Certutil tasks for managing CRLs

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use certutil to view, produce, and configure the certificate revocation list (CRL) information for a certification authority.

To view the syntax for a specific task, click a task:

  • To retrieve a CRL

  • To publish the current CRL

  • To publish a certificate or CRL to Active Directory

  • To add certificates to the NTAuth store

To retrieve a CRL

Syntax

certutil -getcrl [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] OutFile [Index] [delta]

Parameters
  • -getcrl
    Retrieves the certificate revocation list (CRL).
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • OutFile
    Specifies the file to which you want to send the output.
  • Index
    Specifies the index identifier number.
  • delta
    Retrieves a delta CRL.
  • -?
    Displays a list of certutil commands.
Remarks
  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. If you do not have the appropriate authority, use -cainfo to retrieve CRLs.

  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

Examples

To retrieve the most recently published base CRL, MyMostRecentCRL.crl, type:

certutil -getcrl MyMostRecentCRL.crl

To retrieve the third CRL, MyThirdCRL.crl, type:

certutil -getcrl MyThirdCRL.crl 3

To retrieve the most recently published delta CRL, MyMostRecentDelta.crl, type:

certutil -getcrl MyMostRecentDelta.crl delta

To retrieve the fifth delta CRL, MyFifthDelta.crl, type:

certutil -getcrl MyFifthDelta.crl 5 delta

To publish the current CRL

Syntax

certutil -crl [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [DD:HH] [delta]

Parameters
  • -crl
    Publishes a new certificate revocation list (CRL).
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • DD:HH
    Specifies the length of the CRL life in days and hours.
  • delta
    Publishes a delta CRL only.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • The CRL is written to the file specified by OutFileResult, or, if you use a minus sign (-), it is written to the default Web location.

  • The expiration date is set to be one day and one hour from the time of publication to facilitate a daily publishing schedule.
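The following PowerShell script is an added example and is not part of the original page; it strings together the -crl and -getcrl tasks described in the two sections above. It publishes a base CRL with an explicit DD:HH lifetime, retrieves the most recently published base CRL from the same CA, and then reads ThisUpdate and NextUpdate out of certutil -dump so an operator can confirm the CRL that relying parties will fetch is not already expired. The CA configuration string, the lifetime and the output path are assumed placeholders, and the parsing of the certutil -dump output (one "ThisUpdate: <date>" and one "NextUpdate: <date>" line, dates in the local culture) is an assumption about that output format.

```powershell
# Added example, not part of the original page: publish a base CRL with an explicit
# DD:HH lifetime, retrieve it back from the same CA, and report ThisUpdate/NextUpdate.
# Needs local Administrators (or delegated CA rights); run from an elevated PowerShell.
$Config   = 'CA01.corp.example.com\Corp-Issuing-CA'     # assumption: your CAMachineName\CAName
$Lifetime = '7:00'                                      # DD:HH, here seven days and zero hours
$OutFile  = Join-Path $env:TEMP 'published-base.crl'    # assumption: where the retrieved CRL lands

function Get-CrlDateField {
    # Runs 'certutil -dump' on a CRL file and parses one date field (ThisUpdate or
    # NextUpdate). Assumes the dump prints the field as '<name>: <date>' on its own line.
    param([string]$Path, [string]$FieldPattern)
    $lines = & certutil -dump $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed for $Path" }
    $line = $lines | Where-Object { $_ -match "^\s*$FieldPattern\s*:" } | Select-Object -First 1
    if (-not $line) { throw "Field '$FieldPattern' not found in $Path" }
    $value = ($line -split ':', 2)[1].Trim()     # split once only: the date itself contains colons
    return [datetime]::Parse($value)
}

# 1. Publish: without 'delta' this issues a new base CRL (and a delta CRL on CAs that use them).
& certutil -crl -config $Config $Lifetime
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed for $Config" }

# 2. Retrieve the most recently published base CRL; -f overwrites a stale copy in $OutFile.
& certutil -getcrl -f -config $Config $OutFile
if ($LASTEXITCODE -ne 0) { throw "certutil -getcrl failed for $Config" }

# 3. Inspect validity. The CA adds its configured overlap period, so the observed NextUpdate
#    is normally somewhat later than ThisUpdate + lifetime; report the difference, do not assert on it.
$thisUpdate = Get-CrlDateField -Path $OutFile -FieldPattern 'This\s*Update'
$nextUpdate = Get-CrlDateField -Path $OutFile -FieldPattern 'Next\s*Update'
$days, $hours = $Lifetime -split ':'
$requested  = $thisUpdate.AddDays([int]$days).AddHours([int]$hours)

'{0}: ThisUpdate {1}, NextUpdate {2}, requested lifetime ends {3} (difference {4:N1} h)' -f `
    $OutFile, $thisUpdate, $nextUpdate, $requested, ($nextUpdate - $requested).TotalHours

if ($nextUpdate -le (Get-Date)) {
    Write-Warning 'The CRL just retrieved is already past NextUpdate; clients will fail revocation checks.'
}
```

The script follows the parameter order given in the syntax lines above (verb first, then options, then positional arguments). To check a delta CRL instead, append delta to the -getcrl call, as in the fourth example under "To retrieve a CRL"; the same Get-CrlDateField helper parses it.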

To publish a certificate or CRL to Active Directory

Syntax

certutil -dsPublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] [{CertFile | CRL}] [{ntauthca | rootca | subca | crossca | kra | user | machine}]

Parameters
  • -dsPublish
    Publishes a new certificate to the CA object in Active Directory.
  • -f
    Overwrites existing files or keys.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • CertFile
    Specifies the certificate that you want to use.
  • CRL
    Specifies the certificate revocation list that you want to use.
  • ntauthca
    Specifies that the certificate is to be published to the NTAuth store.
  • rootca
    Specifies that the certificate is to be published to the root CA store.
  • subca
    Specifies that the certificate is to be published to the subordinate CA store.
  • crossca
    Specifies that the certificate is to be published to the cross-certified CA store.
  • kra
    Specifies that the certificate is to be published to the key recovery agent store.
  • user
    Specifies that the certificate is to be published to the user store.
  • machine
    Specifies that the certificate is to be published to the computer store.
  • -?
    Displays a list of certutil commands.
Remarks
  • If a CA issues certificates for smart card logon, you need to publish the certificate to NTAuth.

To add certificates to the NTAuth store

Syntax

certutil -dspublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] NewCert ntauthca

Parameters
  • -dspublish
    Publishes a new certificate or certificate revocation list (CRL) to the CA object in Active Directory.
  • -f
    Overwrites existing files or keys.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • NewCert
    Specifies the certificate that you want to publish.
  • ntauthca
    Specifies that the certificate is to be published to the NTAuth store.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must have Enterprise Administrator access to use this command.
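The following PowerShell script is an added example and is not part of the original page; it covers both "To publish a certificate or CRL to Active Directory" and "To add certificates to the NTAuth store". Because a certificate in NTAuth is trusted for smart card logon across the forest, the script refuses to publish unless the file's SHA-1 thumbprint matches a value recorded out of band, runs -dspublish ... ntauthca against a named domain controller, and then reads the cACertificate attribute of CN=NTAuthCertificates back from the configuration partition to confirm the write. The certificate path, expected thumbprint and domain controller name are assumed placeholders.

```powershell
# Added example, not part of the original page: publish a CA certificate to the NTAuth
# store only after its thumbprint matches a value recorded out of band, then read
# CN=NTAuthCertificates back from Active Directory to confirm. Requires Enterprise Admins.
$CertFile           = 'C:\PKI\Corp-Issuing-CA.cer'                  # assumption: exported CA certificate
$ExpectedThumbprint = '0000000000000000000000000000000000000000'    # placeholder: SHA-1 obtained from the CA operator
$Dc                 = 'DC01.corp.example.com'                       # assumption: domain controller to write to

function Get-FileThumbprint {
    # SHA-1 thumbprint of a DER or Base64 certificate file, uppercase hex without separators.
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    return $cert.Thumbprint
}

function Get-NtAuthThumbprints {
    # Reads the cACertificate attribute of CN=NTAuthCertificates in the configuration
    # partition (the object that -dspublish ... ntauthca updates) and returns the thumbprints.
    param([string]$DomainController)
    $rootDse  = [ADSI]"LDAP://$DomainController/RootDSE"
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    $ntAuth   = [ADSI]"LDAP://$DomainController/CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($blob in $ntAuth.Properties['cACertificate']) {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
        $c.Thumbprint
    }
}

# 1. Gate: do not extend smart card logon trust to a certificate nobody has vetted.
$actual = Get-FileThumbprint -Path $CertFile
if ($actual -ne $ExpectedThumbprint.ToUpperInvariant()) {
    throw "Thumbprint of $CertFile is $actual, expected $ExpectedThumbprint; not publishing."
}

# 2. Publish to NTAuth through the chosen DC; -f overwrites an existing entry, as documented above.
& certutil -dspublish -f -dc $Dc $CertFile ntauthca
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed (exit code $LASTEXITCODE)" }

# 3. Verify against the directory object itself rather than the local enterprise store,
#    which is only refreshed from the directory later by autoenrollment / policy refresh.
$published = @(Get-NtAuthThumbprints -DomainController $Dc)
if ($published -contains $actual) {
    "NTAuth now contains $actual ($($published.Count) certificate(s) in total)."
} else {
    Write-Warning "Published, but $actual was not read back from $Dc; check replication and permissions."
}
```

Reading the NTAuthCertificates object back also gives an auditor a quick inventory of every CA currently trusted for smart card logon, which is worth comparing against the expected list whenever this command has been run.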

Formatting legend

Format                                                Meaning

Italic                                                Information that the user must supply

Bold                                                  Elements that the user must type exactly as shown

Ellipsis (...)                                        Parameter that can be repeated several times in a command line

Between brackets ([])                                 Optional items

Between braces ({}); choices separated by pipe (|).   Set of choices from which the user must choose only one
Example: {even|odd}

Courier font                                          Code or program output

See Also

Concepts

Command-line reference A-Z
Command shell overview