The Certutil.exe Command Line Tool

Published: October 7, 2009

Updated: May 24, 2010

Applies To: Windows Server 2008 R2

You use the Certutil.exe command line tool to display information about the digital certificates that are installed on a DirectAccess client, DirectAccess server, or intranet resource.

The following is an example of the output from the certutil –store my command on the DirectAccess client in the DirectAccess test lab (

================ Certificate 0 ================
Serial Number: 61b96b4300000000000b
Issuer: CN=corp-DC1-CA, DC=corp, DC=contoso, DC=com
 NotBefore: 8/28/2009 11:57 AM
 NotAfter: 8/28/2010 11:57 AM
Certificate Template Name (Certificate Type): Machine
Non-root Certificate
Template: Machine, Computer
Cert Hash(sha1): d2 48 b0 ac d0 75 d2 17 d3 a2 52 73 03 fb 6d 93 05 d6 c5 9c
  Key Container = 7658bfbea27b8a8b1a912b2792198aa7_81cb8b83-9acb-41a0-a19f-615d9
  Simple container name: le-Machine-e4918f29-7e62-48c3-a958-445f367d773d
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.

To determine the subject, enhanced key usage (EKU), and certificate revocation list (CRL) distribution points fields of installed certificates for DirectAccess troubelshooting, use the certutil -v –store my > cert.txt command and then view the contents of the Cert.txt file.

Community Additions