
Certutil tasks for troubleshooting certificates

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Certutil is a command-line tool for managing and troubleshooting certification authorities (CAs) and the certificates, keys, and databases they rely on. Each task below gives the syntax, parameters, remarks, and examples for one certutil command that is useful when troubleshooting.

To display the information stored in public key related files

Syntax

certutil -dump [-f] [-gmt] [-seconds] [-split] [-v] [-p Password] [FileName]

Parameters
-dump
Dumps configuration information or files.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-p Password
Specifies a password.

FileName
Specifies the file to dump, such as a certificate (.cer or .crt), CRL, PKCS #10 request, PKCS #7, or .pfx file. If the file is password protected (for example, a .pfx file), supply -p Password.

-?
Displays a list of certutil commands.

To view CA database information and restrict the rows and columns that are displayed

Syntax

certutil -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config CAMachineName\CAName] [-restrict RestrictionList] [-out ColumnList] [RequestID]

Parameters
-view
Dumps the certification authority database view.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-silent
Uses a silent flag to acquire CryptContext.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-restrict RestrictionList
Restricts the rows returned to those that match RestrictionList, a comma-delimited list of restrictions typed on the command line. Each restriction is a column name, a relational operator, and a constant (for example, "Disposition=20,RequestID>10000"); quote the list when it contains spaces or shell characters.

-out ColumnList
Specifies which columns are displayed, as a comma-delimited list of column names typed on the command line (for example, "RequestID,SerialNumber").

RequestID
Specifies the request identifier number.

-?
Displays a list of certutil commands.

Remarks
  • If you omit -config CAMachineName\CAName, the Select Certification Authority dialog box appears and lists the CAs that are available.

  • If you use -config - instead of -config CAMachineName\CAName, the operation is processed by using the default CA.

  • Used without parameters, certutil displays a list of your CA configuration strings.

Examples

To list the subject e-mail names from all certificates issued from a CA named Myentrootca that is located on Cacomputer1, type:

certutil -config cacomputer1\myentrootca -view -out request.email

To restrict the rows displayed to those with request identifiers greater than 10,000 and then display only the request disposition from a CA named Myentrootca, type:

certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid>10000"

To view only the last row, type:

certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid == $"

To view only the second to last row, type:

certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid == $ - 1"

To view the subject e-mail names for all requests made to a CA, type:

certutil -view -out email

To display the numeric request identifiers of certificates based on the User template, type:

certutil -view -restrict "CertificateTemplate=User" -out requestid

To display the numeric request identifiers of certificates based on the template object identifier, 1.2.3.4.5.5.6.6.6.6.5.6, type:

certutil -view -restrict "CertificateTemplate=1.2.3.4.5.5.6.6.6.6.5.6" -out requestid

To display all serial numbers and request identifier numbers for unrevoked certificates issued by the CA, type:

certutil -view -restrict disposition==20 -out "serialnumber,requestid"

To view the e-mail names in the issued certificates (disposition 20) that were based on a template named MyTemplate, type:

certutil -config cacomputer1\myentrootca -view -out email -restrict "CertificateTemplate == MyTemplate, Disposition == 20"
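The -restrict and -out examples above answer one question at a time. When auditing a CA you usually want the whole issued set as objects you can group and filter, for instance to spot a template that was issued to a requester who should never have enrolled for it. The following PowerShell is an added example, not code from the original page; it parses the "Row N:" blocks that certutil -view prints into objects. It assumes certutil.exe is on the PATH, the caller can read the CA database, and the CA prints English localized labels ("Request ID", "Requester Name", "Certificate Template"); the $sampleText below is constructed, not captured from a CA.

```powershell
# Added example (not from the original page): parse "certutil -view" output
# into objects and summarise what the CA has issued, per template and requester.
# Assumptions: certutil.exe on the PATH, read access to the CA database, and
# English column labels; $sampleText is constructed sample output.

function ConvertFrom-CertutilView {
    # One object per "Row N:" block, with a property for every "Label: value"
    # line certutil prints under it; the schema header before the rows is skipped.
    param([Parameter(ValueFromPipeline = $true)][string[]]$Line)
    begin { $row = $null; $rows = @() }
    process {
        foreach ($l in $Line) {
            if ($l -match '^Row \d+:') {
                if ($row -ne $null) { $rows += New-Object PSObject -Property $row }
                $row = @{}
            }
            elseif ($row -ne $null -and $l -match '^\s+([^:]+):\s*(.*)$') {
                # Values look like 0x2 (2), "quoted text" or a date; keep the
                # text as printed apart from the surrounding quotes.
                $row[$matches[1].Trim()] = $matches[2].Trim().Trim('"')
            }
        }
    }
    end { if ($row -ne $null) { $rows += New-Object PSObject -Property $row }; $rows }
}

# Constructed sample of what certutil -view prints for two issued certificates.
$sampleText = @'
Schema:
  Column Name                   Localized Name                Type    MaxLength
  ----------------------------  ----------------------------  ------  ---------
  Request.RequestID             Request ID                    Long    4 -- Indexed
  Request.RequesterName         Requester Name                String  2048
  CertificateTemplate           Certificate Template          String  254
  NotBefore                     Certificate Effective Date    Date    8

Row 1:
  Request ID: 0x2 (2)
  Requester Name: "CONTOSO\alice"
  Certificate Template: "User"
  Certificate Effective Date: 1/21/2005 10:01 AM

Row 2:
  Request ID: 0x3 (3)
  Requester Name: "CONTOSO\svc-web"
  Certificate Template: "WebServer"
  Certificate Effective Date: 1/21/2005 10:05 AM
'@
$sample = $sampleText -split "`r?`n"

# Against a live CA, replace the sample with the real call (Disposition 20 = issued):
# $rows = certutil -config 'cacomputer1\myentrootca' -view -restrict 'Disposition=20' `
#         -out 'RequestID,RequesterName,CertificateTemplate,NotBefore' | ConvertFrom-CertutilView
$rows = $sample | ConvertFrom-CertutilView

# Who obtained certificates from which template. Unexpected pairs (an ordinary
# user account on a server or agent template, for example) stand out here.
$rows | Group-Object 'Certificate Template', 'Requester Name' |
    Select-Object Count, Name | Sort-Object Count -Descending
```

The parser keys each property by the label certutil prints, so it works for any -out column list; only the grouping at the end depends on the English display names, which is why those are called out as an assumption.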

To dump the serial numbers of the certificates in the database

Syntax

certutil -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config CAMachineName\CAName] -restrict {disposition==20 | disposition==21} -out "serialnumber,requestid"

Parameters
-view
Dumps the certification authority database view.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-silent
Uses a silent flag to acquire CryptContext.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-config CAMachineName \ CAName
processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-restrict RestrictionList
Restricts the rows returned to those that match RestrictionList, a comma-delimited list of restrictions typed on the command line. Each restriction is a column name, a relational operator, and a constant.

-out ColumnList
Specifies which columns are displayed, as a comma-delimited list of column names typed on the command line.

disposition==20
Specifies DB_DISP_ISSUED.

disposition==21
Specifies DB_DISP_REVOKED.

"serialnumber,requestid"
Specifies to display all serial numbers and request identifier numbers.

-?
Displays a list of certutil commands.

Remarks
  • If you omit -config CAMachineName\CAName, the Select Certification Authority dialog box appears and lists the CAs that are available.

  • If you use -config - instead of -config CAMachineName\CAName, the operation is processed by using the default CA.

Examples

To display all serial numbers and request identifier numbers for unrevoked certificates issued by the CA, type:

certutil -view -restrict disposition==20 -out "serialnumber,requestid"

To display CA registry settings

Syntax

certutil -getreg [-user] [-gmt] [-seconds] [-v] [{ca | restore | policy | exit | template}] [\ProgID]\RegistryValueName

Parameters
-getreg
Displays registry information.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

ca
Specifies the CA registry key.

restore
Specifies the RESTORE registry key.

policy
Specifies the POLICYMODULE registry key.

exit
Specifies the EXITMODE registry key.

template
Specifies the TEMPLATE registry key.

\ProgID
Specifies the registry subkey name of the policy or exit module.

\RegistryValueName
Specifies a particular value within the registry key.

-?
Displays a list of certutil commands.

Remarks
  • Restore is only available during restore mode.

  • If you do not specify ProgID, certutil -getreg uses the default policy module, CertificateAuthority_MicrosoftDefault.Policy.

Examples

To display information about the active CA, type:

certutil -getreg Active

To display the common name of the CA, type:

certutil -getreg ca\CommonName

To display information about what disposition action the policy module will take, type:

certutil -getreg Policy\RequestDisposition

To set the CA registry to perform a certain action when a request arrives

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] policy\requestdisposition [{0 | 1 | 2 | 3}]

Parameters
-setreg
Sets or edits the registry key value.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

policy\requestdisposition
Specifies the RequestDisposition value under the registry key of the default policy module.

{0 | 1 | 2 | 3}
Specifies how the policy module disposes of each incoming request, as described in the following table.

 

Value   Description
0       Places the incoming request in a pending state.
1       Issues the incoming request.
2       Denies the incoming request.
3       Takes action based on the disposition request attribute provided with the incoming request.

-?
Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Remarks
  • You must restart Certificate Services for this change to take effect.

  • A value of 1 causes the policy module to issue every request that reaches it without administrator review. On a stand-alone CA, whose default is 0 (pending), this lets any requester who can reach the CA obtain a certificate, so use it only where request submission is already restricted to trusted clients. An enterprise CA defaults to 1 but still enforces certificate template permissions before issuing.

To set CA registry settings

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] [{ca | restore | policy | exit | template}] [\ProgID]\RegistryValueName

Parameters
-setreg
Sets or edits registry information.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

ca
Specifies the CA registry key.

restore
Specifies the RESTORE registry key.

policy
Specifies the POLICYMODULE registry key.

exit
Specifies the EXITMODE registry key.

template
Specifies the TEMPLATE registry key.

\ ProgID
Specifies the registry subkey name of the policy or exit module.

\ RegistryValueName
Specifies a particular value within the registry key.

-?
Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Remarks
  • You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.

  • Restore is only available when you are running certutil in restore mode.

  • If you do not specify ProgID, certutil -setreg uses the default policy module, CertificateAuthority_MicrosoftDefault.Policy.

  • You can set or clear individual flag bits within a DWORD registry value by prefixing the flag with + or - (for example, +0x100 or -0x100) instead of replacing the whole value.

Examples

To set the request disposition to one, type:

certutil -setreg policy\requestdisposition 1

To set the ninth bit in the DWORD registry policy\RevocationType, type:

certutil -setreg policy\revocationtype +0x100

To reset the ninth bit in the DWORD registry policy\RevocationType, type:

certutil -setreg policy\revocationtype -0x100
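The +0x/-0x form above changes one bit without disturbing the rest of the DWORD, which is exactly what you want when checking a CA for a risky policy flag. The following PowerShell is an added example, not code from the original page, and it goes beyond the page's RevocationType case: it reads a policy-module DWORD with certutil -getreg, tests one bit, and shows the matching -setreg command. The bit used is 0x40000 of policy\EditFlags, EDITF_ATTRIBUTESUBJECTALTNAME2, which when set lets the default policy module take subject alternative names from a request attribute supplied by the requester, so the CA no longer controls which names it certifies. It assumes certutil.exe is on the PATH, that you run it on the CA as a CA administrator, and that -getreg prints the value as "EditFlags REG_DWORD = <hex> (<decimal>)"; the $sample below is constructed output, not captured from a CA.

```powershell
# Added example (not from the original page): read a DWORD under the default
# policy module with certutil -getreg, test one flag bit, and show how to clear it
# with the same +0x/-0x syntax the page uses for RevocationType.
# Assumptions: certutil.exe on the PATH, run on the CA as a CA administrator,
# output of the form "  EditFlags REG_DWORD = 15014e (1376590)"; $sample is
# constructed sample output.

function Get-CertutilRegDword {
    param([Parameter(Mandatory = $true)][string]$ValuePath,   # e.g. 'policy\EditFlags'
          [string[]]$Output)                                  # pass captured text to skip the live call
    if (-not $Output) { $Output = certutil -getreg $ValuePath 2>&1 }
    foreach ($line in $Output) {
        # certutil prints the hex value followed by the decimal in parentheses;
        # the decimal is used so the parse does not depend on a 0x prefix.
        if ($line -match 'REG_DWORD\s*=\s*(?:0x)?[0-9A-Fa-f]+\s*\((\d+)\)') {
            return [int64]$matches[1]
        }
    }
    throw "No REG_DWORD value found in certutil output for $ValuePath"
}

function Test-DwordFlag {
    param([int64]$Value, [int64]$Flag)
    ($Value -band $Flag) -ne 0
}

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

# Constructed sample of "certutil -getreg policy\EditFlags"; omit -Output below
# to query the CA this script runs on.
$sample = @(
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\MyEntRootCA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:',
    '',
    '  EditFlags REG_DWORD = 15014e (1376590)',
    '    EDITF_REQUESTEXTENSIONLIST -- 2',
    '    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)',
    'CertUtil: -getreg command completed successfully.'
)

$editFlags = Get-CertutilRegDword -ValuePath 'policy\EditFlags' -Output $sample

if (Test-DwordFlag -Value $editFlags -Flag $EDITF_ATTRIBUTESUBJECTALTNAME2) {
    Write-Warning ('EditFlags=0x{0:x}: EDITF_ATTRIBUTESUBJECTALTNAME2 is set; requesters can supply their own subject alternative names.' -f $editFlags)
    # Clear only this bit, then restart the CA so the policy module rereads it:
    #   certutil -setreg policy\EditFlags -0x40000
    #   (certutil also accepts the symbolic form: -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2)
    #   net stop certsvc
    #   net start certsvc
} else {
    'EditFlags=0x{0:x}: EDITF_ATTRIBUTESUBJECTALTNAME2 is clear.' -f $editFlags
}
```

Reading the value first and clearing only the one bit matters because EditFlags also carries settings you want to keep; -setreg with a bare number would overwrite all of them.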

To delete a registry value

Syntax

certutil -delreg [-user] [-gmt] [-seconds] [-v] [{ca | restore | policy | exit | template}] [\ProgID]\RegistryValueName

Parameters
-delreg
Deletes the registry value.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

ca
Specifies the CA registry key.

restore
Specifies the RESTORE registry key.

policy
Specifies the POLICYMODULE registry key.

exit
Specifies the EXITMODE registry key.

template
Specifies the TEMPLATE registry key.

\ ProgID
Specifies the registry subkey name of the policy or exit module.

\ RegistryValueName
Specifies any CA registry value.

-?
Displays a list of certutil commands.

Remarks
  • You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.

  • Restore is only available when you are running certutil in restore mode.

  • If you do not specify ProgID, certutil -delreg uses the default policy module, CertificateAuthority_MicrosoftDefault.Policy.

To display error message text for an error code in the local language

Syntax

certutil -error ErrorCode

Parameters
-error
Displays error code message text in the local language, which is specified by the Locale registry key.

ErrorCode
Specifies the error code that you want to view in the local language.

-?
Displays a list of certutil commands.

Remarks
  • For ErrorCode, you can use signed or unsigned decimal format, or hexadecimal format with a leading 0x.

  • You can use this command to decode errors received from the Certification Authority snap-in.

To verify that the server is running (ICertRequest interface)

Syntax

certutil -ping [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

Parameters
-ping
Pings the Certificate Services ICertRequest interface.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-?
Displays a list of certutil commands.

Remarks
  • If you omit -config CAMachineName\CAName, the Select Certification Authority dialog box appears and lists the CAs that are available.

  • If you use -config - instead of -config CAMachineName\CAName, the operation is processed by using the default CA.

To verify that the server is running (ICertAdmin interface)

Syntax

certutil -pingadmin [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

Parameters
-pingadmin
Pings the Certificate Services ICertAdmin interface.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-?
Displays a list of certutil commands.

Remarks
  • If you omit -config CAMachineName\CAName, the Select Certification Authority dialog box appears and lists the CAs that are available.

  • If you use -config - instead of -config CAMachineName\CAName, the operation is processed by using the default CA.

  • The ICertAdmin interface requires administrative access to the CA, so -pingadmin fails for a user without that access even when the service is running. Run it as a CA administrator to distinguish a permissions problem from a service that is not running.

To generate and display the cryptographic hash over a file

Syntax

certutil -hashfile [-gmt] [-seconds] [-v] InFile

Parameters
-hashfile
Generates and displays cryptographic hash over a file.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

InFile
Specifies the file for which you want to display the hash.

-?
Displays a list of certutil commands.

To dump the CA database schema

Syntax

certutil -schema [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [{Ext | Attrib | CRL}]

Parameters
-schema
Dumps the CA database schema.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-config CAMachineName \ CAName
processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

Ext
Displays the schema for Ext table.

Attrib
Displays the schema for the Attrib (request attribute) table.

CRL
Displays the schema for the certificate revocation list (CRL).

-?
Displays a list of certutil commands.

Remarks
  • If you omit -config CAMachineName\CAName, the Select Certification Authority dialog box appears and lists the CAs that are available.

  • If you use -config - instead of -config CAMachineName\CAName, the operation is processed by using the default CA.

Examples

To view the CA database schema, type:

certutil -schema

To display all key container names that are available to the current user

Syntax

certutil -key [-user] [-gmt] [-seconds] [-silent] [-v] [CSPName] [*]

Parameters
-key
Displays the key container names for the local computer or, with -user, for the current user.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-silent
Uses a silent flag to acquire CryptContext.

-v
Specifies verbose output.

CSPName
Specifies the cryptographic service provider (CSP) for which you want to display the key containers.

*
Displays the key containers for all of the CSPs.

-?
Displays a list of certutil commands.

To provide a PKCS#10 request file to an Entrust CA for cross-certification

Syntax

certutil -split [-gmt] [-seconds] [-v] CMC.req

Parameters
-split
Analyzes each binary (ASN.1-encoded) object in a certificate request file, and then saves each object to a separate blob file.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

CMC.req
Specifies the request file to analyze. The file is in Certificate Management Messages over CMS (CMC) format, that is, a Cryptographic Message Syntax (CMS) message that wraps the PKCS #10 request.

-?
Displays a list of certutil commands.

Remarks
  • For more information about creating a CMC request from the root certificate by using the certreq -policy command, see Certreq in Related Topics. In Certreq, see the "To construct a cross-certification or qualified subordination request from an existing CA certificate or request" task.

  • If possible, when you construct a request from an existing certificate, you should run the certreq -policy command on a computer that has the input certificate's private key installed. If the private key is unavailable (as is usually the case for cross-certifying non-Microsoft CAs), the PKCS #10 file is NULL-signed and the outer CMS is also NULL-signed. A NULL-signed PKCS #10 is unacceptable to most non-Microsoft CAs.

To reassociate a private key with its certificate

Syntax

certutil -repairstore [-csp CSPName [-f]] [-enterprise] [-user] [-gmt] [-seconds] [-split] [-v] {ca | my | root | spc} CertIndex

Parameters
-repairstore
Repairs the key provider information in the specified certificate store so that the certificate is linked to its private key again.

-csp
Uses only the cryptographic service provider (CSP) specified to locate and repair the key.

CSPName
Specifies the name of the CSP to use.

-f
Used with -csp to locate a key when necessary to force searching for the key using the specified CSP.

-enterprise
Uses the local computer Enterprise registry certificate store.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

ca
Specifies certificates in the Intermediate Certification Authorities store.

my
Specifies the Personal store (certificates issued to the local computer or, with -user, to the current user).

root
Specifies certificates in the Trusted Root Certification Authorities store.

spc
Specifies software publisher certificates.

CertIndex
Specifies the Secure Hash Algorithm (SHA-1) certificate hash, serial number, or certificate index identifier.

-?
Displays a list of certutil commands.

Remarks
  • If the certificate is located in the HKEY_LOCAL_MACHINE certificate store, do not use -user.
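A common symptom after a restore or a certificate re-import is a certificate in the computer's Personal store that shows no private key even though the key container is still on the machine. The following PowerShell is an added example, not code from the original page: it finds such certificates and runs certutil -repairstore on each, selecting the certificate by its SHA-1 hash, one of the CertIndex forms listed above. It assumes certutil.exe is on the PATH, an elevated session on the computer that holds the key containers, and the Cert: drive that PowerShell provides. -repairstore succeeds only when some CSP on the machine holds a key container whose public key matches the certificate; a certificate whose key was never on this computer still reports no private key afterwards.

```powershell
# Added example (not from the original page): relink orphaned certificates in a
# Personal store to their private keys with certutil -repairstore.
# Assumptions: certutil.exe on the PATH, an elevated session on the machine that
# holds the key containers, and PowerShell's Cert: drive.

function Repair-OrphanedCerts {
    param([string]$StorePath = 'Cert:\LocalMachine\My',
          [switch]$WhatIf)    # list candidates without changing anything
    $results = @()
    # HKEY_LOCAL_MACHINE stores take no -user switch (see the remark above);
    # CurrentUser stores need it.
    $userFlag = @()
    if ($StorePath -like 'Cert:\CurrentUser\*') { $userFlag = @('-user') }
    $store = Split-Path $StorePath -Leaf    # "My" for the Personal store

    foreach ($cert in Get-ChildItem $StorePath | Where-Object { -not $_.HasPrivateKey }) {
        $entry = New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Repaired   = $false
        }
        if (-not $WhatIf) {
            # CertIndex here is the SHA-1 certificate hash (the thumbprint).
            $null = certutil @userFlag -repairstore $store $cert.Thumbprint 2>&1
            # Re-read the certificate: HasPrivateKey becomes true only once the
            # key provider information has actually been relinked.
            $entry.Repaired = ($LASTEXITCODE -eq 0) -and
                (Get-Item "$StorePath\$($cert.Thumbprint)").HasPrivateKey
        }
        $results += $entry
    }
    $results
}

# Dry run first; drop -WhatIf to repair.
Repair-OrphanedCerts -WhatIf | Format-Table Thumbprint, Subject, Repaired -AutoSize
```

Certificates that remain unrepaired after the run either never had a key on this machine or have it in a CSP that the default search does not cover; for the latter, rerun certutil -repairstore with -csp CSPName.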

To verify that the URLs in the AIA and CDP extensions are valid and correct

Syntax

certutil -url [-f] [-gmt] [-seconds] [-split] [-v] CertFile.crt

Parameters
-url
Verifies certificate or certificate revocation list (CRL) URLs.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

CertFile.crt
Specifies the certificate file.

-?
Displays a list of certutil commands.

Remarks
  • To make sure that the URLs are valid and point to the appropriate CRLs or issuing CA certificates, you can use this command to check the Authority Information Access (AIA) and CRL Distribution Points (CDPs) extensions, and then dereference the URLs inside these extensions.

To check a certificate on a smart card

Syntax

certutil -scinfo [-gmt] [-seconds] [-silent] [-split] [-v] [ReaderName]

Parameters
-scinfo
Displays smart card information.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-silent
Uses a silent flag to acquire CryptContext.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

ReaderName
Specifies the name of the smart card reader.

-?
Displays a list of certutil commands.

To view templates that are installed locally

Syntax

certutil -template [-user] [-ut] [-mt] [-gmt] [-seconds] [-v] TemplateName

Parameters
-template
Displays the specified template.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-ut
Displays the user templates.

-mt
Displays the computer templates.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

TemplateName
Specifies the name of the template that you want to view.

-?
Displays a list of certutil commands.

To determine what CSP is used for a key pair

Syntax

certutil PFXfile.pfx

Parameters
PFXfile.pfx
Specifies a file with a .pfx extension.

-?
Displays a list of certutil commands.

Remarks
  • After you import the .pfx file, you can display the HKEY_CURRENT_USER "My" store by using the following syntax:

    certutil -user -store my [CertIndex]

    This command displays the cryptographic service provider (CSP) of each certificate's key as Provider=xxx.

  • In place of CertIndex, you can specify the zero-based decimal index of the certificate in the store, the common name, the SHA-1 certificate hash, or the SHA-1 hash of the public key.

Formatting legend

Format: Meaning
Italic: Information that the user must supply
Bold: Elements that the user must type exactly as shown
Ellipsis (...): Parameter that can be repeated several times in a command line
Between brackets ([]): Optional items
Between braces ({}); choices separated by pipe (|), for example {even|odd}: Set of choices from which the user must choose only one
Courier font: Code or program output

© 2014 Microsoft