CERTUTIL (2008 R2/Server 2012)

Dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs or certificate chains. A subset of these CERTUTIL commands is also supported under Server 2003, or by installing the Server 2003 Administration Tools.

Syntax:

  Dump certificate file information
  CertUtil [Options] [-dump] [File]
    Options:  [-f] [-silent] [-split] [-p Password] [-t Timeout]

  Parse ASN.1 file
  CertUtil [Options] -asn File 
    Options:  [-f] [decoding_type]

  Decode a Hex-encoded file to binary
  CertUtil [-f] [-v] -decodehex InFile OutFile
 
  Decode Base64-encoded file to binary
  CertUtil [-f] [-v] -decode InFile OutFile

  Encode a binary file to Base64
  CertUtil [-f] [-v] -encode InFile OutFile [-UnicodeText]

  Encode a file as Hex
  CertUtil [-f] [-v] -encodehex InFile OutFile
     Hex-encoded files are around 3x larger than Base64-encoded ones; in most cases -encode is more useful.

  Deny pending request
  CertUtil [Options] -deny RequestId 
    Options:  [-v] [-config Machine\CAName]

  Resubmit pending request
  CertUtil [Options] -resubmit RequestId
    Options:  [-v] [-config Machine\CAName]

  Set attributes for pending request
  CertUtil [Options] -setattributes RequestId AttributeString
    Options:  [-v] [-config Machine\CAName]

     RequestId:        Numeric Request Id of pending request
     AttributeString:  Request Attribute name and value pairs
                       Names and values are colon separated.
                       Multiple name, value pairs are newline separated.
                       Example: "CertificateTemplate:User\nEMail:User@Domain.com"
                       Each "\n" sequence is converted to a newline separator.

  Set extension for pending request
  CertUtil [Options] -setextension RequestId ExtensionName Flags {Long | Date | String | @InFile}
    Options:  [-v] [-config Machine\CAName]

    RequestId:     Numeric Request Id of a pending request
    ExtensionName: ObjectId string of the extension 
    Flags:         0 is recommended. 1 makes the extension critical, 2 disables it, 3 does both.
    If the last parameter is numeric, it is taken as a Long. If it can be parsed as a date, it is taken as a Date.
    If it starts with '@', the rest of the token is the filename containing binary data or an ascii-text hex dump.
    Anything else is taken as a String.

  Revoke Certificate
  CertUtil [Options] -revoke SerialNumber [Reason]
    Options:  [-v] [-config Machine\CAName]

    SerialNumber: Comma separated list of certificate serial numbers to revoke 
    Reason: numeric or symbolic revocation reason
     0: CRL_REASON_UNSPECIFIED: Unspecified (default)
     1: CRL_REASON_KEY_COMPROMISE: Key Compromise
     2: CRL_REASON_CA_COMPROMISE: CA Compromise
     3: CRL_REASON_AFFILIATION_CHANGED: Affiliation Changed
     4: CRL_REASON_SUPERSEDED: Superseded
     5: CRL_REASON_CESSATION_OF_OPERATION: Cessation of Operation
     6: CRL_REASON_CERTIFICATE_HOLD: Certificate Hold
     8: CRL_REASON_REMOVE_FROM_CRL: Remove From CRL
     -1: Unrevoke: Unrevoke

  Display current certificate disposition
  CertUtil [Options] -isvalid SerialNumber | CertHash
    Options:  [-v] [-config Machine\CAName]

  Get default configuration string
  CertUtil [Options] -getconfig
    Options:  [-v] [-config Machine\CAName]

  Ping Active Directory Certificate Services Request interface
  CertUtil [Options] -ping [MaxSecondsToWait | CAMachineList]
    Options:  [-v] [-config Machine\CAName]

     Request interface CAMachineList -- Comma-separated CA machine name list
     For a single machine, use a terminating comma
     Displays the site cost for each CA machine

  Ping Active Directory Certificate Services Admin interface
  CertUtil [Options] -pingadmin [MaxSecondsToWait | CAMachineList]
    Options:  [-v] [-config Machine\CAName]

     Request interface CAMachineList -- Comma-separated CA machine name list
     For a single machine, use a terminating comma
     Displays the site cost for each CA machine

  Display CA Information
  CertUtil [Options] -CAInfo [InfoName [Index | ErrorCode]]
    Options:  [-v] [-config Machine\CAName]

    InfoName -- indicates the CA property to display.
    Use "*" for all properties.
    Index -- optional zero-based property index
    ErrorCode -- numeric error code

  Retrieve the CA's certificate 
  CertUtil [Options] -ca.cert OutCACertFile [Index]
    Options:  [-f] [-v] [-split] [-config Machine\CAName]

    OutCACertFile: output file
    Index:   CA certificate renewal index (defaults to most recent)

  Retrieve the CA's certificate chain 
  CertUtil [Options] -ca.chain OutCACertChainFile [Index]
    Options:  [-f] [-v] [-split] [-config Machine\CAName]

    OutCACertChainFile: output file
    Index:     CA certificate renewal index (defaults to most recent)

  Get CRL 
  CertUtil [Options] -GetCRL OutFile [Index] [delta]
    Options:  [-f] [-v] [-split] [-config Machine\CAName]

    Index: CRL index or key index (defaults to CRL for newest key)
    delta: delta CRL (default is base CRL)

  Publish new CRLs [or delta CRLs only]
  CertUtil [Options] -CRL [dd:hh | republish] [delta]
    Options:  [-v] [-split] [-config Machine\CAName]

    dd:hh    -- new CRL validity period in days and hours
    republish -- republish most recent CRLs
    delta    -- delta CRLs only (default is base and delta CRLs)

  Shutdown Active Directory Certificate Services
  CertUtil [Options] -shutdown
    Options:  [-v] [-config Machine\CAName]

  Install Certification Authority certificate 
  CertUtil [Options] -installCert [CACertFile]
    Options:  [-f] [-v] [-silent] [-config Machine\CAName]

  Renew Certification Authority certificate 
  CertUtil [Options] -renewCert [ReuseKeys] [Machine\ParentCAName]
    Options:  [-f] [-v] [-silent] [-config Machine\CAName]
    Use -f to ignore an outstanding renewal request, and generate a new request.

  Dump Certificate Schema
  CertUtil [Options] -schema [Ext | Attrib | CRL]
    Options:  [-v] [-split] [-config Machine\CAName]

    Ext:    Extension table
    Attrib: Attribute table
    CRL:    CRL table
    Defaults to Request and Certificate table

  Dump Certificate View
  CertUtil [Options] -view [Queue | Log | LogFail | Revoked | Ext | Attrib | CRL] [csv]
    Options:  [-v] [-silent] [-split] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

     Queue:   Request queue
     Log:     Issued or revoked certificates, plus failed requests 
     LogFail: Failed requests 
     Revoked: Revoked certificates 
     Ext:     Extension table 
     Attrib:  Attribute table 
     CRL:     CRL table 
     csv:     Output as Comma Separated Values 
     To display the StatusCode column for all entries: -out StatusCode 
     To display all columns for the last entry: -restrict "RequestId==$" 
     To display RequestId and Disposition for three requests: -restrict "RequestId>=37,RequestId<40" -out "RequestId,Disposition"
     To display Row Ids and CRL Numbers for all Base CRLs: -restrict "CRLMinBase=0" -out "CRLRowId,CRLNumber" CRL 
     To display Base CRL Number 3: -v -restrict "CRLMinBase=0,CRLNumber=3" -out "CRLRawCRL" CRL
     To display the entire CRL table: CRL
     Use "Date[+|-dd:hh]" for date restrictions
     Use "now+dd:hh" for a date relative to the current time
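The -restrict/-out examples above combine naturally with the "now+dd:hh" relative-date syntax for routine CA hygiene. The following PowerShell function is an added example and is not part of the CertUtil reference; it assumes the CA config string Machine\CAName is supplied (see -getconfig), that Disposition 20 is the CA database value for an issued certificate, and that CommonName, SerialNumber, CertificateTemplate and NotAfter are valid CA database column names.

```powershell
# Added example (not from the CertUtil help text): list issued certificates in
# the CA database that expire within the next N days, using -view with
# -restrict/-out and the "now+dd:hh" relative-date restriction.
function Get-CAExpiringCertificates {
    [CmdletBinding()]
    param(
        # CA config string in Machine\CAName form, e.g. 'CA01\Contoso Issuing CA'
        [Parameter(Mandatory)] [string] $Config,
        [int] $Days = 30
    )

    # Multiple restrictions are comma separated and are ANDed together.
    # Disposition=20 selects issued certificates (assumed CA database value);
    # NotAfter<=now+dd:hh selects those expiring within $Days days, 0 hours.
    $restrict = "Disposition=20,NotAfter<=now+${Days}:00"

    # Column names assumed to exist in the CA database (RequestId is from the
    # reference above; the others are standard CA database columns).
    $columns = 'RequestId,SerialNumber,CommonName,CertificateTemplate,NotAfter'

    $raw = & certutil.exe -config $Config -view -restrict $restrict -out $columns csv 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -view failed (exit $LASTEXITCODE): $($raw -join ' ')"
    }

    # certutil appends its own status line after the CSV rows; drop it and any
    # blank lines before handing the text to ConvertFrom-Csv. The CSV header
    # carries certutil's display names for the columns, which may be localized.
    $csv = $raw |
        ForEach-Object { "$_" } |
        Where-Object { $_ -and ($_ -notmatch '^CertUtil:') }

    $csv | ConvertFrom-Csv
}

# Usage:
# Get-CAExpiringCertificates -Config 'CA01\Contoso Issuing CA' -Days 30 | Format-Table -AutoSize
```

The same -restrict expression works with Revoked or LogFail in place of the implicit Log view when you need revoked or failed rows instead of issued ones.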

  Dump Raw Database
  CertUtil [Options] -db
    Options:  [-v] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

  Delete server database row
  CertUtil [Options] -deleterow RowId | Date [Request | Cert | Ext | Attrib | CRL] 
    Options:  [-f] [-v] [-config Machine\CAName]

    Request: Failed and pending requests (submission date) 
    Cert: Expired and revoked certificates (expiration date)
    Ext: Extension table
    Attrib: Attribute table
    CRL: CRL table (expiration date) 
    To delete failed and pending requests submitted by January 22, 2001: 1/22/2001 Request 
    To delete all certificates that expired by January 22, 2001: 1/22/2001 Cert 
    To delete the certificate row, attributes and extensions for RequestId 37: 37 
    To delete CRLs that expired by January 22, 2001: 1/22/2001 CRL

  Backup Active Directory Certificate Services
  CertUtil [Options] -backup BackupDirectory [Incremental] [KeepLog]
    Options:  [-f] [-v] [-config Machine\CAName] [-p Password]

    BackupDirectory: directory to store backed up data
    Incremental:     perform incremental backup only (default is full backup)
    KeepLog:         preserve database log files (default is to truncate log files)

  Backup Active Directory Certificate Services database
  CertUtil [Options] -backupDB BackupDirectory [Incremental] [KeepLog]
    Options:  [-f] [-v] [-config Machine\CAName]

    BackupDirectory: directory to store backed up database files
    Incremental:     perform incremental backup only (default is full backup)
    KeepLog:         preserve database log files (default is to truncate log files)

  Backup Active Directory Certificate Services certificate and private key
  CertUtil [Options] -backupKey BackupDirectory
    Options:  [-f] [-v] [-config Machine\CAName] [-p Password] [-t Timeout]

    BackupDirectory: directory to store backed up PFX file

  Restore Active Directory Certificate Services
  CertUtil [Options] -restore BackupDirectory
    Options:  [-f] [-v] [-config Machine\CAName] [-p Password]

    BackupDirectory: directory containing data to be restored

  Restore Active Directory Certificate Services database
  CertUtil [Options] -restoreDB BackupDirectory
    Options:  [-f] [-v] [-config Machine\CAName] [-p Password]

    BackupDirectory: directory containing database files to be restored 

  Restore Active Directory Certificate Services certificate and private key
  CertUtil [Options] -restoreKey BackupDirectory | PFXFile
    Options:  [-f] [-v] [-config Machine\CAName] [-p Password]

    BackupDirectory: directory containing PFX file to be restored
    PFXFile: PFX file to be restored 

  Import certificate and private key
  CertUtil [Options] -importPFX [CertificateStoreName] PFXFile [Modifiers] [-csp Provider]
    Options:  [-f] [-v] [-user] [-p Password]

    CertificateStoreName: Certificate store name. See -store. 
    PFXFile: PFX file to be imported 
    Modifiers: Comma separated list of one or more of the following:
       AT_SIGNATURE: Change the KeySpec to Signature
       AT_KEYEXCHANGE: Change the KeySpec to Key Exchange
       NoExport: Make the private key non-exportable
       NoCert:   Do not import the certificate
       NoChain:  Do not import the certificate chain
       NoRoot:   Do not import the root certificate
       Protect:  Protect keys with password
       NoProtect: Do not password protect keys
    Defaults to personal machine store. 

  Display dynamic file List
  CertUtil [Options] -dynamicfilelist
    Options:  [-v] [-config Machine\CAName]

  Display database locations
  CertUtil [Options] -databaselocations
    Options:  [-v] [-config Machine\CAName]

  Generate and display cryptographic hash over a file.
  CertUtil [Options] -hashfile InFile [HashAlgorithm]
    Options:  [-v]
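-hashfile is the only built-in way on these Windows versions to check a downloaded file against a published digest without extra tooling. The function below is an added example, not part of the CertUtil reference; it assumes certutil.exe is on the PATH and that the algorithm names listed in the ValidateSet are the ones this certutil build accepts.

```powershell
# Added example (not from the CertUtil help text): verify a file's digest with
# certutil -hashfile and compare it to the value the publisher advertised.
function Test-CertUtilFileHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Published digest as hex; spaces, colons and dashes are tolerated.
        [Parameter(Mandatory)] [string] $Expected,
        # Algorithm names assumed to be accepted by certutil -hashfile.
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')]
        [string] $Algorithm = 'SHA256'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # certutil prints a header line, the digest line, and a completion line.
    $output = & certutil.exe -hashfile $Path $Algorithm 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed (exit $LASTEXITCODE): $($output -join ' ')"
    }

    # Older builds (2008 R2/2012) print the digest as space-separated byte
    # pairs; newer ones print one run of hex. Strip whitespace and keep the
    # first line that is pure hex, so both layouts are handled.
    $digest = $output |
        ForEach-Object { ("$_" -replace '\s', '') } |
        Where-Object { $_ -match '^[0-9A-Fa-f]+$' } |
        Select-Object -First 1

    if (-not $digest) {
        throw "Could not find a hex digest in certutil output"
    }

    $expectedNorm = ($Expected -replace '[\s:-]', '').ToLowerInvariant()
    $actualNorm   = $digest.ToLowerInvariant()

    [pscustomobject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Expected  = $expectedNorm
        Actual    = $actualNorm
        Match     = ($expectedNorm -eq $actualNorm)
    }
}

# Usage (the expected digest is a placeholder; substitute the publisher's value):
# Test-CertUtilFileHash -Path 'C:\Downloads\installer.msi' -Expected '<PUBLISHED_SHA256>'
```

Treat a Match of False as a hard stop: a mismatch means either the download was corrupted or the file is not what the publisher shipped.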

  Dump certificate store 
  CertUtil [Options] -store [CertificateStoreName [CertId [OutputFile]]]
    Options:  [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName]

    CertificateStoreName: Certificate store name.
    CertId: Certificate or CRL match token. This can be a serial number, an SHA-1 certificate,
            CRL, CTL or public key hash, a numeric cert index (0, 1, and so on), a numeric
            CRL index (.0, .1, and so on), a numeric CTL index (..0, ..1, and so on), a public key,
            signature or extension ObjectId, a certificate subject Common Name, an e-mail address,
            UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU
            or Application Policies ObjectId, or a CRL issuer Common Name.
            Many of these may result in multiple matches.
    OutputFile: file to save matching cert 
    Use -user to access a user store instead of a machine store. 
    Use -enterprise to access a machine enterprise store. 
    Use -service to access a machine service store. 
    Use -grouppolicy to access a machine group policy store.

  Add certificate to store
  CertUtil [Options] -addstore CertificateStoreName InFile
    Options:  [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

    CertificateStoreName: Certificate store name. See -store. 
    InFile: Certificate or CRL file to add to store. 

  Delete certificate from store
  CertUtil [Options] -delstore CertificateStoreName CertId
    Options:  [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

    CertificateStoreName: Certificate store name. See -store.
    CertId: Certificate or CRL match token. See -store. 

  Verify certificate in store
  CertUtil [Options] -verifystore CertificateStoreName [CertId]
    Options:  [-f] [-v] [-enterprise] [-user]  [-GroupPolicy] [-silent] [-split] [-dc DCName] [-t Timeout]

    CertificateStoreName: Certificate store name. See -store.
    CertId: Certificate or CRL match token. See -store.

  Repair key association or update certificate properties or key security descriptor
  CertUtil [Options] -repairstore CertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor]
    Options:   [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-csp Provider]

    CertificateStoreName: Certificate store name. See -store.
    CertIdList:  comma separated list of Certificate or CRL match tokens. See -store CertId description.
    PropertyInfFile -- INF file containing external properties:

  Dump certificate store
  CertUtil [Options] -viewstore [CertificateStoreName [CertId [OutputFile]]]
    Options:   [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

    CertificateStoreName: Certificate store name.
    CertId: Certificate or CRL match token. This can be a serial number, an SHA-1 certificate,
            CRL, CTL or public key hash, a numeric cert index (0, 1, and so on), a numeric
            CRL index (.0, .1, and so on), a numeric CTL index (..0, ..1, and so on), a public key,
            signature or extension ObjectId, a certificate subject Common Name, an e-mail address,
            UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU
            or Application Policies ObjectId, or a CRL issuer Common Name.
            Many of these may result in multiple matches.
    OutputFile: file to save matching cert 
    Use -user to access a user store instead of a machine store. 
    Use -enterprise to access a machine enterprise store. 
    Use -service to access a machine service store. 
    Use -grouppolicy to access a machine group policy store.

  Delete certificate from store
  CertUtil [Options] -viewdelstore [CertificateStoreName [CertId [OutputFile]]] 
    Options:   [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

    CertificateStoreName: Certificate store name.
    CertId: Certificate or CRL match token. This can be a serial number, an SHA-1 certificate,
            CRL, CTL or public key hash, a numeric cert index (0, 1, and so on), a numeric
            CRL index (.0, .1, and so on), a numeric CTL index (..0, ..1, and so on), a public key,
            signature or extension ObjectId, a certificate subject Common Name, an e-mail address,
            UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU
            or Application Policies ObjectId, or a CRL issuer Common Name.
            Many of these may result in multiple matches.
    OutputFile: file to save matching cert 
    Use -user to access a user store instead of a machine store. 
    Use -enterprise to access a machine enterprise store. 
    Use -service to access a machine service store. 
    Use -grouppolicy to access a machine group policy store.

  Publish certificate or CRL to Active Directory
  CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
    Options:   [-f] [-v] [-user] [-dc DCName]

  CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]] [-f] [-user] [-dc DCName]
    Options:   [-f] [-v] [-user] [-dc DCName]

    CertFile: certificate file to publish
    NTAuthCA: Publish cert to DS Enterprise store
    RootCA:  Publish cert to DS Trusted Root store
    SubCA:   Publish CA cert to DS CA object
    CrossCA: Publish cross cert to DS CA object
    KRA:     Publish cert to DS Key Recovery Agent object
    User:    Publish cert to User DS object
    Machine: Publish cert to Machine DS object
    CRLFile: CRL file to publish
    DSCDPContainer: DS CDP container CN, usually the CA machine name
    DSCDPCN: DS CDP object CN, usually based on the sanitized CA short name and key index
    Use -f to create DS object.

  Display AD templates
  CertUtil [Options] -ADTemplate [Template] 
    Options:   [-f] [-v] [-user] [-ut] [-mt] [-dc DCName]

  Display Enrollment Policy templates 
  CertUtil [Options] -Template [Template] 
    Options:   [-f] [-v] [-user] [-dc DCName] [-silent] [-PolicyServer URLOrId]
     [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

  Display CAs for template
  CertUtil [Options] -TemplateCAs Template
    Options:   [-f] [-v] [-user] [-dc DCName]

  Display templates for CA
  CertUtil [Options] -CATemplates [Template] 
    Options:   [-f] [-v] [-user] [-ut] [-mt] [-config Machine\CAName] [-dc DCName]

  Set, Verify or Delete CA site names
  CertUtil [Options] -SetCASites [set] [Sitename]
  CertUtil [Options] -SetCASites verify [Sitename]
  CertUtil [Options] -SetCASites delete
    Options:   [-f] [-v] [-config Machine\CAName] [-dc DCName]

   Use the -config option to target a single CA (Default is all CAs)
   Sitename is allowed only when targeting a single CA 
   Use -f to override validation errors for the specified Sitename
   Use -f to delete all CA site names

  Display, add or delete enrollment server URLs associated with a CA 
  CertUtil [Options] -enrollmentServerURL [URL AuthenticationType [Priority] [Modifiers]]
  CertUtil [Options] -enrollmentServerURL URL delete 
    Options:   [-f] [-config Machine\CAName] [-dc DCName]

    AuthenticationType: Specify one of the following client authentication methods while adding a URL
                        Kerberos:  Use Kerberos SSL credentials
                        UserName:  Use named account for SSL credentials
                        ClientCertificate: Use X.509 Certificate SSL credentials
                        Anonymous: Use anonymous SSL credentials
    delete: deletes the specified URL associated with the CA
    Priority: defaults to '1' if not specified when adding a URL
    Modifiers -- Comma separated list of one or more of the following:
                 AllowRenewalsOnly:    Only renewal requests can be submitted to this CA via this URL
                 AllowKeyBasedRenewal: Allow use of a certificate that has no associated account in the AD.
                             This applies only with ClientCertificate and AllowRenewalsOnly Mode

  Display AD CAs
  CertUtil [Options] -ADCA [CAName]
    Options:   [-f] [-split] [-dc DCName]

  Display Enrollment Policy CAs
  CertUtil [Options] -CA [CAName | TemplateName]
    Options:   [-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] 
     [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

  Display Enrollment Policy
  CertUtil [Options] -Policy 
    Options:   [-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous]
     [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

  Display or delete Enrollment Policy Cache entries
  CertUtil [Options] -PolicyCache [delete] 
    Options:   [-f] [-user] [-PolicyServer URLOrId]

    delete: delete Policy Server cache entries 
        -f: use -f to delete all cache entries

  Display, add or delete Credential Store entries
  CertUtil [Options] -CredStore [URL]

  CertUtil [Options] -CredStore URL add 

  CertUtil [Options] -CredStore URL delete

    Options:   [-f] [-user] [-silent] [-Anonymous] [-Kerberos]
        [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

       URL: target URL. Use * to match all entries. Use https://machine* to match a URL prefix.
       add: add a Credential Store entry. SSL credentials must also be specified.
    delete: delete Credential Store entries
        -f: use -f to overwrite an entry or to delete multiple entries. 

  Install default certificate templates
  CertUtil [Options] -InstallDefaultTemplates 
    Options:   [-f] [-v] [-dc DCName]

  Display or delete URL cache entries
  CertUtil [Options] -URLCache [URL | CRL | * [delete]]
    Options:   [-f] [-v] [-split]

     URL: Cached URL
     CRL: Operate on all cached CRL URLs only
       *: Operate on all cached URLs
  delete: Delete relevant URLs from the current user's local cache
     Use -f to force fetching a specific URL and updating the cache.
     -v : Will display the whole IE internet history and cache file locations (…\Content.IE5…)
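The -decode, -decodehex, -encode and -URLCache -f switches documented above let a signed, built-in binary fetch and unpack files, which is why certutil command lines are a staple of process-creation monitoring. The hunt below is an added example, not part of the CertUtil reference; it assumes the audit policy "Include command line in process creation events" is enabled (without it the CommandLine field of event 4688 is empty), and that ParentProcessName is only present on newer Windows versions (it is simply null on 2008 R2/2012).

```powershell
# Added example (not from the CertUtil help text): find certutil invocations
# that fetch or decode content, using Security log process-creation events.
function Find-CertUtilTransferActivity {
    [CmdletBinding()]
    param(
        [int] $Hours = 24,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Switches from the reference that move data in or out of a host. certutil
    # accepts both "-" and "/" as the switch prefix, so match either.
    $pattern = '(?i)(?<=\s|^)[-/](urlcache|decode|decodehex|encode|encodehex)(?=\s|$)'

    $filter = @{
        LogName   = 'Security'
        Id        = 4688                       # A new process has been created
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $image = $data['NewProcessName']
            $cmd   = $data['CommandLine']

            if ($image -match '\\certutil\.exe$' -and $cmd -match $pattern) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Computer    = $_.MachineName
                    User        = $data['SubjectUserName']
                    Parent      = $data['ParentProcessName']   # null on older Windows
                    Switch      = $Matches[0]
                    CommandLine = $cmd
                }
            }
        }
}

# Usage: review the last day of activity on this host.
# Find-CertUtilTransferActivity -Hours 24 | Format-Table -AutoSize -Wrap
```

Legitimate administrative use of -encode/-decode does occur, so triage on the parent process, the user, and whether the decoded file lands in a user-writable path before escalating.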

  Pulse autoenrollment events
  CertUtil [Options] -pulse 
    Options:   [-v] [-user]

  Display Active Directory computer object information
  CertUtil [Options] -MachineInfo DomainName\MachineName$ 
    Options:   [-v] 

  Display domain controller information
  CertUtil [Options] -DCInfo [Domain] [Verify | DeleteBad | DeleteAll]
    Options:   [-f] [-v] [-user] [-urlfetch] [-dc DCName] [-t Timeout]

     Default is to display DC certs without verification.

  Display Enterprise CA information
  CertUtil [Options] -EntInfo DomainName\MachineName$
    Options:   [-f] [-v] [-user]

  Display CA information
  CertUtil [Options] -TCAInfo [DomainDN | -]
    Options:   [-f] [-v] [-enterprise] [-user] [-urlfetch] [-dc DCName] [-t Timeout]

  Display smart card information
  CertUtil [Options] -SCInfo [ReaderName [CRYPT_DELETEKEYSET]]
    Options:   [-v] [-silent] [-split] [-urlfetch] [-t Timeout]

    CRYPT_DELETEKEYSET: Delete all keys on the smart card 

  Manage smart card root certificates
  CertUtil [Options] -SCRoots update [+][InputRootFile] [ReaderName]

  CertUtil [Options] -SCRoots save @OutputRootFile [ReaderName]

  CertUtil [Options] -SCRoots view [InputRootFile | ReaderName]

  CertUtil [Options] -SCRoots delete [ReaderName] 

    Options:   [-f] [-split] [-p Password]

  Verify public/private key set
  CertUtil [Options] -verifykeys [KeyContainerName CACertFile]
    Options:   [-f] [-v] [-user] [-silent] [-config Machine\CAName]

    KeyContainerName: key container name of the key to verify. Defaults to machine keys. Use -user for user keys.
    CACertFile: signing or encryption certificate file
    If no arguments are specified, each signing CA cert is verified against its private key.
    This operation can only be performed against a local CA or local keys. 

  Verify certificate, CRL or chain
  CertUtil [Options] -verify CertFile [ApplicationPolicyList | - [IssuancePolicyList]]

  CertUtil [Options] -verify CertFile [CACertFile [CrossedCACertFile]]

  CertUtil [Options] -verify CRLFile CACertFile [IssuedCertFile]

  CertUtil [Options] -verify CRLFile CACertFile [DeltaCRLFile]

    Options:   [-f] [-v] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout]

    CertFile:           Certificate to verify
    ApplicationPolicyList: optional comma separated list of required Application Policy ObjectIds
    IssuancePolicyList: optional comma separated list of required Issuance Policy ObjectIds
    CACertFile:         optional issuing CA certificate to verify against 
    CrossedCACertFile:  optional certificate cross-certified by CertFile
    CRLFile:            CRL to verify
    IssuedCertFile:     optional issued certificate covered by CRLFile
    DeltaCRLFile:       optional delta CRL

    If ApplicationPolicyList is specified, chain building is restricted to chains valid for
    the specified Application Policies.
    If IssuancePolicyList is specified, chain building is restricted to chains valid for the
    specified Issuance Policies.
    If CACertFile is specified, fields in CACertFile are verified against CertFile or CRLFile.
    If CACertFile is not specified, CertFile is used to build and verify a full chain.
    If CACertFile and CrossedCACertFile are both specified, fields in CACertFile and CrossedCACertFile
    are verified against CertFile.
    If IssuedCertFile is specified, fields in IssuedCertFile are verified against CRLFile.
    If DeltaCRLFile is specified, fields in DeltaCRLFile are verified against CRLFile.

  Verify AuthRoot or Disallowed Certificates CTL
  CertUtil [Options] -verifyCTL CTLObject [CertDir] [CertFile] 
    Options:   [-f] [-user] [-split]

    CTLObject: Identifies the CTL to verify:
        AuthRootWU: read AuthRoot CAB and matching certificates from the URL cache.
                    Use -f to download from Windows Update instead.
      DisallowedWU: read Disallowed Certificates CAB and disallowed certificate store file from the URL cache.
                    Use -f to download from Windows Update instead.
          AuthRoot: read registry cached AuthRoot CTL. Use with -f and a CertFile
                    that is not already trusted to force updating the registry cached AuthRoot
                    and Disallowed Certificate CTLs.
        Disallowed: read registry cached Disallowed Certificates CTL. -f has the same behavior as with AuthRoot.
       CTLFileName: file or http: path to CTL or CAB

    CertDir: folder containing certificates matching CTL entries. An http: folder path must
             end with a path separator. If a folder is not specified with AuthRoot or Disallowed,
             multiple locations will be searched for matching certificates: local certificate stores,
             crypt32.dll resources and the local URL cache. Use -f to download from Windows Update when necessary.
             Otherwise defaults to the same folder or web site as the CTLObject.
    CertFile: file containing certificate(s) to verify. Certificates will be matched against CTL entries,
              and match results displayed. Suppresses most of the default output.

  Re-sign CRL or certificate
  CertUtil [Options] -sign InFileList|SerialNumber|CRL OutFileList [StartDate+dd:hh]
     [+SerialNumberList | -SerialNumberList | -ObjectIdList | @ExtensionFile] [-nullsign]

  CertUtil [Options] -sign InFileList|SerialNumber|CRL OutFileList [#HashAlgorithm]
     [+AlternateSignatureAlgorithm | -AlternateSignatureAlgorithm]  [-nullsign] 

    Options:   [-f] [-silent] [-Cert CertId]

    InFileList:  comma separated list of Certificate or CRL files to modify and re-sign
    SerialNumber: Serial number of certificate to create. Validity period and other options must not be present.
    CRL:         Create an empty CRL. Validity period and other options must not be present.
    OutFileList: comma separated list of modified Certificate or CRL output files.
                 The number of files must match InFileList.
    StartDate+dd:hh: new validity period: an optional start date and/or an optional validity period in days and hours.
                     If both are specified, separate them with a plus sign (+).
                     Use "now[+dd:hh]" to start at the current time. Use "never" to have no expiration date (for CRLs only).
    SerialNumberList: comma separated serial number list to add or remove
    ObjectIdList:     comma separated extension ObjectId list to remove
    @ExtensionFile:   INF file containing extensions to update or remove:
    HashAlgorithm:    Name of the hash algorithm preceded by a # sign 
    AlternateSignatureAlgorithm: alternate Signature algorithm specifier

    A minus sign causes serial numbers and extensions to be removed. A plus sign causes serial numbers to be added to a CRL.
    When removing items from a CRL, the list may contain both serial numbers and ObjectIds.
    A minus sign before AlternateSignatureAlgorithm causes the legacy signature format to be used.
    A plus sign before AlternateSignatureAlgorithm causes the alternate signature format to be used.
    If AlternateSignatureAlgorithm is not specified then the signature format in the certificate or CRL is used.

  Create/delete web virtual roots and file shares
  CertUtil [Options] -vroot [delete]

  Create/delete web virtual roots for OCSP web proxy
  CertUtil [Options] -vocsproot [delete]

  Add an Enrollment Server application
  CertUtil [Options] -addEnrollmentServer Kerberos | UserName | ClientCertificate [AllowRenewalsOnly] [AllowKeyBasedRenewal]
    Options:   [-f] [-config Machine\CAName]

    Add an Enrollment Server application and application pool if necessary, for the specified CA.
    This command does not install binaries or packages.
    Specify one of the following authentication methods, which the client uses to connect to the Certificate Enrollment Server:

      Kerberos: Use Kerberos SSL credentials
      UserName: Use named account for SSL credentials
      ClientCertificate: Use X.509 Certificate SSL credentials
      AllowRenewalsOnly: Only renewal requests can be submitted to this CA via this URL
      AllowKeyBasedRenewal -- Allows use of a certificate that has no associated account in the AD.
                              This applies only with ClientCertificate and AllowRenewalsOnly mode.

  Delete an Enrollment Server application
  CertUtil [Options] -deleteEnrollmentServer Kerberos | UserName | ClientCertificate
    Options:   [-f] [-config Machine\CAName]

    Delete an Enrollment Server application and application pool if necessary, for the specified CA.
    This command does not remove binaries or packages.
    Specify one of the following authentication methods, which the client uses to connect to the Certificate Enrollment Server:

      Kerberos: Use Kerberos SSL credentials
      UserName: Use named account for SSL credentials
      ClientCertificate: Use X.509 Certificate SSL credentials

  Add a Policy Server application
  CertUtil [Options] -addPolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]

    Add a policy server application and application pool if necessary.
    This command does not install binaries or packages.
    Specify one of the following authentication methods, which the client uses to connect to the Certificate Policy Server:

      Kerberos: Use Kerberos SSL credentials
      UserName: Use named account for SSL credentials
      ClientCertificate: Use X.509 Certificate SSL credentials
      KeyBasedRenewal: Only policies that contain KeyBasedRenewal templates are returned to the client.
                       This flag applies only for UserName and ClientCertificate authentication.

  Delete a Policy Server application
  CertUtil [Options] -deletePolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]

    Delete a policy server application and application pool if necessary.
    This command does not remove binaries or packages.
    Specify one of the following authentication methods, which the client uses to connect to the Certificate Policy Server:

      Kerberos: Use Kerberos SSL credentials
      UserName: Use named account for SSL credentials
      ClientCertificate: Use X.509 Certificate SSL credentials
      KeyBasedRenewal:   KeyBasedRenewal policy server

  Display ObjectId or set display name
  CertUtil [Options] -oid ObjectId [DisplayName | delete [LanguageId [Type]]] [-f]

  CertUtil [Options] -oid GroupId

  CertUtil [Options] -oid AlgId | AlgorithmName [GroupId] [-f]

     ObjectId -- ObjectId to display or to add display name
     GroupId -- decimal GroupId number for ObjectIds to enumerate
     AlgId -- hexadecimal AlgId for ObjectId to look up
     AlgorithmName -- Algorithm Name for ObjectId to look up
     DisplayName -- Display Name to store in DS
     delete -- delete display name
     LanguageId -- Language Id (defaults to current: 1033)
     Type -- DS object type to create: 1 for Template (default), 2 for Issuance Policy, 3 for Application Policy
     Use -f to create DS object. 

  Display error code message text
  CertUtil [-v] -error ErrorCode


  Display registry value
  CertUtil [Options] -getreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\[ProgId\]] [RegistryValueName] 
    Options:   [-f] [-user] [-GroupPolicy] [-config Machine\CAName]

    ca:   Use CA's registry key
    restore: Use CA's restore registry key
    policy:  Use policy module's registry key
    exit:    Use first exit module's registry key
    template: Use template registry key (use -user for user templates)
    enroll:  Use enrollment registry key (use -user for user context)
    chain:   Use chain configuration registry key
    PolicyServers: Use Policy Servers registry key
    ProgId:  Use policy or exit module's ProgId (registry subkey name)
    RegistryValueName: registry value name (use "Name*" to prefix match)

  Set registry value
  CertUtil [Options] -setreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\[ProgId\]]
     [RegistryValueName] Value
    Options:   [-f] [-user] [-GroupPolicy] [-config Machine\CAName]

    ca:   Use CA's registry key
    restore: Use CA's restore registry key
    policy:  Use policy module's registry key
    exit:    Use first exit module's registry key
    template: Use template registry key (use -user for user templates)
    enroll:  Use enrollment registry key (use -user for user context)
    chain:   Use chain configuration registry key
    PolicyServers: Use Policy Servers registry key
    ProgId:  Use policy or exit module's ProgId (registry subkey name)
    RegistryValueName: registry value name (use "Name*" to prefix match)
    Value: new numeric, string or date registry value or filename.
      If a numeric value starts with "+" or "-", the bits specified in the new
      value are set or cleared in the existing registry value. If a string value
      starts with "+" or "-", and the existing value is a REG_MULTI_SZ value, the
      string is added to or removed from the existing registry value.
      To force creation of a REG_MULTI_SZ value, add a "\n" to the end of the string
      value. If the value starts with "@", the rest of the value is the name of
      the file containing the hexadecimal text representation of a binary value.
      If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh]
      -- an optional date plus or minus optional days and hours.
      If both are specified, use a plus sign (+) or minus sign (-) separator.
      Use "now+dd:hh" for a date relative to the current time.
      Use "chain\ChainCacheResyncFiletime @now" to effectively flush cached CRLs.
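The "+" and "-" bit semantics above are what make -setreg safe for targeted fixes on a live CA. The following script is an added example, not code from this page or from Microsoft: it reads two security-relevant values with -getreg, clears the EDITF_ATTRIBUTESUBJECTALTNAME2 bit in policy\EditFlags if it is set (the documented flag that lets a requester supply an arbitrary Subject Alternative Name as a request attribute), sets CA\AuditFilter to 127 so all CA audit categories are enabled, restarts Certificate Services and reads the values back. The CA config string is a placeholder; the script assumes it runs elevated on the CA itself.

```powershell
# Added example (not from the SS64 page): audit and correct two CA registry values with
# certutil -getreg / -setreg. Assumptions: run elevated on the CA, CA name is a placeholder.

param(
    [string]$CaConfig = 'CA01\Contoso-Issuing-CA'    # placeholder: Machine\CAName
)

$SanFlag = 'EDITF_ATTRIBUTESUBJECTALTNAME2'

function Invoke-CertUtil {
    # Runs certutil with -config placed before the verb (certutil is order-sensitive),
    # returns the output lines and throws on a non-zero exit code.
    param([string[]]$Arguments)
    $out = & certutil.exe -config $CaConfig @Arguments 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed: $($out -join "`n")" }
    return $out
}

function Get-RegDwordValue {
    # -getreg prints e.g. "AuditFilter REG_DWORD = 7f (127)"; the decimal in parentheses is
    # omitted for small values, so parse the hex field, which is always present.
    param([string[]]$Lines, [string]$Name)
    foreach ($l in $Lines) {
        if ($l -match "^\s*$Name\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)") {
            return [Convert]::ToInt32($Matches[1], 16)
        }
    }
    throw "Could not read $Name from certutil output"
}

$changed = $false

# 1. SAN-from-request-attributes flag. -getreg lists every symbolic flag that is set,
#    one per line, so a simple match on the name is enough.
$editFlags = Invoke-CertUtil @('-getreg', 'policy\EditFlags')
if ($editFlags -match $SanFlag) {
    Write-Warning "$SanFlag is set on $CaConfig; any enrollee can request a certificate for an arbitrary SAN."
    # A leading "-" clears only this bit; the other EditFlags bits are left intact.
    Invoke-CertUtil @('-setreg', 'policy\EditFlags', "-$SanFlag") | Out-Null
    $changed = $true
}

# 2. CA auditing. A plain numeric value replaces the whole DWORD; 127 = all seven categories.
$audit = Get-RegDwordValue (Invoke-CertUtil @('-getreg', 'CA\AuditFilter')) 'AuditFilter'
if ($audit -ne 127) {
    Write-Warning "AuditFilter is $audit; enabling all CA audit categories."
    Invoke-CertUtil @('-setreg', 'CA\AuditFilter', '127') | Out-Null
    # The events are only written if the audit-policy subcategory is enabled as well:
    #   auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
    $changed = $true
}

# Policy-module and CA registry changes take effect when Certificate Services restarts.
if ($changed) {
    Restart-Service -Name CertSvc
    # Read back and fail loudly if a change did not stick.
    if ((Invoke-CertUtil @('-getreg', 'policy\EditFlags')) -match $SanFlag) { throw "$SanFlag is still set" }
    if ((Get-RegDwordValue (Invoke-CertUtil @('-getreg', 'CA\AuditFilter')) 'AuditFilter') -ne 127) { throw 'AuditFilter was not updated' }
    Write-Host "Settings corrected and verified on $CaConfig."
} else {
    Write-Host "No changes needed on $CaConfig."
}
```

Run it as a CA administrator on the CA host. If the CA is managed remotely the -config option still addresses it, but Restart-Service must then be pointed at the CA machine instead.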

  Delete registry value
  CertUtil [Options] -delreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\[ProgId\]]
     [RegistryValueName]
    Options:   [-f] [-user] [-GroupPolicy] [-config Machine\CAName]

    ca:   Use CA's registry key
    restore: Use CA's restore registry key
    policy:  Use policy module's registry key
    exit:    Use first exit module's registry key
    template: Use template registry key (use -user for user templates)
    enroll:  Use enrollment registry key (use -user for user context)
    chain:   Use chain configuration registry key
    PolicyServers: Use Policy Servers registry key
    ProgId:  Use policy or exit module's ProgId (registry subkey name)
    RegistryValueName: registry value name (use "Name*" to prefix match)

  Import user keys and certificates into server database for key archival
  CertUtil [Options] -ImportKMS UserKeyAndCertFile [CertId] 
    Options:   [-f] [-v] [-silent] [-split] [-config Machine\CAName] [-p Password] [-symkeyalg SymmetricKeyAlgorithm[,KeyLength]]

    UserKeyAndCertFile -- Data file containing user private keys and certificates to be archived.
       This can be any of the following:
       Exchange Key Management Server (KMS) export file
       PFX file
    CertId: KMS export file decryption certificate match token. See -store.
    Use -f to import certificates not issued by the CA.

  Import a certificate file into the database 
  CertUtil [Options] -ImportCert Certfile [ExistingRow] 
    Options:   [-f] [-v] [-config Machine\CAName]

    Use ExistingRow to import the certificate in place of a pending request for
    the same key. Use -f to import certificates not issued by the CA. The CA may also need
    to be configured to support foreign certificate import: certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN 

  Retrieve archived private key recovery blob, generate a recovery script, or recover archived keys 
  CertUtil [Options] -GetKey SearchToken [RecoveryBlobOutFile]

  CertUtil [Options] -GetKey SearchToken script OutputScriptFile

  CertUtil [Options] -GetKey SearchToken retrieve | recover OutputFileBaseName

    Options:   [-f] [-v] [-UnicodeText] [-silent] [-config Machine\CAName] [-p Password]
                  [-ProtectTo SAMNameAndSIDList] [-csp Provider]

    script: generate a script to retrieve and recover keys
           (default behavior if multiple matching recovery candidates are found, or if
            the output file is not specified).
    retrieve: retrieve one or more Key Recovery Blobs (default behavior if exactly one
             matching recovery candidate is found, and if the output file is specified)
    recover: retrieve and recover private keys in one step (requires Key Recovery Agent
             certificates and private keys)
    SearchToken: Used to select the keys and certificates to be recovered.
                 any of the following:
                 Certificate Common Name
                 Certificate Serial Number
                 Certificate SHA-1 hash (thumbprint)
                 Certificate KeyId SHA-1 hash (Subject Key Identifier)
                 Requester Name (domain\user)
                 UPN (user@domain)

    RecoveryBlobOutFile: output file containing a certificate chain and an associated private key,
              still encrypted to one or more Key Recovery Agent certificates.
    OutputScriptFile: output file containing a batch script to retrieve and recover private keys.
    OutputFileBaseName: output file base name. For retrieve, any extension is truncated and a
              certificate-specific string and the .rec extension are appended for each key recovery blob.
              Each file contains a certificate chain and an associated private key, still encrypted to
              one or more Key Recovery Agent certificates. For recover, any extension is truncated and
              the .p12 extension is appended.
              Contains the recovered certificate chains and associated private keys, stored as a PFX file.

  Recover archived private key
  CertUtil [Options] -RecoverKey RecoveryBlobInFile [PFXOutFile [RecipientIndex]]
    Options:   [-f] [-user] [-silent] [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider] [-t Timeout]

  Merge PFX files
  CertUtil [Options] -MergePFX PFXInFileList PFXOutFile [ExtendedProperties]
    Options:   [-f] [-user] [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider]

    PFXInFileList: Comma separated PFX input file list
    PFXOutFile: PFX output file
    ExtendedProperties: Include extended properties

    The password specified on the command line is a comma separated password list.
    If more than one password is specified, the last password is used for the output file.
    If only one password is provided or if the last password is "*", the user will be prompted for
    the output file password.
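The -GetKey retrieve / -RecoverKey pair above is the normal two-step recovery: a certificate manager pulls the blob from the CA database, and the holder of the Key Recovery Agent key decrypts it into a PFX. The script below is an added example, not code from this page or from Microsoft; the CA config string, search token and paths are placeholders, and it assumes the account running step 2 can use the KRA certificate and private key.

```powershell
# Added example (not from the SS64 page): two-step archived key recovery with
# certutil -GetKey ... retrieve and certutil -RecoverKey. Placeholders: CA name,
# search token, working directory.

param(
    [string]$CaConfig    = 'CA01\Contoso-Issuing-CA',   # placeholder: Machine\CAName
    [string]$SearchToken = 'alice@contoso.example',     # UPN here; serial number, thumbprint or CN also work
    [string]$WorkDir     = 'C:\KeyRecovery'
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$base = Join-Path $WorkDir 'alice'

# Step 1 (certificate manager): retrieve. With exactly one matching certificate certutil
# writes <base>-<cert-specific>.rec; with several matches it writes a batch script instead,
# so checking for .rec files catches that case.
& certutil.exe -config $CaConfig -GetKey $SearchToken retrieve $base
if ($LASTEXITCODE -ne 0) { throw "certutil -GetKey failed with exit code $LASTEXITCODE" }
$blobs = @(Get-ChildItem -Path $WorkDir -Filter 'alice*.rec')
if ($blobs.Count -eq 0) {
    throw "No recovery blob written. If several certificates matched, run '-GetKey $SearchToken script <file>' to list the candidates."
}

# Step 2 (KRA holder, possibly on another machine after copying the .rec files):
# decrypt each blob into a PFX. -p is deliberately omitted so certutil prompts for the
# PFX password; a password on the command line ends up in process-creation audit logs
# and shell history.
foreach ($blob in $blobs) {
    $pfx = [IO.Path]::ChangeExtension($blob.FullName, '.p12')
    & certutil.exe -RecoverKey $blob.FullName $pfx
    if ($LASTEXITCODE -ne 0) { throw "certutil -RecoverKey failed for $($blob.Name) with exit code $LASTEXITCODE" }
    Write-Host "Recovered certificate chain and private key written to $pfx"
}

# The blobs cannot be opened without the KRA key, but there is no reason to keep them
# once the PFX files have been handed over through a trusted channel.
$blobs | Remove-Item -Force
```

The single-step form, -GetKey SearchToken recover OutputFileBaseName, does the same when the KRA key is available on the machine that talks to the CA. Whichever form is used, the resulting PFX holds the user's private key and should be treated as a credential: deliver it out of band and delete local copies.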

  Convert PFX files to EPF file
  CertUtil [Options] -ConvertEPF PFXInFileList EPFOutFile [cast | cast-] [V3CACertId][,Salt] 
    Options:   [-f] [-split] [-p Password] [-csp Provider]

    PFXInFileList: Comma separated PFX input file list
    EPFOutFile: EPF output file
    cast: Use CAST 64 encryption
    cast-: Use CAST 64 encryption (export)
    V3CACertId: V3 CA Certificate match token. See -store CertId description.
    Salt: EPF output file salt string

    The password specified on the command line is a comma separated password list.
    If more than one password is specified, the last password is used for the output file.
    If only one password is provided or if the last password is "*", the user will be prompted for
    the output file password.

OPTIONS
These options must be entered on the command line before the main Verb

      -nullsign     Use hash of data as signature
      -f            Force overwrite
      -enterprise   Use local machine Enterprise registry certificate store
      -user         Use HKEY_CURRENT_USER keys or certificate store
      -GroupPolicy  Use Group Policy certificate store
      -ut           Display user templates
      -mt           Display machine templates
      -Unicode      Write redirected output in Unicode
      -UnicodeText  Write output file in Unicode
      -gmt          Display times as GMT
      -seconds      Display times with seconds and milliseconds
      -silent       Use silent flag to acquire crypt context
      -split        Split embedded ASN.1 elements, and save to files
      -v            Verbose operation
      -privatekey   Display password and private key data
      -pin PIN      Smart Card PIN
      -urlfetch     Retrieve and verify AIA Certs and CDP CRLs
      -config Machine\CAName  CA and computer name string
      -PolicyServer URLOrId   Policy Server URL or Id. For selection U/I, use -PolicyServer.
                    For all Policy Servers, use -PolicyServer *
      -Anonymous    Use anonymous SSL credentials
      -Kerberos     Use Kerberos SSL credentials
      -ClientCertificate ClientCertId   Use X.509 Certificate SSL credentials. For selection U/I, use -clientCertificate.
      -UserName UserName   Use named account for SSL credentials. For selection U/I, use -UserName.
      -Cert CertId   Signing certificate
      -dc DCName   Target a specific Domain Controller
      -restrict RestrictionList   Comma separated Restriction List. Each restriction consists
                    of a column name, a relational operator and a constant integer, string or date.
                    One column name may be preceded by a plus or minus sign to indicate the sort order.
                    Examples:  "RequestId = 47"    "+RequesterName >= a, RequesterName < b"
                               "-RequesterName > DOMAIN, Disposition = 21"
      -out ColumnList   Comma separated Column List
      -p Password   Password
      -ProtectTo SAMNameAndSIDList   Comma separated SAM Name/SID List
      -csp Provider   Provider
      -t Timeout    URL fetch timeout in milliseconds
      -symkeyalg SymmetricKeyAlgorithm[,KeyLength]   Name of Symmetric Key Algorithm with
                    optional key length, example: AES,128 or 3DES

To use Certutil.exe on a Windows XP client, install the Windows Server 2003 Administration Tools Pack.

Bugs

There are a few small documentation bugs/inconsistencies between the command-line help (Certutil -?) and the various MSDN help pages.

Certutil is sensitive to the order of command-line parameters.

Examples

View the configuration settings for the CA:

certutil -dump
certutil -getreg
certutil -getreg CA

Copy a certificate revocation list (CRL) to a file:

certutil -getcrl F:\ss64.crl

Purge local policy cache (Certificate Enrollment Policy Web Services):

certutil -f -policyserver * -policycache delete

View the content of the client computer’s Trusted Root Certification Authorities Enterprise certificate store:

certutil -enterprise -viewstore Root

Stop Certificate Services

certutil -shutdown

Decode a hex-encoded file back to binary. -decodehex is intended for turning a hex dump of a certificate or other ASN.1 blob (such as the output of -encodehex) back into its binary form, but it will reconstitute any file, including an executable as in this example. Because -decode and -decodehex let a signed Microsoft binary rebuild a payload from an innocuous-looking text file, certutil decoding activity outside CA administration is worth alerting on:

certutil -decodehex hex.dat ss64.exe
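A detection for the abuse case above, as an added example that is not part of the original page: it scans Security event 4688 for certutil launched with -decode or -decodehex and flags runs whose command line names an executable image. It assumes process creation auditing with "Include command line in process creation events" is enabled on the host; the seven-day window and the list of suspicious extensions are arbitrary choices for this example, and ParentProcessName is only populated in 4688 on Windows 10 / Server 2016 and later.

```powershell
# Added example (not from the SS64 page): hunt for certutil -decode / -decodehex use in
# process-creation events. Assumes 4688 command-line logging is enabled.

function Test-CertutilDecode {
    # certutil accepts verbs prefixed with "-" or "/" and ignores case.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $false }
    return [bool]($CommandLine -match '(?i)(^|\s)[-/]decode(hex)?(\s|$)')
}

function Get-CertutilDecodeEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['NewProcessName'] -match '(?i)\\certutil\.exe$' -and (Test-CertutilDecode $d['CommandLine'])) {
                [pscustomobject]@{
                    Time             = $_.TimeCreated
                    User             = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Parent           = $d['ParentProcessName']
                    CommandLine      = $d['CommandLine']
                    # Decoding straight to an executable image is the classic payload-staging tell.
                    WritesExecutable = [bool]($d['CommandLine'] -match '(?i)\.(exe|dll|scr|com)("|\s|$)')
                }
            }
        }
}

# Constructed sample command lines (not real log data) showing what the test flags:
@(
    'certutil -decodehex hex.dat ss64.exe',
    'certutil  /decode  payload.txt  C:\Users\Public\svc.dll',
    'certutil -dump',
    'certutil -encode cert.cer cert.b64'
) | ForEach-Object { '{0,-5} {1}' -f (Test-CertutilDecode $_), $_ }

# Live hunt over the last seven days.
Get-CertutilDecodeEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The same fields are available from Sysmon event 1 if that is deployed instead; only the log name, event id and field names in Get-CertutilDecodeEvents change.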

“And yet I do observe that audiences which used to be deeply affected by the inspiring sternness of the music of Livius and Naevius, now leap up and twist their necks and turn their eyes in time with our modern tunes” ~ Cicero (De Legibus II.39 c. 50 BCE) on the evils of modern music.

Related:

CERTREQ - Request certificate from a certification authority
Q889250 - How to decommission a Windows enterprise certification authority and remove all related objects from Windows Server 2003.
How Certificate Revocation Works - TechNet


© Copyright SS64.com 1999-2013
Some rights reserved