Certutil tasks for troubleshooting certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Certutil is a powerful command-line tool for troubleshooting problems associated with certification authorities.

To view the syntax for a specific task, click a task:

  • To display the information stored in public key related files

  • To view CA database information and restrict the CA schema information that is displayed

  • To dump the serial numbers of the certificates in the database

  • To display CA registry settings

  • To set the CA registry to perform a certain action when a request arrives

  • To set CA registry settings

  • To delete a registry value

  • To display error message text for an error code in the local language

  • To verify that the server is running (ICertRequest interface)

  • To verify that the server is running (ICertAdmin interface)

  • To generate and display the cryptographic hash over a file

  • To dump the CA database schema

  • To display all key container names that are available to the current user

  • To provide a PKCS#10 request file to an Entrust CA for cross-certification

  • To reassociate a private key with its certificate

  • To verify that the URLs in the AIA and CDP extensions are valid and correct

  • To check a certificate on a smart card

  • To view templates that are installed locally

  • To determine what CSP is used for a key pair

To display the information stored in public key related files

Syntax

certutil -dump [-f] [-gmt] [-seconds] [-split] [-v] [-p Password] [FileName]

Parameters
  • -dump
    Dumps configuration information or files.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -p Password
    Specifies a password.
  • FileName
    Specifies the file name of the configuration file that you want to display.
  • -?
    Displays a list of certutil commands.

To view CA database information and restrict the CA schema information that is displayed

Syntax

certutil -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config CAMachineName\CAName] [-restrict RestrictionList] [-out ColumnList] [RequestID]

Parameters
  • -view
    Dumps the certification authority database view.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -silent
    Uses a silent flag to acquire CryptContext.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
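  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).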
  • -restrict RestrictionList
    Restricts the rows in the file specified by RestrictionList, which is a text file that contains a comma-delimited list.
  • -out ColumnList
    Specifies the columns in the file specified by ColumnList, which is a text file that contains a comma-delimited list.
  • RequestID
    Specifies the request identifier number.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • Used without parameters, certutil displays a list of your CA configuration strings.

Examples

To list the subject e-mail names from all certificates issued from a CA named Myentrootca that is located on Cacomputer1, type:

certutil -config cacomputer1\myentrootca -view -out request.email

To restrict the rows displayed to those with request identifiers greater than 10,000 and then display only the request disposition from a CA named Myentrootca, type:

certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid>10000"

To view only the last row, type:

certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid == $"

To view only the second to last row, type:

certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid == $ - 1"

To view the subject e-mail names for all requests made to a CA, type:

certutil -view -out email

To display the numeric request identifiers of certificates based on the User template, type:

certutil -view -restrict "Certificate Template=User" -out requestid

To display the numeric request identifiers of certificates based on the template object identifier, 1.2.3.4.5.5.6.6.6.6.5.6, type:

certutil -view -restrict "Certificate Template=1.2.3.4.5.5.6.6.6.6.5.6" -out requestid

To display all serial numbers and request identifier numbers for unrevoked certificates issued by the CA, type:

certutil -view -restrict disposition==20 /out "serialnumber,requestid"

To view e-mail of the users who made the request for a template named MyTemplate and to also view when the request was issued, type:

certutil -config cacomputer1\myentrootca -view -out email -restrict "CertificateTemplate == myTemplate, Disposition == 20"

To dump the serial numbers of the certificates in the database

Syntax

certutil -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config CAMachineName\CAName] [-restrict RestrictionList] [-out ColumnList] [{disposition==20 | disposition==21}] "serialnumber,requestid"

Parameters
  • -view
    Dumps the certification authority database view.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -silent
    Uses a silent flag to acquire CryptContext.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -restrict RestrictionList
    Restricts the rows in the file specified by RestrictionList, which is a text file that contains a comma-delimited list.
  • -out ColumnList
    Specifies the columns in the file specified by ColumnList, which is a text file that contains a comma-delimited list.
  • disposition==20
    Specifies DB_DISP_ISSUED.
  • disposition==21
    Specifies DB_DISP_REVOKED.
  • "serialnumber,requestid"
    Specifies to display all serial numbers and request identifier numbers.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

Examples

To display all serial numbers and request identifier numbers for unrevoked certificates issued by the CA, type:

certutil -view -restrict disposition==20 /out "serialnumber,requestid"

To display CA registry settings

Syntax

certutil -getreg [-user] [-gmt] [-seconds] [-v] [{ca | restore | policy | exit | template}] [\ProgID] \RegistryValueName

Parameters
  • -getreg
    Displays registry information.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • ca
    Specifies the CA registry key.
  • restore
    Specifies the RESTORE registry key.
  • policy
    Specifies the POLICYMODULE registry key.
  • exit
    Specifies the EXITMODE registry key.
  • template
    Specifies the TEMPLATE registry key.
  • \ProgID
    Specifies the registry subkey name of the policy or exit module.
  • \RegistryValueName
    Specifies a particular value within the registry key.
  • -?
    Displays a list of certutil commands.
Remarks
  • Restore is only available during restore mode.

  • If you do not specify ProgID, certutil -getreg uses the default policy module, CertificateAuthority_MicrosoftDefault.Policy.

Examples

To display information about the active CA, type:

certutil -getreg Active

To display the common name of the CA, type:

certutil -getreg ca\CommonName

To display information about what disposition action the policy module will take, type:

certutil -getreg Policy\RequestDisposition

To set the CA registry to perform a certain action when a request arrives

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] policy\requestdisposition [{0 | 1 | 2 | 3}]

Parameters
  • -setreg
    Sets or edits the registry key value.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • policy\requestdisposition
    Specifies the policy module and the disposition request ID.
  • {0 | 1 | 2 | 3}
    Adds a process to a pending request specified by one of the values described in the following table.

    Value  Description
    0      Places the incoming request in a pending state.
    1      Issues the incoming request.
    2      Denies the incoming request.
    3      Takes action based on the disposition request attribute provided with the incoming request.

  • -?
    Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To set CA registry settings

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] [{ca | restore | policy | exit | template}] [\ProgID] \RegistryValueName

Parameters
  • -setreg
    Sets or edits registry information.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • ca
    Specifies the CA registry key.
  • restore
    Specifies the RESTORE registry key.
  • policy
    Specifies the POLICYMODULE registry key.
  • exit
    Specifies the EXITMODE registry key.
  • \ProgID
    Specifies the registry subkey name of the policy or exit module.
  • \RegistryValueName
    Specifies a particular value within the registry key.
  • -?
    Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Remarks
  • You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.

  • Restore is only available when you are running certutil in restore mode.

  • If you do not specify ProgID, certutil -getreg uses the default policy module, CertificateAuthority_MicrosoftDefault.Policy.

  • You can modify specific flags within the DWORD registry by using -setreg.

Examples

To set the request disposition to one, type:

certutil /setreg policy\requestdisposition 1

To set the ninth bit in the DWORD registry policy\RevocationType, type:

certutil -setreg policy\revocationtype +0x100

To reset the ninth bit in the DWORD registry policy\RevocationType, type:

certutil -setreg policy\revocationtype -0x100

To delete a registry value

Syntax

certutil -delreg [-user] [-gmt] [-seconds] [-v] [{ca | restore | policy | exit | template}] [\ProgID] \RegistryValueName

Parameters
  • -delreg
    Deletes the registry value.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • ca
    Specifies the CA registry key.
  • restore
    Specifies the RESTORE registry key.
  • policy
    Specifies the POLICYMODULE registry key.
  • exit
    Specifies the EXITMODE registry key.
  • template
    Specifies the TEMPLATE registry key.
  • \ProgID
    Specifies the registry subkey name of the policy or exit module.
  • \RegistryValueName
    Specifies any CA registry value.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.

  • Restore is only available during backup and restore modes.

  • If you do not specify ProgID, certutil -getreg uses the default policy module, CertificateAuthority_MicrosoftDefault.Policy.

To display error message text for an error code in the local language

Syntax

certutil -error ErrorCode

Parameters
  • -error
    Displays error code message text in the local language, which is specified by the Locale registry key.
  • ErrorCode
    Specifies the error code that you want to view in the local language.
  • -?
    Displays a list of certutil commands.
Remarks
  • For ErrorCode, you can use signed or unsigned decimal format, or hexadecimal format with a leading 0x.

  • You can use this command to decode errors received from the Certification Authority snap-in.

To verify that the server is running (ICertRequest interface)

Syntax

certutil -ping [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

Parameters
  • -ping
    Pings the Certificate Services ICertRequest interface.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
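  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).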
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To verify that the server is running (ICertAdmin interface)

Syntax

certutil -pingadmin [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

Parameters
  • -pingadmin
    Pings the Certificate Services ICertAdmin interface.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
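  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).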
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • To determine whether you have successfully completed this command, make sure that the user has administrative access to the server.

To generate and display the cryptographic hash over a file

Syntax

certutil -hashfile [-gmt] [-seconds] [-v] InFile

Parameters
  • -hashfile
    Generates and displays cryptographic hash over a file.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • InFile
    Specifies the file for which you want to display the hash.
  • -?
    Displays a list of certutil commands.
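
The read-only tasks above (-ping, -pingadmin, -getreg, -view, -error and -hashfile) can be combined into one baseline collection run. The script below is an added example, not part of the original page; the output folder name and the check labels are assumptions, it uses -config - to select the default CA, and it needs PowerShell 3.0 or later.

```powershell
# Added example: collect a read-only CA troubleshooting baseline using only
# the certutil commands documented on this page. Nothing here changes the CA.
param(
    [string]$Config = '-',              # "-" = default CA (see Remarks)
    [string]$OutDir = '.\ca-baseline'   # hypothetical output folder
)

# Create the folder and resolve it to a full path for the native commands.
$OutDir   = (New-Item -ItemType Directory -Path $OutDir -Force).FullName
$manifest = Join-Path $OutDir 'manifest.txt'

# Label -> certutil argument list. The labels are assumptions of this example.
$checks = [ordered]@{
    'ping'          = @('-ping', '-config', $Config)
    'pingadmin'     = @('-pingadmin', '-config', $Config)
    'ca-commonname' = @('-getreg', 'ca\CommonName')
    'disposition'   = @('-getreg', 'policy\RequestDisposition')
    'issued'        = @('-config', $Config, '-view', '-restrict',
                        'disposition==20', '-out', 'serialnumber,requestid')
    'revoked'       = @('-config', $Config, '-view', '-restrict',
                        'disposition==21', '-out', 'serialnumber,requestid')
}

$results = foreach ($name in $checks.Keys) {
    $cmdArgs = $checks[$name]
    $file    = Join-Path $OutDir "$name.txt"

    # Run the check, keep stdout and stderr, and save the exit code at once
    # because the later certutil calls overwrite $LASTEXITCODE.
    $output = & certutil.exe @cmdArgs 2>&1 | ForEach-Object { "$_" }
    $code   = $LASTEXITCODE
    $output | Out-File -FilePath $file -Encoding utf8

    # On failure, translate the exit code with certutil -error. The code is
    # passed as hexadecimal with a leading 0x, one of the accepted formats.
    $message = ''
    if ($code -ne 0) {
        $hex     = '0x{0:x8}' -f $code
        $message = (& certutil.exe -error $hex 2>&1 | Out-String).Trim()
    }

    # Record the hash of the saved output so later edits can be detected.
    & certutil.exe -hashfile $file 2>&1 |
        ForEach-Object { "$_" } |
        Add-Content -Path $manifest

    [pscustomobject]@{
        Check    = $name
        ExitCode = $code
        Error    = $message
        File     = $file
    }
}

$results | Format-Table -AutoSize -Wrap

# A non-zero script exit code lets a scheduled job flag a failed check.
if (@($results | Where-Object { $_.ExitCode -ne 0 }).Count -gt 0) { exit 1 }
```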

To dump the CA database schema

Syntax

certutil -schema [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [{Ext | Attrib | CRL}]

Parameters
  • -config ConfigString
    Processes the operation by using the CA specified in the configuration string (that is, ConfigString). Without this option, the default CA processes the request.
  • -schema
    Dumps the CA database schema.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • Ext
    Displays the schema for the Ext table.
  • Attrib
    Displays the schema for the Attrib table.
  • CRL
    Displays the schema for the certificate revocation list (CRL).
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

Examples

To view the CA database schema, type:

certutil -schema

To display all key container names that are available to the current user

Syntax

certutil -key [-user] [-gmt] [-seconds] [-silent] [-v] [CSPName] [*]

Parameters
  • -key
    Displays the key containers for the local computer.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -silent
    Uses a silent flag to acquire CryptContext.
  • -v
    Specifies verbose output.
  • CSPName
    Specifies the cryptographic service provider (CSP) for which you want to display the key containers.
  • *
    Displays the key containers for all of the CSPs.
  • -?
    Displays a list of certutil commands.

To provide a PKCS#10 request file to an Entrust CA for cross-certification

Syntax

certutil -split [-gmt] [-seconds] [-v] CMC.req

Parameters
  • -split
    Analyzes each binary (ASN.1-encoded) object in a certificate request file, and then saves each object to a separate blob file.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • CMC.req
    Specifies the Cryptographic Message Syntax (CMS) request (this protocol is also known as CMC) file that you want to analyze.
  • -?
    Displays a list of certutil commands.
Remarks
  • For more information about creating a CMS request from the root certificate by using the certreq -policy command, see Certreq in Related Topics. In Certreq, see the "To construct a cross-certification or qualified subordination request from an existing CA certificate or request" task.

  • If possible, when you construct a request from an existing certificate, you should run the certreq -policy command on a computer that has the input certificate's private key installed. If the private key is unavailable (as is usually the case for cross-certifying non-Microsoft CAs), the PKCS #10 file is NULL-signed and the outer CMS is also NULL-signed. A NULL-signed PKCS #10 is unacceptable to most non-Microsoft CAs.

To reassociate a private key with its certificate

Syntax

certutil -repairstore [{-csp CSPName [-f]}] [-enterprise] [-user] [-gmt] [-seconds] [-split] [-v] [{ca | my | root | spc}] CertIndex

Parameters
  • -repairstore
    Repairs the key provider information in the ca store.
  • -csp
    Uses only the cryptographic service provider (CSP) specified to locate and repair the key.
  • CSPName
    Specifies the name of the CSP to use.
  • -f
    Used with -csp to locate a key when necessary to force searching for the key using the specified CSP.
  • -enterprise
    Uses the local computer Enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • ca
    Specifies certificates in the Intermediate Certification Authorities store.
  • my
    Specifies certificates issued to the local computer.
  • root
    Specifies certificates in the Trusted Root Certification Authorities store.
  • spc
    Specifies software publisher certificates.
  • CertIndex
    Specifies the Secure Hash Algorithm (SHA-1) certificate hash, serial number, or certificate index identifier.
  • -?
    Displays a list of certutil commands.
Remarks
  • If the certificate is located in the HKEY_LOCAL_MACHINE certificate store, do not use -user.

To verify that the URLs in the AIA and CDP extensions are valid and correct

Syntax

certutil -url [-f] [-gmt] [-seconds] [-split] [-v] CertFile.crt

Parameters
  • -url
    Verifies certificate or certificate revocation list (CRL) URLs.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • CertFile.crt
    Specifies the certificate file.
  • -?
    Displays a list of certutil commands.
Remarks
  • To make sure that the URLs are valid and point to the appropriate CRLs or issuing CA certificates, you can use this command to check the Authority Information Access (AIA) and CRL Distribution Points (CDPs) extensions, and then dereference the URLs inside these extensions.

To check a certificate on a smart card

Syntax

certutil -scinfo [-gmt] [-seconds] [-silent] [-split] [-v] [ReaderName]

Parameters
  • -scinfo
    Displays smart card information.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -silent
    Uses a silent flag to acquire CryptContext.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • ReaderName
    Specifies the name of the smart card reader.
  • -?
    Displays a list of certutil commands.

To view templates that are installed locally

Syntax

certutil -template [-user] [-ut] [-mt] [-gmt] [-seconds] [-v] TemplateName

Parameters
  • -template
    Displays the specified template.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -ut
    Displays the user templates.
  • -mt
    Displays the computer templates.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • TemplateName
    Specifies the name of the template that you want to view.
  • -?
    Displays a list of certutil commands.

To determine what CSP is used for a key pair

Syntax

certutil PFXfile.pfx

Parameters
  • PFXfile.pfx
    Specifies a file with a .pfx extension.
  • -?
    Displays a list of certutil commands.
Remarks
  • After you import the .pfx file, you can display the HKEY_CURRENT_USER "My" store using the following syntax:

    certutil /user /store my [CertIndex]

    This command displays each certificate key's cryptographic service provider (CSP) as Provider=xxx.

  • In place of CertIndex, you can specify the decimal, the zero-based certificate store index number, the common name, the Secure Hash Algorithm (SHA-1), or the public key SHA-1.

Formatting legend

Format                                                Meaning
Italic                                                Information that the user must supply
Bold                                                  Elements that the user must type exactly as shown
Ellipsis (...)                                        Parameter that can be repeated several times in a command line
Between brackets ([])                                 Optional items
Between braces ({}); choices separated by pipe (|).   Set of choices from which the user must choose only one
  Example: {even|odd}
Courier font                                          Code or program output
