CERTUTIL manage
Certutil tasks for managing a Certification Authority (CA).
Syntax
CERTUTIL [-dump] [/?]

To display the information stored in public key related files:
CERTUTIL -dump [-f] [-gmt] [-seconds] [-split] [-v] [-p password] [configuration_file]

To restrict which rows from the CA schema are displayed when viewing CA database information:
CERTUTIL -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config machine\user] [-restrict restriction_list] [-out column_list] [request_id]

To view a list of templates supported by the local CA:
CERTUTIL -catemplates [-user] [-ut] [-mt] [-gmt] [-seconds] [-v] [-config machine\user] [-dc dc_name] [template]

To display a list of tagged database files and database directories:
CERTUTIL -databaselocations [-gmt] [-seconds] [-v] [-config machine\user]

To deny a certificate request:
CERTUTIL -deny [-gmt] [-seconds] [-v] [-config machine\user] [request_id]

To publish a certificate or CRL to Active Directory:
CERTUTIL -dsPublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc dc_name] certificate_file certificate_store
CERTUTIL -dsPublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc dc_name] crl_file [DSCDP_container [DSCDP_object]]

To display a list of dynamic files that must be backed up separately:
CERTUTIL -dynamicfilelist [-gmt] [-seconds] [-v] [-config machine\user]

To delete unwanted requests from the CA database:
CERTUTIL -deleterow [-f] [-gmt] [-seconds] [-v] [-config machine\user] {row_id | date} table

To add a display name that appears in the local language to a certificate template:
CERTUTIL -oid [-f] [-gmt] [-seconds] [-v] "template_oid" local_friendly_name [language_id]

To revoke the certificate by serial number:
CERTUTIL -revoke [-gmt] [-seconds] [-v] [-config machine\user] serial_number [reason]

To set attributes on pending certificate requests:
CERTUTIL -setattributes [-gmt] [-seconds] [-v] request_id attribute_string

To set the extension in the certificate request:
CERTUTIL -setextension [-gmt] [-seconds] [-v] request_id extension_name flags {long_value | date_value | string_value | @in_file}

To resubmit a pending certificate request:
CERTUTIL -resubmit [-gmt] [-seconds] [-v] [-config machine\user] request_id

To shut down the CA server:
CERTUTIL -shutdown [-gmt] [-seconds] [-v] [-config machine\user]

To verify a key set:
CERTUTIL -verifykeys [-gmt] [-silent] [-v] [-config machine\user] [key_container_name] [certificate_file]

To back up the CA certificate and keys:
CERTUTIL -backupkey [-f] [-gmt] [-seconds] [-v] [-config machine\user] [-p password] backup_directory

To restore the CA certificate and keys from a backup directory or a PKCS #12 (.pfx) file:
CERTUTIL -restorekey [-f] [-gmt] [-seconds] [-v] [-config machine\user] [-p password] {backup_directory | PFX_file}
Parameters
- attribute_string
(NT2003)
- Specifies the request attribute string to be set
on the request identified by request_id.
- Use \n to separate multiple values in a string.
- Attributes are name and value pairs. Separate a name from
its value with a colon; separate multiple name and value
pairs by placing each on a new line.
- backup_directory
(NT2003)
- Specifies the backup directory.
- Use -f to overwrite existing files in backup_directory.
- certificate_file
(NT2003)
- Specifies the certificate.
- Specifies the CA signature certificate that
contains the public key used to verify digital signatures.
- certificate_store
(NT2003)
- Specifies the store that the certificate will be published to:
- crossca cross-certified CA store
- kra key recovery agent store
- machine computer store
- ntauthca NTAuth store
- rootca root CA store
- subca subordinate CA store
- user user store
- configuration_file
(NT2003)
- Specifies the file name of the configuration file
that you want to display.
- crl_file
(NT2003)
- Specifies the certificate revocation list.
- date
(NT2003)
- Specifies a date restriction on which to query.
- Use the mm/dd/yyyy 00:00 format, where 00:00 is a
12-hour clock time that must be followed by AM or PM.
- If you specify date without a time of day, certutil deletes
all of the requests issued before the specified date, but
not the requests issued on the specified date.
- Deleting rows by date does not delete the CA certificate
or the CA certificate chain rows. To delete those rows,
delete by row_id.
- If date is in the future, the command fails with an
invalid parameter error. Use -f to override it.
- date_value
(NT2003)
- ?
- DSCDP_container
(NT2003)
- Specifies the Active Directory Certificate
revocation list Distribution Point (CDP) container
Common Name (CN), usually the CA computer name.
- DSCDP_object
(NT2003)
- Specifies the Active Directory Certificate
revocation list Distribution Point (CDP) object Common
Name (CN), usually based on the sanitized CA short name
and key index.
- extension_name
(NT2003)
- Specifies the ObjectID string of the extension.
- flags
(NT2003)
- Sets the extension:
- @in_file
(NT2003)
- Specifies that the value is read from a file: if the
value starts with the @ symbol, the rest of the token is
the name of a file containing binary data or an ASCII-text
hexadecimal dump.
- key_container_name
(NT2003)
- Specifies the key container name of the key to
verify.
- language_id
(NT2003)
- Sets the locale identifier for the specified object,
so that local_friendly_name appears in that language.
- Decimal representation of a hexadecimal locale
identifier (LCID) value.
- If not specified, the current system default (1033)
is used.
- local_friendly_name
(NT2003)
- Specifies the display name that you want to add
to the certificate template.
- long_value
(NT2003)
- ?
- reason
(NT2003)
- Specifies one of:
- 0 Unspecified (does not provide information about revocation reasons)
- 1 Key compromise
- 2 CA compromise
- 3 Affiliation change
- 4 Superseded
- 5 Cessation of operation
- 6 Hold revocation (CANNOT be revoked)
- 8 Remove from CRL
- -1 Unrevoke
- PFX_file
(NT2003)
- Specifies the PKCS #12 PFX file.
- request_id
(NT2003)
- Specifies the request identifier number.
- Must be in decimal format
(or hexadecimal format with a leading 0x).
- row_id
(NT2003)
- Specifies the request identifier of the row that
you want to delete.
- serial_number
(NT2003)
- Specifies the serial number of the certificate
that you want to revoke.
- Must be in hexadecimal format with an even number
of digits. A single zero (0) can be prefixed to a
value with an odd number of digits.
No leading 0x is allowed.
- string_value
(NT2003)
- ?
- table
(NT2003)
- One of:
- request request table
- cert certificate table
- ext certificate extensions table
- attrib attribute table
- crl certificate revocation list (CRL) table
- template
(NT2003)
- Specifies the template.
- "template_oid"
(NT2003)
- Specifies the object identifier of the certificate
template.
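As an added example (not part of this reference page), a PowerShell wrapper that applies the serial_number and reason rules above before it invokes CERTUTIL -revoke. The CA configuration string and the serial number in the call at the bottom are constructed placeholders.

```powershell
# Added example, not from the original page: wraps CERTUTIL -revoke so that the
# serial_number and reason rules listed above are checked before the CA is touched.
function Invoke-CaRevoke {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $Config,        # machine\CAName for -config
        [Parameter(Mandatory)] [string] $SerialNumber,  # hex, as shown by certutil -view
        [Parameter(Mandatory)] [string] $Reason         # reason name or numeric code
    )

    # Reason codes exactly as listed under "reason" on this page.
    $reasonCodes = @{
        Unspecified = 0; KeyCompromise = 1; CACompromise = 2; AffiliationChange = 3
        Superseded = 4; CessationOfOperation = 5; CertificateHold = 6
        RemoveFromCRL = 8; Unrevoke = -1
    }
    $asInt = $Reason -as [int]
    if ($reasonCodes.ContainsKey($Reason)) { $code = $reasonCodes[$Reason] }
    elseif ($null -ne $asInt -and $reasonCodes.ContainsValue($asInt)) { $code = $asInt }
    else { throw "Unknown revocation reason '$Reason'." }

    # serial_number rules from the Parameters section: hexadecimal digits only,
    # no leading 0x, and an even digit count (a single 0 is prefixed if odd).
    $serial = $SerialNumber.Trim()
    if ($serial -match '^0[xX]') { throw 'serial_number must not carry a 0x prefix.' }
    if ($serial -notmatch '^[0-9A-Fa-f]+$') { throw "'$serial' is not a hexadecimal serial number." }
    if ($serial.Length % 2 -ne 0) { $serial = '0' + $serial }

    $certutilArgs = @('-config', $Config, '-revoke', $serial, $code)
    # -WhatIf prints the operation instead of running it; ConfirmImpact High prompts otherwise.
    if ($PSCmdlet.ShouldProcess("certificate $serial on CA $Config", "certutil -revoke reason $code")) {
        & certutil.exe @certutilArgs
        if ($LASTEXITCODE -ne 0) { throw "certutil.exe returned exit code $LASTEXITCODE." }
    }
}

# Constructed placeholder values; remove -WhatIf to perform the revocation.
Invoke-CaRevoke -Config 'CA01\Contoso Issuing CA' -SerialNumber '1a2b3c5' -Reason KeyCompromise -WhatIf
```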
Switches
- /?
(NT2003)
- Display help.
- -backupkey
(NT2003)
- Backs up the Certificate Services certificate and
private key.
- -catemplates
(NT2003)
- Displays CA templates.
- -config machine\user
(NT2003)
- Processes the operation by using the CA specified
in the machine/user configuration string.
- You must specify the machine or user in -config.
Otherwise, the Select Certificate Authority dialog box
appears and displays a list of all CAs that are available.
- If you use "-config -", the operation is processed
using the default CA.
- -databaselocations
(NT2003)
- Displays database locations.
- The hexadecimal buffer offset and hexadecimal type
tag are displayed on each line.
- -dc dc_name
(NT2003)
- Targets a specific domain controller.
- -deleterow
(NT2003)
- Deletes a row in the CA database.
- You can use this to delete "denial of service"
errors.
- When deleting more than one row with this command,
you must be both a CA Administrator and a Certificate
Manager to complete the task. The CA must not be
configured to enforce role separation in this case.
- -deny
(NT2003)
- Denies the pending certificate request.
- -dsPublish
(NT2003)
- Publishes a new certificate or CRL to the CA object
in Active Directory.
- You must be logged on as a computer administrator
to complete this procedure.
- -dump
(NT2003)
- Dumps configuration information or files.
- -dynamicfilelist
(NT2003)
- Displays dynamic file list.
- Includes the local copy of the certificate
revocation list (CRL) on the server.
- The hexadecimal buffer offset is displayed on
each line.
- -f
(NT2003)
- Overwrites existing files or keys.
- -gmt
(NT2003)
- Displays time as Greenwich mean time.
- -mt
(NT2003)
- Displays the computer templates.
- -oid
(NT2003)
- Defines a display name in a certificate template.
- -out column_list
(NT2003)
- Specifies a comma-separated column list.
- -p password
(NT2003)
- Specifies a password.
- The maximum length allowed for a PFX file password
is 32 characters.
- -restrict restriction_list
(NT2003)
- Restricts which rows from the schema are displayed.
Specifies a comma-separated restriction list.
- -restorekey
(NT2003)
- Restores Certificate Services certificate and
private key from the specified
backup_directory
or PKCS #12 PFXFile.
- -resubmit
(NT2003)
- Issues the certificate for a pending request; despite
its name, it does not resubmit the request (TechNet article).
- -revoke
(NT2003)
- Revokes the certificate.
- -seconds
(NT2003)
- Displays time with seconds and milliseconds.
- -setattributes
(NT2003)
- Sets the attributes for the pending request.
- -setextension
(NT2003)
- Sets the extension for the pending request.
- -shutdown
(NT2003)
- Shuts down the CA server.
- -silent
(NT2003)
- Uses a silent flag to acquire CryptContext.
- -split
(NT2003)
- Splits the embedded Abstract Syntax Notation One
(ASN.1) elements, and saves them to files.
- -user
(NT2003)
- Uses the HKEY_CURRENT_USER keys or certificate
store.
- -ut
(NT2003)
- Displays the user templates.
- -v
(NT2003)
- Specifies verbose output.
- -verifykeys
(NT2003)
- Verifies the public and private keys for the
specified CA.
- -view
(NT2003)
- Dumps the certification authority database view.
Related
CERTUTIL backup/restore
CERTUTIL configure
CERTUTIL decode/encode
CERTUTIL certificates
CERTUTIL CRLs
CERTUTIL archival/recovery
CERTUTIL troubleshooting
Notes
none.
Examples
none.
Errorlevels
none.
Availability
- External
- DOS: none
- Windows: none
- Windows NT: NT2003
Last Updated: 2005/07/01
Direct corrections or suggestions to:
Rick Lively