
Certutil tasks for managing a Certification Authority (CA)

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use certutil to perform a number of CA management tasks.

The syntax for each task is described below.

To display the information stored in public key related files

Syntax

certutil -dump [-f] [-gmt] [-seconds] [-split] [-v] [-p Password] [File]

Parameters
-dump
Dumps configuration information or files.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-p Password
Specifies a password.

File
Specifies the file name of the configuration file that you want to display.

-?
Displays a list of certutil commands.

To restrict which rows from the CA schema are displayed when viewing CA database information

Syntax

certutil -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config CAMachineName\CAName] [-restrict RestrictionList] [-out ColumnList] [RequestID]

Parameters
-view
Dumps the certification authority database view.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-silent
Uses a silent flag to acquire CryptContext.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-restrict RestrictionList
Restricts which rows from the schema are displayed. Specifies a comma-separated restriction list.

-out ColumnList
Specifies a comma-separated column list.

RequestID
Specifies the request identifier number.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

Examples

To list the subject e-mail names from all certificates issued from a CA named Myentrootca that is located on Cacomputer1, type:

certutil -config cacomputer1\myentrootca -view -out request.email

To restrict the rows displayed to those with request identifiers greater than 10,000 and then display only the request disposition from a CA named Myentrootca, type:

certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid>10000"

To view only the last row, type:

certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid == $"

To view only the second to last row, type:

certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid == $ - 1"

To view the subject e-mail names for all requests made to a CA, type:

certutil -view -out email

To display the numeric request identifiers of certificates based on the User template, type:

certutil -view -restrict "Certificate Template=User" -out requestid

To display the numeric request identifiers of certificates based on the template object identifier, 1.2.3.4.5.5.6.6.6.6.5.6, type:

certutil -view -restrict "Certificate Template=1.2.3.4.5.5.6.6.6.6.5.6" -out requestid

To display all serial numbers and request identifier numbers for unrevoked certificates issued by the CA, type:

certutil -view -restrict "disposition==20" -out "serialnumber,requestid"

To view the e-mail addresses of the users whose requests for a template named MyTemplate were issued, together with the date each certificate became valid, type:

certutil -config cacomputer1\myentrootca -view -out "email,notbefore" -restrict "CertificateTemplate == MyTemplate, Disposition == 20"
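As an added example that is not part of the Microsoft reference, the following Python parses output in the shape certutil -view prints (a "Row N:" header followed by indented "Name: value" lines) and applies the same filters as the -restrict examples above, so an administrator can audit issuance offline from saved output. The sample output, the localized column names and the EMPTY marker for blank columns are constructed assumptions for this example.

```python
"""Parse saved certutil -view output and reproduce the -restrict filters (added example)."""
import re

# Constructed sample in the shape certutil -view prints. Numeric columns are shown as
# 0xHEX (DECIMAL); the disposition carries a trailing "-- Text" annotation; blank
# columns are assumed to print as EMPTY. Column names are assumptions.
SAMPLE_VIEW_OUTPUT = """\
Row 1:
  Request ID: 0x2 (2)
  Request Disposition: 0x14 (20) -- Issued
  Certificate Template: User
  Request Email Address: alice@example.test
Row 2:
  Request ID: 0x3 (3)
  Request Disposition: 0x1f (31) -- Denied
  Certificate Template: User
  Request Email Address: mallory@example.test
Row 3:
  Request ID: 0x4 (4)
  Request Disposition: 0x14 (20) -- Issued
  Certificate Template: 1.3.6.1.4.1.311.21.8.1557419691.1089984386.1082389667.3771302274.3689527714.2342735268
  Request Email Address: EMPTY
Row 4:
  Request ID: 0x5 (5)
  Request Disposition: 0x15 (21) -- Revoked
  Certificate Template: User
  Request Email Address: bob@example.test
"""

ROW_RE = re.compile(r"^Row (\d+):$")
FIELD_RE = re.compile(r"^\s+([^:]+): (.*)$")
NUMERIC_RE = re.compile(r"^0x[0-9a-fA-F]+ \((-?\d+)\)(?: -- (.*))?$")

DISPOSITION_ISSUED = 20   # the value the page's "disposition==20" restriction selects


def parse_view(text):
    """Return one dict per row; numeric columns become ints, EMPTY becomes None."""
    rows, current = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            current = {"Row": int(m.group(1))}
            rows.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            name, raw = m.group(1).strip(), m.group(2).strip()
            n = NUMERIC_RE.match(raw)
            if n:
                current[name] = int(n.group(1))
                if n.group(2):                       # keep the "-- Issued" style text
                    current[name + " Text"] = n.group(2)
            elif raw == "EMPTY":
                current[name] = None
            else:
                current[name] = raw
    return rows


def issued_emails(rows, template):
    """Same selection as -restrict "CertificateTemplate == X, Disposition == 20" -out email."""
    return [r.get("Request Email Address") for r in rows
            if r.get("Certificate Template") == template
            and r.get("Request Disposition") == DISPOSITION_ISSUED]


def requestid_greater_than(rows, threshold):
    """Same selection as -restrict "requestid>N"."""
    return [r for r in rows if r["Request ID"] > threshold]


def last_request_id(rows):
    """Same selection as -restrict "requestid == $" (the last row)."""
    return max(r["Request ID"] for r in rows)
```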

To display CA information

Syntax

certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [InfoName [{Index | ErrorCode}]]

Parameters
-cainfo
Displays CA information.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

InfoName
Specifies which information you want to display about the CA, from one of the values in the following table.

Value                     Description
file                      Displays information about the file version.
product                   Displays the product version.
exitcount                 Displays the exit module count.
exit [Index]              Displays the exit module description.
policy                    Displays the policy module description.
name                      Displays the CA name.
sanitizedname             Displays the sanitized CA name.
sharedfolder              Displays the shared folder.
error1 ErrorCode          Displays the localized error code message.
error2 ErrorCode          Displays the localized error code message and the error code.
type                      Displays the CA type.
info                      Displays the CA information.
parent                    Displays the parent CA.
certcount                 Displays the CA certificate count.
xchgcount                 Displays the CA exchange certificate count.
kracount                  Displays the KRA certificate count.
kraused                   Displays the KRA certificate used count.
propidmax                 Displays the maximum CA PropID.
certstate [Index]         Displays the CA certificate status.
certstatuscode [Index]    Displays the CA certificate verify status.
crlstate [Index]          Displays a CRL.
krastate [Index]          Displays a KRA certificate.
crossstate+ [Index]       Displays the forward cross-certification state.
crossstate- [Index]       Displays the backward cross-certification state.
cert [Index]              Displays a CA certificate.
certchain [Index]         Displays a CA certificate chain.
certcrlchain [Index]      Displays a CA certificate chain with CRLs.
xchg [Index]              Displays a CA exchange certificate.
xchgchain [Index]         Displays a CA exchange certificate chain.
xchgcrlchain [Index]      Displays a CA exchange certificate chain with CRLs.
kra [Index]               Displays a KRA certificate.
cross+ [Index]            Displays a forward cross-certificate.
cross- [Index]            Displays a backward cross-certificate.
crl [Index]               Displays a base CRL.
deltacrl [Index]          Displays a delta CRL.
crlstatus [Index]         Displays the CRL publish status.
deltacrlstatus [Index]    Displays the delta CRL publish status.
dns                       Displays the DNS name.
role                      Displays role separation.
ads                       Displays Advanced Server.
templates                 Displays the templates.

Index
Identifies a unique element from the InfoName table.

ErrorCode
Specifies the error code retrieved from the error message.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To determine if a CA has not been renewed

Syntax

certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [certstate]

Parameters
-cainfo
Displays CA information.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

certstate
Returns a LONG containing a certificate state disposition.

-?
Displays a list of certutil commands.

To retrieve a template list from a CA

Syntax

certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] templates

Parameters
-cainfo
Displays CA information.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

templates
Specifies the templates InfoName argument.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To view a list of templates supported by the local CA

Syntax

certutil -catemplates [-user] [-ut] [-mt] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-dc DCName] [Template]

Parameters
-catemplates
Displays CA templates.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-ut
Displays the user templates.

-mt
Displays the computer templates.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-dc DCName
Targets a specific domain controller.

Template
Specifies the template.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To display a list of tagged database files and database directories

Syntax

certutil -databaselocations [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

Parameters
-databaselocations
Displays database locations.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • The hexadecimal buffer offset and hexadecimal type tag are displayed on each line.

  • For information about type tag definitions, see Cryptography Functions.

To deny a certificate request

Syntax

certutil -deny [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] RequestID

Parameters
-deny
Denies the pending certificate request.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

RequestID
Specifies the request identifier number.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • RequestID must be in decimal format or hexadecimal format with a leading 0x.

To publish a certificate or CRL to Active Directory

Syntax

certutil -dsPublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] CertFile {ntauthca | rootca | subca | crossca | kra | user | machine}

certutil -dsPublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] CRLFile [DSCDPContainer [DSCDPCN]]

Parameters
-dsPublish
Publishes a new certificate or CRL to the CA object in Active Directory.

-f
Overwrites existing files or keys.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-dc DCName
Targets a specific domain controller.

CertFile
Specifies the certificate.

ntauthca
Specifies that the certificate will be published to the NTAuth store.

rootca
Specifies that the certificate will be published to the root CA store.

subca
Specifies that the certificate will be published to the subordinate CA store.

crossca
Specifies that the certificate will be published to the cross-certified CA store.

kra
Specifies that the certificate will be published to the key recovery agent store.

user
Specifies that the certificate will be published to the user store.

machine
Specifies that the certificate will be published to the computer store.

CRLFile
Specifies the certificate revocation list.

DSCDPContainer
Specifies the common name (CN) of the Active Directory certificate revocation list distribution point (CDP) container, which is usually the CA computer name.

DSCDPCN
Specifies the common name (CN) of the Active Directory certificate revocation list distribution point (CDP) object, which is usually based on the sanitized CA short name and the key index.

-?
Displays a list of certutil commands.

Remarks
  • You must be logged on as a computer administrator to complete this procedure.

  • Publishing the certificate of a CA to NTAuth is necessary if that CA issues certificates for smart card logon.

To add certificates to the NTAuth store

Syntax

certutil -dspublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] NewCert ntauthca

Parameters
-dspublish
Publishes a new certificate or CRL to the CA object in Active Directory.

-f
Overwrites existing files or keys.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-dc DCName
Targets a specific domain controller.

NewCert
Specifies the certificate to be published.

ntauthca
Specifies that the certificate will be published to the NTAuth store.

-?
Displays a list of certutil commands.

Remarks
  • You must have Enterprise Administrator access to use this command.

To subordinate a Microsoft CA under a non-Microsoft CA

Syntax

certutil -dspublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] non-MicrosoftCert rootca

Parameters
-dspublish
Publishes a new certificate to the CA object in Active Directory.

-f
Overwrites existing files or keys.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-dc DCName
Targets a specific domain controller.

non-MicrosoftCert
Specifies a non-Microsoft certificate name.

rootca
Specifies that the certificate is to be published to the root CA store.

-?
Displays a list of certutil commands.

Remarks
  • You must be logged on as a computer administrator to complete this procedure.

To publish a cross-certificate to the Active Directory cross-certification store

Syntax

certutil -dspublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] CrossCert crossca

Parameters
-dspublish
Publishes a new certificate to the CA object in Active Directory.

-f
Overwrites existing files or keys.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-dc DCName
Targets a specific domain controller.

CrossCert
Specifies the cross-certificate file that you want to publish.

crossca
Specifies that the cross-certificate is to be published to the Active Directory CA object.

-?
Displays a list of certutil commands.

Remarks
  • You must be logged on as a computer administrator to complete this procedure.

To display a list of dynamic files that must be backed up separately

Syntax

certutil -dynamicfilelist [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

Parameters
-dynamicfilelist
Displays dynamic file list.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • Includes the local copy of the certificate revocation list (CRL) on the server.

  • The hexadecimal buffer offset is displayed on each line.

To delete unwanted requests from the CA database

Syntax

certutil -deleterow [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] {RowID | Date} [{request | cert | ext | attrib | crl}]

Parameters
-deleterow
Deletes a row in the CA database.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

RowID
Specifies the request identifier of the row that you want to delete.

Date
Specifies a date restriction on which to query.

request
Specifies the request table.

cert
Specifies the certificate table.

ext
Specifies the certificate extensions table.

attrib
Specifies the attribute table.

crl
Specifies the certificate revocation list (CRL) table.

-?
Displays a list of certutil commands.

Remarks
  • When deleting more than one row with this command, you must be both a CA Administrator and a Certificate Manager to complete the task. The CA must not be configured to enforce role separation in this case. For more information about role-based administration, see Related Topics.

  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • Using Date

    You can use the mm/dd/yyyy hh:mm date format, where hh:mm is a 12-hour clock time that must be followed by either AM or PM.

    If you specify Date without a time of day, Certutil.exe deletes all of the requests issued before the specified date, but it does not delete the requests issued on the specified date.

    If you delete rows by Date, Certutil.exe does not delete the CA certificate or the CA certificate chain rows. To delete the CA certificate and the CA certificate chain rows, you must delete rows by RowID.

    If Date occurs in the future, Certutil.exe fails and displays an invalid parameter error. Use -f to override the invalid parameter error.

  • You can use this command to delete the request rows left behind by "denial of service" errors.

Examples

To delete failed and pending requests last modified by January 22, 2001, type:

certutil -deleterow 1/22/2001 request

To delete all certificates that expired by January 22, 2001, type:

certutil -deleterow 1/22/2001 cert

To delete the certificate row, attributes and extensions for RequestID 37, type:

certutil -deleterow 37

To delete CRLs that expired by January 22, 2001, type:

certutil -deleterow 1/22/2001 crl

To add a display name that appears in the local language to a certificate template

Syntax

certutil -oid [-f] [-gmt] [-seconds] [-v] "TemplateOID" LocalizedFriendlyName [LanguageID]

Parameters
-oid
Defines a display name in a certificate template.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

"TemplateOID"
Specifies the object identifier of the certificate template, surrounded by quotation marks.

LocalizedFriendlyName
Specifies the display name that you want to add to the certificate template.

LanguageID
Sets the local language identifier for the specified object. LocalizedFriendlyName appears in the specified language.

-?
Displays a list of certutil commands.

Remarks
  • For the changes to take effect, you must restart the computer.

  • If you do not specify LanguageID, Certutil.exe uses the current system default, which is 1033.

  • LanguageID is the decimal representation of a hexadecimal locale identifier (LCID) value. For more information about LCID values, see Appendix F, Locale-Specific Code Page Information, at the Microsoft Web site.

Examples

To create a Chinese Traditional display name for the existing V2 template "Client logon", where "1.3.6.1.4.1.311.21.8.1557419691.1089984386.1082389667.3771302274.3689527714.2342735268" is the object identifier of the template (TemplateOID) and CHT is the display name translated to Chinese (LocalizedFriendlyName), type:

certutil -oid "1.3.6.1.4.1.311.21.8.1557419691.1089984386.1082389667.3771302274.3689527714.2342735268" "CHT" 1028

Note

  • 1028 is the decimal representation of the hexadecimal value 0x0404, the LCID of Chinese Traditional language.

The output of the command looks like this:

certutil -oid "1.3.6.1.4.1.311.21.8.1557419691.1089984386.1082389667.3771302274.3689527714.2342735268" CHT 1028
1.3.6.1.4.1.311.21.8.1557419691.1089984386.1082389667.3771302274.3689527714.2342735268 -- Client Logon
No display names
Localized name added to the Active Directory store.
0: 1028,CHT
CertUtil: -oid command completed successfully.

To revoke the certificate by serial number

Syntax

certutil -revoke [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] SerialNumber [Reason]

Parameters
-revoke
Revokes the certificate.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

SerialNumber
Specifies the serial number of the certificate that you want to revoke.

Reason
Specifies one of the following reason codes:

Reason code value   Definition
0                   Unspecified
1                   Key compromise
2                   CA compromise
3                   Affiliation change
4                   Superseded
5                   Cessation of operation
6                   Hold revocation
8                   Remove from CRL
-1                  Unrevoke

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • SerialNumber must be in hexadecimal format with an even number of digits. A single zero (0) can be prefaced to a value with an odd number of digits. No leading 0x is allowed.

  • The reason code value 6 is the only value that can be unrevoked.

  • Reason code 0 does not provide information about revocation reasons.

To set attributes on pending certificate requests

Syntax

certutil -setattributes [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] RequestID AttributeString

Parameters
-setattributes
Sets the attributes for the pending request.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

RequestID
Specifies the request identifier number of the pending request.

AttributeString
Specifies the request attribute string to be set on that request.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • RequestID must be in decimal format (or hexadecimal format with a leading 0x). The specified request must be in the pending state.

  • Use \n to separate multiple values in a string.

  • AttributeString contains attribute name and value pairs. Separate each name from its value with a colon, and separate pairs by placing each one on a new line. For example:

    "CertificateTemplate:User\nEmail:User@domain.com"

    Each "\n" sequence is converted to a new-line character.
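The following Python helper, added here and not part of certutil or the Microsoft reference, applies the input rules stated in the -revoke, -deny, -setattributes and -deleterow sections (SerialNumber format, RequestID format, the reason code table, the Name:Value\n attribute encoding, and the rejection of a future Date without -f) to build argument lists that can be handed to subprocess, so malformed input is caught before it reaches the CA. The function names and the constructed configuration string are assumptions.

```python
"""Validate inputs and build certutil command lines (added example, not Microsoft's code).

Rules implemented, as stated in the certutil reference:
  -revoke:        SerialNumber is hex, even digit count (prefix one 0), no leading 0x;
                  Reason is a code from the reason table.
  -deny/-setattributes: RequestID is decimal or hexadecimal with a leading 0x.
  -setattributes: AttributeString is Name:Value pairs joined by a literal backslash-n.
  -deleterow:     a Date in the future is rejected unless -f is given.
"""
import re
from datetime import date

# Reason codes from the -revoke reason table on this page.
REVOKE_REASONS = {
    "unspecified": 0, "key compromise": 1, "ca compromise": 2,
    "affiliation change": 3, "superseded": 4, "cessation of operation": 5,
    "hold revocation": 6, "remove from crl": 8, "unrevoke": -1,
}


def normalize_serial(serial: str) -> str:
    """Return SerialNumber in the form -revoke accepts, or raise ValueError."""
    s = serial.strip()
    if s.lower().startswith("0x"):
        raise ValueError("SerialNumber must not have a leading 0x")
    if not re.fullmatch(r"[0-9A-Fa-f]+", s):
        raise ValueError("SerialNumber must be hexadecimal")
    if len(s) % 2 == 1:          # odd digit count: preface a single zero
        s = "0" + s
    return s.lower()


def parse_request_id(value) -> int:
    """Accept a decimal RequestID or a hexadecimal one with a leading 0x."""
    s = str(value).strip()
    if re.fullmatch(r"0[xX][0-9A-Fa-f]+", s):
        return int(s, 16)
    if re.fullmatch(r"[0-9]+", s):
        return int(s, 10)
    raise ValueError(f"RequestID {value!r} is neither decimal nor 0x-prefixed hex")


def attribute_string(attrs: dict) -> str:
    """Encode {name: value} as Name:Value pairs separated by a literal backslash-n."""
    for name, value in attrs.items():
        if ":" in name or "\n" in name or "\n" in str(value):
            raise ValueError(f"attribute {name!r} would break the Name:Value encoding")
    return "\\n".join(f"{name}:{value}" for name, value in attrs.items())


def build_revoke(config: str, serial: str, reason="unspecified") -> list:
    """certutil -config CA -revoke SerialNumber Reason, with Reason given by name or code."""
    code = REVOKE_REASONS[reason.lower()] if isinstance(reason, str) else int(reason)
    if code not in REVOKE_REASONS.values():
        raise ValueError(f"unknown reason code {code}")
    return ["certutil", "-config", config, "-revoke", normalize_serial(serial), str(code)]


def build_deny(config: str, request_id) -> list:
    """certutil -config CA -deny RequestID."""
    return ["certutil", "-config", config, "-deny", str(parse_request_id(request_id))]


def build_setattributes(config: str, request_id, attrs: dict) -> list:
    """certutil -config CA -setattributes RequestID AttributeString (one argument)."""
    return ["certutil", "-config", config, "-setattributes",
            str(parse_request_id(request_id)), attribute_string(attrs)]


def build_deleterow(config: str, when: date, table: str, today: date, force=False) -> list:
    """certutil -deleterow m/d/yyyy Table; a future Date needs -f, as the reference says."""
    if table not in ("request", "cert", "ext", "attrib", "crl"):
        raise ValueError(f"unknown table {table!r}")
    if when > today and not force:
        raise ValueError("Date is in the future; pass force=True to add -f")
    args = ["certutil"] + (["-f"] if force else []) + ["-config", config]
    return args + ["-deleterow", f"{when.month}/{when.day}/{when.year}", table]
```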

To set the extension in the certificate request

Syntax

certutil -setextension [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] RequestID ExtensionName Flags {LongValue | DateValue | StringValue | @InFile}

Parameters
-setextension
Sets the extension for the pending request.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

RequestID
Specifies the numeric request identifier of a pending request.

ExtensionName
Specifies the ObjectID string of the extension.

Flags
Specifies one of the following flags:

Value   Description
0       Sets the extension as noncritical.
1       Sets the extension as critical.

LongValue | DateValue | StringValue | @InFile
Specifies the extension value. The value is accepted as a number, a date, or a string when it matches that format. If the value starts with the @ symbol, the rest of the token is the name of a file that contains binary data or an ASCII-text hexadecimal dump.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • RequestID must be in decimal format or in hexadecimal format with a leading 0x.

  • If you have an existing request or certificate with the exact encoding of the extension that you want to add to a pending request, you can dump the request or certificate, along with the ASCII-text hexadecimal dump of each extension, to a file.

Examples

The following is a valid example for a noncritical extension:

certutil -setextension 123 1.3.6.1.4.1.311.20.2 0 SubCA

The specified request must be in the pending state.

If you have an existing certificate, named MyCert.cer, with the exact encoding of the extension you want to add to a pending request, you can dump the request, along with the ASCII-text hexadecimal dump of each extension, by using the following command:

certutil -v mycert.cer

You can then copy the ASCII-text hexadecimal extension, 1.2.3.4.5, to a text file and then name that file Example.txt.

To add the 1.2.3.4.5 extension to the pending request with the numeric request identifier of 37, use the following command:

certutil -setextension 37 1.2.3.4.5 0 @example.txt

To issue the certificate, type:

certutil -resubmit 37

To retrieve the issued certificate, type:

certreq -retrieve 37 example.crt example.p7b

To resubmit a pending certificate request

Syntax

certutil -resubmit [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] RequestID

Parameters
-resubmit
Resubmits the pending request.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

RequestID
Specifies the request identifier number.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • RequestID must be in decimal format or hexadecimal format with a leading 0x.

To shut down the CA server

Syntax

certutil -shutdown [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

Parameters
-shutdown
Shuts down the CA server.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To verify a key set

Syntax

certutil -verifykeys [-user] [-gmt] [-seconds] [-silent] [-v] [-config CAMachineName\CAName] [KeyContainerName] [CACertFile]

Parameters
-verifykeys
Verifies the public and private keys for the specified CA.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-silent
Uses a silent flag to acquire CryptContext.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

KeyContainerName
Specifies the key container name of the key to verify.

CACertFile
Specifies the CA signature certificate that contains the public key used to verify digital signatures.

-?
Displays a list of certutil commands.

Remarks
  • Used without parameters, certutil -verifykeys verifies each signing CA certificate against its private key.

  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • You can run this command against local CAs or keys only.

To back up the CA certificate and keys

Syntax

certutil -backupkey [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory

Parameters
-backupkey
Backs up the Certificate Services certificate and private key.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-p Password
Specifies a password.

BackupDirectory
Specifies the backup directory.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • The maximum length allowed for a PFX file password is 32 characters.

  • You can use the -f option to overwrite existing files in BackupDirectory.

To restore the CA certificate and keys from a backup directory or a PKCS #12 (.pfx) file

Syntax

certutil -restorekey [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory\PFXFile

Parameters
-restorekey
Restores Certificate Services certificate and private key from the specified BackupDirectory or PKCS #12 PFXFile.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-p Password
Specifies a password.

BackupDirectory
Specifies the backup location of the PFX file.

PFXFile
Specifies the PKCS #12 PFX file.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • The maximum length allowed for a PFX file password is 32 characters.

To add extensions to a certificate that will be issued by the CA

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] policy\enablerequestextensionlist[{0 | 1}] ExtensionOID

Parameters
-setreg
Sets or edits registry information.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

policy\enablerequestextensionlist
Sets the list of request extensions that the policy module enables.

ExtensionOID
Specifies the object identifier of the extension.

0
Adds the extension to the list of request extensions that the policy module enables.

1
Removes the extension from the list of request extensions that the policy module enables.

-?
Displays a list of certutil commands.

Formatting legend

Format                                  Meaning
Italic                                  Information that the user must supply
Bold                                    Elements that the user must type exactly as shown
Ellipsis (...)                          Parameter that can be repeated several times in a command line
Between brackets ([])                   Optional items
Between braces ({}); choices            Set of choices from which the user must choose only one
  separated by pipe (|).
  Example: {even|odd}
Courier font                            Code or program output

© 2014 Microsoft. All rights reserved.