CERTUTIL certificates
Description
Certutil tasks for managing certificates.
Syntax
CERTUTIL [-verify] [/?]

To validate that the certificate was issued by a specific CA:
CERTUTIL -verify [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-split] [-v] certificate_file [signature_file]

To verify the validity of a certificate:
CERTUTIL -isvalid [-gmt] [-seconds] [-v] [-config machine\user] {serial_number | certificate_hash}

To install the CA certificate:
CERTUTIL -installcert [-f] [-gmt] [-seconds] [-v] [-config machine\user] [certificate_file2]

To request a renewal CA certificate:
CERTUTIL -renewcert [-f] [-gmt] [-seconds] [-v] [-config machine\user] [reusekeys] request_file

To delete keys from the HKEY_LOCAL_MACHINE root store:
CERTUTIL -delkey [-user] [-gmt] [-seconds] [-silent] [-v] key_container_name [csp_name]

To add Netscape-compatible Web-based revocation check extensions to every issued certificate:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] policy\revocation_type {+ | -} REVEXT_ASPENABLE

To retrieve the CA signing certificate and save it to a file:
CERTUTIL -ca.cert [-f] [-gmt] [-seconds] [-split] [-v] [-config machine\user] certificate_output_file [index]

To retrieve the CA signing certificate and chain and save it to a PKCS #7 file:
CERTUTIL -ca.chain [-f] [-gmt] [-seconds] [-split] [-v] [-config machine\user] certificate_chain_output_file [index]

To import a certificate into the server database:
CERTUTIL -importcert [-f] [-gmt] [-seconds] [-v] [-config machine\user] certificate_file

To display the certificates in the Local Machine certificate store:
CERTUTIL -store [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-v] [-dc dc_name] certificate_store_name [certificate_id [output_file]]

To add a certificate or CRL to a local trusted root CA store:
CERTUTIL -addstore [-f] [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc dc_name] root input_file

To view/delete certificate stores:
CERTUTIL [{-viewstore | -viewdelstore}] [-f] [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc dc_name] certificate_type [certificate_index]

To verify all certificates in a store:
CERTUTIL -verifystore [-enterprise] [-user] [-gmt] [-seconds] [-split] [-v] [-dc dc_name] certificate_store_name [certificate_id]

To delete a certificate from the HKEY_LOCAL_MACHINE root store:
CERTUTIL -delstore [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc dc_name] root [certificate_index]

To delete a certificate from the HKEY_CURRENT_USER root store:
CERTUTIL -delstore [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc dc_name] root [-user] [certificate_index]
Parameters
- certificate_chain_output_file (NT2003): Writes the CA signing certificate to the PKCS #7 file.
- certificate_file (NT2003): Specifies the certificate. Must contain a single certificate, not a PKCS #7 certification chain.
- certificate_file2 (NT2003): Specifies the CA signature certificate that contains the public key used to verify digital signatures. A PKCS #7 certification chain is the preferred content. However, an X.509 v3 certificate is accepted if all of the certificates that will be used to form the chain are already installed on the local computer.
- certificate_hash (NT2003): Specifies the certificate.
- certificate_id (NT2003): Specifies a certificate or certificate revocation list (CRL). Can be a serial number, a Secure Hash Algorithm (SHA-1) certificate, CRL, certificate trust list (CTL), or public key hash, a numeric certificate index, a numeric CRL index, a numeric CTL index, a certificate subject common name or a CRL issuer common name. Many of these might result in multiple matches.
- certificate_index (NT2003): Specifies a certificate or certificate revocation list (CRL) match token. To determine the certificate hash value, which is the value following Cert Hash(sha1): in the certificate, do one of:
  - Dump a certificate store that contains the old certificate: CERTUTIL -store [-user] root
  - Save the old certificate to a file and dump the file: CERTUTIL file.cer
- certificate_store_name (NT2003): Specifies one of:
  - ca: certificates in the Intermediate Certification Authorities store
  - my: certificates issued to the current user
  - root: certificates in the Trusted Root Certification Authorities store
  - spc: software publisher certificates
  - user_created_store: the name of a user-created certificate store
- certificate_type (NT2003): Specifies one of:
  - ca: displays certificates in the Intermediate Certification Authorities store
  - my: displays certificates issued to the local computer
  - root: displays certificates in the Trusted Root Certification Authorities store
  - spc: displays software publisher certificates
- certificate_output_file (NT2003): Specifies the CA file to which you want to write.
- csp_name (NT2003): Specifies the cryptographic service provider (CSP).
- index (NT2003): Specifies the CA certificate that you want to retrieve. The default is the most current CA.
- input_file (NT2003): Specifies the file name of the certificate or certificate revocation list (CRL).
- key_container_name (NT2003): Specifies the container name of the key.
- + | - (NT2003): Sets (+) or resets (-) the flag.
- output_file (NT2003): Specifies the file to which you want to write the displayed certificate information.
- policy\revocation_type (NT2003): Specifies the policy module and the certificate revocation configuration.
- request_file (NT2003): Specifies the file to which you want to save the renewal request.
- reusekeys (NT2003): Specifies to reuse the existing keys.
- serial_number (NT2003): Specifies the certificate hash of the certificate. Must be in hexadecimal format with an even number of digits. A single zero (0) can be prefaced to a value with an odd number of digits. A leading 0x is not allowed.
- signature_file (NT2003): Specifies the CA signature certificate that contains the public key used to verify digital signatures. Must contain a single certificate, not a PKCS #7 certification chain. If you do not specify it, the certification chain for certificate_file is constructed by using certificates installed on the computer, and all certificates in the chain are verified and checked to see if they have been revoked.
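The two-step procedure above (dump the store with CERTUTIL -store, read the value after Cert Hash(sha1):) is the basis of a routine defensive check: confirming that a machine's Trusted Root store contains only the roots you expect. The following PowerShell is an added example, not code from the original page. It parses a CERTUTIL -store root dump into objects and reports every root whose SHA-1 hash is missing from a baseline list; it assumes the dump has "================ Certificate N ================" block headers and "Subject:" lines, and the sample dump and baseline hash are constructed placeholders.

```powershell
# Added example (not from the original page). Parses the output of
#   certutil -store [-user] root
# and flags roots whose SHA-1 hash is not on an expected baseline. Assumed
# output format: block headers, "Subject:" lines and "Cert Hash(sha1):" lines.

function ConvertFrom-CertutilStore {
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^=+ Certificate (\d+) =+') {
            if ($null -ne $current) { $entries += [pscustomobject]$current }
            $current = [ordered]@{ Index = [int]$Matches[1]; Subject = ''; Sha1 = '' }
        }
        elseif ($null -ne $current -and $line -match '^Subject:\s*(.+)$') {
            $current.Subject = $Matches[1].Trim()
        }
        elseif ($null -ne $current -and $line -match '^Cert Hash\(sha1\):\s*([0-9A-Fa-f ]+)$') {
            # older certutil builds print the hash as space-separated bytes; normalise it
            $current.Sha1 = ($Matches[1] -replace ' ', '').ToLowerInvariant()
        }
    }
    if ($null -ne $current) { $entries += [pscustomobject]$current }
    return ,$entries
}

function Find-UnexpectedRoots {
    param([object[]]$Roots, [string[]]$Baseline)
    $known = @($Baseline | ForEach-Object { ($_ -replace ' ', '').ToLowerInvariant() })
    return @($Roots | Where-Object { $known -notcontains $_.Sha1 })
}

# Constructed sample of a store dump, so the parser can be tried without certutil.
$sampleDump = @(
    'root',
    '================ Certificate 0 ================',
    'Subject: CN=Example Root CA',
    'Cert Hash(sha1): 11 22 33 44 55 66 77 88 99 00 aa bb cc dd ee ff 00 11 22 33',
    '================ Certificate 1 ================',
    'Subject: CN=Unexpected Root',
    'Cert Hash(sha1): ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00 ff ee dd cc'
)
$baseline = @('11223344556677889900aabbccddeeff00112233')   # placeholder baseline

$roots = ConvertFrom-CertutilStore -Lines $sampleDump
# On a live machine use:  $roots = ConvertFrom-CertutilStore -Lines (certutil -store root)
Find-UnexpectedRoots -Roots $roots -Baseline $baseline | Format-Table Index, Subject, Sha1
```

With the constructed sample only "CN=Unexpected Root" is reported; add -user to the certutil call to audit the HKEY_CURRENT_USER root store instead.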
Switches
- /? (NT2003): Display help.
- -addstore (NT2003): Adds a certificate to a certificate store.
- -ca.cert (NT2003): Retrieves the CA signing certificate. The public key contained in this certificate is used to verify digital signatures on certificates issued by the CA.
- -ca.chain (NT2003): Retrieves the CA signing certificate and chain.
- -config machine\user (NT2003): Processes the operation by using the CA specified in the machine/user configuration string. You must specify the machine or user in -config. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available. If you use "-config -", the operation is processed using the default CA.
- -dc dc_name (NT2003): Targets a specific domain controller.
- -delkey (NT2003): Deletes a private key from the host computer. Deletes a User or Machine private key. After it is deleted, any of the following might apply:
  - If it was not previously backed up or archived, the deleted key will be irretrievable.
  - If the deleted key was used for a certificate server signing key, the CA will be disabled and will not be able to issue new CRLs, which will effectively invalidate all of the certificates issued by the CA when the existing CRLs expire. You can replace other signing keys by re-enrolling for a new key and certificate.
  - If the deleted key was used for encrypting e-mail, previously received e-mail might be unreadable, unless you can recover it from a key management system like Key Management Service (KMS).
  - If the deleted key was used for encrypting files, an administrator with the appropriate credentials to create a Key Recovery Agent account might need to intervene and decrypt each file individually for the affected user.
  Use -user to delete keys from the HKEY_CURRENT_USER root store.
- -delstore (NT2003): Deletes a certificate from the specified store. Valid only for deleting certificates and CRLs. You must use -delkey to delete keys.
- -enterprise (NT2003): Uses the local computer's enterprise registry certificate store.
- -f (NT2003): Overwrites existing files or keys.
- -gmt (NT2003): Displays time as Greenwich mean time.
- -importcert (NT2003): Imports a certificate file into the database. You can use this option to make a certificate revocable if it is inadvertently lost from the database, which could be due to restoring a database from an incomplete backup of the database. Note that the server must have issued the certificate.
- -installcert (NT2003): Installs a CA certificate. Also completes subordinate CA certificate installation for a subordinate CA that generated a request, but has not yet received and installed its CA certificate. Also allows installation of a requested renewal CA certificate.
- -isvalid (NT2003): Determines whether the certificate is valid.
- -renewcert (NT2003): Renews the CA certificate. If an online parent CA does not exist or if it does not immediately issue a renewal CA certificate, use the -installcert command to complete the renewal certificate installation when the certificate is available.
- -seconds (NT2003): Displays time with seconds and milliseconds.
- -setreg (NT2003): Sets or edits the registry key value.
- -silent (NT2003): Uses a silent flag to acquire CryptContext.
- -split (NT2003): Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
- -store (NT2003): Displays the certificates in the specified certificate store.
- -user (NT2003): Uses the HKEY_CURRENT_USER keys or certificate store. Use it to display certificate stores for the current user instead of the local computer.
- -v (NT2003): Specifies verbose output.
- -verify (NT2003): Verifies the certificate chain. Also verifies the revocation status of the certificate_file certificate. If certificate_file does not contain information on how to check revocation, or if the necessary URLs or CRLs are not available, an error occurs.
- -verifystore (NT2003): Verifies the certificates in a store. Verifies the associated private keys (that is, if they exist), and verifies each certificate by building a chain from the installed CA and root certificates and verifies all certificates in the chain to make sure they are still valid and have not been revoked.
- -viewdelstore (NT2003): Deletes a certificate from the certificate store. If you do not close the user interface and you use -viewdelstore, you delete the selected certificate from the certificate store.
- -viewstore (NT2003): Views a certificate in the certificate store. By default opens the HKLM "CA" store. You can override this default to display any user or enterprise store by specifying -user or -enterprise.
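Scripting the -verify switch described above, as an added example that is not from the original page: a PowerShell wrapper that runs CERTUTIL -verify on a certificate file, optionally with a signature_file to pin the CA that must have issued it and -user to build the chain from the current-user stores, and turns the outcome into an object a script can act on. It assumes that certutil exits with a non-zero code when the chain or revocation check fails and that failure details appear on output lines beginning with "ERROR:", neither of which the page states; the .\certs folder and issuing-ca.cer file name are placeholders.

```powershell
# Added example (not from the original page): drive "certutil -verify" from a script.
# Assumptions: certutil exits non-zero when verification fails (not stated on the
# page) and reports details on lines starting "ERROR:"; .\certs is a placeholder.

function Test-CertificateChain {
    param(
        [Parameter(Mandatory)][string]$CertificateFile,
        [string]$IssuerFile,      # optional signature_file: the CA cert that must have signed it
        [switch]$CurrentUser      # build the chain from HKEY_CURRENT_USER stores (-user)
    )
    if (-not (Test-Path -LiteralPath $CertificateFile)) {
        throw "certificate file not found: $CertificateFile"
    }
    $cmdArgs = @('-verify')
    if ($CurrentUser) { $cmdArgs += '-user' }
    $cmdArgs += $CertificateFile
    if ($IssuerFile) {
        if (-not (Test-Path -LiteralPath $IssuerFile)) { throw "issuer file not found: $IssuerFile" }
        $cmdArgs += $IssuerFile
    }
    # Merge stderr into the captured text so revocation errors are not lost.
    $output = @(& certutil.exe @cmdArgs 2>&1 | ForEach-Object { "$_" })
    $exit = $LASTEXITCODE
    [pscustomobject]@{
        File     = $CertificateFile
        Issuer   = $IssuerFile
        Verified = ($exit -eq 0)
        ExitCode = $exit
        Errors   = @($output | Where-Object { $_ -match '^\s*ERROR:' })
        Output   = $output
    }
}

# Check every .cer under a folder against one expected issuing CA and list the
# failures. A certificate with no revocation information, or whose CRL cannot be
# fetched, fails here too: the page notes that -verify treats that as an error.
$results = Get-ChildItem -Path '.\certs' -Filter '*.cer' | ForEach-Object {
    Test-CertificateChain -CertificateFile $_.FullName -IssuerFile '.\certs\issuing-ca.cer'
}
$results | Where-Object { -not $_.Verified } |
    Format-Table File, ExitCode, @{ Name = 'FirstError'; Expression = { $_.Errors | Select-Object -First 1 } }
```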
Related
CERTUTIL backup/restore
CERTUTIL configure
CERTUTIL decode/encode
CERTUTIL CRLs
CERTUTIL manage
CERTUTIL archival/recovery
CERTUTIL troubleshooting
Notes
The user interface does not support saving certificates to files. You can run the following to display all certificates, select the one you want, and then save it to a file:
CERTUTIL -viewstore -enterprise NTAuth *.file.cer
The local NTAuth store is the result of the last Group Policy download from the Active Directory NTAuth store. It is the store used by smart card logon, so viewing this store can be useful when troubleshooting smart card logon failures.
Examples
none.
Errorlevels
none.
Availability
External
- DOS: none
- Windows: none
- Windows NT: NT2003
Last Updated: 2003/07/28
Direct corrections or suggestions to:
Rick Lively