CERTUTIL troubleshooting
Certutil tasks for troubleshooting certificates.
Certutil is a powerful tool for troubleshooting problems
associated with certification authorities; the tasks below
cover its diagnostic uses.
Syntax
CERTUTIL
[-dump]
[/?]
To display the information stored in public key related files:
CERTUTIL
-dump
[-f]
[-gmt]
[-seconds]
[-split]
[-v]
[-p password]
file_name
To view CA database information and restrict the CA schema information that is displayed:
CERTUTIL
-view
[-gmt]
[-seconds]
[-silent]
[-split]
[-v]
[-config machine\user]
[-restrict restriction_list]
[-out column_list]
[request_id]
To dump the serial numbers of the certificates in the database:
CERTUTIL
-view
[-gmt]
[-seconds]
[-silent]
[-split]
[-v]
[-config machine\user]
[-restrict restriction_list]
[-out column_list]
[disposition]
["serialnumber,requestid"]
To display CA registry settings:
CERTUTIL
-getreg
[-user]
[-gmt]
[-seconds]
[-v]
registry_key
[\program_id]
[\registry_value_name]
To set the CA registry to perform a certain action when a request arrives:
CERTUTIL
-setreg
[-user]
[-gmt]
[-seconds]
[-v]
policy\request_distribution
[request_value]
To set CA registry settings:
CERTUTIL
-setreg
[-user]
[-gmt]
[-seconds]
[-v]
registry_key
[\program_id]
\registry_value_name
To delete a registry value:
CERTUTIL
-delreg
[-user]
[-gmt]
[-seconds]
[-v]
registry_key
[\program_id]
\registry_value_name
To display error message text for an error code in the local language:
CERTUTIL
-error
error_code
To verify that the server is running (ICertRequest interface):
CERTUTIL
-ping
[-gmt]
[-seconds]
[-v]
[-config machine\user]
To verify that the server is running (ICertAdmin interface):
CERTUTIL
-pingadmin
[-gmt]
[-seconds]
[-v]
[-config machine\user]
To generate and display the cryptographic hash over a file:
CERTUTIL
-hashfile
[-gmt]
[-seconds]
[-v]
input_file
To dump the CA database schema:
CERTUTIL
-schema
[-gmt]
[-seconds]
[-v]
[-config machine\user]
[dump_type]
To display all key container names that are available to the current user:
CERTUTIL
-key
[-user]
[-gmt]
[-seconds]
[-silent]
[-v]
[-config machine\user]
[csp_name]
[ * ]
To split a CMC request file into its embedded ASN.1 objects and save each one to a separate file:
CERTUTIL
-split
[-gmt]
[-seconds]
[-v]
cmc_file.REQ
To reassociate a private key with its certificate:
CERTUTIL
-repairstore
[-csp
[csp_name]
[-f]]
[-enterprise]
[-user]
[-gmt]
[-seconds]
[-split]
[-v]
[certificate_store]
certificate_index
To verify that the URLs in the AIA and CDP extensions are valid and correct:
CERTUTIL
-url
[-f]
[-gmt]
[-seconds]
[-split]
[-v]
certificate_file.CRT
To check a certificate on a smart card:
CERTUTIL
-scinfo
[-gmt]
[-seconds]
[-silent]
[-split]
[-v]
reader_name
To view templates that are installed locally:
CERTUTIL
-template
[-user]
[-ut]
[-mt]
[-gmt]
[-seconds]
[-v]
template_name
To determine what CSP is used for a key pair:
CERTUTIL
pfx_file.PFX
Parameters
- cmc_file.REQ
(NT2003)
- Specifies the Cryptographic Message Syntax (CMS)
request file (this protocol is also known as CMC) that
you want to analyze.
- For information about creating a CMS request from
the root certificate, see certreq -policy.
- If possible, when you construct a request from an
existing certificate, run certreq -policy on a
computer that has the input certificate's private key
installed. If the private key is unavailable (as is
usually the case for cross-certifying non-Microsoft
CAs), the PKCS #10 file is NULL-signed and the outer
CMS is also NULL-signed. A NULL-signed PKCS #10 is
unacceptable to most non-Microsoft CAs.
- certificate_file.CRT
(NT2003)
- Specifies the certificate file.
- certificate_index
(NT2003)
- Specifies the Secure Hash Algorithm (SHA-1)
certificate hash, serial number, or certificate index
identifier.
- certificate_store
(NT2003)
- One of:
- ca Specifies certificates in the Intermediate Certification Authorities store
- my Specifies certificates issued to the local computer
- root Specifies certificates in the Trusted Root Certification Authorities store
- spc Specifies software publisher certificates
- csp_name
(NT2003)
- Specifies the cryptographic service provider (CSP)
for which you want to display the key containers.
- RSA is the default CSP for the Windows Server
2003 family.
- disposition
(NT2003)
- One of:
- disposition==20 Specifies DB_DISP_ISSUED
- disposition==21 Specifies DB_DISP_REVOKED
- dump_type
(NT2003)
- Specifies one of:
- ext Displays the schema for Ext table
- attrib Displays the schema for the Attrib table
- crl Displays the schema for the certificate revocation list (CRL)
- error_code
(NT2003)
- Specifies the error code that you want to view in
the local language.
- Can use signed or unsigned decimal format, or
hexadecimal format with a leading 0x.
- file_name
(NT2003)
- Specifies the file name of the configuration file
that you want to display.
- input_file
(NT2003)
- Specifies the file for which you want to display
the hash.
- pfx_file.pfx
(NT2003)
- Specifies a file with a .pfx extension.
- policy\request_distribution
(NT2003)
- Specifies the policy module and the disposition
request ID.
- \program_id
(NT2003)
- Specifies the registry subkey name of the policy
or exit module.
- If omitted, uses the default policy module,
CertificateAuthority_MicrosoftDefault.Policy.
- reader_name
(NT2003)
- Specifies the name of the smart card reader.
- registry_key
(NT2003)
- Specifies one of these registry keys:
- ca Specifies the CA registry key
- exit Specifies the EXITMODE registry key
- policy Specifies the POLICYMODULE registry key
- restore Specifies the RESTORE registry key. Available only during restore mode
- template Specifies the TEMPLATE registry key
- registry_value_name
(NT2003)
- Specifies a particular value within the registry
key.
- request_id
(NT2003)
- Specifies the request identifier number.
- Must be in decimal format
(or hexadecimal format with a leading 0x).
- request_value
(NT2003)
- Adds a process to a pending request specified by
one of values described:
- 0 Places the incoming request in a pending state
- 1 Issues the incoming request
- 2 Denies the incoming request
- 3 Takes action based on the disposition request
attribute provided with the incoming request.
- *
(NT2003)
- Displays the key containers for all of the CSPs.
- "serialnumber,requestid"
(NT2003)
- Specifies to display all serial numbers and
request identifier numbers.
- template_name
(NT2003)
- Specifies the name of the template that you want
to view.
Switches
- /?
(NT2003)
- Display help.
- -config machine\user
(NT2003)
- Processes the operation by using the CA specified
in the machine/user configuration string.
- You must specify the machine or user in -config.
Otherwise, the Select Certificate Authority dialog box
appears and displays a list of all CAs that are available.
- If you use "-config -", the operation is processed
using the default CA.
- -csp
(NT2003)
- Uses only the cryptographic service provider (CSP)
specified to locate and repair the key.
- -delreg
(NT2003)
- Deletes the registry value.
- -dump
(NT2003)
- Dumps configuration information or files.
- -enterprise
(NT2003)
- Uses the local computer Enterprise registry
certificate store.
- -error
(NT2003)
- Displays error code message text in the local
language, which is specified by the Locale registry
key.
- You can use this command to decode errors received
from the Certification Authority snap-in.
- -f
(NT2003)
- Overwrites existing files or keys.
- -getreg
(NT2003)
- Displays registry information.
- -gmt
(NT2003)
- Displays time as Greenwich mean time.
- -hashfile
(NT2003)
- Generates and displays cryptographic hash over a
file.
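The following PowerShell function is an added example, not part of the original reference, showing how -hashfile can verify that a downloaded CA certificate or CRL matches a fingerprint obtained out of band. It assumes certutil prints the digest as hex, either as spaced byte pairs or unbroken, on a line of its own below the "hash of file" header; the file path and expected hash in the usage line are constructed values.

```powershell
# Added example (not from the original reference page): verify a file's hash with
# certutil -hashfile against a digest published out of band.
# Assumption: the digest appears as hex (spaced pairs or unbroken) on its own line.
function Test-FileHashWithCertutil {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Expected digest, in whatever spacing, separators or case the publisher used
        [Parameter(Mandatory)] [string] $ExpectedHash
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $lines = & certutil.exe -hashfile $Path 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -hashfile failed with exit code $LASTEXITCODE`n$($lines -join "`n")"
    }

    # Keep only lines made of hex byte pairs and whitespace; that is the digest line.
    # [string]$_ makes ErrorRecord objects from 2>&1 behave like plain text lines.
    $digestLines = $lines |
        ForEach-Object { [string]$_ } |
        Where-Object { $_ -match '^\s*([0-9a-fA-F]{2}\s*)+$' }
    if (-not $digestLines) { throw 'Could not find a hex digest in certutil output' }

    # Normalize both sides: strip whitespace and common separators, compare case-insensitively
    $actual   = (($digestLines -join '') -replace '\s', '').ToLowerInvariant()
    $expected = ($ExpectedHash -replace '[\s:-]', '').ToLowerInvariant()

    [pscustomobject]@{
        Path     = $Path
        Actual   = $actual
        Expected = $expected
        Match    = ($actual -eq $expected)
    }
}

# Usage with constructed values; the real expected hash comes from the CA's published fingerprint
Test-FileHashWithCertutil -Path 'C:\temp\RootCA.crt' `
    -ExpectedHash '01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67'
```

A Match value of $false means the file should not be imported into a trusted store until the discrepancy is explained.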
- -key
(NT2003)
- Displays the key containers for the local
computer.
- -mt
(NT2003)
- Displays the computer templates.
- -out column_list
(NT2003)
- Specifies a comma-separated column list.
- -p password
(NT2003)
- Specifies a password.
- The maximum length allowed for a PFX file password
is 32 characters.
- -ping
(NT2003)
- Pings the Certificate Services ICertRequest
interface.
- -pingadmin
(NT2003)
- Pings the Certificate Services ICertAdmin
interface.
- To determine whether you have successfully
completed this command, make sure that the user has
administrative access to the server.
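As an added example that is not part of the original reference, the PowerShell function below combines -ping, -pingadmin and -error into one connectivity check: it exercises both CA interfaces and, on failure, decodes the error code into local-language text. It assumes certutil's nonzero exit code is the failing HRESULT (signed decimal, which -error accepts); the CA name in the usage line is constructed.

```powershell
# Added example (not from the original reference page): check that a CA answers on
# both the ICertRequest and ICertAdmin interfaces and decode any failure.
# Assumption: certutil exits with the failing HRESULT, so $LASTEXITCODE can be fed to -error.
function Test-CaConnectivity {
    param(
        # CA configuration string in machine\CAName form (constructed example in usage below)
        [Parameter(Mandatory)] [string] $Config
    )
    $results = @()
    foreach ($switch in '-ping', '-pingadmin') {
        # -ping     exercises ICertRequest, the interface enrolling clients use
        # -pingadmin exercises ICertAdmin, the interface the CA snap-in and admins use
        $output = & certutil.exe $switch -config $Config 2>&1
        $code = $LASTEXITCODE
        $entry = [ordered]@{
            Interface = $switch
            ExitCode  = $code
            Ok        = ($code -eq 0)
            ErrorText = ''
        }
        if ($code -ne 0) {
            # -error accepts signed or unsigned decimal, or 0x-prefixed hex
            $entry.ErrorText = ((& certutil.exe -error $code 2>&1) |
                ForEach-Object { [string]$_ }) -join ' '
        }
        $results += [pscustomobject]$entry
    }
    # A passing -ping with a failing -pingadmin usually means the account lacks
    # administrative access to the CA, which -pingadmin requires.
    return $results
}

# Usage with a constructed CA name; run from an account that administers the CA
Test-CaConnectivity -Config 'CA01\Contoso Issuing CA' | Format-Table -AutoSize
```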
- -repairstore
(NT2003)
- Repairs the key provider information in the ca
store.
- -restrict restriction_list
(NT2003)
- Restricts which rows from the schema are displayed.
Specifies a comma-separated restriction list.
- -schema
(NT2003)
- Dumps the CA database schema.
- -scinfo
(NT2003)
- Displays smart card information.
- -seconds
(NT2003)
- Displays time with seconds and milliseconds.
- -setreg
(NT2003)
- Sets or edits the registry key value.
- -silent
(NT2003)
- Uses a silent flag to acquire CryptContext.
- -split
(NT2003)
- Splits the embedded Abstract Syntax Notation One
(ASN.1) elements, and saves them to files.
- -split
(NT2003)
- Analyzes each binary (ASN.1-encoded) object in a
certificate request file, and then saves each object
to a separate blob file.
- -template
(NT2003)
- Displays the specified template.
- -url
(NT2003)
- Verifies certificate or certificate revocation
list (CRL) URLs.
- To make sure that the URLs are valid and point to
the appropriate CRLs or issuing CA certificates, you
can use this to check the Authority Information Access
(AIA) and CRL Distribution Points (CDPs) extensions,
and then dereference the URLs inside these extensions.
- -user
(NT2003)
- Uses the HKEY_CURRENT_USER keys or certificate
store.
- If the certificate is located in the
HKEY_LOCAL_MACHINE certificate store, do not use.
- -ut
(NT2003)
- Displays the user templates.
- -v
(NT2003)
- Specifies verbose output.
- -view
(NT2003)
- Dumps the certification authority database view.
Related
CERTUTIL backup/restore
CERTUTIL configure
CERTUTIL decode/encode
CERTUTIL certificates
CERTUTIL CRLs
CERTUTIL manage
CERTUTIL archival/recovery
Notes
none.
Examples
none.
Errorlevels
none.
Availability
- External
- DOS: none
- Windows: none
- Windows NT: NT2003
Last Updated: 2003/07/28
Direct corrections or suggestions to:
Rick Lively