
CERTUTIL configure



Certutil tasks for configuring a Certification Authority (CA).


Syntax

CERTUTIL [-capropinfo] [/?]

To display CA property type information, or to display the configuration string for a CA:
CERTUTIL {-capropinfo | -getconfig} [-gmt] [-seconds] [-v] [-config machine\user]

To create or delete the standard set of virtual roots and file shares for the Certificate Services Web server:
CERTUTIL -vroot [-gmt] [-seconds] [-v] [-delete]

To display CA information:
CERTUTIL -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config machine\user] [info_name]

To change the length of the validity period for certificates issued from a CA:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\name | \ca}] \ValidityPeriod time_value

CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\name | \ca}] \ValidityPeriodUnits unit_value

To force a CA to include expired certificates in future base and delta CRLs:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] ca\ca_value_name +CRLF_PUBLISH_EXPIRED_CERT_CRLS

To configure a CA to issue certificates beyond the default two year limit:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] ca\ValidityPeriod "years"

CERTUTIL -setreg ca\ValidityPeriodUnits "2"

To increase the session limit on the CA database:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] dbsessioncount value

To disable or restore the enforcement of the distinguished name length on the CA:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] ca\ENFORCEX500NAMELENGTHS value

To add extensions to a certificate that will be issued by the CA:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] policy\enablerequestextensionlist extension_value extension_oid


Parameters
\ca (NT2003)
Specifies the default CA on the local computer.
ca\ (NT2003)
Specifies the CA registry key.
ca_value_name (NT2003)
Specifies the registry value name.
+CRLF_PUBLISH_EXPIRED_CERT_CRLS (NT2003)
Specifies the new numeric or string registry value.
If a numeric registry value starts with a plus sign (+) or a dash (-), the bits specified in the new value are set or cleared in the existing registry value.
If a string registry value starts with a plus sign (+) or a dash (-) and the existing value is a REG_MULTI_SZ value, the string value is either added to or removed from the existing registry value.
dbsessioncount value (NT2003)
Specifies the new session limit of value.
ENFORCEX500NAMELENGTHS value (NT2003)
Specifies the path to the REG_DWORD\ENFORCEX500NAMELENGTHS registry value.
extension_oid (NT2003)
Specifies the object identifier of the extension.
extension_value (NT2003)
List of request extensions that enable policy module:
info_name (NT2003)
Specifies the CA information that you want to display. Use one of:
ErrorCode
Specifies the error code retrieved from the error message.
Index
Identifies a unique element from the InfoName table.
HKLM\system\currentcontrolset\services\certsvc\configuration (NT2003)
Specifies the path to the \ValidityPeriod and \ValidityPeriodUnits registry keys.
\name (NT2003)
Specifies the name of the CA.
\ValidityPeriod time_value (NT2003)
Sets the period of time that you want the certificate to be valid:
\ValidityPeriodUnits unit_value (NT2003)
\ValidityPeriod numeric value.

Switches
/? (NT2003)
Display help.
-cainfo (NT2003)
Displays CA information.
-capropinfo (NT2003)
Displays CA property type information.
-config machine\user (NT2003)
Processes the operation by using the CA specified in the machine/user configuration string.
You must specify the machine or user in -config. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
If you use "-config -", the operation is processed using the default CA.
-delete (NT2003)
Deletes the virtual roots for the Certificate Services Web server.
-f (NT2003)
Overwrites existing files or keys.
-getconfig (NT2003)
Retrieves the default configuration string.
-gmt (NT2003)
Displays time as Greenwich Mean Time.
-seconds (NT2003)
Displays time with seconds and milliseconds.
-setreg (NT2003)
Sets or edits the registry key value.
-split (NT2003)
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
-v (NT2003)
Specifies verbose output.
-user (NT2003)
Uses the HKEY_CURRENT_USER keys or certificate store.
-vroot (NT2003)
Creates the virtual roots for the Certificate Services Web server.

Related

CERTUTIL configure
CERTUTIL decode/encode
CERTUTIL certificates
CERTUTIL CRLs
CERTUTIL manage
CERTUTIL archival/recovery
CERTUTIL troubleshooting


Notes

none.


Examples

none.
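
Added example, not from the original page: a PowerShell change record for the -setreg forms under Syntax. It snapshots the registry values those commands modify, applies the ValidityPeriod change with the values shown there, restarts the service and lists what changed. The `Active` value name, the `CertSvc` service name and the output file name are assumptions not found on this page.

```powershell
# Added example, not from the original page. Run elevated on the CA host.
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaRegSnapshot {
    # Assumption: the 'Active' value names the local CA's subkey (the ca\ prefix).
    $cfg   = Get-ItemProperty -LiteralPath $ConfigKey
    $ca    = Get-ItemProperty -LiteralPath "$ConfigKey\$($cfg.Active)"
    $flags = if ($null -ne $ca.CRLFlags) { '0x{0:X}' -f $ca.CRLFlags }
    [ordered]@{
        CA                     = $cfg.Active
        DBSessionCount         = $cfg.DBSessionCount
        ValidityPeriod         = $ca.ValidityPeriod
        ValidityPeriodUnits    = $ca.ValidityPeriodUnits
        CRLFlags               = $flags
        EnforceX500NameLengths = $ca.EnforceX500NameLengths
    }
}

function Compare-CaRegSnapshot {
    param($Before, $After)
    # Emit one row per setting whose value differs between the two snapshots.
    foreach ($name in $Before.Keys) {
        if ("$($Before[$name])" -ne "$($After[$name])") {
            [pscustomobject]@{
                Setting = $name
                Before  = $Before[$name]
                After   = $After[$name]
            }
        }
    }
}

# 1. Record the current state for the change record (file name is hypothetical).
$before = Get-CaRegSnapshot
$before | ConvertTo-Json | Set-Content -Path '.\ca-config-before.json'

# 2. Apply the ValidityPeriod change with the values shown under Syntax.
certutil -setreg ca\ValidityPeriod "years"
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg ValidityPeriod failed" }
certutil -setreg ca\ValidityPeriodUnits "2"
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg ValidityPeriodUnits failed" }

# 3. Restart the service so the CA picks up the new values, then diff.
Restart-Service -Name CertSvc
Compare-CaRegSnapshot -Before $before -After (Get-CaRegSnapshot) |
    Format-Table -AutoSize
```

An empty result means the registry already held the values that were set.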


Errorlevels

none.


Availability
External
DOS: none
Windows: none
Windows NT: NT2003

Last Updated: 2003/07/28
Direct corrections or suggestions to: Rick Lively