Appendix C: Useful Commands

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following certutil.exe commands, available in the Windows Server 2003 Administration Tools pack, perform key archival and recovery functions.

  • certutil -ImportKMS accepts a *.pfx, *.epf, or a KMS export file, and archives the contents in the CA database.

  • certutil -ConvertEPF converts a *.pfx (PKCS #12) file to a *.epf-formatted file for import into Outlook.

    • certutil -ConvertEPF and -MergePFX are similar in that they both accept a comma-separated list of input files that are merged and placed in the output file. Input files for both commands may be *.pfx files, *.epf files, or a mixture of the two.

    • The -cast parameter should be used to specify the CAST encryption algorithm.

    • The -silent option may be specified to suppress the UI.

  • certutil -ImportPFX accepts a *.pfx or a *.epf file, and installs the certificates and keys into the HKLM (local machine) MY store. If the -User parameter is specified, the key and certificate will be imported into the HKCU (user profile) MY store. The CSP to be used may also be overridden by specifying the name with the -csp parameter.

  • certutil -getkey retrieves the archived private key recovery BLOB from the CA database.

  • certutil -recoverkey recovers the archived private key.

  • certutil -verifykeys verifies the private/public key pair.
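
The -getkey and -recoverkey commands above are used as a pair. The following script is an added example, not part of the original appendix, that chains them and checks each exit code. The parameter names are hypothetical, the search token is assumed to be the certificate serial number, and the script is assumed to run as a user who holds a key recovery agent private key.

```powershell
# Added example: two-step recovery of one archived key with certutil.
# $SearchToken and $OutputPfx are hypothetical parameter names.
param(
    [Parameter(Mandatory = $true)][string]$SearchToken,  # assumed: certificate serial number
    [Parameter(Mandatory = $true)][string]$OutputPfx     # where the recovered *.pfx is written
)

# Unique scratch file for the recovery BLOB so parallel runs do not collide.
$blob = Join-Path $env:TEMP ("recovery-{0}.blob" -f [guid]::NewGuid())

try {
    # Step 1: retrieve the archived private key recovery BLOB from the CA database.
    & certutil.exe -getkey $SearchToken $blob
    # certutil returns an HRESULT, which can be negative, so test for non-zero.
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -getkey failed (exit code $LASTEXITCODE)"
    }

    # Step 2: recover the archived private key from the BLOB into a *.pfx file.
    # This step only succeeds for a user holding a key recovery agent key.
    & certutil.exe -recoverkey $blob $OutputPfx
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -recoverkey failed (exit code $LASTEXITCODE)"
    }

    Write-Output "Recovered key and certificate written to $OutputPfx"
}
finally {
    # Remove the intermediate BLOB whether or not recovery succeeded.
    if (Test-Path $blob) {
        Remove-Item $blob -Force
    }
}
```

The resulting *.pfx contains a private key, so it should be handed to the key owner over a protected channel and deleted from the recovery workstation afterwards.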