CERTUTIL

Dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, verify certificates, key pairs or certificate chains.

Syntax:

  Dump (read config information) from a certificate file
  CertUtil [Options] [-dump] [File]
              [-f] [-silent] [-split] [-p Password] [-t Timeout]

  Dump PFX structure
  CertUtil [Options] -dumpPFX File
              [-f] [-Silent] [-split] [-p Password] [-csp Provider]

  Parse ASN.1 file
  CertUtil [-f] -asn File [decoding_type]

  Decode a Hex-encoded file to binary
  CertUtil [-f] [-v] -decodehex InFile OutFile [encoding_type]

  Decode a Base64-encoded file to binary
  CertUtil [-f] [-v] -decode InFile OutFile

  Encode a binary file to Base64
  CertUtil [-f] [-v] -encode InFile OutFile [-UnicodeText]

  Encode a file as Hex
  CertUtil [-f] [-v] -encodehex InFile OutFile Format

Hex encoded files are around 3x larger than base64.
Examples of the Hex formats (the trailing Format value selects the output encoding):

  certutil -encodehex -f strings64.exe strHex0.txt 0     0 - Base64 with certificate headers.
  certutil -encodehex -f strings64.exe strHex1.txt 1     1 - Base64 without certificate headers.
  certutil -encodehex -f strings64.exe strHex2.txt 2     2 - Pure binary (rarely used).
  certutil -encodehex -f strings64.exe strHex3.txt 3     3 - Base64, with request beginning and ending headers.
  certutil -encodehex -f strings64.exe strHex4.txt 4     4 - Hexadecimal only (in columns with spaces).
  certutil -encodehex -f strings64.exe strHex5.txt 5     5 - Hexadecimal, with ASCII character display.
  certutil -encodehex -f strings64.exe strHex9.txt 9     9 - Base64, with X.509 CRL beginning and ending headers.
  certutil -encodehex -f strings64.exe strHx10.txt 10   10 - Hexadecimal, with address display.
  certutil -encodehex -f strings64.exe strHx11.txt 11   11 - Hexadecimal, with ASCII character and address display.
  certutil -encodehex -f strings64.exe strHx12.txt 12   12 - A raw hexadecimal string in one line.

  Deny pending request
  CertUtil [Options] -deny RequestId
              [-v] [-config Machine\CAName]

  Resubmit pending request
  CertUtil [Options] -resubmit RequestId
              [-v] [-config Machine\CAName]

  Set attributes for pending request
  CertUtil [Options] -setattributes RequestId AttributeString
              [-v] [-config Machine\CAName]

RequestId : Numeric Request Id of pending request.
AttributeString : Request Attribute name and value pairs.
Names and values are colon separated. Multiple name, value pairs are newline separated.
Example: "CertificateTemplate:User\nEMail:User@Domain.com"
Each "\n" sequence is converted to a newline separator.

 Set extension for pending request
  CertUtil [Options] -setextension RequestId ExtensionName Flags {Long | Date | String | @InFile}
              [-v] [-config Machine\CAName]

RequestId : Numeric Request Id of a pending request.
ExtensionName : ObjectId string of the extension.
Flags : 0 is recommended. 1 makes the extension critical, 2 disables it, 3 does both.
If the last parameter is numeric, it is taken as a Long. If it can be parsed as a date, it is taken as a Date.
If it starts with '@', the rest of the token is the filename containing binary data or an ascii-text hex dump.
Anything else is taken as a String.

 Revoke Certificate
 CertUtil [Options] -revoke SerialNumber [Reason]
             [-v] [-config Machine\CAName]

    SerialNumber: Comma separated list of certificate serial numbers to revoke 
    Reason: numeric or symbolic revocation reason
     0: CRL_REASON_UNSPECIFIED: Unspecified (default)
     1: CRL_REASON_KEY_COMPROMISE: Key Compromise
     2: CRL_REASON_CA_COMPROMISE: CA Compromise
     3: CRL_REASON_AFFILIATION_CHANGED: Affiliation Changed
     4: CRL_REASON_SUPERSEDED: Superseded
     5: CRL_REASON_CESSATION_OF_OPERATION: Cessation of Operation
     6: CRL_REASON_CERTIFICATE_HOLD: Certificate Hold
     8: CRL_REASON_REMOVE_FROM_CRL: Remove From CRL
     9: CRL_REASON_PRIVILEGE_WITHDRAWN: Privilege Withdrawn
    10: CRL_REASON_AA_COMPROMISE: AA Compromise
    -1: Unrevoke: Unrevoke

  Display current certificate disposition
  CertUtil [Options] -isvalid SerialNumber | CertHash
              [-v] [-config Machine\CAName]

  Get default configuration string
  CertUtil [Options] -getconfig
              [-v] [-config Machine\CAName]

  Ping Active Directory Certificate Services Request interface
  CertUtil [Options] -ping [MaxSecondsToWait | CAMachineList]
              [-v] [-config Machine\CAName] [-Anonymous] [-Kerberos]
              [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

CAMachineList : Comma-separated CA machine name list.
For a single machine, use a terminating comma.
Displays the site cost for each CA machine.
Modifiers: SCEP  CES  CEP

  Ping Active Directory Certificate Services Admin interface
  CertUtil [Options] -pingadmin [MaxSecondsToWait | CAMachineList]
              [-v] [-config Machine\CAName]

CAMachineList -- Comma-separated CA machine name list.
For a single machine, use a terminating comma.
Displays the site cost for each CA machine.

  Display CA Information
  CertUtil [Options] -CAInfo [InfoName [Index | ErrorCode]]
              [-v] [-f] [-split] [-config Machine\CAName]

InfoName : Indicates the CA property to display. CertUtil -CAInfo -? for a list. Use "*" for all properties.
Index : Optional zero-based property index.
ErrorCode : Numeric error code.

  Retrieve the CA's certificate 
  CertUtil [Options] -ca.cert OutCACertFile [Index]
              [-f] [-v] [-split] [-config Machine\CAName]

OutCACertFile: output file.
Index: CA certificate renewal index (defaults to most recent).

  Retrieve the CA's certificate chain 
  CertUtil [Options] -ca.chain OutCACertChainFile [Index]
              [-f] [-v] [-split] [-config Machine\CAName]

OutCACertChainFile: output file.
Index: CA certificate renewal index (defaults to most recent).

  Get CRL 
  CertUtil [Options] -GetCRL OutFile [Index] [delta]
              [-f] [-v] [-split] [-config Machine\CAName]

Index : CRL index or key index (defaults to CRL for newest key).
delta : delta CRL (default is base CRL).

  Publish new CRLs [or delta CRLs only]
  CertUtil [Options] -CRL [dd:hh | republish] [delta]
              [-v] [-split] [-config Machine\CAName]

dd:hh -- new CRL validity period in days and hours.
republish : republish most recent CRLs.
delta : delta CRLs only (default is base and delta CRLs).

  Shutdown Active Directory Certificate Services
  CertUtil [Options] -shutdown
              [-v] [-config Machine\CAName]

  Install Certification Authority certificate 
  CertUtil [Options] -installCert [CACertFile]
              [-f] [-v] [-silent] [-config Machine\CAName]

  Renew Certification Authority certificate 
  CertUtil [Options] -renewCert [ReuseKeys] [Machine\ParentCAName]
              [-f] [-v] [-silent] [-config Machine\CAName]
    Use -f to ignore an outstanding renewal request, and generate a new request.

  Dump Certificate Schema
  CertUtil [Options] -schema [Ext | Attrib | CRL]
              [-v] [-split] [-config Machine\CAName]

Ext : Extension table.
Attrib : Attribute table.
CRL : CRL table.
Defaults to Request and Certificate table.

  Dump Certificate View
  CertUtil [Options] -view [Queue | Log | LogFail | Revoked | Ext | Attrib | CRL] [csv]
              [-v] [-silent] [-split] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

Queue : Request queue.
Log :  Issued or revoked certificates, plus failed requests.
LogFail : Failed requests.
Revoked : Revoked certificates.
Ext :  Extension table.
Attrib : Attribute table.
CRL :  CRL table.
csv :  Output as Comma Separated Values.

To display the StatusCode column for all entries: -out StatusCode
To display all columns for the last entry: -restrict "RequestId==$"
To display RequestId and Disposition for three requests:
-restrict "RequestId>=37,RequestId<40" -out "RequestId,Disposition"
To display Row Ids and CRL Numbers for all Base CRLs: -restrict "CRLMinBase=0" -out "CRLRowId,CRLNumber" CRL
To display Base CRL Number 3: -v -restrict "CRLMinBase=0,CRLNumber=3" -out "CRLRawCRL" CRL
To display the entire CRL table: CRL
Use "Date[+|-dd:hh]" for date restrictions.
Use "now+dd:hh" for a date relative to the current time.

  Dump Raw Database
  CertUtil [Options] -db
              [-v] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

  Delete server database row
  CertUtil [Options] -deleterow RowId | Date [Request | Cert | Ext | Attrib | CRL] 
              [-f] [-v] [-config Machine\CAName]

Request : Failed and pending requests (submission date).
Cert : Expired and revoked certificates (expiration date).
Ext :  Extension table.
Attrib : Attribute table.
CRL :  CRL table (expiration date).

To delete failed and pending requests submitted by January 22, 2001: 1/22/2001 Request
To delete all certificates that expired by January 22, 2001: 1/22/2001 Cert
To delete the certificate row, attributes and extensions for RequestId 37: 37
To delete CRLs that expired by January 22, 2001: 1/22/2001 CRL

  Backup Active Directory Certificate Services
  CertUtil [Options] -backup BackupDirectory [Incremental] [KeepLog]
              [-f] [-v] [-config Machine\CAName] [-p Password] [-ProtectTo SAMNameAndSIDList]

BackupDirectory : directory to store backed up data.
Incremental : perform incremental backup only (default is full backup).
KeepLog : preserve database log files (default is to truncate log files).

  Backup Active Directory Certificate Services database
  CertUtil [Options] -backupDB BackupDirectory [Incremental] [KeepLog]
              [-f] [-v] [-config Machine\CAName]

BackupDirectory : directory to store backed up data.
Incremental : perform incremental backup only (default is full backup).
KeepLog : preserve database log files (default is to truncate log files).

  Backup Active Directory Certificate Services certificate and private key
  CertUtil [Options] -backupKey BackupDirectory
              [-f] [-v] [-config Machine\CAName] [-p Password] [-t Timeout]

BackupDirectory : directory to store backed up PFX file.

  Restore Active Directory Certificate Services
  CertUtil [Options] -restore BackupDirectory
              [-f] [-v] [-config Machine\CAName] [-p Password]

BackupDirectory : directory containing data to be restored.

  Restore Active Directory Certificate Services database
  CertUtil [Options] -restoreDB BackupDirectory
    Options:  [-f] [-v] [-config Machine\CAName] [-p Password]

BackupDirectory : directory containing database files to be restored.

  Restore Active Directory Certificate Services certificate and private key
  CertUtil [Options] -restoreKey [ BackupDirectory | PFXFile ]
              [-f] [-v] [-config Machine\CAName] [-p Password]

BackupDirectory : directory containing PFX file to be restored.
PFXFile : PFX file to be restored.

  Import certificate and private key
  CertUtil [Options] -importPFX [CertificateStoreName] PFXFile [Modifiers]  [-Enterprise]
              [-f] [-v] [-user] [-p Password] [-GroupPolicy] [-Silent] [-csp Provider]

CertificateStoreName : Certificate store name. See -store. Defaults to the personal machine store.
PFXFile :  PFX file to be imported.
Modifiers : Comma separated list of one or more of the following:

AT_SIGNATURE : Change the KeySpec to Signature.
AT_KEYEXCHANGE : Change the KeySpec to Key Exchange.
NoExport : Make the private key non-exportable.
NoCert :  Do not import the certificate.
NoChain : Do not import the certificate chain, End Entity certificate only.
NoRoot :  Do not import the root certificate.
Protect : Protect keys with password.
NoProtect : Do not password protect keys.
ProtectHigh
Pkcs8
VSM
ExportEncrypted
FriendlyName=
KeyFriendlyName=
KeyDescription=

  Display dynamic file List
  CertUtil [Options] -dynamicfilelist
              [-v] [-config Machine\CAName]

  Display database locations
  CertUtil [Options] -databaselocations
              [-v] [-config Machine\CAName]

  Generate and display cryptographic hash over a file.
  CertUtil [Options] -hashfile InFile [HashAlgorithm] [-v]
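A worked example of using -hashfile as an integrity check, added here and not part of the CertUtil reference: a PowerShell function that runs certutil, extracts the hash line from its output and compares it with a value obtained out of band. It assumes certutil.exe is on the PATH; the file path and expected hash in the usage comment are placeholders.

```powershell
# Added example (not from the CertUtil reference): compare a file's hash, as
# computed by certutil -hashfile, with an expected value published by the
# file's author. Assumptions: certutil.exe is on PATH; the expected hash comes
# from a trusted source separate from the download location.
function Test-FileHashWithCertUtil {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash,
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')]
        [string] $Algorithm = 'SHA256'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # certutil prints three lines: "<ALG> hash of <file>:", the hex digest, and a
    # "CertUtil: -hashfile command completed successfully." status line.
    # Older Windows builds separate the digest's byte pairs with spaces.
    $lines = & certutil.exe -hashfile $Path $Algorithm 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -hashfile failed (exit $LASTEXITCODE): $($lines -join ' ')"
    }

    # The digest is the only output line made up solely of hex digits and spaces.
    $hexLine = $lines | Where-Object { $_ -match '^[0-9a-fA-F ]+$' } | Select-Object -First 1
    if (-not $hexLine) {
        throw "No hash line found in certutil output: $($lines -join ' ')"
    }

    # Normalise both sides: drop spaces, colons and dashes, compare case-insensitively.
    $actual   = ($hexLine -replace '\s', '').ToLowerInvariant()
    $expected = ($ExpectedHash -replace '[\s:-]', '').ToLowerInvariant()

    [PSCustomObject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Actual    = $actual
        Expected  = $expected
        Match     = ($actual -eq $expected)
    }
}

# Usage (placeholder path and hash; replace with the published values):
# $r = Test-FileHashWithCertUtil -Path 'C:\Downloads\tool.zip' -ExpectedHash '<EXPECTED-SHA256-HEX>'
# if (-not $r.Match) { Write-Warning "Hash mismatch for $($r.Path): got $($r.Actual)" }
```

The function normalises spacing and case before comparing because the digest line format varies between Windows versions, and it fails closed (throws) when certutil returns a non-zero exit code or the digest line cannot be located, so a parsing failure is never reported as a match.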

  Dump certificate store 
  CertUtil [Options] -store [CertificateStoreName [CertId [OutputFile]]]
              [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName]

CertificateStoreName : Certificate store name.

Examples:
"My", "CA" (default), "Root",

"ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=...?cACertificate?one?objectClass=certificationAuthority" (View Root Certificates)

"ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=...?cACertificate?base?objectClass=certificationAuthority" (Modify Root Certificates)

"ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=...?certificateRevocationList?base?objectClass=cRLDistributionPoint" (View CRLs)

"ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=...?cACertificate?base?objectClass=certificationAuthority" (Enterprise CA Certificates)

ldap: (AD machine object certificates)
-user ldap: (AD user object certificates)

CertId :  Certificate or CRL match token. This can be:

a serial number, an SHA-1 certificate, CRL, CTL or public key hash,
a numeric cert index (0, 1, and so on),
a numeric CRL index (.0, .1, and so on),
a numeric CTL index (..0, ..1, and so on),
a public key, signature or extension ObjectId,
a certificate subject Common Name,
an e-mail address, UPN or DNS name,
a key container name or CSP name,
a template name or ObjectId,
an EKU or Application Policies ObjectId, or a CRL issuer Common Name.
Many of the above may result in multiple matches.

OutputFile :  File to save matching cert.

Use -user to access a user store instead of a machine store.
Use -enterprise to access a machine enterprise store.
Use -service to access a machine service store.
Use -grouppolicy to access a machine group policy store.

Examples:
-enterprise NTAuth
-enterprise Root 37
-user My 26e0aaaf000000000004
CA .11

  Enumerate certificate stores
  CertUtil [Options] -enumstore [\\MachineName] [-Enterprise] [-user] [-GroupPolicy]

MachineName : remote machine name.

  Add certificate to store
  CertUtil [Options] -addstore CertificateStoreName InFile
              [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

CertificateStoreName : Certificate store name. See -store for examples.
InFile : Certificate or CRL file to add to store.

Modifiers: Certs  CRLs  CTLs  Root  NoRoot

  Delete certificate from store
  CertUtil [Options] -delstore CertificateStoreName CertId
              [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-Silent] [-dc DCName]

CertificateStoreName : Certificate store name. See -store for examples.
CertId : Certificate or CRL match token. See -store.

  Verify certificate in store
  CertUtil [Options] -verifystore CertificateStoreName [CertId]
              [-f] [-v] [-enterprise] [-user]  [-GroupPolicy] [-silent] [-split] [-dc DCName] [-t Timeout]

CertificateStoreName : Certificate store name. See -store for examples.
CertId : Certificate or CRL match token. See -store.

  Repair key association or update certificate properties or key security descriptor
  CertUtil [Options] -repairstore CertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor]
              [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-csp Provider]

CertificateStoreName : Certificate store name. See -store for examples.
CertIdList : comma separated list of Certificate or CRL match tokens. See -store CertId description.
PropertyInfFile : INF file containing external properties:

[Properties]
19 = Empty ; Add archived property, OR:
19 = ; Remove archived property

11 = "{text}Friendly Name" ; Add friendly name property

127 = "{hex}" ; Add custom hexadecimal property
_continue_ = "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
_continue_ = "10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f"

2 = "{text}" ; Add Key Provider Information property
_continue_ = "Container=Container Name&"
_continue_ = "Provider=Microsoft Strong Cryptographic Provider&"
_continue_ = "ProviderType=1&"
_continue_ = "Flags=0&"
_continue_ = "KeySpec=2"

9 = "{text}" ; Add Enhanced Key Usage property
_continue_ = "1.3.6.1.5.5.7.3.2,"
_continue_ = "1.3.6.1.5.5.7.3.1,"

  Dump certificate store
  CertUtil [Options] -viewstore [CertificateStoreName [CertId [OutputFile]]]
              [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

CertificateStoreName : Certificate store name. See -store for examples.
CertId : Certificate or CRL match token. See -store for a list of formats.
OutputFile : file to save matching cert.

Use -user to access a user store instead of a machine store.
Use -enterprise to access a machine enterprise store.
Use -service to access a machine service store.
Use -grouppolicy to access a machine group policy store.

Examples:
-enterprise NTAuth
-enterprise Root 37
-user My 26e0aaaf000000000004
CA .11

  Delete certificate from store
  CertUtil [Options] -viewdelstore [CertificateStoreName [CertId [OutputFile]]] 
    Options:   [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

CertificateStoreName : Certificate store name. See -store for examples.
CertId : Certificate or CRL match token. See -store for a list of formats.
OutputFile :  File to save matching cert.

Use -user to access a user store instead of a machine store.
Use -enterprise to access a machine enterprise store.
Use -service to access a machine service store.
Use -grouppolicy to access a machine group policy store.

Examples:
-enterprise NTAuth
-enterprise Root 37
-user My 26e0aaaf000000000004
CA .11

  Invoke CryptUI
  CertUtil [Options] -UI File [import]

  Verify Key Attestation Request
  CertUtil [Options] -attest RequestFile
              [-user] [-Silent] [-split]

  Publish certificate or CRL to Active Directory
  CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
              [-f] [-v] [-user] [-dc DCName]

  CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]]
              [-f] [-v] [-user] [-dc DCName]

CertFile : certificate file to publish
NTAuthCA : Publish cert to DS Enterprise store
RootCA : Publish cert to DS Trusted Root store
SubCA : Publish CA cert to DS CA object
CrossCA : Publish cross cert to DS CA object
KRA :  Publish cert to DS Key Recovery Agent object
User : Publish cert to User DS object
Machine : Publish cert to Machine DS object
CRLFile : CRL file to publish
DSCDPContainer : DS CDP container CN, usually the CA machine name
DSCDPCN : DS CDP object CN, usually based on the sanitized CA short name and key index
Use -f to create DS object.

  Display AD templates
  CertUtil [Options] -ADTemplate [Template] 
    Options:   [-f] [-v] [-user] [-ut] [-mt] [-dc DCName]

  Display Enrollment Policy templates 
  CertUtil [Options] -Template [Template] 
    Options:   [-f] [-v] [-user] [-dc DCName] [-silent] [-PolicyServer URLOrId]
     [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

  Display CAs for template
  CertUtil [Options] -TemplateCAs Template
    Options:   [-f] [-v] [-user] [-dc DCName]

  Display templates for CA
  CertUtil [Options] -CATemplates [Template] 
    Options:   [-f] [-v] [-user] [-ut] [-mt] [-config Machine\CAName] [-dc DCName]

  Set, Verify or Delete CA site names
  CertUtil [Options] -SetCASites [set] [Sitename]
  CertUtil [Options] -SetCASites verify [Sitename]
  CertUtil [Options] -SetCASites delete
    Options:   [-f] [-v] [-config Machine\CAName] [-dc DCName]

Use the -config option to target a single CA (Default is all CAs)
Sitename is allowed only when targeting a single CA
Use -f to override validation errors for the specified Sitename
Use -f to delete all CA site names

  Display, add or delete enrollment server URLs associated with a CA 
  CertUtil [Options] -enrollmentServerURL [URL AuthenticationType [Priority] [Modifiers]]
              [-f] [-config Machine\CAName] [-dc DCName]

  CertUtil [Options] -enrollmentServerURL URL delete 
              [-f] [-config Machine\CAName] [-dc DCName]

AuthenticationType: Specify one of the following client authentication methods while adding a URL:

Kerberos : Use Kerberos SSL credentials.
UserName : Use named account for SSL credentials.
ClientCertificate : Use X.509 Certificate SSL credentials.
Anonymous : Use anonymous SSL credentials.

delete : Delete the specified URL associated with the CA
Priority : Defaults to '1' if not specified when adding a URL
Modifiers : Comma separated list of one or more of the following:

AllowRenewalsOnly : Only renewal requests can be submitted to this CA via this URL
AllowKeyBasedRenewal : Allow use of a certificate that has no associated account in the AD.
This applies only with ClientCertificate and AllowRenewalsOnly Mode

  Display AD CAs
  CertUtil [Options] -ADCA [CAName] [-f] [-split] [-dc DCName]

  Display Enrollment Policy CAs
  CertUtil [Options] -CA [CAName | TemplateName] [-f] [-user] [-silent]
           [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos]
              [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

  Display Enrollment Policy
  CertUtil [Options] -Policy [-f] [-user] [-silent] [-split]
              [-PolicyServer URLOrId] [-Anonymous] [-Kerberos]
                 [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

  Display or delete Enrollment Policy Cache entries
  CertUtil [Options] -PolicyCache [delete] 
              [-f] [-user] [-PolicyServer URLOrId]

    delete: delete Policy Server cache entries 
        -f: use -f to delete all cache entries

  Display, add or delete Credential Store entries
  CertUtil [Options] -CredStore [URL]
              [-f] [-user] [-silent] [-Anonymous] [-Kerberos]
                 [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

  CertUtil [Options] -CredStore URL add 
              [-f] [-user] [-silent] [-Anonymous] [-Kerberos]
                 [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

  CertUtil [Options] -CredStore URL delete
              [-f] [-user] [-silent] [-Anonymous] [-Kerberos]
                 [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

URL : Target URL. Use * to match all entries. Use https://machine* to match a URL prefix.
add : Add a Credential Store entry. SSL credentials must also be specified.
delete : Delete Credential Store entries
-f : use -f to overwrite an entry or to delete multiple entries.

  Install default certificate templates
  CertUtil [Options] -InstallDefaultTemplates 
              [-f] [-v] [-dc DCName]

  Display or delete URL cache entries
  CertUtil [Options] -URLCache [URL | CRL | * [delete]]
              [-f] [-v] [-split]

URL : Cached URL
CRL : Operate on all cached CRL URLs only
* : Operate on all cached URLs
delete : Delete relevant URLs from the current user's local cache
-f : Force fetch of a specific URL and update the cache.
-split : Dump the file to disk
-v : Will display the whole internet history and cache file locations.
e.g.
certutil.exe -urlcache -split -f "https://download.sysinternals.com/files/SysinternalsSuite.zip" pstools.zip

  Pulse autoenrollment events
  CertUtil [Options] -pulse [TaskName [SRKThumbprint]] [Modifiers] [-v] [-user]

TaskName : The task to trigger:

Pregen : NGC Key Pregen task
AIKEnroll : NGC AIK certificate enrollment task.
defaults to autoenrollment event.

SRKThumbprint : Thumbprint of the Storage Root Key.

Modifiers: Pregen  PregenDelay  AIKEnroll  CryptoPolicy  NgcPregenKey  DIMSRoam

  Display Active Directory computer object information
  CertUtil [Options] -MachineInfo DomainName\MachineName$ [-v] 

  Display domain controller information
  CertUtil [Options] -DCInfo [Domain] [Verify | DeleteBad | DeleteAll]
              [-f] [-v] [-user] [-urlfetch] [-dc DCName] [-t Timeout] [Modifiers]

Default is to display DC certs without verification.
Modifiers: Verify  DeleteBad  DeleteAll

  Display Enterprise CA information
  CertUtil [Options] -EntInfo DomainName\MachineName$
    Options:   [-f] [-v] [-user]

  Display CA information
  CertUtil [Options] -TCAInfo [DomainDN | -]
    Options:   [-f] [-v] [-enterprise] [-user] [-urlfetch] [-dc DCName] [-t Timeout]

  Display smart card information
  CertUtil [Options] -SCInfo [ReaderName [CRYPT_DELETEKEYSET]]
    Options:   [-v] [-silent] [-split] [-urlfetch] [-t Timeout]

CRYPT_DELETEKEYSET : Delete all keys on the smart card

  Manage smart card root certificates
  CertUtil [Options] -SCRoots update [+][InputRootFile] [ReaderName]
     [-f] [-split] [-p Password]

  CertUtil [Options] -SCRoots save @OutputRootFile [ReaderName]
     [-f] [-split] [-p Password]

  CertUtil [Options] -SCRoots view [InputRootFile | ReaderName]
     [-f] [-split] [-p Password]

  CertUtil [Options] -SCRoots delete [ReaderName] 
     [-f] [-split] [-p Password]

  Delete Hello Logon container.
  CertUtil [Options] -DeleteHelloContainer
     ** Users need to sign out after using this option for it to complete. **
 
  Verify public/private key set
  CertUtil [Options] -verifykeys [KeyContainerName CACertFile]
              [-f] [-v] [-user] [-silent] [-config Machine\CAName]

KeyContainerName : Key container name of the key to verify. Defaults to machine keys. Use -user for user keys.
CACertFile : Signing or encryption certificate file
If no arguments are specified, each signing CA cert is verified against its private key.
This operation can only be performed against a local CA or local keys.

  Verify certificate, CRL or chain
  CertUtil [Options] -verify CertFile [ApplicationPolicyList | - [IssuancePolicyList]] [Modifiers]
     [-f] [-v] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout] [-sslpolicy ServerName]

  CertUtil [Options] -verify CertFile [CACertFile [CrossedCACertFile]] [Modifiers]
     [-f] [-v] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout] [-sslpolicy ServerName]

  CertUtil [Options] -verify CRLFile CACertFile [IssuedCertFile] [Modifiers]
     [-f] [-v] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout] [-sslpolicy ServerName]

  CertUtil [Options] -verify CRLFile CACertFile [DeltaCRLFile] [Modifiers]
     [-f] [-v] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout] [-sslpolicy ServerName]

CertFile : Certificate to verify.
ApplicationPolicyList : Optional comma separated list of required Application Policy ObjectIds.
IssuancePolicyList : Optional comma separated list of required Issuance Policy ObjectIds.
CACertFile : Optional issuing CA certificate to verify against.
CrossedCACertFile : Optional certificate cross-certified by CertFile.
CRLFile : CRL to verify.
IssuedCertFile : Optional issued certificate covered by CRLFile.
DeltaCRLFile : Optional delta CRL.

If ApplicationPolicyList is specified, chain building is restricted to chains valid for
the specified Application Policies.
If IssuancePolicyList is specified, chain building is restricted to chains valid for the
specified Issuance Policies.
If CACertFile is specified, fields in CACertFile are verified against CertFile or CRLFile.
If CACertFile is not specified, CertFile is used to build and verify a full chain.
If CACertFile and CrossedCACertFile are both specified, fields in CACertFile and CrossedCACertFile
are verified against CertFile.
If IssuedCertFile is specified, fields in IssuedCertFile are verified against CRLFile.
If DeltaCRLFile is specified, fields in DeltaCRLFile are verified against CRLFile.

Modifiers:
Strong : Strong signature verification.
MSRoot : Must chain to a Microsoft root.
MSTestRoot : Must chain to a Microsoft test root.
AppRoot : Must chain to a Microsoft application root.
EV : Enforce Extended Validation Policy.
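A worked example of the -verify form with -urlfetch, added here and not part of the CertUtil reference: a PowerShell function that builds a certificate's chain with online revocation checking, optionally restricted to an Application Policy, and summarises the outcome. It assumes certutil.exe is on the PATH; the certificate path in the usage comment is a placeholder, and the output-parsing rules (exit code, lines prefixed "ERROR:", 0x-style status codes) are assumptions about certutil's console output that should be confirmed on the Windows build in use.

```powershell
# Added example (not from the CertUtil reference): verify a certificate file's
# chain with revocation checking and report whether it passed.
# Assumptions: certutil.exe is on PATH; the "ERROR:" line prefix and the
# 0x######## status codes are heuristics about certutil's output.
function Test-CertificateChainWithCertUtil {
    param(
        [Parameter(Mandatory)] [string] $CertFile,
        # Optional Application Policy OIDs. When given, chain building is
        # restricted to chains valid for these policies (ApplicationPolicyList).
        [string[]] $ApplicationPolicy
    )
    if (-not (Test-Path -LiteralPath $CertFile)) {
        throw "File not found: $CertFile"
    }

    # -urlfetch retrieves AIA certificates, CRLs and OCSP responses rather than
    # relying only on what is already cached on the machine.
    $cmdArgs = @('-verify', '-urlfetch', $CertFile)
    if ($ApplicationPolicy) {
        $cmdArgs += ($ApplicationPolicy -join ',')
    }

    $output = & certutil.exe @cmdArgs 2>&1 | ForEach-Object { "$_" }
    $exit   = $LASTEXITCODE

    # Chain-building failures (untrusted root, expired, wrong policy) give a
    # non-zero exit code. Revocation problems are reported as "ERROR:" lines
    # even when the command itself completes, so both signals are checked.
    $errorLines = @($output | Where-Object { $_ -match '^\s*ERROR:' })
    $codes      = @($output | Select-String -Pattern '0x[0-9A-Fa-f]{8}' -AllMatches |
                    ForEach-Object { $_.Matches.Value } | Sort-Object -Unique)

    [PSCustomObject]@{
        CertFile        = $CertFile
        ExitCode        = $exit
        ChainValid      = ($exit -eq 0)
        RevocationIssue = ($errorLines.Count -gt 0)
        Passed          = ($exit -eq 0 -and $errorLines.Count -eq 0)
        Errors          = $errorLines
        StatusCodes     = $codes
        RawOutput       = $output
    }
}

# Usage (placeholder path; the OID is Server Authentication, as listed above):
# $r = Test-CertificateChainWithCertUtil -CertFile 'C:\certs\server.cer' -ApplicationPolicy '1.3.6.1.5.5.7.3.1'
# if (-not $r.Passed) { $r.Errors | Write-Warning }
```

Passed is only true when both the exit code is zero and no revocation error lines were seen; a chain that builds but whose revocation status could not be determined is therefore reported as a failure, which is the conservative reading for anything that gates trust on the result.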

  Verify AuthRoot or Disallowed Certificates CTL
  CertUtil [Options] -verifyCTL CTLObject [CertDir] [CertFile] [-f] [-user] [-split]

CTLObject : Identifies the CTL to verify:

AuthRootWU : read AuthRoot CAB and matching certificates from the URL cache. Use -f to download from Windows Update instead.
DisallowedWU : read Disallowed Certificates CAB and disallowed certificate store file from the URL cache. Use -f to download from Windows Update instead.
PinRulesWU : read PinRules CAB from the URL cache. Use -f to download from Windows Update instead.
AuthRoot : read registry cached AuthRoot CTL. Use with -f and a CertFile that is not already trusted to force updating the registry cached AuthRoot and Disallowed Certificate CTLs.
Disallowed : read registry cached Disallowed Certificates CTL. -f has the same behavior as with AuthRoot.
PinRules : read registry cached PinRules CTL. -f has the same behavior as with PinRulesWU.
CTLFileName : file or http: path to CTL or CAB

CertDir : folder containing certificates matching CTL entries. An http: folder path must end with a path separator. If a folder is not specified with AuthRoot or Disallowed, multiple locations will be searched for matching certificates: local certificate stores, crypt32.dll resources and the local URL cache. Use -f to download from Windows Update when necessary.
Otherwise defaults to the same folder or web site as the CTLObject.
CertFile : file containing certificate(s) to verify. Certificates will be matched against CTL entries,
and match results displayed. Suppresses most of the default output.

  Sync with Windows Update
  CertUtil [Options] -syncWithWU DestinationDir [-f]
    DestinationDir -- folder to copy to.
         The following files are downloaded from Windows Update:
             authrootstl.cab - contains CTL of Third Party Roots.
             disallowedcertstl.cab - contains CTL of Disallowed Certificates.
             disallowedcert.sst - Disallowed Certificates.
             pinrulesstl.cab - contains CTL of SSL Pin Rules.
             pinrules.sst - Pin Rules Certificates.
             thumbprint.crt - Third Party Roots.

  Generate SST from Windows Update
  CertUtil [Options] -generateSSTFromWU SSTFile [-f] [-split]
    SSTFile : .sst file to be created.
         The generated .sst file contains the Third Party Roots downloaded from Windows Update.

  Generate Pin Rules CTL
  CertUtil [Options] -generatePinRulesCTL XMLFile CTLFile [SSTFile [QueryFilesPrefix]] [-f]
    XMLFile : input XML file to be parsed.
    CTLFile : output CTL file to be generated.
    SSTFile : optional .sst file to be created.
         The .sst file contains all of the certificates used for pinning.
    QueryFilesPrefix -- optional Domains.csv and Keys.csv files to be created for database query.
         The QueryFilesPrefix string is prepended to each created file.
         The Domains.csv file contains rule name, domain rows.
         The Keys.csv file contains rule name, key SHA256 thumbprint rows.

  Download OCSP Responses and Write to Directory
  CertUtil [Options] -downloadOcsp CertificateDir OcspDir [ThreadCount] [Modifiers]
    CertificateDir : directory of certificate, store and PFX files.
    OcspDir        : directory to write OCSP responses.
    ThreadCount    : optional maximum number of threads for concurrent downloading. Default is 10.
    Modifiers : Comma separated list of one or more of the following:
                DownloadOnce : Download once and exit
                ReadOcsp     : Read from OcspDir instead of writing
    By default, certutil won't exit and must be explicitly terminated.

  Generate HPKP header using certificates in specified file or directory
  CertUtil [Options] -generateHpkpHeader CertFileOrDir MaxAge [ReportUri] [Modifiers]

    CertFileOrDir  : file or directory of certificates. Source of pin-sha256.
    MaxAge         : max-age value in seconds.
    ReportUri      : optional report-uri.
    Modifiers  : Comma separated list of one or more of the following:
                 includeSubDomains : append includeSubDomains.
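The pin-sha256 values that -generateHpkpHeader derives from CertFileOrDir are base64-encoded SHA-256 hashes of each certificate's DER SubjectPublicKeyInfo (RFC 7469). The following Python is an added example, not certutil's own code: it extracts the SPKI from a DER certificate, computes the pin, and assembles the header from the same MaxAge, ReportUri and includeSubDomains inputs; the certificates are constructed in-line with placeholder names and signatures so the block runs offline.

```python
import base64
import hashlib

def der(tag, content):
    """Encode one DER TLV with a definite length (up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def read_tlv(buf, pos):
    """Return (tag, content, end) for the DER element that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def subject_public_key_info(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    outer, cert, _ = read_tlv(cert_der, 0)
    inner, tbs, _ = read_tlv(cert, 0)
    if outer != 0x30 or inner != 0x30:
        raise ValueError("not a DER X.509 certificate")
    pos = 0
    tag, _, end = read_tlv(tbs, pos)
    if tag == 0xA0:               # explicit [0] version; absent in v1 certificates
        pos = end
    for _ in range(5):            # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, _, end = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo must be a SEQUENCE")
    return tbs[pos:end]           # whole TLV: the pin hashes the tag and length bytes too

def pin_sha256(cert_der):
    """HPKP pin per RFC 7469: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(subject_public_key_info(cert_der)).digest()
    return base64.b64encode(digest).decode("ascii")

def hpkp_header(certs, max_age, report_uri="", include_subdomains=False):
    """Build the Public-Key-Pins value from the inputs the certutil verb takes."""
    parts = ['pin-sha256="%s"' % pin_sha256(c) for c in certs]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)

def sample_cert(key_bytes):
    """Constructed certificate skeleton: real DER layout, placeholder names, dates
    and signature; only the SubjectPublicKeyInfo matters for the pin."""
    rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, rsa + der(0x03, b"\x00" + key_bytes))
    name = der(0x30, b"")                                   # empty Name placeholder
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + rsa
              + name + validity + name + spki)
    return der(0x30, tbs + rsa + der(0x03, b"\x00\x00\x00\x00\x00"))

# Two constructed certificates: an HPKP policy needs a live pin plus a backup pin.
SAMPLE_CERTS = [sample_cert(b"\x01" * 32), sample_cert(b"\x02" * 32)]
```

Against real certificates, the pins produced here should match what certutil -generateHpkpHeader emits for the same files, which is a useful cross-check before a header goes live.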

  Flush specified caches in selected process, such as, lsass.exe
  CertUtil [Options] -flushCache ProcessId CacheMask [Modifiers]
    ProcessId : numeric id of process to flush. Set to 0 to flush all processes where flush is enabled.
    CacheMask : bit mask of caches to be flushed. Numeric OR of following bits:
            0x01: CERT_WNF_FLUSH_CACHE_REVOCATION
            0x02: CERT_WNF_FLUSH_CACHE_OFFLINE_URL
            0x04: CERT_WNF_FLUSH_CACHE_MACHINE_CHAIN_ENGINE
            0x08: CERT_WNF_FLUSH_CACHE_USER_CHAIN_ENGINES
            0x10: CERT_WNF_FLUSH_CACHE_SERIAL_CHAIN_CERTS
            0x20: CERT_WNF_FLUSH_CACHE_SSL_TIME_CERTS
            0x40: CERT_WNF_FLUSH_CACHE_OCSP_STAPLING
               0: ShowOnly
    Modifiers : Comma separated list of one or more of the following:
                Show : Show caches being flushed. Certutil must be explicitly terminated.

  Add ECC Curve
  CertUtil [Options] -addEccCurve [CurveClass:]CurveName CurveParameters [CurveOID] [CurveType] [-f]

      CurveClass:       -- ECC Curve Class Type:
                             - WEIERSTRASS [Default]
                             - MONTGOMERY 
                             - TWISTED_EDWARDS 

      CurveName         -- ECC Curve Name

      CurveParameters   -- ECC Curve Parameters. It is one of the following 
                             - Certificate Filename Containing ASN Encoded Parameters
                             - File Containing ASN Encoded Parameters

      CurveOID          -- ECC Curve OID. It is one of the following:
                             - Certificate Filename Containing ASN Encoded OID
                             - Explicit ECC Curve OID

      CurveType         -- Schannel ECC NamedCurve Point (Numeric)

  Delete ECC Curve
  CertUtil [Options] -deleteEccCurve CurveName | CurveOID [-f]

    CurveName : ECC Curve Name
    CurveOID  : ECC Curve OID

  Display ECC Curve
  CertUtil [Options] -displayEccCurve [CurveName | CurveOID] [-f]

    CurveName : ECC Curve Name
    CurveOID  : ECC Curve OID

  Re-sign CRL or certificate
  CertUtil [Options] -sign InFileList|SerialNumber|CRL OutFileList [StartDate[+|-dd:hh]+|-dd:hh]
     [+SerialNumberList | -SerialNumberList | -ObjectIdList | @ExtensionFile] [-nullsign]
        [-f] [-user] [-silent] [-Cert CertId] [-csp Provider]

  CertUtil [Options] -sign InFileList|SerialNumber|CRL OutFileList [#HashAlgorithm]
     [+AlternateSignatureAlgorithm | -AlternateSignatureAlgorithm]  [-nullsign] 
        [-f] [-user] [-silent] [-Cert CertId] [-csp Provider]

  CertUtil [Options] -sign InFileList OutFileList [Subject:CN=...] [Issuer:hex data]

InFileList : comma separated list of Certificate or CRL files to modify and re-sign
SerialNumber : Serial number of certificate to create. Validity period and other options must not be present.
CRL :   Create an empty CRL. Validity period and other options must not be present.
OutFileList : comma separated list of modified Certificate or CRL output files. The number of files must match InFileList.

StartDate+dd:hh : new validity period: an optional start date plus an optional validity period in days and hours.
If both are specified, use a plus sign (+) separator.
Use "now[+dd:hh]" to start at the current time. Use "never" to have no expiration date (for CRLs only).

SerialNumberList : Comma separated serial number list to add or remove
ObjectIdList :  Comma separated extension ObjectId list to remove
@ExtensionFile : INF file containing extensions to update or remove:

[Extensions]
2.5.29.31 = ; Remove CRL Distribution Points extension
2.5.29.15 = "{hex}" ; Update Key Usage extension
_continue_="03 02 01 86"

HashAlgorithm : Name of the hash algorithm preceded by a # sign: #MD2 #MD4 #MD5 #SHA1 #SHA256 #SHA384 or #SHA512
AlternateSignatureAlgorithm: alternate Signature algorithm specifier

A minus sign causes serial numbers and extensions to be removed. A plus sign causes serial numbers to be added to a CRL.
When removing items from a CRL, the list can contain both serial numbers and ObjectIds.
A minus sign before AlternateSignatureAlgorithm causes the legacy signature format to be used.
A plus sign before AlternateSignatureAlgorithm causes the alternate signature format to be used.
If AlternateSignatureAlgorithm is not specified then the signature format in the certificate or CRL is used.
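The Key Usage line in the [Extensions] example above stores the raw DER extension value as hex: "03 02 01 86" is a BIT STRING with one unused trailing bit whose single byte 0x86 sets digitalSignature, keyCertSign and cRLSign. This added Python example, not certutil's own code, decodes such a value and writes the INF section for a chosen set of flags, so the hex does not have to be worked out by hand:

```python
# RFC 5280 KeyUsage is a DER BIT STRING: 03 <len> <unused bits> <bytes>. Bit 0 is
# the most significant bit of the first content byte; DER drops trailing zero bits.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(hex_text):
    """Return the KeyUsage flag names set in a DER BIT STRING given as hex text."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    if len(raw) < 3 or raw[0] != 0x03 or raw[1] != len(raw) - 2:
        raise ValueError("expected a DER BIT STRING: 03 <len> <unused bits> <bytes>")
    unused, body = raw[2], raw[3:]
    if unused > 7 or (body and body[-1] & ((1 << unused) - 1)):
        raise ValueError("invalid unused-bit count or non-zero padding bits")
    total_bits = len(body) * 8 - unused
    return [KEY_USAGE_BITS[i] for i in range(min(total_bits, len(KEY_USAGE_BITS)))
            if body[i // 8] & (0x80 >> (i % 8))]

def encode_key_usage(names):
    """DER-encode a set of KeyUsage flags as the hex text the INF expects."""
    bits = sorted(KEY_USAGE_BITS.index(n) for n in names)   # ValueError on unknown name
    if not bits:
        return "03 01 00"                                     # empty BIT STRING
    highest = bits[-1]
    body = bytearray(highest // 8 + 1)
    for b in bits:
        body[b // 8] |= 0x80 >> (b % 8)
    unused = len(body) * 8 - (highest + 1)                    # trailing bits are padding
    raw = bytes([0x03, len(body) + 1, unused]) + bytes(body)
    return " ".join("%02x" % b for b in raw)

def inf_extensions_section(names, drop_oids=()):
    """Write an [Extensions] section for certutil -sign @ExtensionFile: the given Key
    Usage flags are set, and each OID in drop_oids is removed with an empty value."""
    lines = ["[Extensions]"]
    lines += ["%s = ; remove extension" % oid for oid in drop_oids]
    lines += ['2.5.29.15 = "{hex}" ; Key Usage', '_continue_="%s"' % encode_key_usage(names)]
    return "\n".join(lines)
```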

  Create/delete web virtual roots and file shares
  CertUtil [Options] -vroot [delete]

  Create/delete web virtual roots for OCSP web proxy
  CertUtil [Options] -vocsproot [delete]

  Add an Enrollment Server application
  CertUtil [Options] -addEnrollmentServer Kerberos | UserName | ClientCertificate [AllowRenewalsOnly]
              [AllowKeyBasedRenewal] [-f] [-config Machine\CAName] [Modifiers]

Add an Enrollment Server application and application pool if necessary, for the specified CA.
This command does not install binaries or packages.
Specify one of the following authentication methods, with which the client connects to the Certificate Enrollment Server:

Kerberos : Use Kerberos SSL credentials
UserName : Use named account for SSL credentials
ClientCertificate : Use X.509 Certificate SSL credentials
AllowRenewalsOnly : Only renewal requests can be submitted to this CA via this URL
AllowKeyBasedRenewal : Allows use of a certificate that has no associated account in the AD.
This applies only with ClientCertificate and AllowRenewalsOnly mode.

Modifiers:
AllowRenewalsOnly
AllowKeyBasedRenewal

  Delete an Enrollment Server application
  CertUtil [Options] -deleteEnrollmentServer Kerberos | UserName | ClientCertificate
              [-f] [-config Machine\CAName]

Delete an Enrollment Server application and application pool if necessary, for the specified CA.
This command does not remove binaries or packages.
Specify one of the following authentication methods, with which the client connects to the Certificate Enrollment Server:

Kerberos : Use Kerberos SSL credentials
UserName : Use named account for SSL credentials
ClientCertificate : Use X.509 Certificate SSL credentials

  Add a Policy Server application
  CertUtil [Options] -addPolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]

Add a policy server application and application pool if necessary.
This command does not install binaries or packages.
Specify one of the following authentication methods, with which the client connects to the Certificate Policy Server:

Kerberos : Use Kerberos SSL credentials.
UserName : Use named account for SSL credentials.
ClientCertificate : Use X.509 Certificate SSL credentials.
KeyBasedRenewal : Only policies that contain KeyBasedRenewal templates are returned to the client. This flag applies only for UserName and ClientCertificate authentication.

  Delete a Policy Server application
  CertUtil [Options] -deletePolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]

Delete a policy server application and application pool if necessary.
This command does not remove binaries or packages.
Specify one of the following authentication methods, with which the client connects to the Certificate Policy Server:

Kerberos : Use Kerberos SSL credentials.
UserName : Use named account for SSL credentials.
ClientCertificate : Use X.509 Certificate SSL credentials.
KeyBasedRenewal : KeyBasedRenewal policy server.

  Display ObjectId or set display name
  CertUtil [Options] -oid ObjectId [DisplayName | delete [LanguageId [Type]]] [-f]

  CertUtil [Options] -oid GroupId [-f]

  CertUtil [Options] -oid AlgId | AlgorithmName [GroupId] [-f]

ObjectId : ObjectId to display or to add display name
GroupId : Decimal GroupId number for ObjectIds to enumerate
AlgId :  Hexadecimal AlgId for ObjectId to look up
AlgorithmName : Algorithm Name for ObjectId to look up
DisplayName : Display Name to store in DS
delete :  Delete display name
LanguageId : Language Id (defaults to current: 1033)
Type :  DS object type to create: 1 for Template (default), 2 for Issuance Policy, 3 for Application Policy
Use -f to create DS object.

  Display error code message text
  CertUtil [-v] -error ErrorCode


  Display registry value
  CertUtil [Options] -getreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\[ProgId\]] [RegistryName] RegistryValue
              [-f] [-Enterprise] [-user] [-GroupPolicy] [-config Machine\CAName]

ca :  Use CA's registry key
restore : Use CA's restore registry key
policy : Use policy module's registry key
exit :  Use first exit module's registry key
template : Use template registry key (use -user for user templates)
enroll : Use enrollment registry key (use -user for user context)
chain :  Use chain configuration registry key
PolicyServers : Use Policy Servers registry key
ProgId :  Use policy or exit module's ProgId (registry subkey name)
RegistryName : registry value name (use "Name*" to prefix match)
RegistryValue : Numeric, string or date registry value or filename:

If a numeric value starts with "+" or "-", the bits specified in the new value are set or cleared in the existing registry value.

If a string value starts with "+" or "-", and the existing value is a REG_MULTI_SZ value, the string is added to or removed from
the existing registry value.
To force creation of a REG_MULTI_SZ value, add a "\n" to the end of the string value.

If the value starts with "@", the rest of the value is the name of the file containing the hexadecimal text representation
of a binary value. If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh] -- an optional date plus or minus optional
days and hours. If both are specified, use a plus sign (+) or minus sign (-) separator. Use "now+dd:hh" for a date relative to the current time.
Use "i64" as a suffix to create a REG_QWORD value.

    Registry Aliases:
      Config
      CA
      Policy         PolicyModules
      Exit           ExitModules
      Restore        RestoreInProgress
      Template       Software\Microsoft\Cryptography\CertificateTemplateCache
      Enroll         Software\Microsoft\Cryptography\AutoEnrollment (Software\Policies\Microsoft\Cryptography\AutoEnrollment)
      MSCEP          Software\Microsoft\Cryptography\MSCEP
      Chain          Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
      PolicyServers  Software\Microsoft\Cryptography\PolicyServers (Software\Policies\Microsoft\Cryptography\PolicyServers)
      Crypt32        System\CurrentControlSet\Services\crypt32
      NGC            System\CurrentControlSet\Control\Cryptography\Ngc
      AutoUpdate     Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
      Passport       Software\Policies\Microsoft\PassportForWork
      MDM            Software\Microsoft\Policies\PassportForWork

    Use "chain\ChainCacheResyncFiletime @now" to effectively flush cached CRLs.

  Set registry value
  CertUtil [Options] -setreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\[ProgId\]]
     [RegistryValueName] Value
    Options:   [-f] [-user] [-GroupPolicy] [-config Machine\CAName]

ca :  Use CA's registry key
restore : Use CA's restore registry key
policy : Use policy module's registry key
exit :  Use first exit module's registry key
template : Use template registry key (use -user for user templates)
enroll : Use enrollment registry key (use -user for user context)
chain :  Use chain configuration registry key
PolicyServers : Use Policy Servers registry key
ProgId : Use policy or exit module's ProgId (registry subkey name)
RegistryValueName : registry value name (use "Name*" to prefix match)
Value : new numeric, string or date registry value or filename:

If a numeric value starts with "+" or "-", the bits specified in the new value are set or cleared in the existing registry value. If a string value
starts with "+" or "-", and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value.
To force creation of a REG_MULTI_SZ value, add a "\n" to the end of the string value. If the value starts with "@", the rest of the value is the name of the file containing the hexadecimal text representation of a binary value.
If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh] -- an optional date plus or minus optional days and hours.
If both are specified, use a plus sign (+) or minus sign (-) separator.
Use "now+dd:hh" for a date relative to the current time.
Use "chain\ChainCacheResyncFiletime @now" to effectively flush cached CRLs.
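A model of the Value rules described above (for -setreg, and the RegistryValue of -getreg), as an added Python example that is not certutil's own code: it previews the resulting type and value for a "+"/"-" bit edit, a REG_MULTI_SZ add or remove, the "\n" suffix, the "i64" suffix and a now+dd:hh date. Absolute date strings and the "@file" hex form are not modelled, hex input with a 0x prefix and the FILETIME type name are assumptions, and the existing values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

_NUMERIC = re.compile(r"([+-]?)(0x[0-9A-Fa-f]+|\d+)(i64)?$")
_RELATIVE = re.compile(r"@?now(?:([+-])(\d+):(\d+))?$")   # "@now" when no file "now" exists
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)     # constructed reference time

def apply_setreg(existing, value, now=None):
    """Return (registry_type, new_value) for an existing value and a -setreg Value.
    existing: int (REG_DWORD/REG_QWORD), str (REG_SZ), list of str (REG_MULTI_SZ) or None.
    """
    m = _NUMERIC.match(value)
    if m:
        sign, digits, qword = m.groups()
        bits = int(digits, 0)                      # decimal or 0x-prefixed hex (assumed)
        current = existing if isinstance(existing, int) else 0
        if sign == "+":
            new = current | bits                   # set the given bits
        elif sign == "-":
            new = current & ~bits                  # clear the given bits
        else:
            new = bits                             # replace the value outright
        return ("REG_QWORD" if qword else "REG_DWORD"), new
    m = _RELATIVE.match(value)
    if m:
        now = now or datetime.now(timezone.utc)
        sign, days, hours = m.groups()
        delta = timedelta(days=int(days or 0), hours=int(hours or 0))
        # Stored as an 8-byte FILETIME in a REG_BINARY value (assumed type name).
        return "REG_BINARY(FILETIME)", now - delta if sign == "-" else now + delta
    if value.endswith("\\n"):                      # literal backslash-n forces REG_MULTI_SZ
        return "REG_MULTI_SZ", [value[:-2]]
    if value[:1] in ("+", "-") and isinstance(existing, list):
        item = value[1:]
        if value[0] == "+":
            return "REG_MULTI_SZ", existing + ([item] if item not in existing else [])
        return "REG_MULTI_SZ", [s for s in existing if s != item]
    return "REG_SZ", value
```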

  Delete registry value
  CertUtil [Options] -delreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\[ProgId\]] [RegistryValueName]
              [-f] [-Enterprise] [-user] [-GroupPolicy] [-config Machine\CAName]

ca :  Use CA's registry key
restore : Use CA's restore registry key
policy : Use policy module's registry key
exit :  Use first exit module's registry key
template : Use template registry key (use -user for user templates)
enroll : Use enrollment registry key (use -user for user context)
chain :  Use chain configuration registry key
PolicyServers : Use Policy Servers registry key
ProgId : Use policy or exit module's ProgId (registry subkey name)
RegistryValueName : Registry value name (use "Name*" to prefix match)

    Registry Aliases: See CertUtil -getreg

  Import user keys and certificates into server database for key archival
  CertUtil [Options] -ImportKMS UserKeyAndCertFile [CertId] [-f] [-v] [-silent] [-split] 
              [-config Machine\CAName] [-p Password] [-symkeyalg SymmetricKeyAlgorithm[,KeyLength]]

UserKeyAndCertFile : Data file containing user private keys and certificates to be archived.
This can be any of the following:
   Exchange Key Management Server (KMS) export file
   PFX file
CertId : KMS export file decryption certificate match token. See -store.
Use -f to import certificates not issued by the CA.

  Import a certificate file into the database 
  CertUtil [Options] -ImportCert Certfile [ExistingRow] 
    Options:   [-f] [-v] [-config Machine\CAName]

Use ExistingRow to import the certificate in place of a pending request for the same key.
Use -f to import certificates not issued by the CA. The CA might also need to be configured to support foreign certificate import: certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN

  Retrieve archived private key recovery blob, generate a recovery script, or recover archived keys 
  CertUtil [Options] -GetKey SearchToken [RecoveryBlobOutFile]
              [-f] [-v] [-UnicodeText] [-silent] [-config Machine\CAName] [-p Password]
                  [-ProtectTo SAMNameAndSIDList] [-csp Provider]

  CertUtil [Options] -GetKey SearchToken Script OutputScriptFile
              [-f] [-v] [-UnicodeText] [-silent] [-config Machine\CAName] [-p Password]
                  [-ProtectTo SAMNameAndSIDList] [-csp Provider]

  CertUtil [Options] -GetKey SearchToken retrieve | recover OutputFileBaseName
              [-f] [-v] [-UnicodeText] [-silent] [-config Machine\CAName] [-p Password]
                  [-ProtectTo SAMNameAndSIDList] [-csp Provider]

Script : generate a script to retrieve and recover keys (default behavior if multiple matching recovery candidates are found, or if
the output file is not specified).
retrieve : retrieve one or more Key Recovery Blobs (default behavior if exactly one
matching recovery candidate is found, and if the output file is specified)
recover : retrieve and recover private keys in one step (requires Key Recovery Agent
certificates and private keys)
SearchToken : Used to select the keys and certificates to be recovered.
any of the following:
  Certificate Common Name
  Certificate Serial Number
  Certificate SHA-1 hash (thumbprint)
  Certificate KeyId SHA-1 hash (Subject Key Identifier)
  Requester Name (domain\user)
  UPN (user@domain)

RecoveryBlobOutFile : output file containing a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates.
OutputScriptFile : output file containing a batch script to retrieve and recover private keys.
OutputFileBaseName : output file base name. For retrieve, any extension is truncated and a certificate-specific string and the .rec extension are appended for each key recovery blob. Each file contains a certificate chain and an associated private key, still encrypted to
one or more Key Recovery Agent certificates. For recover, any extension is truncated and the .p12 extension is appended.
Contains the recovered certificate chains and associated private keys, stored as a PFX file.

  Recover archived private key
  CertUtil [Options] -RecoverKey RecoveryBlobInFile [PFXOutFile [RecipientIndex]] [-f] [-user]
              [-silent] [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider] [-t Timeout]

  Merge PFX files
  CertUtil [Options] -MergePFX PFXInFileList PFXOutFile [ExtendedProperties] [-f] [-user]
              [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider] [Modifiers]

PFXInFileList : Comma separated PFX input file list
PFXOutFile : PFX output file
ExtendedProperties: Include extended properties.

Modifiers : Comma separated list of one or more of the following:

ExtendedProperties : Include extended properties.
NoEncryptCert : Do not encrypt the certificates.
EncryptCert : Encrypt the certificates.

The password specified on the command line is a comma separated password list.
If more than one password is specified, the last password is used for the output file.
If only one password is provided or if the last password is "*", the user will be prompted for
the output file password.

  Convert PFX files to EPF file
  CertUtil [Options] -ConvertEPF PFXInFileList EPFOutFile [cast | cast-] [V3CACertId][,Salt] 
              [-f] [-Silent] [-split] [-dc DCName] [-p Password] [-csp Provider]

PFXInFileList : Comma separated PFX input file list
EPFOutFile : EPF output file
cast : Use CAST 64 encryption
cast- : Use CAST 64 encryption (export)
V3CACertId : V3 CA Certificate match token. See -store CertId description.
Salt: EPF output file salt string

The password specified on the command line is a comma separated password list.
If more than one password is specified, the last password is used for the output file.
If only one password is provided or if the last password is "*", the user will be prompted for
the output file password.

  Add certificate chain
  CertUtil [Options] -add-chain LogId certificate OutFile [-f]

  Add pre-certificate chain
  CertUtil [Options] -add-pre-chain LogId pre-certificate OutFile [-f]

  Get signed tree head
  CertUtil [Options] -get-sth [LogId] [-f]

  Get signed tree head changes
  CertUtil [Options] -get-sth-consistency LogId TreeSize1 TreeSize2 [-f]

  Get proof by hash
  CertUtil [Options] -get-proof-by-hash LogId Hash [TreeSize] [-f]

  Get entries
  CertUtil [Options] -get-entries LogId FirstIndex LastIndex [-f]

  Get roots
  CertUtil [Options] -get-roots LogId [-f]

  Get entry and proof
  CertUtil [Options] -get-entry-and-proof LogId Index [TreeSize] [-f]

  Verify certificate SCT
  CertUtil [Options] -VerifyCT Certificate SCT [precert] [-f]

OPTIONS
If used, these global options must be entered on the command line before the main verb.

   -nullsign     Use hash of data as signature
   -f            Force overwrite
   -enterprise   Use local machine Enterprise registry certificate store
   -user         Use HKEY_CURRENT_USER keys or certificate store
   -GroupPolicy  Use Group Policy certificate store
   -ut           Display user templates
   -mt           Display machine templates
   -Unicode      Write redirected output in Unicode
   -UnicodeText  Write output file in Unicode
   -gmt          Display times as GMT
   -seconds      Display times with seconds and milliseconds
   -silent       Use silent flag to acquire crypt context
   -split        Split embedded ASN.1 elements, and save to files
   -v            Verbose operation
   -privatekey   Display password and private key data
   -pin PIN      Smart Card PIN
   -urlfetch     Retrieve and verify AIA Certs and CDP CRLs
   -config Machine\CAName  CA and computer name string
   -PolicyServer URLOrId   Policy Server URL or Id. For selection U/I, use -PolicyServer.
                           For all Policy Servers, use -PolicyServer *
   -Anonymous    Use anonymous SSL credentials
   -Kerberos     Use Kerberos SSL credentials
   -ClientCertificate ClientCertId   Use X.509 Certificate SSL credentials. For selection U/I, use -clientCertificate.
   -UserName UserName   Use named account for SSL credentials. For selection U/I, use -UserName.
   -Cert CertId  Signing certificate
   -dc DCName    Target a specific Domain Controller
   -restrict RestrictionList   Comma separated Restriction List. Each restriction consists
                 of a column name, a relational operator and a constant integer, string or date.
                 One column name can be preceded by a plus or minus sign to indicate the sort order.
                 Examples:  "RequestId = 47"    "+RequesterName >= a, RequesterName < b"
                            "-RequesterName > DOMAIN, Disposition = 21"
   -out ColumnList   Comma separated Column List
   -p Password   Password
   -ProtectTo SAMNameAndSIDList   Comma separated SAM Name/SID List
   -csp Provider Provider
        KSP -- "Microsoft Software Key Storage Provider"
        TPM -- "Microsoft Platform Crypto Provider"
        NGC -- "Microsoft Passport Key Storage Provider"
        SC -- "Microsoft Smart Card Key Storage Provider"

   -Location     AlternateStorageLocation -- (-loc) AlternateStorageLocation
        AIK -- "C:\ProgramData\Microsoft\Crypto\PCPKSP\WindowsAIK"
   -t Timeout    URL fetch timeout in milliseconds
   -symkeyalg SymmetricKeyAlgorithm[,KeyLength]   Name of Symmetric Key Algorithm with
                 optional key length, example: AES,128 or 3DES
   -sid WELL_KNOWN_SID_TYPE  -- Numeric SID
        22 -- Local System
        23 -- Local Service
        24 -- Network Service
   -sslpolicy ServerName     -- SSL Policy matching ServerName

Certutil is sensitive to the order of command-line parameters.

Certutil replaces the File Checksum Integrity Verifier (FCIV) found in earlier versions of Windows.

There are some documentation inconsistencies between the command-line help (Certutil -?) and the various MSDN help pages;
e.g. -encodehex is completely missing from the command-line help.
The -decode option might not always restore spaces - see forum thread.

Examples

Display the SHA256 hash of a file:

certutil -hashfile c:\demo\anything.txt SHA256

Dump (read config information) from a certificate file:

certutil -dump c:\demo\sample.CER

Copy a certificate revocation list (CRL) to a file:

certutil -getcrl F:\ss64.crl

Purge local policy cache (Certificate Enrollment Policy Web Services):

certutil -f -policyserver * -policycache delete

Enumerate certificate stores:

CertUtil -enumstore

ls Cert:\LocalMachine

View the content of the client computer’s Trusted Root Certification Authorities Enterprise certificate store:

certutil -enterprise -viewstore Root

Check the browser's Trusted Certificate list against the Windows Update servers:

certutil -f -verifyCTL AuthRootWU

Stop Certificate Services:

certutil -shutdown

Convert a hex-encoded file to a binary executable. This is primarily intended for converting X.509 certificates from a human-readable format (.asn) into a computer-readable format (.bin):

certutil -decodehex hex.dat ss64.exe

“And yet I do observe that audiences which used to be deeply affected by the inspiring sternness of the music of Livius and Naevius, now leap up and twist their necks and turn their eyes in time with our modern tunes” ~ Cicero (De Legibus II.39 c. 50 BCE) on the evils of modern music.

Related commands

CertMgr.MSC - GUI for managing Certificates.
CERTREQ - Request certificate from a certification authority.
SIGNTOOL - Digitally sign files.
How Certificate Revocation Works - TechNet.
Equivalent PowerShell cmdlets: Get-FileHash - Compute the hash value for a file. Get-Certificate - Submit/retrieve certificate requests.
Equivalent bash command: cksum - Print CRC checksum and byte counts. / base64 - encode/decode and print to StdOut.


Copyright © 1999-2024 SS64.com
Some rights reserved