
CERTUTIL certificates



Certutil tasks for managing certificates.


Syntax

CERTUTIL [-verify] [/?]

To validate that the certificate was issued by a specific CA:
CERTUTIL -verify [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-split] [-v] certificate_file [signature_file]

To verify the validity of a certificate:
CERTUTIL -isvalid [-gmt] [-seconds] [-v] [-config machine\user] {serial_number | certificate_hash}

To install the CA certificate:
CERTUTIL -installcert [-f] [-gmt] [-seconds] [-v] [-config machine\user] [certificate_file2]

To request a renewal CA certificate:
CERTUTIL -renewcert [-f] [-gmt] [-seconds] [-v] [-config machine\user] [reusekeys] request_file

To delete a private key container from the local machine key store (or, with -user, from the current user's key store):
CERTUTIL -delkey [-user] [-gmt] [-seconds] [-silent] [-v] key_container_name [csp_name]

To add Netscape-compatible Web-based revocation check extensions to every issued certificate:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] policy\revocation_type { + | - } REVEXT_ASPENABLE

To retrieve the CA signing certificate and save it to a file:
CERTUTIL -ca.cert [-f] [-gmt] [-seconds] [-split] [-v] [-config machine\user] certificate_output_file [index]

To retrieve the CA signing certificate and chain and save it to a PKCS #7 file:
CERTUTIL -ca.chain [-f] [-gmt] [-seconds] [-split] [-v] [-config machine\user] certificate_chain_output_file [index]

To import a certificate into the server database:
CERTUTIL -importcert [-f] [-gmt] [-seconds] [-v] [-config machine\user] certificate_file

To display the certificates in the Local Machine certificate store:
CERTUTIL -store [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-v] [-dc dc_name] certificate_store_name [certificate_id [output_file]]

To add a certificate or CRL to a local trusted root CA store:
CERTUTIL -addstore [-f] [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc dc_name] root input_file

To view/delete certificate stores:
CERTUTIL [{-viewstore | -viewdelstore}] [-f] [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc dc_name] certificate_type [certificate_index]

To verify all certificates in a store:
CERTUTIL -verifystore [-enterprise] [-user] [-gmt] [-seconds] [-split] [-v] [-dc dc_name] certificate_store_name [certificate_id]

To delete a certificate from the HKEY_LOCAL_MACHINE root store:
CERTUTIL -delstore [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc dc_name] root [certificate_index]

To delete a certificate from the HKEY_CURRENT_USER root store:
CERTUTIL -delstore -user [-enterprise] [-gmt] [-seconds] [-v] [-dc dc_name] root [certificate_index]
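The two -verify forms above (with and without a signature_file) answer different questions, and certutil reports the outcome through its exit code as well as its text. The following PowerShell script is an added example, not part of the original reference page: it runs both forms against a leaf certificate file and treats any non-zero exit code as a failed check. The file paths, the Invoke-CertUtil helper and the error-code remarks in the comments are assumptions of this example.

```powershell
# Added example, not from the original page: check that a leaf certificate file
# (a) was signed by one specific CA certificate and (b) chains to a trusted root
# on this machine with a successful revocation check.  The two file paths are
# assumptions; point them at your own .cer files.
param(
    [string]$LeafCert   = 'C:\certs\server.cer',      # assumed path
    [string]$IssuerCert = 'C:\certs\issuing-ca.cer'   # assumed path
)

function Invoke-CertUtil {
    # Runs certutil.exe with the given arguments; returns the captured text and
    # whether the process exit code was 0 (certutil returns non-zero on failure).
    param([string[]]$ArgumentList)
    $text = (& certutil.exe @ArgumentList 2>&1 | Out-String)
    [pscustomobject]@{ Ok = ($LASTEXITCODE -eq 0); Text = $text }
}

# Step 1: -verify with a signature_file checks the leaf against that one CA
# certificate's public key, so it answers "did this CA issue it?" even on a
# host that does not trust the CA.
$issued = Invoke-CertUtil -ArgumentList @('-verify', $LeafCert, $IssuerCert)
if ($issued.Ok) {
    "$LeafCert was signed by $IssuerCert"
} else {
    Write-Warning "$LeafCert was NOT signed by $IssuerCert"
    $issued.Text -split "`r?`n" | Where-Object { $_ -match 'FAILED|error|Signature' } | Write-Warning
}

# Step 2: -verify without a signature_file builds the full chain from the
# certificates installed on this computer and checks revocation for each one.
# As the reference text states, an unreachable CRL or missing revocation
# information is reported as an error, not as "unknown", so any non-zero exit
# means the certificate must be treated as untrusted.
$chain = Invoke-CertUtil -ArgumentList @('-verify', $LeafCert)
if ($chain.Ok) {
    "$LeafCert chains to a trusted root and no certificate in the chain is revoked"
} else {
    Write-Warning "Chain or revocation check failed for $LeafCert"
    # Common causes: the chain does not end in a root present in the Root store
    # (CERT_E_UNTRUSTEDROOT, 0x800B0109) or the revocation data could not be
    # retrieved (CRYPT_E_REVOCATION_OFFLINE, 0x80092013).
    $chain.Text -split "`r?`n" | Where-Object { $_ -match 'FAILED|error|revocation|trust' } | Write-Warning
}
```

Run it from an elevated or a normal PowerShell prompt as appropriate; step 2 uses whichever Root and CA stores apply to the account running it, so a certificate that verifies for an administrator may still fail for a service account whose user store lacks the intermediate CA.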


Parameters
certificate_chain_output_file (NT2003)
Specifies the PKCS #7 file to which the CA signing certificate and its certification chain are written.
certificate_file (NT2003)
Specifies the certificate.
Must contain a single certificate, not a PKCS #7 certification chain.
certificate_file2 (NT2003)
Specifies the CA signature certificate that contains the public key used to verify digital signatures.
A PKCS #7 certification chain is the preferred content. However, an X.509 v3 certificate is accepted if all of the certificates that will be used to form the chain are already installed on the local computer.
certificate_hash (NT2003)
Specifies the certificate by its SHA-1 hash (the value shown as Cert Hash(sha1): in a certificate dump).
certificate_id (NT2003)
Specifies a certificate or certificate revocation list (CRL).
Can be a serial number; a Secure Hash Algorithm (SHA-1) hash of a certificate, CRL, certificate trust list (CTL) or public key; a numeric certificate, CRL or CTL index; a certificate subject common name; or a CRL issuer common name. Several of these forms (common names in particular) can match more than one entry.
certificate_index (NT2003)
Specifies a match token that identifies the certificate or certificate revocation list (CRL) to operate on; the same forms as certificate_id are accepted.
To determine the certificate hash value, which is the value following Cert Hash(sha1): in the certificate dump, do one of the following:
  1. Dump a certificate store that contains the old certificate by: CERTUTIL -store [-user] root
  2. Save the old certificate to a file and dump the file: CERTUTIL file.cer
certificate_store_name (NT2003)
Specifies the name of the certificate store to operate on, for example root, CA or NTAuth (the stores used elsewhere on this page), or My for the personal store.
certificate_type (NT2003)
Specifies the name of the certificate store to view, for example CA (the default for -viewstore), root or NTAuth.
certificate_output_file (NT2003)
Specifies the file to which the retrieved CA certificate is written.
csp_name (NT2003)
Specifies the cryptographic service provider (CSP).
index (NT2003)
Specifies the CA certificate that you want to retrieve. The default is the most current CA.
input_file (NT2003)
Specifies the file name of the certificate or certificate revocation list (CRL).
key_container_name (NT2003)
Specifies the container name of the key.
+ | - (NT2003)
Sets (+) or resets (-) the flag.
output_file (NT2003)
Specifies the file to which you want to write the displayed certificate information.
policy\revocation_type (NT2003)
Specifies the policy module and the certificate revocation configuration.
request_file (NT2003)
Specifies the file to which you want to save the renewal request.
reusekeys (NT2003)
Specifies to reuse the existing keys.
serial_number (NT2003)
Specifies the serial number of the certificate.
Must be in hexadecimal format with an even number of digits. A single zero (0) can be prefaced to a value with an odd number of digits. A leading 0x is not allowed.
signature_file (NT2003)
Specifies the CA signature certificate that contains the public key used to verify digital signatures.
Must contain a single certificate, not a PKCS #7 certification chain.
If you do not specify, the certification chain for certificate_file is constructed by using certificates installed on the computer, and all certificates in the chain are verified and checked to see if they have been revoked.

Switches
/? (NT2003)
Display help.
-addstore (NT2003)
Adds a certificate to a certificate store.
-ca.cert (NT2003)
Retrieves the CA signing certificate.
The public key contained in this certificate is used to verify digital signatures on certificates issued by the CA.
-ca.chain (NT2003)
Retrieves the CA signing certificate and chain.
-config machine\user (NT2003)
Processes the operation by using the CA named in the configuration string, which is the CA's computer name, a backslash and the CA's common name.
If -config is omitted, the Select Certificate Authority dialog box appears and lists all CAs that are available.
If you use "-config -", the operation is processed using the default CA.
-dc dc_name (NT2003)
Targets a specific domain controller.
-delkey (NT2003)
Deletes a private key from the host computer.
Deletes a User or Machine private key. After it is deleted, any of the following might apply:
  1. If it was not previously backed up or archived, the deleted key is irretrievable.
  2. If the deleted key was the certificate server's signing key, the CA is disabled and can no longer issue new CRLs, which effectively invalidates all certificates issued by that CA once the existing CRLs expire. Other signing keys can be replaced by re-enrolling for a new key and certificate.
  3. If the deleted key was used for encrypting e-mail, previously received e-mail might be unreadable unless the key can be recovered from a key management system such as Key Management Service (KMS).
  4. If the deleted key was used for encrypting files, an administrator with the credentials to act as a Key Recovery Agent might have to intervene and decrypt each file individually for the affected user.
  5. By default the key is deleted from the local machine's key store; add -user to delete a key belonging to the current user instead.
-delstore (NT2003)
Deletes a certificate from the specified store.
Valid only for deleting certificates and CRLs. You must use -delkey to delete keys.
-enterprise (NT2003)
Uses the local computer's enterprise registry certificate store.
-f (NT2003)
Overwrites existing files or keys.
-gmt (NT2003)
Displays time as Greenwich mean time.
-importcert (NT2003)
Imports a certificate file into the database.
Use this option to make a certificate revocable again when it has been lost from the database, for example after the database was restored from an incomplete backup. The certificate must have been issued by this server.
-installcert (NT2003)
Installs a CA certificate.
Also completes subordinate CA certificate installation for a subordinate CA that generated a request, but has not yet received and installed its CA certificate.
Also allows installation of a requested renewal CA certificate.
-isvalid (NT2003)
Determines whether the certificate is valid.
-renewcert (NT2003)
Renews the CA certificate.
If an online parent CA does not exist or if it does not immediately issue a renewal CA certificate, use the -installcert command to complete the renewal certificate installation when the certificate is available.
-seconds (NT2003)
Displays time with seconds and milliseconds.
-setreg (NT2003)
Sets or edits the registry key value.
-silent (NT2003)
Acquires the cryptographic context with the silent flag set, so the cryptographic service provider shows no user interface (such as a PIN or password prompt); an operation that would need one fails instead.
-split (NT2003)
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
-store (NT2003)
Displays the certificates in the specified certificate store.
-user (NT2003)
Uses the HKEY_CURRENT_USER keys or certificate store.
Use to display certificate stores for the current user instead of the local computer.
-v (NT2003)
Specifies verbose output.
-verify (NT2003)
Verifies the certificate chain.
Also verifies the revocation status of the certificate_file certificate. If certificate_file does not contain information on how to check revocation or if the necessary URLs or CRLs are not available, an error occurs.
-verifystore (NT2003)
Verifies the certificates in a store.
For each certificate, verifies the associated private key if one exists, builds a chain from the installed CA and root certificates, and checks every certificate in that chain to make sure it is still valid and has not been revoked.
-viewdelstore (NT2003)
Deletes a certificate from the certificate store.
Opens the same certificate selection user interface as -viewstore; the certificate you select and confirm is deleted from the store. Close the user interface without selecting a certificate to leave the store unchanged.
-viewstore (NT2003)
Views a certificate in the certificate store.
By default opens the HKLM "CA" store. You can override this default to display any user or enterprise store by specifying -user or -enterprise.

Related

CERTUTIL backup/restore
CERTUTIL configure
CERTUTIL decode/encode
CERTUTIL CRLs
CERTUTIL manage
CERTUTIL archival/recovery
CERTUTIL troubleshooting


Notes

The user interface does not support saving certificates to files. You can run the following to display all certificates, select the one you want, and then save it to a file:

    CERTUTIL -viewstore -enterprise NTAuth *.file.cer

The local NTAuth store is the result of the last Group Policy download from the Active Directory NTAuth store. It is the store used by smart card logon, so viewing this store can be useful when troubleshooting smart card logon failures.


Examples

none.
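The following PowerShell script is an added example and is not part of the original reference page. It applies the procedure given under certificate_index above (dump a store with CERTUTIL -store [-user] root and read the Cert Hash(sha1): values) to an audit: every certificate in the local machine Root store and in the current user's Root store is compared against an allowlist of SHA-1 hashes, and anything unknown is reported together with the page's own removal command (CERTUTIL -delstore [-user] root certificate_index). The current-user store is included because, unlike the machine store, modifying it does not require administrative rights, which makes it a common place for an unwanted root to appear. The allowlist hash is a constructed placeholder, and the function names are assumptions of this example.

```powershell
# Added example, not from the original page: audit the HKEY_LOCAL_MACHINE and
# HKEY_CURRENT_USER Root stores for certificates that are not on a known-good
# list, by parsing the same "certutil -store root" dump the reference text uses
# to find a certificate's SHA-1 hash.  The allowlist entry is a constructed
# placeholder, not a real root thumbprint; replace it with your baseline.
$Allowed = @(
    'a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436'   # constructed placeholder
) | ForEach-Object { $_.ToLower() }

function Get-DumpField {
    # Returns the value of a "<Label> value" line inside one certificate block
    # of a certutil dump, or '' if the line is absent.  $Label is a regex.
    param([string]$Block, [string]$Label)
    if ($Block -match "(?m)^\s*$Label\s*(.*?)\s*$") { return $matches[1] }
    return ''
}

function Get-CertutilStoreEntries {
    # Runs "certutil -store [-user] <store>" and returns one object per
    # certificate with its index, subject, issuer, NotAfter and SHA-1 hash.
    param([Parameter(Mandatory)][string]$StoreName, [switch]$User)

    $cuArgs = @('-store')
    if ($User) { $cuArgs += '-user' }
    $cuArgs += $StoreName
    $dump = (& certutil.exe @cuArgs 2>&1 | Out-String)
    if ($LASTEXITCODE -ne 0) { throw "certutil -store $StoreName failed:`n$dump" }
    $storeLabel = if ($User) { "HKCU\$StoreName" } else { "HKLM\$StoreName" }

    # Each certificate block in the dump begins with a line like
    # "================ Certificate 3 ================".  Splitting on that
    # header with a capture group yields: preamble, index, block, index, block...
    $parts = [regex]::Split($dump, '={5,}\s*Certificate\s+(\d+)\s*={5,}')
    for ($i = 1; $i -lt $parts.Count; $i += 2) {
        $block = $parts[$i + 1]
        # Older builds print the hash as space-separated byte pairs, newer ones
        # without spaces; normalise to lowercase hex with no whitespace.
        $sha1 = (Get-DumpField -Block $block -Label 'Cert Hash\(sha1\):') -replace '\s', ''
        [pscustomobject]@{
            Store    = $storeLabel
            Index    = [int]$parts[$i]
            Subject  = Get-DumpField -Block $block -Label 'Subject:'
            Issuer   = Get-DumpField -Block $block -Label 'Issuer:'
            NotAfter = Get-DumpField -Block $block -Label 'NotAfter:'
            Sha1     = $sha1.ToLower()
        }
    }
}

$entries = @(Get-CertutilStoreEntries -StoreName root) +
           @(Get-CertutilStoreEntries -StoreName root -User)

$unexpected = @($entries | Where-Object { $_.Sha1 -and ($Allowed -notcontains $_.Sha1) })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} root certificate(s) are not on the allowlist:" -f $unexpected.Count)
    $unexpected | Format-Table Store, Index, Sha1, NotAfter, Subject -AutoSize
    # Review each entry before acting.  The page's removal command is
    #   certutil -delstore [-user] root <sha1-hash>
    # which is deliberately not run here.
} else {
    "All {0} root certificates match the allowlist" -f $entries.Count
}
```

The script only reports; removing a root that a legitimate application depends on breaks that application, so the `-delstore` step is left to the operator. For a fleet, populate `$Allowed` from a known-clean reference machine's dump and run the script on a schedule, alerting on any non-empty result.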


Errorlevels

none.


Availability
External
DOS: none
Windows: none
Windows NT: NT2003

Last Updated: 2003/07/28
Direct corrections or suggestions to: Rick Lively