Certutil tasks for configuring a Certification Authority (CA)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use certutil to perform a number of CA configuration tasks.

To view the syntax for a specific task, click a task:

  • To display CA property type information

  • To display the configuration string for a CA

  • To create or delete the standard set of virtual roots and file shares for the Certificate Services Web server

  • To display CA information

  • To determine whether a CA has been renewed

  • To change the length of the validity period for certificates issued from a CA

  • To force a CA to include expired certificates in future base and delta CRLs

  • To configure a CA to issue certificates beyond the default two year limit

  • To increase the session limit on the CA database

  • To disable or restore the enforcement of the distinguished name length on the CA

To display CA property type information

Syntax

certutil -capropinfo [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

Parameters
  • -capropinfo
    Displays CA property type information.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -?
    Displays a list of certutil commands.
Remarks
  • Specify the CA as -config CAMachineName\CAName. If you omit -config, the Select Certification Authority dialog box appears and lists all available CAs, so the command blocks until a CA is picked and is not usable from a script.

  • If you use -config - instead of -config CAMachineName\CAName, the operation runs against the default CA.

To display the configuration string for a CA

Syntax

certutil -getconfig [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

Parameters
  • -getconfig
    Retrieves the default configuration string.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -?
    Displays a list of certutil commands.
Remarks
  • Specify the CA as -config CAMachineName\CAName. If you omit -config, the Select Certification Authority dialog box appears and lists all available CAs, so the command blocks until a CA is picked and is not usable from a script.

  • If you use -config - instead of -config CAMachineName\CAName, the operation runs against the default CA.

To create or delete the standard set of virtual roots and file shares for the Certificate Services Web server

Syntax

certutil -vroot [-gmt] [-seconds] [-v] [delete]

Parameters
  • -vroot
    Creates the virtual roots for the Certificate Services Web server.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • delete
    Deletes the virtual roots for the Certificate Services Web server.
  • -?
    Displays a list of certutil commands.
Remarks
  • If Active Server Pages (ASP) are not enabled in IIS, this command enables them.

  • If you installed the CA Web enrollment pages before installing IIS, the required virtual roots are not created. To create the virtual roots after installing IIS, at a command prompt, type:

    certutil -vroot

    This command does not install the Web enrollment pages. It creates the IIS virtual roots that point to the Web enrollment pages, the CA certificate, the certificate revocation lists (CRLs), and the enrollment controls (xenroll.dll and scrdenrl.dll).

To display CA information

Syntax

certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [InfoName]

Parameters
  • -cainfo
    Displays CA information.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • InfoName
    Specifies the CA information to display. Use one of the values in the following table. Where a value takes an optional Index, it is the zero-based CA certificate index: 0 is the certificate the CA was installed with, and each renewal adds the next index.

    Value                      Description
    file                       Displays the file version.
    product                    Displays the product version.
    exitcount                  Displays the number of exit modules.
    exit [Index]               Displays the description of the exit module at Index.
    policy                     Displays the policy module description.
    name                       Displays the CA name.
    sanitizedname              Displays the sanitized CA name.
    sharedfolder               Displays the shared folder.
    error1 ErrorCode           Displays the message for ErrorCode in the local language.
    error2 ErrorCode           Displays the message and the error code for ErrorCode in the local language.
    type                       Displays the CA type.
    info                       Displays the CA info.
    parent                     Displays the parent CA.
    certcount                  Displays the number of CA certificates.
    xchgcount                  Displays the number of CA exchange certificates.
    kracount                   Displays the number of key recovery agent (KRA) certificates.
    kraused                    Displays the number of KRA certificates that are in use.
    propidmax                  Displays the maximum CA property ID (PropID).
    certstate [Index]          Displays the CA certificate state.
    certstatuscode [Index]     Displays the CA certificate verification status.
    crlstate [Index]           Displays the CRL state.
    krastate [Index]           Displays the KRA certificate state.
    crossstate+ [Index]        Displays the forward cross-certificate state.
    crossstate- [Index]        Displays the backward cross-certificate state.
    cert [Index]               Displays a CA certificate.
    certchain [Index]          Displays a CA certificate chain.
    certcrlchain [Index]       Displays a CA certificate chain with CRLs.
    xchg [Index]               Displays a CA exchange certificate.
    xchgchain [Index]          Displays a CA exchange certificate chain.
    xchgcrlchain [Index]       Displays a CA exchange certificate chain with CRLs.
    kra [Index]                Displays a KRA certificate.
    cross+ [Index]             Displays a forward cross-certificate.
    cross- [Index]             Displays a backward cross-certificate.
    crl [Index]                Displays a base CRL.
    deltacrl [Index]           Displays a delta CRL.
    crlstatus [Index]          Displays the base CRL publish status.
    deltacrlstatus [Index]     Displays the delta CRL publish status.
    dns                        Displays the DNS name.
    role                       Displays the role separation state.
    ads                        Displays whether the CA is running on Advanced Server.
    templates                  Displays the templates.
  • -?
    Displays a list of certutil commands.
Remarks
  • Specify the CA as -config CAMachineName\CAName. If you omit -config, the Select Certification Authority dialog box appears and lists all available CAs, so the command blocks until a CA is picked and is not usable from a script.

  • If you use -config - instead of -config CAMachineName\CAName, the operation runs against the default CA.

Examples

To display CA information, type:

certutil -cainfo

To display a CA certificate state disposition, type:

certutil -cainfo certstate

To display CRL information, type:

certutil -cainfo crlstate

To determine whether a CA has been renewed

Syntax

certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] certstate

Parameters
  • -cainfo
    Displays CA information.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • certstate
    Displays the certificate state disposition (a LONG value) for each CA certificate index.
  • -?
    Displays a list of certutil commands.
Remarks
  • Specify the CA as -config CAMachineName\CAName. If you omit -config, the Select Certification Authority dialog box appears and lists all available CAs, so the command blocks until a CA is picked and is not usable from a script.

  • If you use -config - instead of -config CAMachineName\CAName, the operation runs against the default CA.

  • The output lists one line per CA certificate index, starting at 0. If the highest index is greater than 0, the CA certificate has been renewed at least once.

  • If an older CA certificate has expired and the CA was renewed by reusing the existing key, CRLs are not published for that CA key; if the CA has never been renewed with a new key, this stops CRL generation altogether. Generating and publishing a new CRL does not fix the condition, but the attempt helps confirm it. To force CRL generation and publication, type:

    certutil -crl

  • The fix for this condition is included in Windows 2000 Service Pack 3.

Examples

To display a CA certificate state disposition, type:

certutil -cainfo certstate
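The following PowerShell function is an added example; it is not code from the original page or from certutil itself. It runs certutil -cainfo certstate (or parses captured output handed to it) and applies the remark above, that a CA certificate index greater than 0 means the CA has been renewed. Assumptions, labeled as such in the code: the output format of one "CA cert[N]: code -- text" line per index, the CA_DISP_* meanings of the codes (3 = Valid), and the sample output, which is constructed rather than captured from a real CA. It uses PowerShell 2.0 syntax so it runs on Windows Server 2003.

```powershell
# Added example, not code from the original page or from certutil. Runs "certutil -cainfo
# certstate" (or parses captured output handed to it) and applies the remark above: a CA
# certificate index greater than 0 means the CA has been renewed. Assumed output format:
# one "CA cert[N]: <code> -- <text>" line per index, with the CA_DISP_* codes below
# (3 = Valid). The sample output at the end is constructed. PowerShell 2.0 syntax.

function Get-CACertState {
    param(
        [string]$Config = '-',            # '-' = default CA, or 'CAMachineName\CAName'
        [string[]]$SampleOutput = $null   # captured certutil output, for offline use
    )
    if ($SampleOutput) {
        $lines = $SampleOutput
    } else {
        $lines = & certutil -cainfo -config $Config certstate 2>&1
        if ($LASTEXITCODE -ne 0) { throw "certutil failed: $($lines -join ' ')" }
    }
    $disposition = @{ 0 = 'Incomplete'; 1 = 'Error'; 2 = 'Revoked'; 3 = 'Valid'; 4 = 'Invalid'; 5 = 'UnderSubmission' }
    $certs = @()
    foreach ($line in $lines) {
        if ($line -match '^CA cert\[(\d+)\]:\s+(\d+)\s+--\s+(.+?)\s*$') {
            $code = [int]$matches[2]
            $certs += New-Object PSObject -Property @{
                Index = [int]$matches[1]; Disposition = $code
                Meaning = $disposition[$code]; Text = $matches[3]
            }
        }
    }
    if ($certs.Count -eq 0) { throw 'No "CA cert[N]:" lines found; is this certstate output?' }
    $maxIndex = 0
    foreach ($c in $certs) { if ($c.Index -gt $maxIndex) { $maxIndex = $c.Index } }
    New-Object PSObject -Property @{
        Renewed      = ($maxIndex -gt 0)
        CurrentIndex = $maxIndex
        Certificates = $certs
        # Older CA certificates that are no longer Valid still matter: certificates they signed
        # may be unexpired, so the CA must keep publishing a CRL for each such key.
        OlderNotValid = @($certs | Where-Object { $_.Index -lt $maxIndex -and $_.Disposition -ne 3 })
    }
}

# Constructed sample (not real output from any CA): renewed once, original certificate no longer valid.
$sample = @(
    'CA cert[0]: 1 -- Error',
    'CA cert[1]: 3 -- Valid',
    'CertUtil: -CAInfo command completed successfully.'
)
$state = Get-CACertState -SampleOutput $sample
"Renewed: $($state.Renewed); current CA certificate index: $($state.CurrentIndex)"
$state.Certificates | Format-Table Index, Disposition, Meaning, Text -AutoSize

# Live use against the default CA, or a named one:
# Get-CACertState
# Get-CACertState -Config 'CAMachineName\CAName'
```

Passing -Config explicitly is what keeps the function usable from a scheduled task: without it certutil opens the Select Certification Authority dialog box on a machine with several CAs. The OlderNotValid list is the set of keys to check with certutil -cainfo crlstate, since the CRL-publishing condition described in the remarks applies to exactly those keys.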

To change the length of the validity period for certificates issued from a CA

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\CAName | \ca}]\ValidityPeriod {"days" | "weeks" | "months" | "years"}

certutil -setreg [-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\CAName | \ca}]\ValidityPeriodUnits "UnitValue"

Parameters
  • -setreg
    Sets or edits the registry key value.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • HKLM\system\currentcontrolset\services\certsvc\configuration\
    Specifies the registry key that contains the ValidityPeriod and ValidityPeriodUnits values.
  • CAName
    Specifies the name of the CA.
  • ca
    Specifies the default CA on the local computer.
  • \ValidityPeriod {"days" | "weeks" | "months" | "years"}
    Sets the unit of the validity period. Specify days, weeks, months, or years, in quotation marks.
  • \ValidityPeriodUnits "UnitValue"
    Sets the number of ValidityPeriod units, in quotation marks.
  • -?
    Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Examples

A subordinate CA's certificate can be given a validity period that differs from the parent CA's. On the CA that issues the subordinate CA certificate (the parent), type the following commands to set the validity period of the certificates it issues to three months:

certutil -setreg ca\ValidityPeriod "months"

certutil -setreg ca\ValidityPeriodUnits "3"

Restart Certificate Services afterward (net stop certsvc, then net start certsvc); the CA reads these values when the service starts. The result is an upper bound rather than a fixed lifetime: on an enterprise CA a shorter validity period in the certificate template still applies, and no CA issues a certificate that outlives its own CA certificate.

To force a CA to include expired certificates in future base and delta CRLs

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS

Parameters
  • -setreg
    Sets or edits the registry key value.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • ca
    Specifies the registry key of the active CA.
  • CRLFlags
    Specifies the registry value name.
  • +CRLF_PUBLISH_EXPIRED_CERT_CRLS
    Sets the CRLF_PUBLISH_EXPIRED_CERT_CRLS bit in the existing CRLFlags value. A leading dash (-) instead of the plus sign clears the bit.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.

  • By default, a revoked certificate is dropped from the CRL once it expires. With CRLF_PUBLISH_EXPIRED_CERT_CRLS set, the CA keeps expired revoked certificates in its base and delta CRLs, so a relying party can still check the revocation status of an expired certificate that signed time-stamped data (code signing, for example) while it was valid. Because entries are never aged out, the CRL grows over time.

  • To confirm that the bit is set, type certutil -getreg ca\CRLFlags; the output lists the names of the flags that are set. To clear it, type certutil -setreg ca\CRLFlags -CRLF_PUBLISH_EXPIRED_CERT_CRLS.

  • If a numeric registry value starts with a plus sign (+) or a dash (-), the bits specified in the new value are set or cleared in the existing registry value.

  • If a string registry value starts with a plus sign (+) or a dash (-) and the existing value is a REG_MULTI_SZ value, the string value is either added to or removed from the existing registry value.
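The following PowerShell functions are an added example, not code from the original page or from certutil. They serve the two -setreg tasks above (the validity period, which the next task, issuing beyond the default two-year limit, sets with the same two values, and the CRLFlags bit): each change is written with certutil -setreg, read back with certutil -getreg, and only then made live by restarting Certificate Services. Assumptions, also marked in the code: the -getreg output format ("Name REG_SZ = Value", "Name REG_DWORD = hex (decimal)" with the parenthesized decimal present only when it differs from the hex, and one "CRLF_NAME -- hex" line per flag bit that is set), and the function names, which are this example's own. PowerShell 2.0 syntax.

```powershell
# Added example, not code from the original page or from certutil. Wraps certutil -setreg/-getreg
# so that a CA registry change is written, read back, and only then made live by restarting
# Certificate Services. Assumed -getreg output format: "  Name REG_SZ = Value",
# "  Name REG_DWORD = hex (decimal)" (the "(decimal)" part appears only when hex and decimal
# differ) and one "    CRLF_NAME -- hex" line per flag bit that is set. Function names are this
# example's own. PowerShell 2.0 syntax.

function Get-CARegValue {
    # Reads one value with certutil -getreg, e.g. 'ca\ValidityPeriod'. For a REG_DWORD the
    # result also carries the symbolic flag names certutil prints beneath the value.
    param([Parameter(Mandatory=$true)][string]$Name)
    $out = & certutil -getreg $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg $Name failed: $($out -join ' ')" }
    $type = $null; $value = $null; $flags = @()
    foreach ($line in $out) {
        if ($line -match '^\s+\S+\s+(REG_SZ|REG_DWORD)\s*=\s*(.+?)\s*$') {
            $type = $matches[1]; $raw = $matches[2]
            if ($type -eq 'REG_DWORD') {
                if ($raw -match '^[0-9a-fA-F]+\s*\((\d+)\)') { $value = [int64]$matches[1] }
                else { $value = [Convert]::ToInt64($raw, 16) }   # no "(decimal)": the number is hex
            } else { $value = $raw }
        } elseif ($line -match '^\s+(CRLF_\w+)\s+--') { $flags += $matches[1] }
    }
    if ($type -eq $null) { throw "Could not parse certutil -getreg output for $Name" }
    New-Object PSObject -Property @{ Name = $Name; Type = $type; Value = $value; Flags = $flags }
}

function Invoke-CASetReg {
    # certutil -setreg with an exit-code check; -Restart restarts certsvc so the value takes effect.
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Value,
        [switch]$Restart
    )
    $out = & certutil -setreg $Name $Value 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg $Name $Value failed: $($out -join ' ')" }
    if ($Restart) { Restart-Service -Name certsvc -Force }
}

function Set-CAValidityPeriod {
    # Caps the lifetime of certificates the CA issues, e.g. -Units 3 -Period months. The cap
    # never exceeds the CA certificate's own remaining lifetime, and an enterprise CA still
    # applies a shorter validity period from the certificate template.
    param(
        [Parameter(Mandatory=$true)][ValidateRange(1, 2147483647)][int]$Units,
        [Parameter(Mandatory=$true)][ValidateSet('days','weeks','months','years')][string]$Period
    )
    Invoke-CASetReg 'ca\ValidityPeriod' $Period
    Invoke-CASetReg 'ca\ValidityPeriodUnits' "$Units" -Restart
    $p = Get-CARegValue 'ca\ValidityPeriod'
    $u = Get-CARegValue 'ca\ValidityPeriodUnits'
    if ($p.Value -ne $Period -or $u.Value -ne $Units) {
        throw "Read-back mismatch: CA now has $($u.Value) $($p.Value)"
    }
    "Issued certificate lifetime is now capped at $($u.Value) $($p.Value)"
}

function Set-CAPublishExpiredCertCrls {
    # Sets (or with -Disable clears) CRLF_PUBLISH_EXPIRED_CERT_CRLS and verifies the flag by name,
    # so no bit value has to be hard-coded: certutil resolves the +NAME / -NAME syntax itself.
    param([switch]$Disable)
    $op = '+'; if ($Disable) { $op = '-' }
    Invoke-CASetReg 'ca\CRLFlags' ($op + 'CRLF_PUBLISH_EXPIRED_CERT_CRLS') -Restart
    $flags = (Get-CARegValue 'ca\CRLFlags').Flags
    $set = [bool]($flags -contains 'CRLF_PUBLISH_EXPIRED_CERT_CRLS')
    if ($set -eq [bool]$Disable) { throw "CRLFlags did not change as expected: $($flags -join ', ')" }
    "CRLF_PUBLISH_EXPIRED_CERT_CRLS is now $(if ($set) { 'set' } else { 'clear' }); flags: $($flags -join ', ')"
}

# Usage on the CA (each call restarts Certificate Services, so run it in a maintenance window):
# Set-CAValidityPeriod -Units 3 -Period months   # the three-month example from the page
# Set-CAValidityPeriod -Units 5 -Period years    # beyond the default two-year limit
# Set-CAPublishExpiredCertCrls                   # keep expired revoked certificates on CRLs
# Set-CAPublishExpiredCertCrls -Disable          # back to the default
# Get-CARegValue 'ca\CRLFlags' | Format-List     # inspect without changing anything
```

The read-back after the restart is the check that matters: a -setreg that succeeds but is then overwritten by a second CA in the same forest, or typed against the wrong CA, shows up here rather than weeks later as certificates with the wrong lifetime. Verifying the CRL flag by its symbolic name keeps the script independent of the bit layout of CRLFlags.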

To configure a CA to issue certificates beyond the default two year limit

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] ca\ValidityPeriod "years"

certutil -setreg [-user] [-gmt] [-seconds] [-v] ca\ValidityPeriodUnits "2"

Parameters
  • -setreg
    Sets or edits the registry key value.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • ca\ValidityPeriod "years"
    Sets the unit of the validity period to years.
  • ca\ValidityPeriodUnits "2"
    Sets the number of years. The value 2 shown here is the default limit; specify a larger number to issue certificates that are valid for longer.
  • -?
    Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Remarks
  • You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.

  • The CA never issues a certificate that is valid beyond the expiration of its own CA certificate, and an enterprise CA also applies the validity period of the certificate template when that is shorter. Raising this value has no effect past either of those limits.

To increase the session limit on the CA database

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] dbsessioncount 30

Parameters
  • -setreg
    Sets or edits the registry key value.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • dbsessioncount 30
    Specifies the DBSessionCount registry value and the new session limit (30 in this example).
  • -?
    Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Remarks
  • You must restart the certification authority for this change to take effect; the CA opens its database sessions when the service starts. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.

To disable or restore the enforcement of the distinguished name length on the CA

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] ca\EnforceX500NameLengths {0 | 1}

Parameters
  • -setreg
    Sets or edits the specified registry value.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • ca\EnforceX500NameLengths
    Specifies the EnforceX500NameLengths REG_DWORD value under the CA's configuration key.
  • {0 | 1}
    Specifies whether to disable (0) or restore (1) the default enforcement of X.500 name lengths.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.

  • Use this command when a request is rejected by the CA only because a component of its subject name (the organizational unit, for example) is longer than the X.500 upper bound, and the subject is otherwise acceptable. Disabling enforcement lets the CA issue certificates whose subject components exceed those bounds (64 characters for CN, O and OU, for example), which some relying parties reject. Disable it only for the request that needs it and restore the default (1) afterward.

Examples

To disable X.500 name length enforcement on the server (for example, to accept an overlong organizational unit), type:

certutil -setreg ca\enforceX500namelengths 0

To restore the default EnforceX500NameLengths value and re-enable enforcement, type:

certutil -setreg ca\enforceX500namelengths 1
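The following PowerShell code is an added example, not code from the original page or from certutil. Before enforcement is disabled, it checks whether a rejected request's subject actually exceeds an X.500 upper bound, so that enforcement is not switched off for a rejection that has another cause; it then wraps the disable and restore commands from this task. Assumptions, also marked in the code: the bounds are the RFC 5280 Appendix A ub-* values and are taken here to be what the CA enforces; the DN parsing, the function names and the sample subject are this example's own, and the sample subject is constructed. PowerShell 2.0 syntax.

```powershell
# Added example, not code from the original page or from certutil. Before disabling name-length
# enforcement, it checks whether a rejected request's subject actually exceeds an X.500 upper
# bound, and it wraps the enable/disable commands so the default can be restored afterward.
# Assumptions: the bounds below are the RFC 5280 Appendix A ub-* values, taken here as what the CA
# enforces; the DN parsing and function names are this example's own. PowerShell 2.0 syntax.

$script:X500UpperBounds = @{
    'CN' = 64; 'OU' = 64; 'O' = 64; 'T' = 64; 'SERIALNUMBER' = 64
    'L' = 128; 'S' = 128; 'ST' = 128; 'E' = 255; 'C' = 2
}

function Test-SubjectNameLengths {
    # Returns the RDN components of $Subject that exceed their bound; an empty array means the
    # subject is within limits and the rejection has some other cause.
    param([Parameter(Mandatory=$true)][string]$Subject)
    $violations = @()
    foreach ($rdn in ($Subject -split '(?<!\\),')) {       # split on commas not escaped with "\"
        $pair = $rdn.Trim() -split '=', 2
        if ($pair.Length -ne 2) { continue }
        $type = $pair[0].Trim().ToUpperInvariant()
        $value = $pair[1].Trim()
        $max = $script:X500UpperBounds[$type]
        if ($max -ne $null -and $value.Length -gt $max) {
            $violations += New-Object PSObject -Property @{
                Type = $type; Length = $value.Length; Max = $max; Value = $value
            }
        }
    }
    return ,$violations
}

function Set-CAX500NameLengthEnforcement {
    # 0 disables enforcement, 1 restores the default. Restarts certsvc so the change takes effect.
    param([Parameter(Mandatory=$true)][ValidateSet(0, 1)][int]$Enabled)
    $out = & certutil -setreg 'ca\EnforceX500NameLengths' $Enabled 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed: $($out -join ' ')" }
    Restart-Service -Name certsvc -Force
}

# Constructed sample subject (not from any real request): the OU is 76 characters, over the 64 bound.
$subject = 'CN=web01.example.test, OU=' + ('Engineering Platform Services ' * 2) + 'Team Alpha Bravo, O=Example Corp, C=US'
$bad = Test-SubjectNameLengths -Subject $subject
if ($bad.Count -eq 0) {
    'Subject is within X.500 bounds; do not disable enforcement, look for the real cause of the rejection.'
} else {
    $bad | Format-Table Type, Length, Max -AutoSize
    # On the CA, only around the one request that needs it, then restore the default:
    # Set-CAX500NameLengthEnforcement 0
    # ... submit and issue the request ...
    # Set-CAX500NameLengthEnforcement 1
}
```

Running the length check first turns a guess into evidence: if the subject is within bounds, disabling EnforceX500NameLengths would weaken the CA's input validation for nothing. When it is over the bound, the two commented calls bracket the single request so the default is back in place before the next one arrives.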

Formatting legend

Format                                                  Meaning
Italic                                                  Information that the user must supply
Bold                                                    Elements that the user must type exactly as shown
Ellipsis (...)                                          Parameter that can be repeated several times in a command line
Between brackets ([])                                   Optional items
Between braces ({}); choices separated by pipe (|).     Set of choices from which the user must choose only one
  Example: {even|odd}
Courier font                                            Code or program output

See Also

Concepts

Command-line reference A-Z
Command shell overview