Certutil tasks for troubleshooting certificates
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Certutil is a command-line tool for troubleshooting problems associated with certification authorities (CAs). This page describes the following tasks:
To display the information stored in public key related files
To view CA database information and restrict the CA schema information that is displayed
To dump the serial numbers of the certificates in the database
To display CA registry settings
To set the CA registry to perform a certain action when a request arrives
To set CA registry settings
To delete a registry value
To display error message text for an error code in the local language
To verify that the server is running (ICertRequest interface)
To verify that the server is running (ICertAdmin interface)
To generate and display the cryptographic hash over a file
To dump the CA database schema
To display all key container names that are available to the current user
To provide a PKCS#10 request file to an Entrust CA for cross-certification
To reassociate a private key with its certificate
To verify that the URLs in the AIA and CDP extensions are valid and correct
To check a certificate on a smart card
To view templates that are installed locally
To determine what CSP is used for a key pair
To display the information stored in public key related files
Syntax
certutil -dump [-f] [-gmt] [-seconds] [-split] [-v] [-p Password] [FileName]
Parameters
- -dump
Dumps configuration information or files.
- -f
Overwrites existing files or keys.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
- -v
Specifies verbose output.
- -p Password
Specifies a password.
- FileName
Specifies the file name of the configuration file that you want to display.
- -?
Displays a list of certutil commands.
To view CA database information and restrict the CA schema information that is displayed
Syntax
certutil -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config CAMachineName\CAName] [-restrict RestrictionList] [-out ColumnList] [RequestID]
Parameters
- -view
Dumps the certification authority database view.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -silent
Uses the silent flag when acquiring the CryptContext, so that no user interface prompts appear.
- -split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- -restrict RestrictionList
Restricts the rows that are displayed to those that match RestrictionList, a comma-delimited list of column restrictions such as those shown in the examples.
- -out ColumnList
Specifies the columns that are displayed, given as ColumnList, a comma-delimited list of column names.
- RequestID
Specifies the request identifier number.
- -?
Displays a list of certutil commands.
Remarks
You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
Used without parameters, certutil displays a list of your CA configuration strings.
Examples
To list the subject e-mail names from all certificates issued from a CA named Myentrootca that is located on Cacomputer1, type:
certutil -config cacomputer1\myentrootca -view -out request.email
To restrict the rows displayed to those with request identifiers greater than 10,000 and then display only the request disposition from a CA named Myentrootca, type:
certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid>10,000"
To view only the last row, type:
certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid == $"
To view only the second to last row, type:
certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid == $ - 1"
To view the subject e-mail names for all requests made to a CA, type:
certutil -view -out email
To display the numeric request identifiers of certificates based on the User template, type:
certutil -view -restrict "Certificate Template=User" -out requestid
To display the numeric request identifiers of certificates based on the template object identifier, 1.2.3.4.5.5.6.6.6.6.5.6, type:
certutil -view -restrict "Certificate Template=1.2.3.4.5.5.6.6.6.6.5.6" -out requestid
To display all serial numbers and request identifier numbers for unrevoked certificates issued by the CA, type:
certutil -view -restrict disposition==20 /out "serialnumber,requestid"
To view e-mail of the users who made the request for a template named MyTemplate and to also view when the request was issued, type:
certutil -config cacomputer1\myentrootca -view -out email -restrict "CertificateTemplate == myTemplate, Disposition == 20"
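As an added example (not from the original page), the following Python script parses the "Row N:" blocks that certutil -view prints and re-implements the RestrictionList and ColumnList rules used in the examples above, so that captured output (for instance from certutil -view -out "requestid,disposition,certificatetemplate,email" > view.txt) can be filtered offline. The sample rows and e-mail addresses are constructed, and the exact column names certutil prints are assumed.

```python
import operator
import re

# Constructed sample of "certutil -view" row output (not real CA data): one "Row N:"
# block per request and one "Name: value" line per column, as certutil prints it.
SAMPLE_VIEW_OUTPUT = """\
Row 1:
  Request ID: 0x2710 (10000)
  Request Disposition: 0x14 (20) -- Issued
  Certificate Template: "User"
  Request Email Address: "alice@example.test"

Row 2:
  Request ID: 0x2711 (10001)
  Request Disposition: 0x15 (21) -- Revoked
  Certificate Template: "1.2.3.4.5.5.6.6.6.6.5.6"
  Request Email Address: "bob@example.test"

Row 3:
  Request ID: 0x2712 (10002)
  Request Disposition: 0x14 (20) -- Issued
  Certificate Template: "MyTemplate"
  Request Email Address: "carol@example.test"
"""
# Printed column names and -restrict spellings both normalize to the page's short names.
ALIASES = {"requestdisposition": "disposition", "requestemailaddress": "email", "request.email": "email"}
OPS = {"==": operator.eq, "=": operator.eq, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le}

def _norm(name):
    key = re.sub(r"\s+", "", name.strip().lower())
    return ALIASES.get(key, key)

def parse_view_output(text):
    """Turn each 'Row N:' block into a dict; Long columns ('0x14 (20) -- Issued') become ints."""
    rows, current = [], None
    for line in text.splitlines():
        if re.match(r"^Row \d+:", line):
            current = {}
            rows.append(current)
        elif current is not None and line.startswith("  ") and ":" in line:
            name, _, raw = line.strip().partition(":")
            m = re.match(r"\s*0x[0-9a-fA-F]+ \((\d+)\)", raw)
            current[_norm(name)] = int(m.group(1)) if m else raw.strip().strip('"')
        elif not line.strip():
            current = None   # a blank line ends the row block
    return rows

def _parse_clause(clause, max_id):
    m = re.match(r"^\s*([\w. ]+?)\s*(==|>=|<=|=|>|<)\s*(.+?)\s*$", clause)
    if not m:
        raise ValueError("bad restriction clause: %r" % clause)
    col, op, val = m.groups()
    dollar = re.match(r"^\$(?:\s*-\s*(\d+))?$", val)   # "$" = last row, "$ - 1" = the one before
    if dollar:
        return _norm(col), op, max_id - int(dollar.group(1) or 0)
    if re.fullmatch(r"\d[\d,]*", val):                 # "10,000" keeps its thousands separator
        return _norm(col), op, int(val.replace(",", ""))
    return _norm(col), op, val.strip('"').lower()       # string matches are case-insensitive

def select(rows, restriction="", columns="requestid"):
    """Emulate '-restrict RestrictionList -out ColumnList' over parsed rows."""
    max_id = max((r.get("requestid", 0) for r in rows), default=0)
    # A comma starts a new clause only when a column name follows it, so "10,000" survives.
    clauses = [_parse_clause(c, max_id) for c in re.split(r",\s*(?=[A-Za-z])", restriction) if c.strip()]
    wanted = [_norm(c) for c in columns.split(",")]
    out = []
    for row in rows:
        actual = {c: (v.lower() if isinstance(v, str) else v) for c, v in row.items()}
        if all(type(actual.get(c)) is type(v) and OPS[op](actual[c], v) for c, op, v in clauses):
            out.append({c: row.get(c) for c in wanted})
    return out
```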
To dump the serial numbers of the certificates in the database
Syntax
certutil -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config CAMachineName\CAName] -restrict {disposition==20 | disposition==21} -out "serialnumber,requestid"
Parameters
- -view
Dumps the certification authority database view.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -silent
Uses the silent flag when acquiring the CryptContext, so that no user interface prompts appear.
- -split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- -restrict RestrictionList
Restricts the rows that are displayed to those that match RestrictionList, a comma-delimited list of column restrictions.
- -out ColumnList
Specifies the columns that are displayed, given as ColumnList, a comma-delimited list of column names.
- disposition==20
Specifies DB_DISP_ISSUED.
- disposition==21
Specifies DB_DISP_REVOKED.
- "serialnumber,requestid"
Specifies to display all serial numbers and request identifier numbers.
- -?
Displays a list of certutil commands.
Remarks
You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
Examples
To display all serial numbers and request identifier numbers for unrevoked certificates issued by the CA, type:
certutil -view -restrict disposition==20 /out "serialnumber,requestid"
To display CA registry settings
Syntax
certutil -getreg [-user] [-gmt] [-seconds] [-v] [{ca | restore | policy | exit | template}] [\ProgID] \RegistryValueName
Parameters
- -getreg
Displays registry information.
- -user
Uses the HKEY_CURRENT_USER keys or certificate store.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- ca
Specifies the CA registry key.
- restore
Specifies the RESTORE registry key.
- policy
Specifies the POLICYMODULE registry key.
- exit
Specifies the EXITMODE registry key.
- template
Specifies the TEMPLATE registry key.
- \ProgID
Specifies the registry subkey name of the policy or exit module.
- \RegistryValueName
Specifies a particular value within the registry key.
- -?
Displays a list of certutil commands.
Remarks
Restore is only available during restore mode.
If you do not specify ProgID, certutil -getreg uses the default policy module, CertificateAuthority_MicrosoftDefault.Policy.
Examples
To display information about the active CA, type:
certutil -getreg Active
To display the common name of the CA, type:
certutil -getreg ca\CommonName
To display information about what disposition action the policy module will take, type:
certutil -getreg Policy\RequestDisposition
To set the CA registry to perform a certain action when a request arrives
Syntax
certutil -setreg [-user] [-gmt] [-seconds] [-v] policy\requestdisposition [{0 | 1 | 2 | 3}]
Parameters
- -setreg
Sets or edits the registry key value.
- -user
Uses the HKEY_CURRENT_USER keys or certificate store.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- policy\requestdisposition
Specifies the RequestDisposition value in the policy module's registry key.
- {0 | 1 | 2 | 3}
Specifies how the CA processes an incoming request, using one of the values described in the following table.
Value | Description |
---|---|
0 | Places the incoming request in a pending state. |
1 | Issues the incoming request. |
2 | Denies the incoming request. |
3 | Takes action based on the disposition request attribute provided with the incoming request. |
- -?
Displays a list of certutil commands.
Caution
- Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Note
- You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
To set CA registry settings
Syntax
certutil -setreg [-user] [-gmt] [-seconds] [-v] [{ca | restore | policy | exit | template}] [\ProgID] \RegistryValueName
Parameters
- -setreg
Sets or edits registry information.
- -user
Uses the HKEY_CURRENT_USER keys or certificate store.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- ca
Specifies the CA registry key.
- restore
Specifies the RESTORE registry key.
- policy
Specifies the POLICYMODULE registry key.
- exit
Specifies the EXITMODE registry key.
- \ProgID
Specifies the registry subkey name of the policy or exit module.
- \RegistryValueName
Specifies a particular value within the registry key.
- -?
Displays a list of certutil commands.
Caution
- Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Remarks
You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
Restore is only available when you are running certutil in restore mode.
If you do not specify ProgID, certutil uses the default policy module, CertificateAuthority_MicrosoftDefault.Policy.
You can set or clear individual bit flags within a DWORD registry value by using -setreg with a value prefixed by + or -, as the examples show.
Examples
To set the request disposition to one, type:
certutil /setreg policy\requestdisposition 1
To set the ninth bit in the DWORD registry value policy\RevocationType, type:
certutil -setreg policy\revocationtype +0x100
To clear the ninth bit in the DWORD registry value policy\RevocationType, type:
certutil -setreg policy\revocationtype -0x100
To delete a registry value
Syntax
certutil -delreg [-user] [-gmt] [-seconds] [-v] [{ca | restore | policy | exit | template}] [\ProgID] \RegistryValueName
Parameters
- -delreg
Deletes the registry value.
- -user
Uses the HKEY_CURRENT_USER keys or certificate store.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- ca
Specifies the CA registry key.
- restore
Specifies the RESTORE registry key.
- policy
Specifies the POLICYMODULE registry key.
- exit
Specifies the EXITMODE registry key.
- template
Specifies the TEMPLATE registry key.
- \ProgID
Specifies the registry subkey name of the policy or exit module.
- \RegistryValueName
Specifies any CA registry value.
- -?
Displays a list of certutil commands.
Remarks
You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
Restore is only available during backup and restore modes.
If you do not specify ProgID, certutil uses the default policy module, CertificateAuthority_MicrosoftDefault.Policy.
To display error message text for an error code in the local language
Syntax
certutil -error ErrorCode
Parameters
- -error
Displays error code message text in the local language, which is specified by the Locale registry key.
- ErrorCode
Specifies the error code that you want to view in the local language.
- -?
Displays a list of certutil commands.
Remarks
For ErrorCode, you can use signed or unsigned decimal format, or hexadecimal format with a leading 0x.
You can use this command to decode errors received from the Certification Authority snap-in.
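As an added example (not from the original page), the following Python code accepts an error code in the three spellings certutil -error takes (signed decimal, unsigned decimal, or hexadecimal with a leading 0x), normalizes it to the unsigned 32-bit HRESULT, and splits it into its severity, facility and code fields; the facility and name tables hold a handful of well-known winerror.h constants and are deliberately not exhaustive.

```python
import re

# Well-known HRESULT facilities from winerror.h; only those a CA administrator meets often.
FACILITIES = {7: "FACILITY_WIN32", 9: "FACILITY_SECURITY", 11: "FACILITY_CERT"}
# A short, non-exhaustive table of winerror.h constants (not taken from this page).
KNOWN_HRESULTS = {
    0x80070005: "E_ACCESSDENIED",
    0x80092004: "CRYPT_E_NOT_FOUND",
    0x8009000D: "NTE_NO_KEY",
    0x800B010A: "CERT_E_CHAINING",
}

def normalize_error_code(text):
    """Accept the three spellings certutil -error takes and return the unsigned 32-bit value."""
    s = text.strip().replace(" ", "")
    if re.fullmatch(r"[+-]?0[xX][0-9A-Fa-f]{1,8}", s):
        value = int(s, 16)
    elif re.fullmatch(r"[+-]?\d+", s):
        value = int(s, 10)
    else:
        raise ValueError("not a signed/unsigned decimal or 0x-prefixed hex code: %r" % text)
    if not -0x80000000 <= value <= 0xFFFFFFFF:
        raise ValueError("code does not fit in 32 bits: %r" % text)
    return value & 0xFFFFFFFF      # -2146885628 and 2148081668 both become 0x80092004

def decode_hresult(value):
    """Split an HRESULT into severity/facility/code and name it when it is in the table."""
    facility = (value >> 16) & 0x7FF        # bits 16-26
    code = value & 0xFFFF                   # low 16 bits
    info = {
        "hex": "0x%08X" % value,
        "signed": value - 0x100000000 if value & 0x80000000 else value,
        "failed": bool(value & 0x80000000),  # severity bit
        "facility": FACILITIES.get(facility, "FACILITY_%d" % facility),
        "code": code,
        "name": KNOWN_HRESULTS.get(value),
    }
    if facility == 7:   # HRESULT_FROM_WIN32: the low 16 bits are the original Win32 error number
        info["win32_error"] = code
    return info
```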
To verify that the server is running (ICertRequest interface)
Syntax
certutil -ping [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]
Parameters
- -ping
Pings the Certificate Services ICertRequest interface.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- -?
Displays a list of certutil commands.
Remarks
You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
To verify that the server is running (ICertAdmin interface)
Syntax
certutil -pingadmin [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]
Parameters
- -pingadmin
Pings the Certificate Services ICertAdmin interface.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- -?
Displays a list of certutil commands.
Remarks
You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
For this command to succeed, the user who runs it must have administrative access to the server.
To generate and display the cryptographic hash over a file
Syntax
certutil -hashfile [-gmt] [-seconds] [-v] InFile
Parameters
- -hashfile
Generates and displays a cryptographic hash over a file.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- InFile
Specifies the file for which you want to display the hash.
- -?
Displays a list of certutil commands.
To dump the CA database schema
Syntax
certutil -schema [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [{Ext | Attrib | CRL}]
Parameters
- -schema
Dumps the CA database schema.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
- -v
Specifies verbose output.
- -config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- Ext
Displays the schema for the Ext table.
- Attrib
Displays the schema for the Attrib table.
- CRL
Displays the schema for the certificate revocation list (CRL).
- -?
Displays a list of certutil commands.
Remarks
You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
Examples
To view the CA database schema, type:
certutil -schema
To display all key container names that are available to the current user
Syntax
certutil -key [-user] [-gmt] [-seconds] [-silent] [-v] [CSPName] [*]
Parameters
- -key
Displays the key containers for the local computer.
- -user
Uses the HKEY_CURRENT_USER keys or certificate store.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -silent
Uses the silent flag when acquiring the CryptContext, so that no user interface prompts appear.
- -v
Specifies verbose output.
- CSPName
Specifies the cryptographic service provider (CSP) for which you want to display the key containers.
- *
Displays the key containers for all of the CSPs.
- -?
Displays a list of certutil commands.
Remarks
- RSA is the default CSP for the Windows Server 2003 family. To specify an alternate CSP, use the CSPName command-line option. For more information about RSA, see the RSA Labs Web site. Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.
To provide a PKCS#10 request file to an Entrust CA for cross-certification
Syntax
certutil -split [-gmt] [-seconds] [-v] CMC.req
Parameters
- -split
Analyzes each binary (ASN.1-encoded) object in a certificate request file, and then saves each object to a separate blob file.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- CMC.req
Specifies the Cryptographic Message Syntax (CMS) request (this protocol is also known as CMC) file that you want to analyze.
- -?
Displays a list of certutil commands.
Remarks
For more information about creating a CMS request from the root certificate by using the certreq -policy command, see Certreq in Related Topics. In Certreq, see the "To construct a cross-certification or qualified subordination request from an existing CA certificate or request" task.
If possible, when you construct a request from an existing certificate, you should run the certreq -policy command on a computer that has the input certificate's private key installed. If the private key is unavailable (as is usually the case for cross-certifying non-Microsoft CAs), the PKCS#10 file is NULL-signed and the outer CMS is also NULL-signed. A NULL-signed PKCS#10 is unacceptable to most non-Microsoft CAs.
To reassociate a private key with its certificate
Syntax
certutil -repairstore [-csp CSPName [-f]] [-enterprise] [-user] [-gmt] [-seconds] [-split] [-v] [{ca | my | root | spc}] CertIndex
Parameters
- -repairstore
Repairs the key provider information for certificates in the specified certificate store.
- -csp
Uses only the cryptographic service provider (CSP) specified to locate and repair the key.
- CSPName
Specifies the name of the CSP to use.
- -f
Used with -csp to force the search for the key to use the specified CSP.
- -enterprise
Uses the local computer Enterprise registry certificate store.
- -user
Uses the HKEY_CURRENT_USER keys or certificate store.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
- -v
Specifies verbose output.
- ca
Specifies certificates in the Intermediate Certification Authorities store.
- my
Specifies certificates issued to the local computer.
- root
Specifies certificates in the Trusted Root Certification Authorities store.
- spc
Specifies software publisher certificates.
- CertIndex
Specifies the Secure Hash Algorithm (SHA-1) certificate hash, serial number, or certificate index identifier.
- -?
Displays a list of certutil commands.
Remarks
- If the certificate is located in the HKEY_LOCAL_MACHINE certificate store, do not use -user.
To verify that the URLs in the AIA and CDP extensions are valid and correct
Syntax
certutil -url [-f] [-gmt] [-seconds] [-split] [-v] CertFile.crt
Parameters
- -url
Verifies certificate or certificate revocation list (CRL) URLs.
- -f
Overwrites existing files or keys.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
- -v
Specifies verbose output.
- CertFile.crt
Specifies the certificate file.
- -?
Displays a list of certutil commands.
Remarks
- To make sure that the URLs are valid and point to the appropriate CRLs or issuing CA certificates, use this command to check the Authority Information Access (AIA) and CRL Distribution Point (CDP) extensions; it dereferences the URLs inside these extensions and reports whether each one can be retrieved.
To check a certificate on a smart card
Syntax
certutil -scinfo [-gmt] [-seconds] [-silent] [-split] [-v] [ReaderName]
Parameters
- -scinfo
Displays smart card information.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -silent
Uses the silent flag when acquiring the CryptContext, so that no user interface prompts appear.
- -split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
- -v
Specifies verbose output.
- ReaderName
Specifies the name of the smart card reader.
- -?
Displays a list of certutil commands.
To view templates that are installed locally
Syntax
certutil -template [-user] [-ut] [-mt] [-gmt] [-seconds] [-v] TemplateName
Parameters
- -template
Displays the specified template.
- -user
Uses the HKEY_CURRENT_USER keys or certificate store.
- -ut
Displays the user templates.
- -mt
Displays the computer templates.
- -gmt
Displays time as Greenwich mean time.
- -seconds
Displays time with seconds and milliseconds.
- -v
Specifies verbose output.
- TemplateName
Specifies the name of the template that you want to view.
- -?
Displays a list of certutil commands.
To determine what CSP is used for a key pair
Syntax
certutil PFXfile.pfx
Parameters
- PFXfile.pfx
Specifies a file with a .pfx extension.
- -?
Displays a list of certutil commands.
Remarks
After you import the .pfx file, you can display the HKEY_CURRENT_USER "My" store using the following syntax:
certutil /user /store my [CertIndex]
This command displays each certificate key's cryptographic service provider (CSP) as Provider=xxx. In place of CertIndex, you can specify the zero-based decimal certificate store index number, the common name, the Secure Hash Algorithm (SHA-1) certificate hash, or the public key SHA-1 hash.
Formatting legend
Format | Meaning |
---|---|
Italic | Information that the user must supply |
Bold | Elements that the user must type exactly as shown |
Ellipsis (...) | Parameter that can be repeated several times in a command line |
Between brackets ([]) | Optional items |
Between braces ({}); choices separated by pipe (\|). Example: {even\|odd} | Set of choices from which the user must choose only one |
 | Code or program output |