import the certificate chain
- NoRoot: Do not import the root certificate
- Protect: Protect the keys with a password
- NoProtect: Do not protect the keys with a password
Defaults to the machine's personal store.
[-f] [-user] [-p Password] [-csp Provider]
-dynamicfilelist
CertUtil [Options] -dynamicfilelist
Show dynamic file list.
[-config MachineCAName]
-databaselocations
CertUtil [Options] -databaselocations
Display database location.
[-config MachineCAName]
-hashfile
CertUtil [Options] -hashfile InFile [HashAlgorithm]
Generate and display a cryptographic hash over a file.
-store
CertUtil [Options] -store [CertificateStoreName [CertId [OutputFile]]]
Dump the certificate store.
CertificateStoreName: Certificate store name. For example:
- "My", "CA" (default), "Root",
- "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority" (view root certificates)
- "ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority" (modify root certificates)
- "ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint" (view CRLs)
- "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority" (enterprise CA certificates)
- ldap: (AD computer object certificates)
- -user ldap: (AD user object certificates)
CertId: Certificate or CRL match token. This can be a serial number; an SHA-1 certificate, CRL, CTL or public key hash; a numeric certificate index (0, 1, and so on); a numeric CRL index (.0, .1, and so on); a numeric CTL index (..0, ..1, and so on); a public key, signature or extension ObjectId; a certificate subject Common Name; an e-mail address, UPN or DNS name; a key container name or CSP name; a template name or ObjectId; an EKU or application policy ObjectId; or a CRL issuer Common Name. Many of these may result in multiple matches.
OutputFile: File to save the matching certificate to
- Use -user to access a user store instead of a machine store.
- Use -enterprise to access a machine enterprise store.
- Use -service to access a machine service store.
- Use -grouppolicy to access a machine group policy store.
For example:
- -enterprise NTAuth
- -enterprise Root 37
- -user My 26e0aaaf000000000004
- CA .11
[-f] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName]
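The ldap: store names listed under -store are ordinary LDAP URLs (DN, attribute, scope and filter separated by "?"); the added Python example below, which is not code from the certutil documentation, splits one into its parts and says which of the four Active Directory containers named above it addresses. The layout follows RFC 2255 and the category labels returned are this example's own.

```python
# Added example (not from the certutil documentation): a parser for the
# "ldap:///DN?attribute?scope?filter" store names the -store section lists,
# plus a classifier that tells which of the page's Active Directory
# containers a store name points at.  Layout follows RFC 2255 (LDAP URLs);
# the category labels returned by describe_store_url are this example's own.
import re
from urllib.parse import unquote


def parse_ldap_store_url(url: str) -> dict:
    """Split an LDAP URL into host, DN (as a list of RDNs), attribute, scope and filter."""
    if not url.lower().startswith("ldap://"):
        raise ValueError(f"not an ldap URL: {url!r}")
    host, _sep, rest = url[len("ldap://"):].partition("/")
    # Up to four '?'-separated fields after the DN; missing ones are empty.
    fields = (rest.split("?", 3) + ["", "", "", ""])[:4]
    dn = unquote(fields[0])
    rdns = []
    # Split on commas that are not escaped with a backslash.
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not attr or not sep:
            raise ValueError(f"bad RDN: {part!r}")
        rdns.append((attr.strip(), value.strip().replace("\\,", ",")))
    return {
        "host": host,                    # empty: the default domain controller is used
        "rdns": rdns,                    # leaf RDN first, e.g. ("CN", "NTAuthCertificates")
        "attribute": fields[1],
        "scope": fields[2] or "base",    # RFC 2255 default when the scope is omitted
        "filter": fields[3],
    }


def describe_store_url(url: str) -> str:
    """Map a store URL to the container the -store examples name."""
    u = parse_ldap_store_url(url)
    leaf = u["rdns"][0]
    parent = u["rdns"][1] if len(u["rdns"]) > 1 else None
    if u["filter"].lower() == "objectclass=crldistributionpoint" or ("CN", "CDP") in u["rdns"]:
        return "CRL distribution point object"
    if leaf == ("CN", "NTAuthCertificates"):
        return "enterprise CA certificates (NTAuth)"
    if leaf == ("CN", "Certification Authorities"):
        return "root CA certificates (Certification Authorities container)"
    if parent == ("CN", "Certification Authorities"):
        return f"root CA certificate object {leaf[1]!r}"
    return "other directory object"


# The four ldap: examples from the -store section (the page's own URLs).
PAGE_EXAMPLES = [
    "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,"
    "CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority",
    "ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,"
    "CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority",
    "ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,"
    "CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,"
    "CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority",
]

if __name__ == "__main__":
    for url in PAGE_EXAMPLES:
        u = parse_ldap_store_url(url)
        print(f"{describe_store_url(url):55} scope={u['scope']:4} attr={u['attribute']}")
```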
-addstore
CertUtil [Options] -addstore CertificateStoreName InFile
Add a certificate to the repository.
- CertificateStoreName: Certificate store name. See -store.
- InFile: Certificate or CRL file to add to the repository.
[-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]
-delstore
CertUtil [Options] -delstore CertificateStoreName CertId
Delete a certificate from the store.
- CertificateStoreName: Certificate store name. See -store.
- CertId: Certificate or CRL match token. See -store.
[-enterprise] [-user] [-GroupPolicy] [-dc DCName]
-verifystore
CertUtil [Options] -verifystore CertificateStoreName [CertId]
Verify a certificate in the store.
- CertificateStoreName: Certificate store name. See -store.
- CertId: Certificate or CRL match token. See -store.
[-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName] [-t Timeout]
-repairstore
CertUtil [Options] -repairstore CertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor]
Repair a key association or update certificate properties or the key security descriptor.
- CertificateStoreName: Certificate store name. See -store.
- CertIdList: Comma-separated list of certificate or CRL match tokens. See the -store CertId description.
- PropertyInfFile: INF file containing external properties:
[Properties]
19 = Empty ; Add archived property, OR:
19 = ; Remove archived property
11 = "{text}Friendly Name" ; Add friendly name property
127 = "{hex}" ; Add custom hexadecimal property
    _continue_ = "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
    _continue_ = "10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f"
2 = "{text}" ; Add Key Provider Information property
    _continue_ = "Container=Container Name&"
    _continue_ = "Provider=Microsoft Strong Cryptographic Provider&"
    _continue_ = "ProviderType=1&"
    _continue_ = "Flags=0&"
    _continue_ = "KeySpec=2"
9 = "{text}" ; Add Enhanced Key Usage property
    _continue_ = "1.3.6.1.5.5.7.3.2,"
    _continue_ = "1.3.6.1.5.5.7.3.1,"
[-f] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-csp Provider]
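Because -repairstore rewrites certificate properties (including the key provider binding in property 2), it is worth being able to read such an INF file before applying it; the added Python example below, which is not code from the certutil documentation, parses the [Properties] section shown above, joins the _continue_ lines and decodes the {text}/{hex} values. The property-id names come from wincrypt.h; treating an unprefixed quoted value as text is an assumption made here.

```python
# Added example (not from the certutil documentation): a parser for the
# [Properties] INF file the -repairstore section shows, including the
# _continue_ line joining and the {text}/{hex} value prefixes.  The property
# id names come from wincrypt.h; treating an unprefixed quoted value as text
# is an assumption made here.
import re

# Well-known CryptoAPI certificate property ids used in the page's sample.
PROP_NAMES = {
    2: "CERT_KEY_PROV_INFO_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    19: "CERT_ARCHIVED_PROP_ID",
}
LINE_RE = re.compile(r"([^=;]+?)\s*=\s*(.*?)\s*(?:;.*)?$")  # key = value ; comment


def parse_properties_inf(text: str) -> dict:
    """Return {prop_id: {"kind": ..., "payload": ...}} for the [Properties] section.

    kind is "remove" (empty value), "empty" (the literal Empty), "text" or
    "hex".  _continue_ lines append to the payload of the preceding property.
    A ';' inside a quoted value would be read as a comment (the page's sample
    never contains one).
    """
    props, last, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[properties]"
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if key == "_continue_":
            if last is None:
                raise ValueError("_continue_ before any property")
            props[last]["payload"] += value
            continue
        pid = int(key)
        if value == "":
            props[pid] = {"kind": "remove", "payload": ""}
        elif value.lower() == "empty":
            props[pid] = {"kind": "empty", "payload": ""}
        elif value.startswith("{text}"):
            props[pid] = {"kind": "text", "payload": value[len("{text}"):]}
        elif value.startswith("{hex}"):
            props[pid] = {"kind": "hex", "payload": value[len("{hex}"):]}
        else:
            props[pid] = {"kind": "text", "payload": value}  # assumption: plain text
        last = pid
    return props


def decode_property(prop: dict):
    """bytes for a hex property, str for a text property, None for empty/remove."""
    if prop["kind"] == "hex":
        return bytes.fromhex(prop["payload"])   # whitespace between bytes is ignored
    if prop["kind"] == "text":
        return prop["payload"]
    return None


def key_provider_info(payload: str) -> dict:
    """Split the '&'-joined Key Provider Information text (property 2) into fields."""
    fields = dict(p.split("=", 1) for p in payload.split("&") if p)
    # KeySpec 1 = AT_KEYEXCHANGE, 2 = AT_SIGNATURE (the -importPFX modifiers).
    fields["KeySpecName"] = {"1": "AT_KEYEXCHANGE", "2": "AT_SIGNATURE"}.get(fields.get("KeySpec"), "unknown")
    return fields


def eku_list(payload: str) -> list:
    """Split the comma-joined Enhanced Key Usage text (property 9) into OIDs."""
    return [oid.strip() for oid in payload.split(",") if oid.strip()]


# The page's sample INF as one file (constructed input; only the "Empty" form of 19 is kept).
SAMPLE_INF = """\
[Properties]
19 = Empty ; Add archived property
11 = "{text}Friendly Name" ; Add friendly name property
127 = "{hex}" ; Add custom hexadecimal property
    _continue_ = "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
    _continue_ = "10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f"
2 = "{text}" ; Add Key Provider Information property
    _continue_ = "Container=Container Name&"
    _continue_ = "Provider=Microsoft Strong Cryptographic Provider&"
    _continue_ = "ProviderType=1&"
    _continue_ = "Flags=0&"
    _continue_ = "KeySpec=2"
9 = "{text}" ; Add Enhanced Key Usage property
    _continue_ = "1.3.6.1.5.5.7.3.2,"
    _continue_ = "1.3.6.1.5.5.7.3.1,"
"""

if __name__ == "__main__":
    for pid, prop in parse_properties_inf(SAMPLE_INF).items():
        print(pid, PROP_NAMES.get(pid, "custom"), prop["kind"], decode_property(prop))
```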
-viewstore
CertUtil [Options] -viewstore [CertificateStoreName [CertId [OutputFile]]]
Dump the certificate store.
CertificateStoreName: Certificate store name. For example:
- "My", "CA" (default), "Root",
- "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority" (view root certificates)
- "ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority" (modify root certificates)
- "ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint" (view CRLs)
- "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority" (enterprise CA certificates)
- ldap: (AD machine object certificates)
- -user ldap: (AD user object certificates)
CertId: Certificate or CRL match token. This can be a serial number; an SHA-1 certificate, CRL, CTL or public key hash; a numeric certificate index (0, 1, and so on); a numeric CRL index (.0, .1, and so on); a numeric CTL index (..0, ..1, and so on); a public key, signature or extension ObjectId; a certificate subject Common Name; an e-mail address, UPN or DNS name; a key container name or CSP name; a template name or ObjectId; an EKU or application policy ObjectId; or a CRL issuer Common Name. Many of these may result in multiple matches.
OutputFile: File to save the matching certificate to
- Use -user to access a user store instead of a machine store.
- Use -enterprise to access a machine enterprise store.
- Use -service to access a machine service store.
- Use -grouppolicy to access a machine group policy store.
For example:
- -enterprise NTAuth
- -enterprise Root 37
- -user My 26e0aaaf000000000004
- CA .11
[-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]
-viewdelstore
CertUtil [Options] -viewdelstore [CertificateStoreName [CertId [OutputFile]]]
Delete certificates from the store.
CertificateStoreName: Certificate store name. For example:
- "My", "CA" (default), "Root",
- "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority" (view root certificates)
- "ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority" (modify root certificates)
- "ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint" (view CRLs)
- "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority" (enterprise CA certificates)
- ldap: (AD machine object certificates)
- -user ldap: (AD user object certificates)
CertId: Certificate or CRL match token. This can be a serial number; an SHA-1 certificate, CRL, CTL or public key hash; a numeric certificate index (0, 1, and so on); a numeric CRL index (.0, .1, and so on); a numeric CTL index (..0, ..1, and so on); a public key, signature or extension ObjectId; a certificate subject Common Name; an e-mail address, UPN or DNS name; a key container name or CSP name; a template name or ObjectId; an EKU or application policy ObjectId; or a CRL issuer Common Name. Many of these may result in multiple matches.
OutputFile: File to save the matching certificate to
- Use -user to access a user store instead of a machine store.
- Use -enterprise to access a machine enterprise store.
- Use -service to access a machine service store.
- Use -grouppolicy to access a machine group policy store.
For example:
- -enterprise NTAuth
- -enterprise Root 37
- -user My 26e0aaaf000000000004
- CA .11
[-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]
-dsPublish
CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]]
Publish a certificate or CRL to Active Directory.
- CertFile: Certificate file to publish
- NTAuthCA: Publish the certificate to the DS Enterprise store
- RootCA: Publish the certificate to the DS Trusted Root store
- SubCA: Publish the CA certificate to the DS CA object
- CrossCA: Publish the cross certificate to the DS CA object
- KRA: Publish the certificate to the DS Key Recovery Agent object
- User: Publish the certificate to the User DS object
- Machine: Publish the certificate to the Machine DS object
- CRLFile: CRL file to publish
- DSCDPContainer: DS CDP container CN, usually the CA machine name
- DSCDPCN: DS CDP object CN, usually based on the sanitized CA short name and key index
Use -f to create the DS object.
[-f] [-user] [-dc DCName]
-ADTemplate
CertUtil [Options] -ADTemplate [Template]
Display AD templates.
[-f] [-user] [-ut] [-mt] [-dc DCName]
-Template
CertUtil [Options] -Template [Template]
Display the Enrollment Policy templates.
[-f] [-user] [-silent] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
-TemplateCAs
CertUtil [Options] -TemplateCAs Template
Display the CAs for the template.
[-f] [-user] [-dc DCName]
-CATemplates
CertUtil [Options] -CATemplates [Template]
Display the templates for the CA.
[-f] [-user] [-ut] [-mt] [-config MachineCAName] [-dc DCName]
-SetCASites
CertUtil [Options] -SetCASites [set] [SiteName]
CertUtil [Options] -SetCASites verify [SiteName]
CertUtil [Options] -SetCASites delete
Set, verify or delete CA site names:
- Use -config to target a single CA (default is all CAs).
- SiteName is allowed only when targeting a single CA.
- Use -f to override validation errors for the specified SiteName.
- Use -f to delete all CA site names.
[-f] [-config MachineCAName] [-dc DCName]
-enrollmentServerURL
CertUtil [Options] -enrollmentServerURL [URL AuthenticationType [Priority] [Modifiers]]
CertUtil [Options] -enrollmentServerURL URL delete
Display, add or delete enrollment server URLs associated with a CA.
AuthenticationType: Specifies one of the following client authentication methods when adding a URL:
- Kerberos: Use Kerberos SSL credentials
- UserName: Use a named account for SSL credentials
- ClientCertificate: Use X.509 certificate SSL credentials
- Anonymous: Use anonymous SSL credentials
delete: Delete the specified URL associated with the CA.
Priority: Defaults to '1' if not specified when adding a URL.
Modifiers: Comma-separated list of one or more of the following:
- AllowRenewalsOnly: Only renewal requests can be submitted to this CA via this URL.
- AllowKeyBasedRenewal: Allows use of a certificate that has no associated account in AD. This applies only with ClientCertificate and AllowRenewalsOnly.
[-config MachineCAName] [-dc DCName]
-ADCA
CertUtil [Options] -ADCA [CAName]
Display AD CAs.
[-f] [-split] [-dc DCName]
-CA
CertUtil [Options] -CA [CAName | TemplateName]
Display the CA Enrollment Policy.
[-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
-Policy
CertUtil [Options] -Policy
Display Enrollment Policy.
[-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
-PolicyCache
CertUtil [Options] -PolicyCache [delete]
Display or delete Enrollment Policy Cache entries.
- delete: Delete Policy Server cache entries
- -f: Use -f to delete all cache entries
[-f] [-user] [-PolicyServer URLOrId]
-CredStore
CertUtil [Options] -CredStore [URL]
CertUtil [Options] -CredStore URL add
CertUtil [Options] -CredStore URL delete
Display, add or delete Credential Store entries.
- URL: Target URL. Use * to match all entries. Use https://machine* to match a URL prefix.
- add: Add a Credential Store entry. SSL credentials must also be specified.
- delete: Delete Credential Store entries.
- -f: Use -f to overwrite an entry or to delete multiple entries.
[-f] [-user] [-silent] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
-InstallDefaultTemplates
CertUtil [Options] -InstallDefaultTemplates
Install the default certificate templates.
[-dc DCName]
-URLCache
CertUtil [Options] -URLCache [URL | CRL | * [delete]]
Display or delete URL cache entries.
- URL: URL being cached.
- CRL: Operates on all cached CRL URLs only.
- *: Operates on all URLs.
- delete: Delete the relevant URLs from the current user's local cache.
- Use -f to force fetching a specific URL and updating the cache.
[-f] [-split]
-pulse
CertUtil [Options] -pulse
Pulse (trigger) auto-enrollment events.
[-user]
-MachineInfo
CertUtil [Options] -MachineInfo DomainName\MachineName$
Displays Active Directory computer object information.
-DCInfo
CertUtil [Options] -DCInfo [Domain] [Verify | DeleteBad | DeleteAll]
Displays domain controller information.
The default is to display DC certificates without verification.
[-f] [-user] [-urlfetch] [-dc DCName] [-t Timeout]
Tips:
The ability to identify an Active Directory Domain Services (AD DS) domain [Domain] and to specify a domain controller (-dc) was added in Windows Server 2012. To run the command successfully, you must use a domain administrator or enterprise administrator account. The command behaves as follows:
1. If neither a domain nor a domain controller is specified, this option returns a list of domain controllers to process from the default domain controller.
2. If a domain is not specified but a domain controller is, a report of the certificates on the specified domain controller is generated.
3. If a domain name is specified but a domain controller is not, a list of domain controllers is created, along with certificate reports for each domain controller in the list.
4. If both a domain name and a domain controller are specified, a list of domain controllers is created from the target domain controller, and a report of the certificates for each domain controller in the list is generated.
For example, suppose there is a domain named CPANDL with a domain controller named CPANDL-DC1. You can run the following command to retrieve the list of domain controllers and their certificates from CPANDL-DC1:
certutil -dc cpandl-dc1 -dcinfo cpandl
-EntInfo
CertUtil [Options] -EntInfo DomainName\MachineName$
[-f] [-user]
-TCAInfo
CertUtil [Options] -TCAInfo [DomainDN | -]
Display CA information.
[-f] [-enterprise] [-user] [-urlfetch] [-dc DCName] [-t Timeout]
-SCInfo
CertUtil [Options] -SCInfo [ReaderName [CRYPT_DELETEKEYSET]]
Display smart card information.
CRYPT_DELETEKEYSET: Delete all keys on the smart card.
[-silent] [-split] [-urlfetch] [-t Timeout]
-SCRoots
CertUtil [Options] -SCRoots update [+][InputRootFile] [ReaderName]
CertUtil [Options] -SCRoots save @OutputRootFile [ReaderName]
CertUtil [Options] -SCRoots view [InputRootFile | ReaderName]
CertUtil [Options] -SCRoots delete [ReaderName]
Manage smart card root certificates.
[-f] [-split] [-p Password]
-verifykeys
CertUtil [Options] -verifykeys [KeyContainerName CACertFile]
Verify public/private key pairs.
- KeyContainerName: Name of the key container to verify. Defaults to machine keys; use -user for user keys.
- CACertFile: Signing or encryption certificate file.
If no arguments are specified, each signing CA certificate is verified against its private key.
This can only be performed against a local CA or local keys.
[-f] [-user] [-silent] [-config MachineCAName]
-verify
CertUtil [Options] -verify CertFile [ApplicationPolicyList | - [IssuancePolicyList]]
CertUtil [Options] -verify CertFile [CACertFile [CrossedCACertFile]]
CertUtil [Options] -verify CRLFile CACertFile [IssuedCertFile]
CertUtil [Options] -verify CRLFile CACertFile [DeltaCRLFile]
Verify a certificate, CRL or chain.
- CertFile: Certificate to verify.
- ApplicationPolicyList: Optional comma-separated list of required Application Policy ObjectIds.
- IssuancePolicyList: Optional comma-separated list of required Issuance Policy ObjectIds.
- CACertFile: Optional issuing CA certificate to verify against.
- CrossedCACertFile: Optional certificate cross-certified by CertFile.
- CRLFile: CRL to verify.
- IssuedCertFile: Optional issued certificate covered by CRLFile.
- DeltaCRLFile: Optional delta CRL.
If ApplicationPolicyList is specified, chain building is restricted to chains valid for the specified Application Policies.
If IssuancePolicyList is specified, chain building is restricted to chains valid for the specified Issuance Policies.
If CACertFile is specified, the fields in CACertFile are verified against CertFile or CRLFile.
If CACertFile is not specified, CertFile is used to build and verify a full chain.
If both CACertFile and CrossedCACertFile are specified, the fields in CACertFile and CrossedCACertFile are verified against CertFile.
If IssuedCertFile is specified, the fields in IssuedCertFile are verified against CRLFile.
If DeltaCRLFile is specified, the fields in DeltaCRLFile are verified against CRLFile.
[-f] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout]
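As an added example (not code from the original page), the PowerShell script below wraps the second -verify form above to check every issued certificate in a folder against its issuing CA certificate with -urlfetch, then reports which files fail. The folder and CA file paths are hypothetical placeholders, and the regex used to pick out failure lines is a heuristic over certutil's text output.

```powershell
# Added example: batch-verify issued certificates with "certutil -verify".
# Assumptions: certutil.exe is on PATH; $CertDir holds *.cer files issued by
# the CA whose certificate is in $CACertFile (both paths are placeholders).
param(
    [string]$CertDir    = 'C:\Certs\Issued',
    [string]$CACertFile = 'C:\Certs\IssuingCA.cer'
)

if (-not (Test-Path -Path $CACertFile)) {
    throw "CA certificate file not found: $CACertFile"
}

$results = foreach ($cert in Get-ChildItem -Path $CertDir -Filter '*.cer') {
    # With CACertFile given, certutil checks the CA certificate's fields
    # against CertFile; -urlfetch fetches AIA/CDP data instead of relying
    # only on the local URL cache, so revocation status is actually checked.
    $output = & certutil.exe -verify -urlfetch $cert.FullName $CACertFile 2>&1
    $exit   = $LASTEXITCODE   # non-zero when verification fails

    # Heuristic: keep the output lines that name the failing check.
    $detail = $output | Where-Object { "$_" -match 'ERROR|FAILED|REVOKED|expired' }

    [pscustomobject]@{
        File     = $cert.Name
        Verified = ($exit -eq 0)
        ExitCode = $exit
        Detail   = (@($detail) -join '; ')
    }
}

$results | Format-Table -AutoSize

# Exit non-zero so a scheduled task or pipeline step can alert on failures.
if (@($results | Where-Object { -not $_.Verified }).Count -gt 0) { exit 1 }
```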
-verifyCTL
CertUtil [Options] -verifyCTL CTLObject [CertDir] [CertFile]
Verify the AuthRoot or Disallowed Certificates CTL against certificates.
CTLObject: Identifies the CTL to verify:
- AuthRootWU: Read the AuthRoot CAB and matching certificates from the URL cache. Use -f to download from Windows Update instead.
- DisallowedWU: Read the Disallowed Certificates CAB and the disallowed certificate store file from the URL cache. Use -f to download from Windows Update instead.
- AuthRoot: Read the registry-cached AuthRoot CTL. Use with -f and an untrusted CertFile to force an update of the AuthRoot and Disallowed Certificates CTLs in the registry.
- Disallowed: Read the registry-cached Disallowed Certificates CTL. -f has the same behavior as with AuthRoot.
- CTLFileName: File or http: path to the CTL or CAB.
CertDir: Directory containing the certificates that match the CTL entries. An http: directory path must end with a path separator. If no directory is specified with AuthRoot or Disallowed, multiple locations are searched for matching certificates: