
Certutil tasks for managing CRLs

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


You can use certutil to view, produce, and configure the certificate revocation list (CRL) information for a certification authority.

The syntax for each task is given below:

To retrieve a CRL

Syntax

certutil -getcrl [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] OutFile [Index] [delta]

Parameters
-getcrl
Retrieves the certificate revocation list (CRL).

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

OutFile
Specifies the file to which you want to send the output.

Index
Specifies the index identifier number.

delta
Retrieves a delta CRL.

-?
Displays a list of certutil commands.

Remarks
  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. If you do not have the appropriate authority, use -cainfo to retrieve CRLs.

  • You must specify the CA in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.

Examples

To retrieve the most recently published base CRL and save it as MyMostRecentCRL.crl, type:

certutil -getcrl MyMostRecentCRL.crl

To retrieve the third CRL and save it as MyThirdCRL.crl, type:

certutil -getcrl MyThirdCRL.crl 3

To retrieve the most recently published delta CRL and save it as MyMostRecentDelta.crl, type:

certutil -getcrl MyMostRecentDelta.crl delta

To retrieve the fifth delta CRL and save it as MyFifthDelta.crl, type:

certutil -getcrl MyFifthDelta.crl 5 delta

To publish the current CRL

Syntax

certutil -crl [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [DD:HH] [delta]

Parameters
-crl
Publishes a new certificate revocation list (CRL).

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

DD:HH
Specifies the length of the CRL life in days and hours.

delta
Publishes a delta CRL only.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CA in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.

  • The CRL is written to the file specified by OutFileResult, or, if you use a minus sign (-), it is written to the default Web location.

  • The expiration date is set to be one day and one hour from the time of publication to facilitate a daily publishing schedule.
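The -getcrl examples above write a CRL to a file, and -crl decides (through DD:HH) how long that CRL is valid, but neither step tells you whether the file you now hold is one a relying party will accept. The following script is an added example and is not part of the original certutil reference: a minimal DER parser for the CertificateList in a -getcrl OutFile that reads thisUpdate, nextUpdate, the CRL Number and the Delta CRL Indicator, reports the lifetime as the DD:HH pair -crl takes, and refuses a CRL that has expired or a delta CRL whose base CRL is missing or numbered lower than the delta requires. The sample CRLs it builds are constructed in code from an assumed issuer CN=Example CA with an all-zero dummy signature so that it runs offline; signature verification is deliberately out of scope, and the file name crlcheck.py is an assumption.

```python
# Added example: offline checks on a DER CRL such as the OutFile written by certutil -getcrl.
import sys
from datetime import datetime, timedelta, timezone
UTC = timezone.utc
OID_CRL_NUMBER = bytes.fromhex("551d14")           # 2.5.29.20, RFC 5280 CRL Number
OID_DELTA_CRL_INDICATOR = bytes.fromhex("551d1b")  # 2.5.29.27, Delta CRL Indicator (minimum base CRL number)

def der(tag, body):                  # one TLV, definite-length DER (enough to build the sample and walk a real CRL)
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body
def der_int(n):                      # non-negative INTEGER, leading 0x00 when the high bit is set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def der_utc(dt):                     # UTCTime, the form CAs use for dates before 2050
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
def der_read(buf, pos=0):            # -> (tag, value, position after this TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(value):             # contents of a constructed TLV as (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        out.append((tag, inner))
    return out
def decode_time(tag, body):          # 0x17 UTCTime or 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=UTC)

def parse_crl(der_bytes):            # RFC 5280 5.1 CertificateList; the signature is NOT verified here
    tbs = iter(der_children(der_children(der_read(der_bytes)[1])[0][1]))  # tbsCertList fields
    tag, val = next(tbs)
    version = 1
    if tag == 0x02:                  # optional version; encoded value 1 means v2
        version = val[0] + 1
        tag, val = next(tbs)         # signature AlgorithmIdentifier
    next(tbs)                        # issuer Name, skipped
    tag, val = next(tbs)             # thisUpdate
    info = {"version": version, "this_update": decode_time(tag, val), "next_update": None,
            "revoked_serials": [], "crl_number": None, "base_crl_number": None}
    for tag, val in tbs:
        if tag in (0x17, 0x18):      # nextUpdate
            info["next_update"] = decode_time(tag, val)
        elif tag == 0x30:            # revokedCertificates: SEQUENCE OF { serial, date, [entry exts] }
            info["revoked_serials"] += [int.from_bytes(der_children(e)[0][1], "big") for _, e in der_children(val)]
        elif tag == 0xA0:            # [0] EXPLICIT crlExtensions
            for _, ext in der_children(der_children(val)[0][1]):
                parts = der_children(ext)                         # OID, [critical BOOLEAN], OCTET STRING
                ext_id, inner = parts[0][1], der_read(parts[-1][1])[1]
                if ext_id == OID_CRL_NUMBER:
                    info["crl_number"] = int.from_bytes(inner, "big")
                elif ext_id == OID_DELTA_CRL_INDICATOR:
                    info["base_crl_number"] = int.from_bytes(inner, "big")
    return info
def lifetime_dd_hh(info):            # lifetime as the DD:HH pair that certutil -crl DD:HH takes
    life = info["next_update"] - info["this_update"]
    return life.days, life.seconds // 3600
def check_crl(info, now, base=None):  # reasons not to rely on this CRL as-is; [] means usable
    problems = []
    if info["next_update"] is None:
        problems.append("no nextUpdate: cannot tell when the CRL goes stale")
    elif now > info["next_update"]:
        problems.append("expired: nextUpdate %s has passed" % info["next_update"].isoformat())
    need = info["base_crl_number"]
    if need is not None:             # delta CRL: only meaningful on top of a base CRL numbered >= need
        if base is None:
            problems.append("delta CRL: needs a base CRL numbered >= %d, none supplied" % need)
        elif base["base_crl_number"] is not None or (base["crl_number"] or 0) < need:
            problems.append("supplied CRL %s is not a base CRL numbered >= %d" % (base["crl_number"], need))
    return problems
def build_sample_crl(this_update, lifetime, crl_number, revoked, base_crl_number=None):
    # Constructed sample: v2 CRL from the assumed issuer CN=Example CA with an all-zero dummy signature.
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"Example CA"))))
    entries = b"".join(der(0x30, der_int(s) + der_utc(this_update)) for s in revoked)
    exts = der(0x30, der(0x06, OID_CRL_NUMBER) + der(0x04, der_int(crl_number)))
    if base_crl_number is not None:  # the Delta CRL Indicator is always marked critical
        exts += der(0x30, der(0x06, OID_DELTA_CRL_INDICATOR) + der(0x01, b"\xff") + der(0x04, der_int(base_crl_number)))
    tbs = der(0x30, der_int(1) + alg + issuer + der_utc(this_update) + der_utc(this_update + lifetime)
              + (der(0x30, entries) if revoked else b"") + der(0xA0, der(0x30, exts)))
    return der(0x30, tbs + alg + der(0x03, bytes(33)))  # BIT STRING: 0 unused bits + 32 zero bytes
def run_demo():                      # base CRL #7 (1 day 1 hour), delta #8 on top of it, at an assumed 'now'
    t0 = datetime(2005, 1, 21, 12, 0, tzinfo=UTC)
    base = parse_crl(build_sample_crl(t0, timedelta(days=1, hours=1), 7, [0x1001, 0x1002]))
    delta = parse_crl(build_sample_crl(t0 + timedelta(hours=12), timedelta(hours=6), 8, [0x1003], 7))
    stale = parse_crl(build_sample_crl(t0 - timedelta(days=1), timedelta(days=1, hours=1), 6, []))
    now = t0 + timedelta(hours=13)
    return {"base": base, "delta": delta, "base_lifetime": lifetime_dd_hh(base),
            "base_now": check_crl(base, now), "base_later": check_crl(base, t0 + timedelta(days=2)),
            "delta_alone": check_crl(delta, now), "delta_with_base": check_crl(delta, now, base),
            "delta_with_stale_base": check_crl(delta, now, stale)}
if __name__ == "__main__" and len(sys.argv) > 1:   # e.g. python crlcheck.py MyMostRecentCRL.crl
    with open(sys.argv[1], "rb") as f:
        info = parse_crl(f.read())
    print(info, lifetime_dd_hh(info) if info["next_update"] else None, check_crl(info, datetime.now(UTC)) or "usable now")
```

Run it as python crlcheck.py MyMostRecentCRL.crl against a file retrieved with -getcrl; run_demo() exercises the constructed base and delta pair without any CA. A delta CRL is only the set of changes since a base CRL, so check_crl treats a delta on its own, or a delta paired with a CRL numbered below its Delta CRL Indicator, as unusable. The other failure it catches, nextUpdate in the past, is what happens operationally when the DD:HH lifetime given to -crl is shorter than the interval at which the CRL is actually republished and copied to its distribution points.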

To publish a certificate or CRL to Active Directory

Syntax

certutil -dsPublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] [{CertFile | CRL}] [{ntauthca | rootca | subca | crossca | kra | user | machine}]

Parameters
-dsPublish
Publishes a new certificate or certificate revocation list (CRL) to the CA object in Active Directory.

-f
Overwrites existing files or keys.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-dc DCName
Targets a specific domain controller.

CertFile
Specifies the certificate that you want to use.

CRL
Specifies the certificate revocation list that you want to use.

ntauthca
Specifies that the certificate is to be published to the NTAuth store.

rootca
Specifies that the certificate is to be published to the root CA store.

subca
Specifies that the certificate is to be published to the subordinate CA store.

crossca
Specifies that the certificate is to be published to the cross-certified CA store.

kra
Specifies that the certificate is to be published to the key recovery agent store.

user
Specifies that the certificate is to be published to the user store.

machine
Specifies that the certificate is to be published to the computer store.

-?
Displays a list of certutil commands.

Remarks
  • If a CA issues certificates for smart card logon, you must publish that CA's certificate to the NTAuth store (CertFile with the ntauthca option).

To add certificates to the NTAuth store

Syntax

certutil -dspublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] NewCert ntauthca

Parameters
-dspublish
Publishes a new certificate or certificate revocation list (CRL) to the CA object in Active Directory.

-f
Overwrites existing files or keys.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-dc DCName
Targets a specific domain controller.

NewCert
Specifies the certificate that you want to publish.

ntauthca
Specifies that the certificate is to be published to the NTAuth store.

-?
Displays a list of certutil commands.

Remarks
  • You must be a member of the Enterprise Admins group to use this command.

Formatting legend

Format                                   Meaning
Italic                                   Information that the user must supply
Bold                                     Elements that the user must type exactly as shown
Ellipsis (...)                           Parameter that can be repeated several times in a command line
Between brackets ([])                    Optional items
Between braces ({}); choices separated   Set of choices from which the user must choose only one
by pipe (|). Example: {even|odd}
Courier font                             Code or program output
