Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.

Posts on this page:

Original URL:
Post name: A simple way to set the certutil -config option
Original author: MS2065 [MSFT]
Posting date: 2007-05-12T14:07:00+00:00

When you are performing an operation on a remote CA, certutil requires the config string as an input parameter. The common way to find out the config string is to run a certutil -dump command, list all available CAs in the Active Directory forest and copy/paste the config parameter from the dump into the new command line.

There is a much simpler way to set the config string in certutil. Just use a dash as config string and certutil will show a selection dialog with all CAs that are registered in your Active Directory forest.

For example, to verify the responsiveness of a remote CA, run the following command and select the target CA from the list of available CAs.

certutil -config - -ping

Original URL:
Post name: Manually publishing a CA certificate or CRL into a LDAP store
Original author: MS2065 [MSFT]
Posting date: 2007-04-13T05:27:00+00:00

The CA automatically publishes its own certificates and related CRLs into Active Directory if an LDAP reference is configured in the CA property "Extensions".

If you are using a different LDAP server (such as Microsoft ADAM) to make the CA certificate and CRL available, certificates and CRLs must be published manually. The easiest way to do that is with certutil.

Run the following command to publish the CRL manually into an LDAP store.

certutil -addstore "LDAP://[server]/[DN]?certificateRevocationList?base?objectclass=cRLDistributionPoint" [CRL-File]

Replace [server] with the name of the LDAP server where you have write permissions.
Replace [DN] with the path that you have used in the CA configuration.
Replace [CRL-File] with the file name of the CRL that you want to publish.

Here is the command to publish a CA certificate manually:

certutil -addstore "LDAP://[server]/[DN]?cACertificate?base?objectClass=certificationAuthority" [cert-file]

To manually publish a CA certificate or CRL into Active Directory, you should still use certutil -dspublish instead of certutil -addstore.

Original URL:
Post name: How to find out the max size of certificate attributes
Original author: MS2065 [MSFT]
Posting date: 2007-02-26T02:52:00+00:00

The other day I was asked how many subject alternate names will fit into a single certificate. I asked myself what the best way would be to find out. After a short time of thinking I decided to look at the schema definition of the CA database. The schema will tell for sure how many characters fit into a certain attribute because the database has to store every attribute for a certificate or a request.

So the answer is pretty simple here: there is no limit on how many items fit into an attribute, but there is a limit on the total size.

To determine the maximum size of a certificate attribute, just run the following command on the CA computer:

certutil -schema

The output shows the maximum sizes. Once you have this information, just count the number of characters for an attribute in your certificate request and you know whether it fits.


Original URL:
Post name: How to manually set the archive flag for certificates
Original author: MS2065 [MSFT]
Posting date: 2007-02-22T11:19:00+00:00

If you have to select a certain certificate, for authentication for example, you may wonder why several certificates are presented by the UI. Internet Explorer may offer several client authentication certificates while securely connecting to a web site, or Outlook presents a number of certificates that can be used for e-mail encryption.

One reason for such behavior could be that multiple certificates are unnecessarily available in your certificate store. Multiple certificates for the same purpose can exist if old certificates are not properly archived when new certificates are enrolled. Autoenrollment takes care of the archival process, but when certificates are manually enrolled, old certificates are not flagged as archived.

Instead of deleting certificates (which you should never do with encryption certificates) you can just archive them. Unfortunately, the Certificates MMC snap-in provides no way to set the archive flag for a certificate. Therefore, install and use CAPICOM to set the flag for a given certificate with a script. The following script can be used as a sample to archive certificates. CAPICOM is fully documented on

Option Explicit

' CAPICOM constants are not predefined in VBScript, so they must be declared
' here or Option Explicit rejects them
Const CAPICOM_CURRENT_USER_STORE = 2
Const CAPICOM_STORE_OPEN_READ_WRITE = 1
Const CAPICOM_STORE_OPEN_INCLUDE_ARCHIVED = 256
Const CAPICOM_CERTIFICATE_FIND_SHA1_HASH = 0

Dim oArgs
Dim oStore, oCertificates

Set oArgs = Wscript.Arguments
if oArgs.Count <> 1 then
 wscript.echo "Must specify the certificate thumbprint as argument"
 wscript.quit 1
end if

Set oStore = CreateObject("CAPICOM.Store")

' Open the current user's Personal store for writing. Archived certificates are
' included so the same script can find them again when un-archiving.
oStore.Open CAPICOM_CURRENT_USER_STORE, "My", _
 CAPICOM_STORE_OPEN_READ_WRITE Or CAPICOM_STORE_OPEN_INCLUDE_ARCHIVED

' Look the certificate up by its SHA-1 thumbprint; spaces from a copied
' thumbprint are removed first
Set oCertificates = oStore.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SHA1_HASH, Replace(oArgs(0), " ", ""))

if oCertificates.Count = 1 then
 ' Set the archive flag (certificate property CERT_ARCHIVED_PROP_ID)
 oCertificates(1).Archived = True
else
 wscript.echo "Expected exactly one matching certificate, found " & oCertificates.Count
 wscript.quit 1
end if

Set oCertificates = Nothing
Set oStore = Nothing

The script requires the thumbprint of the certificate to be archived as a command-line parameter, for example

cscript archivecert.vbs "be 46 c0 95 ea 4f b7"

To un-archive existing certificates, just change the line oCertificates(1).Archived = True to oCertificates(1).Archived = False.

To archive a certificate, use Notepad to create a text file Archive.inf that has the following content (certutil expects the property in a [Properties] section; 19 is the archived property):

[Properties]
19 = Empty

To remove the archive bit from a certificate, use Notepad to create an INF file that has the following content:

[Properties]
19 =

Then run the following command at a command line for each cert to be archived:

certutil -repairstore -user my [CertificateThumbprint] Archive.inf

In the above command, you can also use a comma-separated list of certificate thumbprints if you prefer. If you copy/paste the thumbprint and it includes space characters, the thumbprint must be enclosed in double quotes.

Once a certificate is flagged as archived, it does not appear in the certificates MMC snap-in unless the Archived certificates option is set. Also the certificate selection dialogs in Internet Explorer and Outlook do not show archived certificates.
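
As an added example (not part of the original post), the same archive flag can be set or cleared from PowerShell through .NET, which writes the same certificate property (19, CERT_ARCHIVED_PROP_ID) that the CAPICOM script and the certutil -repairstore INF file above manipulate. The script name and its parameters are my own choice.

```powershell
# Set-CertArchived.ps1 (added example; name and parameters are assumptions, not from the post)
# Usage:  .\Set-CertArchived.ps1 -Thumbprint "be 46 c0 ..."            # archive
#         .\Set-CertArchived.ps1 -Thumbprint "be 46 c0 ..." -Unarchive # clear the flag
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,  # SHA-1 thumbprint; spaces or colons allowed
    [switch]$Unarchive                                   # clear the flag instead of setting it
)

# Normalise a copy/pasted thumbprint ("be 46 c0 ..." or "BE:46:C0:...") to 40 hex digits.
$thumb = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
if ($thumb -notmatch '^[0-9A-F]{40}$') {
    throw "Thumbprint must be 40 hexadecimal digits, got '$thumb'"
}

# Current user's Personal store, the same store the CAPICOM script and "-user my" address.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
# IncludeArchived matters: without it an already archived certificate is invisible to Find(),
# so -Unarchive could never locate the certificate it is supposed to restore.
$store.Open('ReadWrite, IncludeArchived')
try {
    $found = $store.Certificates.Find('FindByThumbprint', $thumb, $false)
    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate with thumbprint $thumb, found $($found.Count)"
    }
    $cert = $found[0]
    # Archive rather than delete: an archived encryption certificate can still decrypt old mail,
    # it just no longer shows up in the Internet Explorer and Outlook selection dialogs.
    $cert.Archived = -not $Unarchive
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Archived   = $cert.Archived
    }
}
finally {
    $store.Close()
}
```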

To show archived certificates with the certificates MMC snap-in do the following:

1. Open the certificates MMC snap-in

2. Select the Certificates – Current User container in the left pane

3. From the menu choose View and then Options

4. Mark the option Archived certificates and click OK.

Original URL:
Post name: How to download the most current CA certificate from a certificate web enrollment station
Original author: MS2065 [MSFT]
Posting date: 2007-02-10T19:08:00+00:00

In some cases, you might want to download the most current CA certificate from a web enrollment station. Use the following URL to do so:

Replace with the DNS computer name of your web enrollment station. The renewal=-1 parameter indicates that the latest certificate is targeted. The index of the renewal parameter refers to the CA certificate that is actually downloaded: 0 is the CA certificate that was generated during CA setup, 1 is the CA certificate after the first renewal, and so on.