Certutil tasks for managing CRLs
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use certutil to view, produce, and configure the certificate revocation list (CRL) information for a certification authority.
This topic covers the syntax for the following tasks:
To retrieve a CRL
To publish the current CRL
To publish a certificate or CRL to Active Directory
To add certificates to the NTAuth store
To retrieve a CRL
Syntax
certutil -getcrl [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] OutFile [Index] [delta]
Parameters
- -getcrl
Retrieves the certificate revocation list (CRL).
- -f
Overwrites existing files or keys.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- OutFile
Specifies the file to which you want to send the output.
- Index
Specifies the index identifier number.
- delta
Retrieves a delta CRL.
- -?
Displays a list of certutil commands.
Remarks
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. If you do not have the appropriate authority, use -cainfo to retrieve CRLs.
You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
Examples
To retrieve the most recently published base CRL, MyMostRecentCRL.crl, type:
certutil -getcrl MyMostRecentCRL.crl
To retrieve the third CRL, MyThirdCRL.crl, type:
certutil -getcrl MyThirdCRL.crl 3
To retrieve the most recently published delta CRL, MyMostRecentDelta.crl, type:
certutil -getcrl MyMostRecentDelta.crl delta
To retrieve the fifth delta CRL, MyFifthDelta.crl, type:
certutil -getcrl MyFifthDelta.crl 5 delta
To publish the current CRL
Syntax
certutil -crl [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [DD:HH] [delta]
Parameters
- -crl
Publishes a new certificate revocation list (CRL).
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- DD:HH
Specifies the length of the CRL life in days and hours.
- delta
Publishes a delta CRL only.
- -?
Displays a list of certutil commands.
Remarks
You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
The CRL is written to the file specified by OutFileResult, or, if you use a minus sign (-), it is written to the default Web location.
The expiration date is set to be one day and one hour from the time of publication to facilitate a daily publishing schedule.
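The following PowerShell script is an added example and is not part of the original topic. It retrieves the current base and delta CRL with -getcrl as described above and reports how much life is left before each NextUpdate, so a lapse in the daily -crl publishing schedule is noticed before clients start failing revocation checks. It assumes certutil.exe is on the PATH, a constructed CA configuration string, and that "certutil -gmt -dump" prints a line of the form "NextUpdate: <time>".

```powershell
# Added example, not part of the original article. Pull the base and delta CRL
# from one CA with certutil -getcrl and report the time left before NextUpdate.
# Assumptions: certutil.exe is on PATH, $CAConfig (constructed sample) is a
# reachable CA, and "certutil -gmt -dump <file>" prints "NextUpdate: <time>".
param(
    [string]$CAConfig  = 'CA01.corp.example\Corp Issuing CA',
    [string]$OutDir    = (Join-Path $env:TEMP 'crlcheck'),
    [int]   $WarnHours = 4
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-CrlFile {
    param([string]$Config, [string]$OutFile, [switch]$Delta)
    # Same order as the syntax in this topic: options, -config, OutFile, [delta].
    $argList = @('-getcrl', '-f', '-gmt', '-seconds', '-config', $Config, $OutFile)
    if ($Delta) { $argList += 'delta' }
    & certutil.exe @argList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -getcrl failed (exit $LASTEXITCODE) for $OutFile" }
    return $OutFile
}

function Get-CrlNextUpdate {
    param([string]$CrlFile)
    # certutil -dump renders the CRL fields as text; -gmt keeps the time in UTC.
    $line = & certutil.exe -gmt -dump $CrlFile |
        Where-Object { $_ -match '^\s*NextUpdate:\s*\S' } | Select-Object -First 1
    if (-not $line) { throw "No NextUpdate line found in $CrlFile" }
    # Drop the label and any trailing GMT marker, then tag the value as UTC.
    $text = (($line -replace '^\s*NextUpdate:\s*', '') -replace '\s*GMT\s*$', '').Trim()
    return [datetime]::SpecifyKind([datetime]::Parse($text), 'Utc')
}

$files = @(
    (Get-CrlFile -Config $CAConfig -OutFile (Join-Path $OutDir 'base.crl')),
    (Get-CrlFile -Config $CAConfig -OutFile (Join-Path $OutDir 'delta.crl') -Delta)
)
foreach ($f in $files) {
    $next  = Get-CrlNextUpdate -CrlFile $f
    $left  = $next - [datetime]::UtcNow
    $state = if ($left.TotalHours -lt 0) { 'EXPIRED' }
             elseif ($left.TotalHours -lt $WarnHours) { 'EXPIRING' }
             else { 'OK' }
    '{0,-8} {1,-10} NextUpdate={2:u} remaining={3:N1}h' -f $state, (Split-Path $f -Leaf), $next, $left.TotalHours
}
```

Run it from a scheduled task with $WarnHours set below the one-day-and-one-hour CRL life noted above, so an EXPIRING line appears while there is still time to republish with certutil -crl.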
To publish a certificate or CRL to Active Directory
Syntax
certutil -dsPublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] [{CertFile | CRL}] [{ntauthca | rootca | subca | crossca | kra | user | machine}]
Parameters
- -dsPublish
Publishes a new certificate to the CA object in Active Directory.
- -f
Overwrites existing files or keys.
- -user
Uses the HKEY_CURRENT_USER keys or certificate store.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- -dc DCName
Targets a specific domain controller.
- CertFile
Specifies the certificate that you want to use.
- CRL
Specifies the certificate revocation list that you want to use.
- ntauthca
Specifies that the certificate is to be published to the NTAuth store.
- rootca
Specifies that the certificate is to be published to the root CA store.
- subca
Specifies that the certificate is to be published to the subordinate CA store.
- crossca
Specifies that the certificate is to be published to the cross-certified CA store.
- kra
Specifies that the certificate is to be published to the key recovery agent store.
- user
Specifies that the certificate is to be published to the user store.
- machine
Specifies that the certificate is to be published to the computer store.
- -?
Displays a list of certutil commands.
Remarks
- If a CA issues certificates for smart card logon, you need to publish the certificate to NTAuth.
To add certificates to the NTAuth store
Syntax
certutil -dspublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] NewCert ntauthca
Parameters
- -dspublish
Publishes a new certificate or certificate revocation list (CRL) to the CA object in Active Directory.
- -f
Overwrites existing files or keys.
- -user
Uses the HKEY_CURRENT_USER keys or certificate store.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- -dc DCName
Targets a specific domain controller.
- NewCert
Specifies the certificate that you want to publish.
- ntauthca
Specifies that the certificate is to be published to the NTAuth store.
- -?
Displays a list of certutil commands.
Remarks
- You must have Enterprise Administrator access to use this command.
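The following PowerShell function is an added example and is not part of the original topic. It reads the NTAuth store object in Active Directory and lists the CA certificates it contains, so an administrator can confirm that a "certutil -dspublish NewCert ntauthca" run took effect and that nothing unexpected is trusted for smart card logon. It assumes a domain-joined machine with read access to the Configuration partition; the optional $DC parameter mirrors the -dc parameter above.

```powershell
# Added example, not part of the original article. List the certificates that
# are currently published in the NTAuth store (what certutil -dspublish ...
# ntauthca writes to), so the result of a publish can be verified.
# Assumptions: domain-joined host with read access to the Configuration
# partition; $DC is optional and targets one domain controller, like -dc.
param([string]$DC)

function Get-NTAuthCertificates {
    param([string]$DomainController)
    $prefix   = if ($DomainController) { "LDAP://$DomainController/" } else { 'LDAP://' }
    $configNC = ([ADSI]"${prefix}RootDSE").Properties['configurationNamingContext'].Value
    $ntauth   = [ADSI]"${prefix}CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    # cACertificate is multi-valued; each value is one DER-encoded certificate.
    foreach ($der in $ntauth.Properties['cACertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

Get-NTAuthCertificates -DomainController $DC | Sort-Object Subject | Format-Table -AutoSize
```

Reading the store needs no Enterprise Administrator rights; compare the thumbprints against the issuing CAs you expect to see and treat any entry you cannot account for as something to investigate.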
Formatting legend

Format | Meaning
---|---
Italic | Information that the user must supply
Bold | Elements that the user must type exactly as shown
Ellipsis (...) | Parameter that can be repeated several times in a command line
Between brackets ([]) | Optional items
Between braces ({}); choices separated by pipe (\|). Example: {even\|odd} | Set of choices from which the user must choose only one
Courier font | Code or program output