Using the Certificate Services Command-Line Programs

  • Article

Windows 2000 Server provides the following three command-line programs for Certificate Services:

  • CertUtil.exe

  • CertReq.exe

  • CertSvr.exe

These command-line programs provide extended functionality and control of certificate services. The use of the command line is primarily intended for developers and knowledgeable certification authority administrators.

For more information about the command-line programs, see Certificate Services Help.

CertUtil.exe

You can use CertUtil.exe to perform the following tasks:

  • Dump certificate services configuration information, certificate requests, certificates, or certificate revocation lists to files.

  • Get the certification authority (CA) configuration string.

  • Retrieve the CA signing certificate.

  • Revoke certificates.

  • Publish or retrieve a certificate revocation list.

  • Determine if a certificate is valid or if the encoding length is incompatible with old enrollment controls.

  • Verify one or all levels of a certificate chain.

  • Resubmit or deny pending requests.

  • Set attributes or an integer or string value extension for a pending request.

  • Verify a public/private key set.

  • Decode files that are based on hexadecimal or base 64.

  • Encode files to base 64.

  • Shut down the Certificate Services server.

  • Display the database schema.

  • Convert a Certificate Server version 1.0 database to a Windows 2000 Certificate Services version 2.0 database.

  • Back up and restore the CA keys and database.

  • Display certificates in a certificate store.

  • Display error message text for a specified error code.

  • Import issued certificates that are missing from the database.

  • Set and display certification authority registry settings.

  • Create or remove Certificate Services Web virtual roots and file shares.

CertReq.exe

You can use CertReq.exe to request certificates from a certification authority. CertReq submits certificate requests by using PKCS 10 certificate request files and PKCS 7 certificate renewal files. You also can use the advanced options on the Web Enrollment Support pages to submit certificate requests by using PKCS 10 and PKCS 7 files.

CertSrv.exe

CertSrv.exe is the server engine program that is run when the Certification Authority service starts. For troubleshooting purposes only, you can run CertSrv as a stand-alone application in a command prompt window. When CertSrv is running in the diagnostics mode, it displays a log of its actions in the console window. You can start CertSrv as a service through Services in Control Panel.