CERTUTIL configure
Certutil tasks for configuring a Certification Authority (CA).
Syntax
CERTUTIL [-capropinfo] [/?]
To display CA property type information:
To display the configuration string for a CA:
CERTUTIL {-capropinfo | -getconfig} [-gmt] [-seconds] [-v] [-config machine\user]
To create or delete the standard set of virtual roots and file shares for the Certificate Services Web server:
CERTUTIL -vroot [-gmt] [-seconds] [-v] [-delete]
To display CA information:
CERTUTIL -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config machine\user] [info_name]
To change the length of the validity period for certificates issued from a CA:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\name | \ca}]\ValidityPeriod time_value
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\name | \ca}]\ValidityPeriodUnits unit_value
To force a CA to include expired certificates in future base and delta CRLs:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] ca\ca_value_name +CRLF_PUBLISH_EXPIRED_CERT_CRLS
To configure a CA to issue certificates beyond the default two-year limit:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] ca\ValidityPeriod "years"
CERTUTIL -setreg ca\ValidityPeriodUnits "2"
To increase the session limit on the CA database:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] dbsessioncount value
To disable or restore the enforcement of the distinguished name length on the CA:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] ca\ENFORCEX500NAMELENGTHS value
To add extensions to a certificate that will be issued by the CA:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] policy\enablerequestextensionlist extension_value extension_oid
Parameters
- \ca (NT2003)
  - Specifies the default CA on the local computer.
- ca\ (NT2003)
  - Specifies the CA registry key.
- ca_value_name (NT2003)
  - Specifies the registry value name.
- +CRLF_PUBLISH_EXPIRED_CERT_CRLS (NT2003)
  - Specifies the new numeric or string registry value.
  - If a numeric registry value starts with a plus sign (+) or a dash (-), the bits specified in the new value are set or cleared in the existing registry value.
  - If a string registry value starts with a plus sign (+) or a dash (-) and the existing value is a REG_MULTI_SZ value, the string value is either added to or removed from the existing registry value.
- dbsessioncount value (NT2003)
  - Specifies the new session limit (value).
- ENFORCEX500NAMELENGTHS value (NT2003)
  - Specifies the path to the ENFORCEX500NAMELENGTHS registry value (a REG_DWORD):
    - 0 disables the default registry value
    - 1 restores the default registry value
- extension_oid (NT2003)
  - Specifies the object identifier of the extension.
- extension_value (NT2003)
  - Selects the action on the policy module's list of enabled request extensions:
    - 0 adds the extension
    - 1 removes the extension
- info_name (NT2003)
  - Specifies the CA information that you want to display. Use one of:
    - ads: Displays Advanced Server
    - cert [Index]: Displays a CA certificate
    - certchain [Index]: Displays a CA certificate chain
    - certcount: Displays the CA certificate count
    - certcrlchain [Index]: Displays a CA certificate chain with CRLs
    - certstate [Index]: Displays CA certificate status (0 = NOT renewed)
    - certstatuscode [Index]: Displays CA certificate verification status
    - crl [Index]: Displays a base CRL
    - crlstate [Index]: Displays a certificate revocation list (CRL)
    - crlstatus [Index]: Displays CRL publish status
    - cross- [Index]: Backward cross-certification
    - cross+ [Index]: Forward cross-certification
    - crossstate- [Index]: Backward cross-certification state
    - crossstate+ [Index]: Forward cross-certification state
    - deltacrl [Index]: Displays a delta CRL
    - deltacrlstatus [Index]: Displays delta CRL publish status
    - dns: Displays the DNS name
    - error1 ErrorCode: Displays the error code message in the local language. For ErrorCode, specify the error code that you want to retrieve
    - error2 ErrorCode: Displays the error code message and the error code in the local language. For ErrorCode, specify the error code that you want to retrieve
    - exit [Index]: Displays the exit module description
    - exitcount: Displays the exit module count
    - file: Displays information about the file version
    - info: Displays the CA info
    - kra [Index]: Displays a KRA certificate
    - kracount: Displays the number of key recovery agent (KRA) certificates
    - krastate [Index]: Displays the state of a KRA certificate
    - kraused: Displays the number of KRA certificates that are being used
    - name: Displays the CA name
    - parent: Displays the parent CA
    - policy: Displays the policy module description
    - product: Displays the product version
    - propidmax: Displays the maximum CA PropID
    - role: Displays role separation
    - sanitizedname: Displays the sanitized CA name
    - sharedfolder: Displays the shared folder
    - templates: Displays the templates
    - type: Displays the CA type
    - xchg [Index]: Displays a CA exchange certificate
    - xchgchain [Index]: Displays a CA exchange certificate chain
    - xchgcount: Displays the CA exchange certificate count
    - xchgcrlchain [Index]: Displays a CA exchange certificate chain with CRLs
- ErrorCode
  - Specifies the error code retrieved from the error message.
- Index
  - Identifies a unique element from the info_name list.
- HKLM\system\currentcontrolset\services\certsvc\configuration (NT2003)
  - Specifies the path to the \ValidityPeriod and \ValidityPeriodUnits registry keys.
- \name (NT2003)
  - Specifies the name of the CA.
- \ValidityPeriod time_value (NT2003)
  - Sets the period of time that you want the certificate to be valid, expressed in one of:
    - "days"
    - "weeks"
    - "months"
    - "years"
- \ValidityPeriodUnits unit_value (NT2003)
  - Specifies the numeric count of \ValidityPeriod units.
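As an added example (not code from the original page or from Microsoft), the following Python models the plus/minus rule given for the +CRLF_PUBLISH_EXPIRED_CERT_CRLS parameter, so the effect of a -setreg value on an existing REG_DWORD or REG_MULTI_SZ value can be reasoned about before it is applied to a CA; the FLAG_BITS table, its bit values and the function names are assumptions made for the illustration, not Windows' definitions.

```python
# Added example, not part of the original page: a model of how certutil -setreg
# interprets a new value that starts with "+" or "-". Nothing here touches the
# registry; the existing values passed in are constructed for the demonstration.

# Constructed name-to-bit mapping. The real CRLF_* bit positions are not given
# on this page, so these values are placeholders, not Windows' definitions.
FLAG_BITS = {
    "CRLF_PUBLISH_EXPIRED_CERT_CRLS": 0x1,
    "CRLF_HYPOTHETICAL_FLAG": 0x2,
}


def apply_setreg(existing, new_value):
    """Return the value a -setreg call would leave in the registry.

    existing: int (REG_DWORD), list of str (REG_MULTI_SZ) or str (REG_SZ).
    new_value: the value as typed, e.g. "+CRLF_PUBLISH_EXPIRED_CERT_CRLS".
    """
    prefix = new_value[:1] if new_value[:1] in ("+", "-") else ""
    body = new_value[len(prefix):]

    if isinstance(existing, int):
        # Numeric value: a symbolic flag name or a number (decimal or 0x hex).
        bits = FLAG_BITS.get(body)
        if bits is None:
            bits = int(body, 0)
        if prefix == "+":
            return existing | bits        # set the named bits
        if prefix == "-":
            return existing & ~bits       # clear the named bits
        return bits                       # no prefix: replace the whole value

    if isinstance(existing, list):
        # REG_MULTI_SZ: + adds the string (once), - removes every copy of it.
        if prefix == "+":
            return existing if body in existing else existing + [body]
        if prefix == "-":
            return [s for s in existing if s != body]
        return [body]                     # no prefix: assumed to replace the list

    # Plain REG_SZ (for example ValidityPeriod "years"): stored as typed.
    return new_value


def set_flags(value):
    """Names of the known flags set in a numeric value; leftover bits in hex."""
    names = [name for name, bit in FLAG_BITS.items() if value & bit]
    rest = value & ~sum(FLAG_BITS.values())
    return names + ([hex(rest)] if rest else [])
```

Applying "+FLAG" a second time leaves the value unchanged, which is why the page's flag-setting form is safe to re-run, while a value without a prefix overwrites every bit that was set before.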
Switches
- /? (NT2003)
  - Displays help.
- -cainfo (NT2003)
  - Displays CA information.
- -capropinfo (NT2003)
  - Displays CA property type information.
- -config machine\user (NT2003)
  - Processes the operation by using the CA specified in the machine\user configuration string.
  - You must specify the machine or user in -config. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
  - If you use "-config -", the operation is processed using the default CA.
- -delete (NT2003)
  - Deletes the virtual roots for the Certificate Services Web server.
- -f (NT2003)
  - Overwrites existing files or keys.
- -getconfig (NT2003)
  - Retrieves the default configuration string.
- -gmt (NT2003)
  - Displays time as Greenwich Mean Time.
- -seconds (NT2003)
  - Displays time with seconds and milliseconds.
- -setreg (NT2003)
  - Sets or edits the registry key value.
- -split (NT2003)
  - Splits the embedded Abstract Syntax Notation One (ASN.1) elements and saves them to files.
- -v (NT2003)
  - Specifies verbose output.
- -user (NT2003)
  - Uses the HKEY_CURRENT_USER keys or certificate store.
- -vroot (NT2003)
  - Creates the virtual roots for the Certificate Services Web server.
Related
CERTUTIL configure
CERTUTIL decode/encode
CERTUTIL certificates
CERTUTIL CRLs
CERTUTIL manage
CERTUTIL archival/recovery
CERTUTIL troubleshooting
Notes
none.
Examples
none.
Errorlevels
none.
Availability
- External
- DOS: none
- Windows: none
- Windows NT: NT2003
Last Updated: 2003/07/28
Direct corrections or suggestions to:
Rick Lively