Historical Content Alert

This is historical content for the Windows 2000 product and is presented for informative purposes only. All content on this page is copyrighted and owned by Microsoft.

CertUtil

CertUtil.exe can:

  • Display Certificate Services configuration information or a file containing a request, a certificate, a PKCS #7, or certificate revocation list (CRL).
  • Get the certification authority (CA) configuration string.
  • Retrieve the CA signing certificate.
  • Revoke certificates.
  • Publish or retrieve a certificate revocation list (CRL).
  • Determine if a certificate is valid or if the encoding length is incompatible with old enrollment controls.
  • Verify one or all levels of a certification path.
  • Resubmit or deny pending requests.
  • Set attributes or an integer or string value extension for a pending request.
  • Verify a public/private key set.
  • Decode hexadecimal- or base 64-encoded files.
  • Encode files to base 64.
  • Shut down the server.
  • Display the database schema.
  • Convert a Certificate Server 1.0 database to a Certificate Services 2.0 database.
  • Back up and restore the CA keys and database.
  • Display certificates in a certificate store.
  • Display error message text for a specified error code.
  • Import issued certificates that are missing from the database.
  • Set and display certification authority registry settings.
  • Create or remove Certificate Services Web virtual roots and file shares.

Syntax

Documentation regarding [options] in each entry is available at the end of this page.

certutil [options] -?
Displays the command options.
certutil [options] -7f CertFile
Checks the certificate specified by CertFile for 0x7f-length encodings. Avoiding 0x7f-length encodings ensures compatibility with old enrollment controls.
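The page does not spell out what a "0x7f-length encoding" is, so as an added example (not Microsoft's certutil code) the walker below assumes the check is for DER elements whose content length is exactly 0x7f (127 bytes), and reports every such element whatever form encodes the length: the one-octet short form (7f) or the non-minimal long form (81 7f). It recurses into constructed elements the way a certificate parser must, so a hit inside an extension is found as well. The sample blobs are constructed SEQUENCEs of OCTET STRINGs, not real certificates.

```python
from typing import List, Optional, Tuple


def _read_length(buf: bytes, pos: int) -> Tuple[int, int, bytes]:
    """Decode the DER length field at pos; return (length, next_pos, raw_octets)."""
    if pos >= len(buf):
        raise ValueError(f"missing length octet at offset {pos}")
    first = buf[pos]
    if first < 0x80:                          # short form: one octet, 0..127
        return first, pos + 1, buf[pos:pos + 1]
    if first == 0x80:
        raise ValueError(f"indefinite length at offset {pos} is not DER")
    n = first & 0x7F                          # long form: n length octets follow
    if pos + 1 + n > len(buf):
        raise ValueError(f"truncated long-form length at offset {pos}")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    return length, pos + 1 + n, buf[pos:pos + 1 + n]


def find_7f_lengths(buf: bytes, start: int = 0, end: Optional[int] = None,
                    depth: int = 0) -> List[Tuple[int, str, int]]:
    """Walk the TLVs in buf[start:end], recursing into constructed elements.

    Returns (offset_of_tag, hex_of_length_octets, nesting_depth) for every
    element whose content length is 0x7f, in whichever form encodes it.
    """
    if end is None:
        end = len(buf)
    hits: List[Tuple[int, str, int]] = []
    pos = start
    while pos < end:
        tag_pos = pos
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:                # high-tag-number form (rare in X.509)
            while pos < end and buf[pos] & 0x80:
                pos += 1
            pos += 1
        length, pos, raw = _read_length(buf, pos)
        if pos + length > end:
            raise ValueError(f"element at offset {tag_pos} overruns its container")
        if length == 0x7F:
            hits.append((tag_pos, raw.hex(), depth))
        if tag & 0x20:                        # constructed: the content is more TLVs
            hits.extend(find_7f_lengths(buf, pos, pos + length, depth + 1))
        pos += length
    return hits


def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder (definite, shortest-form lengths) for the sample input."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


# Constructed sample data (not real certificates): a SEQUENCE of OCTET STRINGs.
GOOD = der_tlv(0x30, der_tlv(0x04, b"\x00" * 126) + der_tlv(0x02, b"\x01"))
BAD = der_tlv(0x30, der_tlv(0x04, b"\x00" * 126) + der_tlv(0x04, b"\x00" * 127))
# The same 127-byte element, but with its length in a non-minimal long form.
BAD_LONG_FORM = b"\x04\x81\x7f" + b"\x00" * 127

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD), ("bad-long-form", BAD_LONG_FORM)):
        print(name, "0x7f-length elements:", find_7f_lengths(blob))
```

Run it on the DER form of a certificate (after `certutil -decode` if the file is base 64) and an empty list means nothing to fix; a hit gives the offset and depth to locate the field that needs re-encoding.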
certutil [options] -decode InFile OutFileResult
Decodes the base 64-encoded file specified by InFile and writes the result to OutFileResult.
certutil [options] -decodehex InFile OutFileResult
Decodes the hexadecimal-encoded file specified by InFile and writes the result to OutFileResult.
certutil [options] -dump
Dumps the certification authority's configuration information.
certutil [options] -encode InFile OutFileResult
Encodes the file specified by InFile to base 64 and writes the result to OutFileResult.
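The three conversions above (-decode, -decodehex and -encode) are shown in working form below as an added example; this is not Microsoft's code and the exact file layouts are assumptions: base 64 output wrapped in -----BEGIN/END CERTIFICATE----- lines at 64 characters per line, and hex input accepted either as bare hex pairs or as dump lines with a leading offset column (separated by a tab) and a trailing ASCII column. Decoding is strict, so a file that is not actually base 64 or hex is reported as an error instead of silently producing garbage.

```python
import base64
import binascii
import re

PEM_BOUNDARY = re.compile(r"^-----(BEGIN|END) [A-Z0-9 ]+-----$")
HEX_RUN = re.compile(r"^[0-9a-fA-F]+$")


def encode_b64(raw: bytes, label: str = "CERTIFICATE") -> str:
    """Base 64 with PEM-style boundary lines, 64 characters per line (assumed layout)."""
    body = base64.b64encode(raw).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\r\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\r\n"


def decode_b64(text: str) -> bytes:
    """Ignore boundary lines and whitespace, then decode strictly so junk is an error."""
    payload = "".join(
        line.strip() for line in text.splitlines()
        if line.strip() and not PEM_BOUNDARY.match(line.strip())
    )
    try:
        return base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not a base 64 file: {exc}") from exc


def format_hex_dump(raw: bytes) -> str:
    """Offset, 16 bytes as two groups of eight, then an ASCII column (assumed layout)."""
    rows = []
    for off in range(0, len(raw), 16):
        chunk = raw[off:off + 16]
        pairs = [f"{b:02x}" for b in chunk]
        cols = " ".join(pairs[:8]) + "  " + " ".join(pairs[8:])
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{off:04x}\t{cols:<48}   {text}")
    return "\n".join(rows) + "\n"


def decode_hex_dump(text: str) -> bytes:
    """Recover bytes from bare hex, or from dump lines with offset and ASCII columns.

    A bare offset column without a tab cannot be told apart from data bytes, so
    such input is decoded as data; feed tab-separated dumps or plain hex.
    """
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        if "\t" in line:                                   # offset column ends at the tab
            line = line.split("\t", 1)[1]
        line = re.split(r" {3,}", line, maxsplit=1)[0]     # ASCII column starts after 3+ spaces
        for tok in line.split():
            if not HEX_RUN.match(tok) or len(tok) % 2:
                raise ValueError(f"unexpected token {tok!r} in hex input")
            out += bytes.fromhex(tok)
    return bytes(out)


if __name__ == "__main__":
    sample = bytes(range(40))                              # constructed input
    print(encode_b64(sample))
    print(format_hex_dump(sample))
    assert decode_b64(encode_b64(sample)) == sample
    assert decode_hex_dump(format_hex_dump(sample)) == sample
```

Both decoders round-trip their own encoder's output; the ASCII column is dropped before the hex pairs are read, which is the step a naive "split on whitespace and parse" approach gets wrong when a printable byte in that column happens to look like a hex pair.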
certutil [options] -error ErrorCode
Displays localized error message text for the specified error code. ErrorCode may be in signed or unsigned decimal format, or hexadecimal format with a leading 0x.
certutil [options] -getconfig
Gets the default configuration string for the certification authority and displays it.
certutil [options] -SetReg Policy\RevocationType [+|-]AspEnable
Using a plus sign (+) enables you to add Netscape-compatible Web-based revocation check extensions to every certificate issued by the CA. After running this command, you need to stop and restart the Certification Authority service for it to take effect. The revocation check extension contains a URL that points to a Web page that performs revocation checks. Revocation checking code passes the serial number of the certificate to the Web page as a parameter by appending the serial number to the URL in hexadecimal format. (See the certutil -IsValid and -Revoke command descriptions for an explanation of the serial number format.) The Web page calls the CA to verify that the serial number was issued by the CA and has not yet been revoked, and returns a zero (0) or one (1) to indicate the result. Using a minus sign (-) keeps the revocation-checking URL extension from being added to certificates that are issued (after the Certification Authority service is stopped and restarted).
certutil [options] -store [CertificateStoreName [CertIndex [OutputFile]]]
Displays the certificates in the Local Machine certificate store. If CertificateStoreName is not specified, the CA store is used. If CertIndex is specified, only the indexed certificate is displayed. If CertIndex and OutputFile are specified, the displayed certificate is written to OutputFile. Use the -user option to display certificate stores for the current user instead of the local computer.
certutil [options] -verify CertFile [CACertFile]
Verifies that the certificate specified by CertFile was issued using the CA certificate specified by CACertFile. Both files must contain a single certificate, not a PKCS #7 certificate. Also verifies the revocation status of the CertFile certificate. An error will occur if CertFile does not contain information on how to check revocation, or if the necessary URLs or CRLs are unavailable.

If CACertFile is not specified, then CertFile's certification path is constructed using certificates installed on the computer, and all certificates in the chain are verified and checked to see if they have been revoked.

certutil [options] -verifykeys KeyContainerName CACertFile
Verifies the public/private key set in the key container specified by KeyContainerName using the CA certificate specified by CACertFile.
certutil [options] -verifystore CertificateStoreName [CertIndex]
Similar to -store, but this command also verifies the associated private keys if they exist, and verifies each certificate by building a chain from the installed CA and root certificates and verifying all certificates in the chain to make sure they are still valid and have not been revoked.
certutil [options] -vroot [delete]
Creates or deletes the standard set of Certificate Services Web server virtual roots and file shares. Useful when IIS is installed after Certificate Services.
certutil [options] [-config ConfigString] -backup BackupDirectory [password [incremental] [KeepLog]]
Backs up the certification authority database, certificates, and keys to BackupDirectory. Specifying an asterisk for the PFX file password will cause it to be collected during program execution but not displayed on the screen. See also notes regarding -backupDB.
certutil [options] [-config ConfigString] -backupDB BackupDirectory [[incremental] [KeepLog]]
Backs up certification authority database to BackupDirectory. Use the -f option to overwrite existing files in BackupDirectory. The server must be running. This command may be executed remotely or locally. Normal use involves infrequent full backups, followed by frequent incremental backups. Each backup must be made into a separate directory tree. All backups starting with the most recent full backup will be required to correctly restore the database.
certutil [options] [-config ConfigString] -backupKey BackupDirectory [password]
Backs up the certification authority certificate and keys to BackupDirectory. Specifying an asterisk for the PFX file password will cause it to be collected during program execution but not displayed on the screen.
certutil [options] [-config ConfigString] -ca.cert OutCASignatureCertFileResult
Retrieves the CA signing certificate and writes it to the file specified by OutCASignatureCertFileResult.
certutil [options] [-config ConfigString] -ca.chain OutCAsignatureCertChainFileResult
Retrieves the certification authority (CA) signing certificate and chain and writes it to a PKCS #7 file specified by OutCAsignatureCertChainFileResult.
certutil [options] [-config ConfigString] -ConvertMDB
After upgrading a Windows NT 4.0 server with Certificate Services 1.0 to Windows 2000 with Windows 2000 Certificate Services, this command migrates the old database records to the current database. The server must not be running. The command must be started locally on the server running Certificate Services. The CertSrv ODBC User DSN must still be accessible.
certutil [options] [-config ConfigString] -CRL [OutFileResult|-]
Publishes the current certificate revocation list (CRL). Optionally, the CRL is written to the file specified by OutFileResult, or to the default Web location if a minus sign (-) is specified. The expiration date is set to be one day and one hour from the time of publication to facilitate a daily publishing schedule.
certutil [options] [-config ConfigString] -databaselocations
Displays a list of tagged database files and database directories. Hexadecimal buffer offset and hexadecimal type tag are displayed on each line. See the Certificate Services backup API documentation and certbcli.h in the Microsoft Platform Software Development Kit for type tag definitions.
certutil [options] [-config ConfigString] -deny RequestId
Denies the pending certificate request specified by RequestId. RequestId must be in decimal format (or hexadecimal format with a leading 0x).
certutil [options] [-config ConfigString] -dynamicfilelist
Displays a list of dynamic files that must be backed up separately. Includes the server's local copy of the certificate revocation list (CRL). Hexadecimal buffer offset is displayed on each line.
certutil [options] [-config ConfigString] -GetCRL OutFileResult
Retrieves the most recently published CRL and writes it to the file specified by OutFileResult.
certutil [options] [-config ConfigString] -getreg [{ca|restore|policy|exit}\[ProgId\]]RegistryValueName
Allows mnemonic display of certification authority registry values.

Some examples are:

certutil -getreg Active

certutil -getreg ca\LogLevel

certutil -getreg Policy\RevocationType

certutil [options] [-config ConfigString] -importcert Certfile [Flags]
Used to import a certificate into the server database. Useful for making a certificate revocable after it was inadvertently lost from the database, possibly due to database restore from an incomplete database backup. The certificate must have been issued by the server. Flags must be zero (0), if specified.
certutil [options] [-config ConfigString] -installcert [CACertFile]
Completes subordinate CA certificate installation for a subordinate CA installation that generated a request, but has not yet received and installed its CA certificate. A PKCS #7 certification path is the preferred content of CACertFile, although an X.509 certificate is accepted if all of the certificates that would be used to form the chain are already installed on the local computer. Also allows installation of a requested renewal CA certificate.
certutil [options] [-config ConfigString] -isvalid SerialNumber
Checks the certificate specified by SerialNumber to determine if it is valid. SerialNumber must be in hexadecimal format with an even number of digits. A single zero (0) can be prefixed to a value with an odd number of digits. No leading 0x is allowed.
certutil [options] [-config ConfigString] -ping
Verifies the server is running (via the ICertRequest interface). ConfigString may consist of just a computer name or DNS name. If the server is running, this command will report the CA name of the server.
certutil [options] [-config ConfigString] -pingadmin
Verifies the server is running (via the ICertAdmin interface), and that the user has minimal administrative access to the server.
certutil [options] [-config ConfigString] -renewCert [RequestFile]
Used to initiate requesting a renewal CA certificate. If an online parent CA does not exist or if it does not immediately issue a renewal CA certificate, use the -installCert command to complete the renewal certificate installation when the certificate is available.
certutil [options] [-config ConfigString] -restore BackupDirectory [password]
Restores certification authority database, certificates, and keys from BackupDirectory. Specifying an asterisk for the PFX file password will cause it to be collected during program execution but not displayed on the screen. See also -restoreDB notes.
certutil [options] [-config ConfigString] -restoreDB BackupDirectory
Restores certification authority database from BackupDirectory. The server must not be running. This command may be executed remotely or locally. Restoring a full backup plus incremental backups requires restoring the full backup first, followed by restoring all subsequent incremental backups in any order. Use the -f option for the full restore to overwrite existing server database files. The server must not be started until all backups are restored. Starting the server initiates database recovery. Successful start of the server as recorded in the Application Event Log indicates the restore and recovery successfully completed.
certutil [options] [-config ConfigString] -restoreKey BackupDirectory|PFXFile [password]
Restores certification authority certificate and keys from BackupDirectory or PKCS #12 PFXFile. Specifying an asterisk for the PFX file password will cause it to be collected during program execution but not displayed on the screen.
certutil [options] [-config ConfigString] -resubmit RequestId
Resubmits the pending certificate request specified by RequestId. RequestId must be in decimal format or hexadecimal format with a leading 0x.
certutil [options] [-config ConfigString] -revoke SerialNumber
Revokes the certificate specified by SerialNumber. SerialNumber must be in hexadecimal format with an even number of digits. A single zero (0) can be prefixed to a value with an odd number of digits. No leading 0x is allowed.
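The serial number rules shared by -isvalid and -revoke, and the "serial number appended to the URL in hexadecimal format" behaviour described under -SetReg Policy\RevocationType, are put into code below as an added example (not Microsoft's code). It normalizes a serial as copied from a dump (spaces, odd digit count, or a 0x prefix that the page says is not allowed) into the even-digit, no-prefix form, extracts a serial from the DER INTEGER bytes of a certificate, and builds the revocation-check URL. The base URL http://ca.example.test/certcheck/check.asp is hypothetical; the page does not say which of 0 or 1 means revoked, so the response is only validated, not interpreted.

```python
import re
from urllib.parse import urlsplit


def certutil_serial(text: str) -> str:
    """Return the serial as -isvalid/-revoke want it: lowercase hex, even length, no 0x."""
    s = text.strip().lower().replace(" ", "")
    if s.startswith("0x"):
        s = s[2:]                            # the page: no leading 0x is allowed
    if not s or not re.fullmatch(r"[0-9a-f]+", s):
        raise ValueError(f"serial number is not hexadecimal: {text!r}")
    if len(s) % 2:
        s = "0" + s                          # a single 0 may be prefixed to an odd count
    return s


def serial_from_der_integer(der_int: bytes) -> str:
    """Serial from a certificate's DER INTEGER (02 len value); value octets kept as-is."""
    if (len(der_int) < 3 or der_int[0] != 0x02 or der_int[1] & 0x80
            or der_int[1] != len(der_int) - 2):
        raise ValueError("expected a complete short-form DER INTEGER")
    return certutil_serial(der_int[2:].hex())


def revocation_check_url(base_url: str, serial: str) -> str:
    """Append the hex serial to the revocation page URL (hypothetical URL in the caller)."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {base_url!r}")
    return base_url + certutil_serial(serial)


def parse_check_response(body: str) -> int:
    """The page returns 0 or 1; anything else means the check did not complete."""
    value = body.strip()
    if value not in ("0", "1"):
        raise ValueError(f"unexpected revocation page response: {body!r}")
    return int(value)


if __name__ == "__main__":
    # Constructed inputs: a dumped serial with spaces and a DER INTEGER with a leading 00.
    print(certutil_serial("61 2A 3F"))
    print(serial_from_der_integer(bytes.fromhex("020400a1b2c3")))
    print(revocation_check_url("http://ca.example.test/certcheck/check.asp?serial=", "0xabc"))
```

Feed the normalized string straight to `certutil -revoke` or `certutil -isvalid`; a serial with the 0x prefix or an odd digit count is exactly what these commands reject.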
certutil [options] [-config ConfigString] -schema
Dumps the certification authority database schema, for example, column names, types, and max sizes.
certutil [options] [-config ConfigString] -setattributes RequestId AttributeString
Sets the named attributes specified by AttributeString in the certificate request specified by RequestId. RequestId must be in decimal format (or hexadecimal format with a leading 0x). The specified request must be in the pending state. The following is a valid example:

certutil -setattributes 123 attribname1:attribvalue1\nattribname2:37

certutil [options] [-config ConfigString] -setextension RequestId ExtensionName Flags Value
Sets the extension specified by ExtensionName in the certificate request specified by RequestId. RequestId must be in decimal format (or in hexadecimal format with a leading 0x). Flags must be set to zero (0) or one (1); a one makes the extension "critical." Value must be a string and will be interpreted as a long integer in decimal format if all characters are digits, or in hexadecimal format if it starts with a leading 0x and all the remaining characters are hexadecimal digits. The following is a valid example for a noncritical extension:

certutil -setextension 123 1.3.6.1.4.1.311.20.2 0 SubCA

The specified request must be in the pending state.

certutil [options] [-config ConfigString] -setreg [{ca|restore|policy|exit}\[ProgId\]]RegistryValueName Value
Allows edits and mnemonic display of certification authority server registry values.

Examples:

certutil -setreg Policy\RevocationType -0x100

Turns off the 0x100 bit.

certutil -setreg Policy\RevocationType +0x100

Turns on the 0x100 bit.

certutil -setreg Policy\RequestDisposition 1

Overwrites existing value with 1.

certutil [options] [-config ConfigString] -shutdown
Shuts down the certification authority server, even if it was started in console mode.

The CertUtil command options are:

-config ConfigString Causes the operation to be processed using the certification authority (CA) identified in the configuration string specified by ConfigString. Without this option, the default CA will process the request.
-idispatch Causes CertUtil to use IDispatch methods instead of COM for the current operation.
-v Causes CertUtil to display verbose output.
-f Forces overwrite.
-user Use HKEY_CURRENT_USER certificate store.
-gmt Display times as Greenwich Mean Time (GMT).
