Appendix 4: Certutil -setextension

Applies To: Windows Server 2003 with SP1

This option allows an administrator to manipulate pending requests on a CA. In some cases, it is not possible to specify every possible certificate extension in the certificate request. For example, if a request for a user certificate is submitted to the CA with the MMC snap-in, additional information is not allowed in the enrollment process.

Unfortunately, to apply an extension to a pending certificate, you have to create the ASN.1-encoded extension manually. Once you have constructed the ASN.1 binary large object (BLOB) information you want, you can add the extension to the certificate request that is pending. Encoding data into ASN.1 is not straightforward, and you have to understand the basic concept of this macro language used by certutil.exe. It is usually easier to find an existing request or certificate with the extensions you want, and then use certutil -v -dump to display the extensions as a hexadecimal dump.

For more information about ASN.1 encoding, see Appendix 5: ASN.1 File Structure.

The -setextension option is similar to the [Extensions] section in the INF file used by certreq.exe. This implies that the critical flag on certificate extensions can be set for distinct object identifiers and that specific value(s) can be set for these object identifiers using the command-line options.


With an enterprise CA, template settings will always override certificate extension conflicts that have been set manually. But this is only true for the extensions that are explicitly set through the template.

The syntax of the command line looks similar to the following example.

certutil.exe -setextension <RequestID> <ExtensionName> Flags {Long|Date|String|@InFile}
Option Description


<RequestID>

The ID of the pending request. It can be determined with the MMC snap-in.

<ExtensionName>

The object identifier of the extension that should be modified. If you are unsure which object identifier is appropriate, dump an existing certificate and find the object identifier from there.

Flags

Used to set a certificate extension to critical. flag = 0 means the extension is non-critical; flag = 1 means the extension is critical.

{Long | Date | String | @InFile}

Only the @InFile option applies. All other parameters should not be used. The @InFile can be Base64-encoded or a file in hexadecimal format. If the file contents could be interpreted as either Base64 or hexadecimal, hexadecimal is used. To force Base64 interpretation, use the "----- BEGIN -----" and "----- END -----" header. The content of the file depends on the extensions that should be manipulated.

The following examples illustrate how to use the certutil -setextension command to set the key usage of a pending certificate on the CA to critical and constrain the key usage to certificate and certificate revocation list (CRL) signing.

echo 03 02 01 06>ku.txt 
certutil.exe -setextension <Request-ID> 2.5.29.15 1 @ku.txt
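
The bytes written to ku.txt above are the DER encoding of a key usage BIT STRING. The following Python code is an added example, not part of the original documentation: it builds that hexadecimal text from key usage names and decodes it back for review before the file is applied to a pending request. The function names are hypothetical, and the bit positions are those defined for KeyUsage in RFC 5280.

```python
# Added example: encode/decode an X.509 KeyUsage value as the spaced-hex
# DER BIT STRING text used for ku.txt. Names below are illustrative.
KEY_USAGE_BITS = {  # bit positions from RFC 5280, section 4.2.1.3
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

def encode_key_usage(names):
    """Return spaced hex for the DER BIT STRING holding the named bits."""
    bits = sorted({KEY_USAGE_BITS[n] for n in names})
    if not bits:
        content = b"\x00"  # empty bit string: zero unused bits, no payload
    else:
        buf = bytearray(bits[-1] // 8 + 1)
        for b in bits:
            buf[b // 8] |= 0x80 >> (b % 8)  # bit 0 is the most significant bit
        # DER drops trailing zero bits, so count unused bits after the
        # highest named bit in the last byte.
        unused = 7 - (bits[-1] % 8)
        content = bytes([unused]) + bytes(buf)
    der = bytes([0x03, len(content)]) + content  # tag 0x03, short-form length
    return " ".join(f"{x:02x}" for x in der)

def decode_key_usage(hex_text):
    """Parse spaced hex back into key usage names, rejecting malformed input."""
    der = bytes.fromhex(hex_text)  # whitespace between bytes is ignored
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("invalid unused-bit count")
    if payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    return [name for name, bit in KEY_USAGE_BITS.items()
            if bit // 8 < len(payload) and payload[bit // 8] & (0x80 >> (bit % 8))]

if __name__ == "__main__":
    text = encode_key_usage(["keyCertSign", "cRLSign"])
    print(text)                    # content for ku.txt
    print(decode_key_usage(text))  # review what the file would set
```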