Certutil tasks for troubleshooting certificates

certutil -dump [-f] [-gmt] [-seconds] [-split] [-v] [-p Password] [FileName]

-dump

Dumps configuration information or files.

-f

Overwrites existing files or keys.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-split

Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v

Specifies verbose output.

-p Password

Specifies a password.

FileName

Specifies the file name of the configuration file that you want to display.

-?

Displays a list of certutil commands.

certutil -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config CAMachineName\CAName] [-restrict RestrictionList] [-out ColumnList] [RequestID]

-view

Dumps the certification authority database view.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-silent

Uses a silent flag to acquire CryptContext.

-split

Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v

Specifies verbose output.

-config CAMachineName \ CAName

-restrict RestrictionList

Restricts the rows in the file specified by RestrictionList, which is a text file that contains a comma-delimited list.

-out ColumnList

Specifies the columns in the file specified by ColumnList, which is a text file that contains a comma-delimited list.

RequestID

Specifies the request identifier number.

-?

Displays a list of certutil commands.

• You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
  
  
• If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
  
  
• Used without parameters, certutil displays a list of your CA configuration strings.
  
  

To list the subject e-mail names from all certificates issued from a CA named Myentrootca that is located on Cacomputer1, type:

certutil -config cacomputer1\myentrootca -view -out request.email

To restrict the rows displayed to those with request identifiers greater than 10,000 and then display only the request disposition from a CA named Myentrootca, type:

certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid>10,000"

To view only the last row, type:

Certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid == $"

To view only the second to last row, type:

certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid == $ - 1"

To view the subject e-mail names for all requests made to a CA, type:

certutil -view -out email

To display the numeric request identifiers of certificates based on the User template, type:

certutil -view -restrict "Certificate Template=User" -out requestid

To display the numeric request identifiers of certificates based on the template object identifier, 1.2.3.4.5.5.6.6.6.6.5.6, type:

certutil -view -restrict "Certificate Template=1.2.3.4.5.5.6.6.6.6.5.6" -out requestid

To display all serial numbers and request identifier numbers for unrevoked certificates issued by the CA, type:

certutil -view -restrict disposition==20 /out "serialnumber,requestid"

To view e-mail of the users who made the request for a template named MyTemplate and to also view when the request was issued, type:

certutil -config cacomputer1\myentrootca -view -out email -restrict "CertificateTemplate == myTemplate, Disposition == 20"

certutil -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config CAMachineName\CAName] [-restric RestrictionList] [-out ColumnList] [{disposition==20 | disposition==21}] "serialnumber,requestid"

-view

Dumps the certification authority database view.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-silent

Uses a silent flag to acquire CryptContext.

-split

Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v

Specifies verbose output.

-config CAMachineName \ CAName

processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-restrict RestrictionList

Restricts the rows in the file specified by RestrictionList, which is a text file that contains a comma-delimited list.

-out ColumnList

Specifies the columns in the file specified by ColumnList, which is a text file that contains a comma-delimited list.

disposition==20

Specifies DB_DISP_ISSUED.

disposition==21

Specifies DB_DISP_REVOKED.

"serialnumber,requestid"

Specifies to display all serial numbers and request identifier numbers.

-?

Displays a list of certutil commands.

• You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
  
  
• If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
  
  

To display all serial numbers and request identifier numbers for unrevoked certificates issued by the CA, type:

certutil -view -restrict disposition==20 /out "serialnumber,requestid"

certutil -getreg [-user] [-gmt] [-seconds] [-v] [{ca | restore | policy | exit |template}] [\ProgID] \RegistryValueName

-getreg

Displays registry information.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

ca

Specifies the CA registry key.

restore

Specifies the RESTORE registry key.

policy

Specifies the POLICYMODULE registry key.

exit

Specifies the EXITMODE registry key.

template

Specifies the TEMPLATE registry key.

\ ProgID

Specifies the registry subkey name of the policy or exit module.

\ RegistryValueName

Specifies a particular value within the registry key.

-?

Displays a list of certutil commands.

• Restore is only available during restore mode.
  
  
• If you do not specify ProgID, certutil-getreg uses the default policy module, CertificateAuthority_MicrosoftDefault.Policy.
  
  

To display information about the active CA, type:

certutil -getreg Active

To display the common name of the CA, type:

certutil -getreg ca\CommonName

To display information about what disposition action the policy module will take, type:

certutil -getreg Policy\RequestDisposition

certutil -setreg [-user] [-gmt] [-seconds] [-v] policy\requestdisposition [{0 | 1 | 2 | 3}]

-setreg

Sets or edits the registry key value.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

policy\requestdisposition

Specifies the policy module and the disposition request ID.

{ 0| 1| 2| 3}

Adds a process to a pending request specified by one of values described in the following table.

 

Value	Description
0	Places the incoming request in a pending state.
1	Issues the incoming request.
2	Denies the incoming request.
3	Takes action based on the disposition request attribute provided with the incoming request.

-?

Displays a list of certutil commands.

Caution

• Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
  
  

Note

• You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
  
  

certutil -setreg [-user] [-gmt] [-seconds] [-v] [{ca | restore | policy | exit | template} [\ProgID]\RegistryValueName

-setreg

Sets or edits registry information.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

ca

Specifies the CA registry key.

restore

Specifies the RESTORE registry key.

policy

Specifies the POLICYMODULE registry key.

exit

Specifies the EXITMODE registry key.

\ ProgID

Specifies the registry subkey name of the policy or exit module.

\ RegistryValueName

Specifies a particular value within the registry key.

-?

Displays a list of certutil commands.

Caution

• Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
  
  

• You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
  
  
• Restore is only available when you are running certutil in restore mode.
  
  
• If you do not specify ProgID, certutil-getreg uses the default policy module, CertificateAuthority_MicrosoftDefault.Policy.
  
  
• You can modify specific flags within the DWORD registry by using -setreg.
  
  

To set the request disposition to one, type:

certutil /setreg policy\requestdisposition 1

To set the ninth bit in the DWORD registry policy\RevocationType, type:

certutil -setreg policy\revocationtype +0x100

To reset the ninth bit in the DWORD registry policy\RevocationType, type:

certutil -setreg policy\revocationtype -0x100

certutil -delreg [-user] [-gmt] [-seconds] [-v] [{ca | restore | policy | exit | template} [\ProgID] \RegistryValueName

-delreg

Deletes the registry value.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

ca

Specifies the CA registry key.

restore

Specifies the RESTORE registry key.

policy

Specifies the POLICYMODULE registry key.

exit

Specifies the EXITMODE registry key.

template

Specifies the TEMPLATE registry key.

\ ProgID

Specifies the registry subkey name of the policy or exit module.

\ RegistryValueName

Specifies any CA registry value.

-?

Displays a list of certutil commands.

• You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
  
  
• Restore is only available during backup and restore modes.
  
  
• If you do not specify ProgID, certutil-getreg uses the default policy module, CertificateAuthority_MicrosoftDefault.Policy.
  
  

certutil -error ErrorCode

-error

Displays error code message text in the local language, which is specified by the Locale registry key.

ErrorCode

Specifies the error code that you want to view in the local language.

-?

Displays a list of certutil commands.

• For ErrorCode, you can use signed or unsigned decimal format, or hexadecimal format with a leading 0x.
  
  
• You can use this command to decode errors received from the Certification Authority snap-in.
  
  

certutil -ping [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

-ping

Pings the Certificate Services ICertRequest interface.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

-config CAMachineName \ CAName

-?

Displays a list of certutil commands.

• You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
  
  
• If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
  
  

certutil -pingadmin [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

-pingadmin

Pings the Certificate Services ICertAdmin interface.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

-config CAMachineName \ CAName

-?

Displays a list of certutil commands.

• You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
  
  
• If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
  
  
• To determine whether you have successfully completed this command, make sure that the user has administrative access to the server.
  
  

certutil -hashfile [-gmt] [-seconds] [-v] InFile

-hashfile

Generates and displays cryptographic hash over a file.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

InFile

Specifies the file for which you want to display the hash.

-?

Displays a list of certutil commands.

certutil -schema [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [{Ext | Attib | CRL}]

-config ConfigString

Processes the operation by using the CA specified in the configuration string (that is, ConfigString). Without this option, the default CA processes the request.

-schema

Dumps the CA database schema.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-split

Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v

Specifies verbose output.

-config CAMachineName \ CAName

processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

Ext

Displays the schema for Ext table.

Attib

Displays the schema for Attib table.

CRL

Displays the schema for the certificate revocation list (CRL).

-?

Displays a list of certutil commands.

• You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
  
  
• If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
  
  

To view the CA database schema, type:

certutil -schema

certutil -key [-user] [-gmt] [-seconds] [-silent] [-v] [CSPName] [*]

-key

Displays the key containers for the local computer.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-silent

Uses a silent flag to acquire CryptContext.

-v

Specifies verbose output.

CSPName

Specifies the cryptographic service provider (CSP) for which you want to display the key containers.

*

Displays the key containers for all of the CSPs.

-?

Displays a list of certutil commands.

• RSA is the default CSP for the Windows Server 2003 family. To specify an alternate CSP provider, use the CSPName command-line option. For more information about RSA, see the RSA Labs Web site. Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.
  
  

certutil -split [-gmt] [-seconds] [-v] CMC.req

-split

Analyzes each binary (ASN.1-encoded) object in a certificate request file, and then saves each object to a separate blob file.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

CMC .req

Specifies the Cryptographic Message Syntax (CMS) request (this protocol is also known as CMC) file that you want to analyze.

-?

Displays a list of certutil commands.

• For more information about creating a CMS request from the root certificate by using the certreq –policy command, see Certreq in Related Topics. In Certreq, see the "To construct a cross-certification or qualified subordination request from an existing CA certificate or request" task.
  
  
• If possible, when you construct a request from an existing certificate, you should run the certreq –policy command on a computer that has the input certificate's private key installed. If the private key is unavailable (as is usually the case for cross-certifying non-Microsoft CAs), the PKCS #10 file is NULL-signed and the outer CMS is also NULL-signed. A NULL-signed PKCS#10 is unacceptable to most non-Microsoft CAs.
  
  

certutil -repairstore [{-cspCSPName[-f]}] [-enterprise] [-user] [-gmt] [-seconds] [-split] [-v] [{ca | my| root | spc}] CertIndex

-repairstore

Repairs the key provider information in the ca store.

-csp

Uses only the cryptographic service provider (CSP) specified to locate and repair the key.

CSPName

Specifies the name of the CSP to use.

-f

Used with -csp to locate a key when necessary to force searching for the key using the specified CSP.

-enterprise

Uses the local computer Enterprise registry certificate store.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-split

Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v

Specifies verbose output.

ca

Specifies certificates in the Intermediate Certification Authorities store.

my

Specifies certificates issued to the local computer.

root

Specifies certificates in the Trusted Root Certification Authorities store.

spc

Specifies software publisher certificates.

CertIndex

Specifies the Secure Hash Algorithm (SHA-1) certificate hash, serial number, or certificate index identifier.

-?

Displays a list of certutil commands.

• If the certificate is located in the HKEY_LOCAL_MACHINE certificate store, do not use -user.
  
  

certutil -url[-f] [-gmt] [-seconds] [-split] [-v] CertFile.crt

-url

Verifies certificate or certificate revocation list (CRL) URLs.

-f

Overwrites existing files or keys.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-split

Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v

Specifies verbose output.

CertFile .crt

Specifies the certificate file.

-?

Displays a list of certutil commands.

• To make sure that the URLs are valid and point to the appropriate CRLs or issuing CA certificates, you can use this command to check the Authority Information Access (AIA) and CRL Distribution Points (CDPs) extensions, and then dereference the URLs inside these extensions.
  
  

certutil -scinfo [-gmt] [-seconds] [-silent] [-split] [-v] [ReaderName]

-scinfo

Displays smart card information.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-silent

Uses a silent flag to acquire CryptContext.

-split

Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v

Specifies verbose output.

ReaderName

Specifies the name of the smart card reader.

-?

Displays a list of certutil commands.

certutil -template [-user] [-ut] [-mt] [-gmt] [-seconds] [-v] TemplateName

-template

Displays the specified template.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-ut

Displays the user templates.

-mt

Displays the computer templates.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

TemplateName

Specifies the name of the template that you want to view.

-?

Displays a list of certutil commands.

certutil PFXfile .pfx

PFXfile .pfx

Specifies a file with a .pfx extension.

-?

Displays a list of certutil commands.

• After you import the .pfx file, you can display the HKEY_CURRENT_USER "My" store using the following syntax:
  
  certutil /user /store my [CertIndex]
  
  This command displays each certificate key's cryptographic service provider (CSP) as Provider=xxx.
  
  
• In place of CertIndex, you can specify the decimal, the zero-based certificate store index number, the common name, the Secure Hash Algorithm (SHA-1), or the public key SHA-1.