The Certutil.exe Command Line Tool

Updated: May 24, 2010

Applies To: Windows Server 2008 R2

You use the Certutil.exe command line tool to display information about the digital certificates that are installed on a DirectAccess client, DirectAccess server, or intranet resource.

The following is an example of the output from the certutil -store my command on the DirectAccess client in the DirectAccess test lab (https://go.microsoft.com/fwlink/?Linkid=150613).

================ Certificate 0 ================
Serial Number: 61b96b4300000000000b
Issuer: CN=corp-DC1-CA, DC=corp, DC=contoso, DC=com
 NotBefore: 8/28/2009 11:57 AM
 NotAfter: 8/28/2010 11:57 AM
Subject: CN=CLIENT2.corp.contoso.com
Certificate Template Name (Certificate Type): Machine
Non-root Certificate
Template: Machine, Computer
Cert Hash(sha1): d2 48 b0 ac d0 75 d2 17 d3 a2 52 73 03 fb 6d 93 05 d6 c5 9c
  Key Container = 7658bfbea27b8a8b1a912b2792198aa7_81cb8b83-9acb-41a0-a19f-615d9d8a0337
  Simple container name: le-Machine-e4918f29-7e62-48c3-a958-445f367d773d
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.

To determine the subject, enhanced key usage (EKU), and certificate revocation list (CRL) distribution points fields of installed certificates for DirectAccess troubleshooting, use the certutil -v -store my > cert.txt command and then view the contents of the Cert.txt file.
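
The following added example (not part of the original page) reads the same three fields, plus validity and private key presence, directly from the local computer's Personal store, which is the store that certutil -store my opens by default. It assumes Windows PowerShell run on the computer being checked; the property names in the output object are chosen for this example.

```powershell
# Added example: list the certificate fields used for DirectAccess troubleshooting
# (subject, EKU, CRL distribution points) for each certificate in LocalMachine\My.
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Enhanced key usage extension (OID 2.5.29.37). If the extension is absent,
    # the certificate is not restricted to specific purposes.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $eku = if ($ekuExt) {
        ($ekuExt.EnhancedKeyUsages | ForEach-Object {
            if ($_.FriendlyName) { '{0} ({1})' -f $_.FriendlyName, $_.Value } else { $_.Value }
        }) -join '; '
    } else { '<no EKU extension>' }

    # CRL distribution points extension (OID 2.5.29.31), formatted on one line.
    $cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdp = if ($cdpExt) { $cdpExt.Format($false) } else { '<no CRL distribution points>' }

    # Flag certificates that are outside their validity period right now.
    $validity = if ($cert.NotBefore -gt $now) { 'Not yet valid' }
                elseif ($cert.NotAfter -lt $now) { 'Expired' }
                else { 'Valid' }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        Validity      = $validity
        HasPrivateKey = $cert.HasPrivateKey
        EKU           = $eku
        CrlDistPoints = $cdp
    }
} | Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter, Validity,
                  HasPrivateKey, EKU, CrlDistPoints |
    Format-List
```

The Thumbprint value corresponds to the Cert Hash(sha1) line in the certutil output, so an entry here can be matched to its entry in Cert.txt.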