CERTUTIL troubleshooting

Certutil tasks for troubleshooting certificates.

Certutil is a powerful tool for troubleshooting problems associated with certification authorities. You can use certutil to troubleshoot problems.

Syntax

CERTUTIL [-dump] [/?]

To display the information stored in public key related files:
CERTUTIL -dump [-f] [-gmt] [-seconds] [-split] [-v] [-p password] file_name

To view CA database information and restrict the CA schema information that is displayed:
CERTUTIL -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config machine\user] [-restrict restriction_list] [-out column_list] [request_id]

To dump the serial numbers of the certificates in the database:
CERTUTIL -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config machine\user] [-restrict restriction_list] [-out column_list] [disposition] ["serialnumber,requestid"]

To display CA registry settings:
CERTUTIL -getreg [-user] [-gmt] [-seconds] [-v] registry_key [\program_id] [\registry_value_name]

To set the CA registry to perform a certain action when a request arrives:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] policy\request_distribution [request_value]

To set CA registry settings:
CERTUTIL -setreg [-user] [-gmt] [-seconds] [-v] registry_key [\program_id] \registry_value_name

To delete a registry value:
CERTUTIL -delreg [-user] [-gmt] [-seconds] [-v] registry_key [\program_id] \registry_value_name

To display error message text for an error code in the local language:
CERTUTIL -error error_code

To verify that the server is running (ICertRequest interface):
CERTUTIL -ping [-gmt] [-seconds] [-v] [-config machine\user]

To verify that the server is running (ICertAdmin interface):
CERTUTIL -pingadmin [-gmt] [-seconds] [-v] [-config machine\user]

To generate and display the cryptographic hash over a file:
CERTUTIL -hashfile [-gmt] [-seconds] [-v] input_file

To dump the CA database schema:
CERTUTIL -schema [-gmt] [-seconds] [-v] [-config machine\user] [dump_type]

To display all key container names that are available to the current user:
CERTUTIL -key [-user] [-gmt] [-seconds] [-silent] [-v] [-config machine\user] [csp_name] [ * ]

To display all key container names that are available to the current user:
CERTUTIL -split [-gmt] [-seconds] [-v] cmc_file.REQ

To reassociate a private key with its certificate:
CERTUTIL -repairstore [-csp [csp_name] [-f]] [-enterprise] [-user] [-gmt] [-seconds] [-split] [-v] [certificate_store] certificate_index

To verify that the URLs in the AIA and CDP extensions are valid and correct:
CERTUTIL -url [-f] [-gmt] [-seconds] [-split] [-v] certificate_file.CRT

To check a certificate on a smart card:
CERTUTIL -scinfo [-gmt] [-seconds] [-silent] [-split] [-v] reader_name

To view templates that are installed locally:
CERTUTIL -template [-user] [-ut] [-mt] [-gmt] [-seconds] [-v] template_name

To determine what CSP is used for a key pair:
CERTUTIL pfx_file.PFX

Parameters

cmc_file.REQ (NT2003)

Specifies the Cryptographic Message Syntax (CMS) request (this protocol is also known as CMC) file that you want to analyze.

For more information about creating a CMS request from the root certificate by using the certreq -policy.

If possible, when you construct a request from an existing certificate, you should run the certreq -policy on a computer that has the input certificate's private key installed. If the private key is unavailable (as is usually the case for cross-certifying non-Microsoft CAs), the PKCS #10 file is NULL-signed and the outer CMS is also NULL-signed. A NULL-signed PKCS #10 is unacceptable to most non-Microsoft CAs.

certificate_file.CRT (NT2003)

Specifies the certificate file.

certificate_index (NT2003)

Specifies the Secure Hash Algorithm (SHA-1) certificate hash, serial number, or certificate index identifier.

certificate_store (NT2003)

One of:

ca Specifies certificates in the Intermediate Certification Authorities store
my Specifies certificates issued to the local computer
root Specifies certificates in the Trusted Root Certification Authorities store
spc Specifies software publisher certificates

csp_name (NT2003)

Specifies the cryptographic service provider (CSP) for which you want to display the key containers.

RSA is the default CSP for the Windows Server 2003 family.

disposition (NT2003)

One of:

disposition==20 Specifies DB_DISP_ISSUED
disposition==21 Specifies DB_DISP_REVOKED

dump_type (NT2003)

Specifies one of:

ext Displays the schema for Ext table
attib Displays the schema for Attib table
crl Displays the schema for the certificate revocation list (CRL)

error_code (NT2003)

Specifies the error code that you want to view in the local language.

Can use signed or unsigned decimal format, or hexadecimal format with a leading 0x.

file_name (NT2003)

Specifies the file name of the configuration file that you want to display.

input_file (NT2003)

Specifies the file for which you want to display the hash.

pfx_file.pfx (NT2003)

Specifies a file with a .pfx extension.

policy\request_distribution (NT2003)

Specifies the policy module and the disposition request ID.

\program_id (NT2003)

Specifies the registry subkey name of the policy or exit module.

If omitted, uses the default policy module, CertificateAuthority_MicrosoftDefault.Policy.

reader_name (NT2003)

Specifies the name of the smart card reader.

registry_key (NT2003)

Specifies one of these registry keys:

ca Specifies the CA registry key
exit Specifies the EXITMODE registry key
policy Specifies the POLICYMODULE registry key
restore Specifies the RESTORE registry key. Available only during restore mode
template Specifies the TEMPLATE registry key

registry_value_name (NT2003)

Specifies a particular value within the registry key.

request_id (NT2003)

Specifies the request identifier number.

Must be in decimal format (or hexadecimal format with a leading 0x).

request_value (NT2003)

Adds a process to a pending request specified by one of values described:

0 Places the incoming request in a pending state
1 Issues the incoming request
2 Denies the incoming request
3 Takes action based on the disposition request attribute provided with the incoming request.

* (NT2003)

Displays the key containers for all of the CSPs.

"serialnumber,requestid" (NT2003)

Specifies to display all serial numbers and request identifier numbers.

template_name (NT2003)

Specifies the name of the template that you want to view.

Switches

/? (NT2003): Display help.
-config machine\user (NT2003): Processes the operation by using the CA specified in the machine/user configuration string.; You must specify the machine or user in -config. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.; If you use "-config -", the operation is processed using the default CA.
-csp (NT2003): Uses only the cryptographic service provider (CSP) specified to locate and repair the key.
-delreg (NT2003): Deletes the registry value.
-dump (NT2003): Dumps configuration information or files.
-enterprise (NT2003): Uses the local computer Enterprise registry certificate store.
-error (NT2003): Displays error code message text in the local language, which is specified by the Locale registry key.; You can use this command to decode errors received from the Certification Authority snap-in.
-f (NT2003): Overwrites existing files or keys.
-getreg (NT2003): Displays registry information.
-gmt (NT2003): Displays time as Greenwich mean time.
-hashfile (NT2003): Generates and displays cryptographic hash over a file.
-key (NT2003): Displays the key containers for the local computer.
-mt (NT2003): Displays the computer templates.
-out column_list (NT2003): Specifies a comma-separated column list.
-p password (NT2003): Specifies a password.; The maximum length allowed for a PFX file password is 32 characters.
-ping (NT2003): Pings the Certificate Services ICertRequest interface.
-pingadmin (NT2003): Pings the Certificate Services ICertAdmin interface.; To determine whether you have successfully completed this command, make sure that the user has administrative access to the server.
-repairstore (NT2003): Repairs the key provider information in the ca store.
-restrict restriction_list (NT2003): Restricts which rows from the schema are displayed. Specifies a comma-separated restriction list.
-schema (NT2003): Dumps the CA database schema.
-scinfo (NT2003): Displays smart card information.
-seconds (NT2003): Displays time with seconds and milliseconds.
-setreg (NT2003): Sets or edits the registry key value.
-silent (NT2003): Uses a silent flag to acquire CryptContext.
-split (NT2003): Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
-split (NT2003): Analyzes each binary (ASN.1-encoded) object in a certificate request file, and then saves each object to a separate blob file.
-template (NT2003): Displays the specified template.
-url (NT2003): Verifies certificate or certificate revocation list (CRL) URLs.; To make sure that the URLs are valid and point to the appropriate CRLs or issuing CA certificates, you can use this to check the Authority Information Access (AIA) and CRL Distribution Points (CDPs) extensions, and then dereference the URLs inside these extensions.
-user (NT2003): Uses the HKEY_CURRENT_USER keys or certificate store.; If the certificate is located in the HKEY_LOCAL_MACHINE certificate store, do not use.
-ut (NT2003): Displays the user templates.
-v (NT2003): Specifies verbose output.
-view (NT2003): Dumps the certification authority database view.

Notes

none.

Examples

none.

Errorlevels

none.

Availability

External

DOS: none
Windows: none
Windows NT: NT2003

Last Updated: 2003/07/28
Direct corrections or suggestions to: Rick Lively