Certutil tasks for backing up and restoring certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


Certification authorities should be backed up regularly and restored when necessary to provide their services. You can use certutil to perform these tasks.

This topic gives the syntax for the following tasks:

  • To back up Certificate Services

  • To back up a CA database

  • To back up the CA certificate and keys

  • To restore the CA database, certificates, and keys

  • To restore the CA database

  • To restore the CA certificate and keys from a backup directory or a PKCS #12 (.pfx) file

  • To dump the CA database schema, for example, column names, types, and max sizes

To back up Certificate Services

Syntax

certutil -backup [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory [incremental] [keeplog]

Parameters
  • -backup
    Backs up Certificate Services.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -p Password
    Specifies a password.
  • BackupDirectory
    Specifies the backup directory.
  • incremental
    Implements an incremental backup instead of a full backup.
  • keeplog
    Preserves database log files.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.

  • If you do not specify keeplog, certutil -backup combines the database log files into a single log file that is retained upon the successful completion of -backup.

  • If you do not specify incremental, certutil -backup performs a full backup.

  • You can use the -f option to overwrite existing files in BackupDirectory.

Examples

To back up Certificate Services (database, certificate, and keys) for a CA named EnterpriseCA, type one of the following. A full backup:

certutil -backup -p p@ssw23 f:\Backup2\EnterpriseCA

An incremental backup:

certutil -backup -p p@ssw23 f:\Backup2\EnterpriseCA incremental

A full backup that preserves the database log files:

certutil -backup -p p@ssw23 f:\Backup2\EnterpriseCA keeplog

To back up a CA database

Syntax

certutil -backupdb [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] BackupDirectory [[incremental] [keeplog]]

Parameters
  • -backupdb
    Backs up the Certificate Services database.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • BackupDirectory
    Specifies the backup directory.
  • incremental
    Implements an incremental backup instead of a full backup.
  • keeplog
    Preserves database log files.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • You can run this command locally or remotely. The server and the CA must be running. Typically, administrators use this command to perform infrequent full backups followed by frequent incremental backups. Each backup must be made into a separate directory tree. Starting with the most recent full backup, all backups are required to correctly restore the database.

  • If you do not specify keeplog, certutil -backupdb combines the database log files into a single log file that is retained upon the successful completion of -backupdb.

  • If you do not specify incremental, certutil -backupdb performs a full backup.

  • You can use the -f option to overwrite existing files in BackupDirectory.
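The remarks above describe a full backup followed by incremental backups, each in its own directory tree. The following PowerShell script is an added example (not part of the original page or of certutil's own documentation) that applies that pattern with -backupdb; the config string, backup root, and the full-*/incr-* directory naming are assumptions.

```powershell
# Added example: one full -backupdb, then incremental backups, each into a
# separate, timestamped directory tree. Assumed CA config string and backup root.
param(
    [string]$Config = "CASERVER\EnterpriseCA",    # assumed CAMachineName\CAName
    [string]$Root   = "F:\Backup2\EnterpriseCA",  # assumed backup root
    [switch]$Incremental                           # incremental instead of full backup
)

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$kind  = if ($Incremental) { "incr" } else { "full" }
$dir   = Join-Path $Root "$kind-$stamp"            # separate directory tree per backup

# An incremental backup can only be restored on top of an earlier full backup,
# so refuse to take one when no full backup exists under the root.
$fulls = Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
         Where-Object { $_.PSIsContainer -and $_.Name -like "full-*" }
if ($Incremental -and -not $fulls) {
    throw "No full backup found under $Root; take a full backup first."
}

# -backupdb requires the CA service to be running (see remarks).
if ((Get-Service -Name CertSvc).Status -ne 'Running') {
    throw "CertSvc is not running; -backupdb needs the CA online."
}

New-Item -ItemType Directory -Path $dir | Out-Null

# Option order follows the syntax given on this page; the database-only backup
# needs no -p password because no private key is written.
$certutilArgs = @("-backupdb", "-config", $Config, $dir)
if ($Incremental) { $certutilArgs += "incremental" }

& certutil.exe @certutilArgs
if ($LASTEXITCODE -ne 0) {
    # Discard the partial directory so a later restore cannot pick it up.
    Remove-Item -Path $dir -Recurse -Force
    throw "certutil -backupdb failed with exit code $LASTEXITCODE"
}
Write-Host "Backup ($kind) written to $dir"
```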

To back up the CA certificate and keys

Syntax

certutil -backupkey [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory

Parameters
  • -backupkey
    Backs up the Certificate Services certificate and private key.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -p Password
    Specifies a password.
  • BackupDirectory
    Specifies the backup directory.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.

  • You can use the -f option to overwrite existing files in BackupDirectory.

To restore the CA database, certificates, and keys

Syntax

certutil -restore [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory

Parameters
  • -restore
    Restores the CA database, certificates, and keys from the specified BackupDirectory.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -p Password
    Specifies a password.
  • BackupDirectory
    Specifies the backup directory from which you want to restore the CA database, certificates, and keys.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.

To restore the CA database

Syntax

certutil -restoredb [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] BackupDirectory

Parameters
  • -restoredb
    Restores CA database from the specified BackupDirectory.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • BackupDirectory
    Specifies the backup directory from which you want to restore the CA database.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • The CA server must not be running. You can run this command locally or remotely.

  • To restore a full backup and incremental backups, you must restore the full backup first, and then restore all subsequent incremental backups in any order. To overwrite the existing server database files with the full restore, use -f. Do not start the server until all backups are restored.

  • When you start the CA server, you initiate database recovery. If the CA server starts successfully (as recorded in the application event log), the restore and recovery completed successfully. If the server fails to start after you run -restore, you receive an error code. If -restore fails, you can also view the RESTOREINPROGRESS registry key for more information.
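The restore order in the remarks above (full backup first, then every incremental, CA stopped throughout, and start the CA only at the end) is carried out by the following PowerShell script. It is an added example, not code from the original page; it assumes the full-*/incr-* directory naming, the CA config string, and that Certificate Services logs to the Application event log under the source name CertSvc.

```powershell
# Added example: restore the newest full -backupdb backup and all later
# incrementals with the CA stopped, then start the CA and check that it came up.
param(
    [string]$Config = "CASERVER\EnterpriseCA",    # assumed CAMachineName\CAName
    [string]$Root   = "F:\Backup2\EnterpriseCA"   # assumed backup root
)

$dirs = Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer }
$full = $dirs | Where-Object { $_.Name -like "full-*" } | Sort-Object Name | Select-Object -Last 1
if (-not $full) { throw "No full backup found under $Root" }

# Only incrementals taken after the chosen full backup belong to its chain;
# the names carry a sortable yyyyMMdd-HHmmss stamp after the 5-character prefix.
$fullStamp = $full.Name.Substring(5)
$incrs = $dirs | Where-Object { $_.Name -like "incr-*" -and $_.Name.Substring(5) -gt $fullStamp } |
         Sort-Object Name

# -restoredb requires the CA service to be stopped (see remarks).
Stop-Service -Name CertSvc -Force
(Get-Service -Name CertSvc).WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))

# Full backup first; -f overwrites the existing database files.
& certutil.exe -restoredb -f -config $Config $full.FullName
if ($LASTEXITCODE -ne 0) { throw "Full restore failed with exit code $LASTEXITCODE" }

# Then every incremental. The remarks allow any order; chronological is simplest.
foreach ($d in $incrs) {
    & certutil.exe -restoredb -config $Config $d.FullName
    if ($LASTEXITCODE -ne 0) { throw "Incremental restore of $($d.Name) failed with exit code $LASTEXITCODE" }
}

# Start the CA only now: starting it triggers database recovery over the restored files.
Start-Service -Name CertSvc
(Get-Service -Name CertSvc).WaitForStatus('Running', (New-TimeSpan -Seconds 60))

# The application event log records whether recovery completed; show the newest
# entries from Certificate Services (source name 'CertSvc' is assumed).
Get-EventLog -LogName Application -Newest 50 |
    Where-Object { $_.Source -like '*CertSvc*' } |
    Select-Object -First 5 |
    Format-Table TimeGenerated, EntryType, EventID, Message -AutoSize
```

If the service does not reach Running within the timeout, WaitForStatus throws; the Application log and the RESTOREINPROGRESS registry key mentioned in the remarks are the places to look next.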

To restore the CA certificate and keys from a backup directory or a PKCS #12 (.pfx) file

Syntax

certutil -restorekey [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory|PFXFile

Parameters
  • -restorekey
    Restores the Certificate Services certificate and private key from the specified BackupDirectory or PKCS #12 PFXFile.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -p Password
    Specifies a password.
  • BackupDirectory
    Specifies the backup directory that contains the PKCS #12 (.pfx) file.
  • PFXFile
    Specifies the PKCS #12 PFX file.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.

To dump the CA database schema, for example, column names, types, and max sizes

Syntax

certutil -schema [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [{ext | attrib | crl}]

Parameters
  • -schema
    Dumps the CA database schema.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • ext
    Displays the schema for the Ext table.
  • attrib
    Displays the schema for the Attrib table.
  • crl
    Displays the schema for the certificate revocation list (CRL) table.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

Examples

To view the CA database schema, type:

certutil -schema

Formatting legend

Format                                               Meaning
Italic                                               Information that the user must supply
Bold                                                 Elements that the user must type exactly as shown
Ellipsis (...)                                       Parameter that can be repeated several times in a command line
Between brackets ([])                                Optional items
Between braces ({}); choices separated by pipe (|).  Set of choices from which the user must choose only one
  Example: {even|odd}
Courier font                                         Code or program output

See Also

Concepts

Command-line reference A-Z
Command shell overview