Certutil tasks for backing up and restoring certificates
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Certification authorities should be backed up regularly and restored when necessary to provide their services. You can use certutil to perform these tasks.
To view the syntax for a specific task, click a task:
To back up Certificate Services
To back up a CA database
To back up the CA certificate and keys
To restore the CA database, certificates, and keys
To restore the CA database
To restore the CA certificate and keys from a backup directory or a PKCS #12 (.pfx) file
To dump the CA database schema, for example, column names, types, and max sizes
certutil -backup [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory [incremental] [keeplog]
- -backup
Backs up Certificate Services.
- -f
Overwrites existing files or keys.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- -p Password
Specifies a password.
- BackupDirectory
Specifies the backup directory.
- incremental
Implements an incremental backup instead of a full backup.
- keeplog
Preserves database log files.
- -?
Displays a list of certutil commands.
You must specify CAMachineName\CAName in -config. Otherwise, the Select Certificate Authority dialog box appears and lists all available CAs.
If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.
With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.
If you do not specify keeplog, certutil -backup combines the database log files into a single log file that is retained upon the successful completion of -backup.
If you do not specify incremental, certutil -backup performs a full backup.
You can use the -f option to overwrite existing files in BackupDirectory.
To back up keys and certificates for a CA named EnterpriseCA, type:
certutil -backup -p p@ssw23 f:\Backup2\EnterpriseCA
certutil -backup -p p@ssw23 f:\Backup2\EnterpriseCA incremental
certutil -backup -p p@ssw23 f:\Backup2\EnterpriseCA keeplog
certutil -backupdb [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] BackupDirectory [[incremental] [keeplog]]
- -backupdb
Backs up the Certificate Services database.
- -f
Overwrites existing files or keys.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- BackupDirectory
Specifies the backup directory.
- incremental
Implements an incremental backup instead of a full backup.
- keeplog
Preserves database log files.
- -?
Displays a list of certutil commands.
You must specify CAMachineName\CAName in -config. Otherwise, the Select Certificate Authority dialog box appears and lists all available CAs.
If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.
You can run this command locally or remotely. The server and the CA must be running. Typically, administrators use this command to perform infrequent full backups followed by frequent incremental backups. Each backup must be made into a separate directory tree. Starting with the most recent full backup, all backups are required to correctly restore the database.
If you do not specify keeplog, certutil -backupdb combines the database log files into a single log file that is retained upon the successful completion of -backupdb.
If you do not specify incremental, certutil -backupdb performs a full backup.
You can use the -f option to overwrite existing files in BackupDirectory.
certutil -backupkey [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory
- -backupkey
Backs up the Certificate Services certificate and private key.
- -f
Overwrites existing files or keys.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- -p Password
Specifies a password.
- BackupDirectory
Specifies the backup directory.
- -?
Displays a list of certutil commands.
You must specify CAMachineName\CAName in -config. Otherwise, the Select Certificate Authority dialog box appears and lists all available CAs.
If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.
With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.
You can use the -f option to overwrite existing files in BackupDirectory.
certutil -restore [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory
- -restore
Restores the CA database, certificates, and keys from the specified BackupDirectory.
- -f
Overwrites existing files or keys.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- -p Password
Specifies a password.
- BackupDirectory
Specifies the backup directory from which you want to restore the CA database, certificates, and keys.
- -?
Displays a list of certutil commands.
You must specify CAMachineName\CAName in -config. Otherwise, the Select Certificate Authority dialog box appears and lists all available CAs.
If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.
With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.
certutil -restoredb [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] BackupDirectory
- -restoredb
Restores the CA database from the specified BackupDirectory.
- -f
Overwrites existing files or keys.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- BackupDirectory
Specifies the backup directory from which you want to restore the CA database.
- -?
Displays a list of certutil commands.
You must specify CAMachineName\CAName in -config. Otherwise, the Select Certificate Authority dialog box appears and lists all available CAs.
If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.
The CA server must not be running. You can run this command locally or remotely.
To restore a full backup and incremental backups, you must restore the full backup first, and then restore all subsequent incremental backups in any order. To overwrite the existing server database files with the full restore, use -f. Do not start the server until all backups are restored.
When you start the CA server, you initiate database recovery. If the CA server starts successfully (as recorded in the application event log), the restore and recovery completed successfully. If the server fails to start after you run -restore, you receive an error code. For more information when -restore fails, you can also view the RESTOREINPROGRESS registry key.
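The full-then-incremental backup rotation described in the -backupdb notes and the matching restore order from the -restoredb notes, as an added PowerShell example that is not part of the original page. The config string CA01\ContosoRootCA, the root F:\CABackup and the directory names are placeholders; each backup goes into its own directory tree, as the page requires.

```powershell
# Added example, not from the original page. Placeholders: replace $Config and $Root.
$Config = 'CA01\ContosoRootCA'      # -config string (CAMachineName\CAName)
$Root   = 'F:\CABackup'             # every backup gets a separate directory tree under here

function Backup-CADatabase {
    param([switch]$Incremental)
    # -backupdb requires the CA to be running. A full backup overwrites an existing
    # directory with -f; an incremental one is only valid relative to the most recent
    # full backup, so it must land in its own directory, never in the full one.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    if ($Incremental) {
        $dir = Join-Path $Root "Inc-$stamp"
        certutil -config $Config -backupdb $dir incremental
    } else {
        $dir = Join-Path $Root "Full-$stamp"
        certutil -f -config $Config -backupdb $dir
    }
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed with code $LASTEXITCODE" }
    return $dir
}

function Restore-CADatabase {
    param([string]$FullDir, [string[]]$IncrementalDirs)
    # -restoredb requires the CA service to be stopped; do not start it again
    # until every backup in the chain has been restored.
    net stop certsvc
    # Full backup first, with -f so the existing database files are overwritten.
    certutil -f -config $Config -restoredb $FullDir
    if ($LASTEXITCODE -ne 0) { throw "full restore failed with code $LASTEXITCODE" }
    # Then every incremental taken since that full backup (order is not significant).
    foreach ($d in $IncrementalDirs) {
        certutil -config $Config -restoredb $d
        if ($LASTEXITCODE -ne 0) { throw "incremental restore of $d failed with code $LASTEXITCODE" }
    }
    # Starting the service triggers database recovery; confirm success in the
    # Application event log or check the RESTOREINPROGRESS registry key on failure.
    net start certsvc
}

# Typical rotation: one full backup, then incrementals on later days.
$full = Backup-CADatabase
$inc1 = Backup-CADatabase -Incremental
# Recovery from that chain:
Restore-CADatabase -FullDir $full -IncrementalDirs @($inc1)
```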
certutil -restorekey [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory|PFXFile
- -restorekey
Restores the Certificate Services certificate and private key from the specified BackupDirectory or PKCS #12 PFXFile.
- -f
Overwrites existing files or keys.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- -p Password
Specifies a password.
- BackupDirectory
Specifies the backup location of the PKCS #12 PFX file.
- PFXFile
Specifies the PKCS #12 PFX file.
- -?
Displays a list of certutil commands.
You must specify CAMachineName\CAName in -config. Otherwise, the Select Certificate Authority dialog box appears and lists all available CAs.
If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.
With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.
certutil -schema [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [{ext | attrib | crl}]
- -schema
Dumps the CA database schema.
- -f
Overwrites existing files or keys.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- ext
Displays the schema for the Ext table.
- attrib
Displays the schema for the Attrib table.
- crl
Displays the schema for the certificate revocation list (CRL).
- -?
Displays a list of certutil commands.
You must specify CAMachineName\CAName in -config. Otherwise, the Select Certificate Authority dialog box appears and lists all available CAs.
If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.
To view the CA database schema, type:
certutil -schema
Format | Meaning
---|---
Italic | Information that the user must supply
Bold | Elements that the user must type exactly as shown
Ellipsis (...) | Parameter that can be repeated several times in a command line
Between brackets ([]) | Optional items
Between braces ({}); choices separated by pipe (|). Example: {even|odd} | Set of choices from which the user must choose only one
 | Code or program output