The Certutil.exe Command Line Tool
Published: October 7, 2009
Updated: May 24, 2010
Applies To: Windows Server 2008 R2
You use the Certutil.exe command line tool to display information about the digital certificates that are installed on a DirectAccess client, DirectAccess server, or intranet resource.
The following is an example of the output from the certutil -store my command on the DirectAccess client in the DirectAccess test lab (http://go.microsoft.com/fwlink/?Linkid=150613).
================ Certificate 0 ================
Serial Number: 61b96b4300000000000b
Issuer: CN=corp-DC1-CA, DC=corp, DC=contoso, DC=com
 NotBefore: 8/28/2009 11:57 AM
 NotAfter: 8/28/2010 11:57 AM
Subject: CN=CLIENT2.corp.contoso.com
Certificate Template Name (Certificate Type): Machine
Non-root Certificate
Template: Machine, Computer
Cert Hash(sha1): d2 48 b0 ac d0 75 d2 17 d3 a2 52 73 03 fb 6d 93 05 d6 c5 9c
  Key Container = 7658bfbea27b8a8b1a912b2792198aa7_81cb8b83-9acb-41a0-a19f-615d9d8a0337
  Simple container name: le-Machine-e4918f29-7e62-48c3-a958-445f367d773d
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.
To determine the subject, enhanced key usage (EKU), and certificate revocation list (CRL) distribution points fields of installed certificates for DirectAccess troubleshooting, use the certutil -v -store my > cert.txt command and then view the contents of the Cert.txt file.
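When the store holds more than one certificate, a short script can triage the output instead of reading it by eye. The following is an added example, not part of the original article or of Certutil.exe: it parses the non-verbose certutil -store output format shown above and reports certificates that are outside their validity period or lack a usable private key. The dictionary keys Index, Thumbprint, KeyNotExportable and EncryptionTestPassed and the function names are this example's own, and it assumes US-format dates as in the sample.

```python
import re
from datetime import datetime

# Output of "certutil -store my" copied from this page (test-lab client).
SAMPLE = """\
================ Certificate 0 ================
Serial Number: 61b96b4300000000000b
Issuer: CN=corp-DC1-CA, DC=corp, DC=contoso, DC=com
 NotBefore: 8/28/2009 11:57 AM
 NotAfter: 8/28/2010 11:57 AM
Subject: CN=CLIENT2.corp.contoso.com
Certificate Template Name (Certificate Type): Machine
Non-root Certificate
Template: Machine, Computer
Cert Hash(sha1): d2 48 b0 ac d0 75 d2 17 d3 a2 52 73 03 fb 6d 93 05 d6 c5 9c
  Key Container = 7658bfbea27b8a8b1a912b2792198aa7_81cb8b83-9acb-41a0-a19f-615d9d8a0337
  Simple container name: le-Machine-e4918f29-7e62-48c3-a958-445f367d773d
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.
"""
HEADER = re.compile(r"^=+ Certificate (\d+) =+$", re.M)
FIELD = re.compile(r"^[ \t]*([^:=\n]+?)[ \t]*[:=][ \t]*(.+)$", re.M)
DATE_FMT = "%m/%d/%Y %I:%M %p"  # assumption: US-locale dates, as in the sample

def parse_store(text):
    """Split certutil -store output into one dict per certificate."""
    parts = HEADER.split(text)[1:]  # [index, body, index, body, ...]
    certs = []
    for index, body in zip(parts[0::2], parts[1::2]):
        body = body.split("\nCertUtil:")[0]  # drop the trailing status line
        cert = {"Index": int(index), **{k: v.strip() for k, v in FIELD.findall(body)}}
        cert["Thumbprint"] = cert.get("Cert Hash(sha1)", "").replace(" ", "")
        cert["KeyNotExportable"] = "Private key is NOT exportable" in body
        cert["EncryptionTestPassed"] = "Encryption test passed" in body
        certs.append(cert)
    return certs

def findings(cert, now):
    """List troubleshooting findings for one parsed certificate."""
    out = []
    start, end = (datetime.strptime(cert[k], DATE_FMT) for k in ("NotBefore", "NotAfter"))
    if not start <= now <= end:
        out.append("outside validity period")
    if "Key Container" not in cert:
        out.append("no private key container listed")
    if not cert["EncryptionTestPassed"]:
        out.append("no 'Encryption test passed' line")
    return out
```

Pass the text of a saved certutil -store my capture to parse_store and the current time to findings; the verbose (-v) output has additional fields that this example does not interpret.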