Compartilhar via


Certutil tasks for managing certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Certutil tasks for managing certificates

You can use certutil to perform a number of certificate management tasks.

To view the syntax for a specific task, click a task:

To validate that the certificate was issued by a specific CA

To verify the validity of a certificate

To install the CA certificate

To request a renewal CA certificate

To delete keys from the HKEY_LOCAL_MACHINE root store

To add Netscape-compatible Web-based revocation check extensions to every issued certificate

To retrieve the CA signing certificate and save it to a file

To retrieve the CA signing certificate and chain and save it to a PKCS #7 file

To import a certificate into the server database

To display the certificates in the Local Machine certificate store

To add a certificate or CRL to a local trusted root CA store

To view certificate stores

To verify all certificates in a store

To delete a certificate from the HKEY_LOCAL_MACHINE root store

To delete a certificate from the HKEY_CURRENT_USER root store

To validate that the certificate was issued by a specific CA

Syntax

certutil -verify [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-split] [-v] CertFile [CACertFile]

Parameters
  • -verify
    Verifies the certificate chain.
  • -f
    Overwrites existing files or keys.
  • -enterprise
    Uses the local computer's enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -silent
    Uses a silent flag to acquire CryptContext.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • CertFile
    Specifies the certificate.
  • CACertFile
    Specifies the CA signature certificate that contains the public key used to verify digital signatures.
  • -?
    Displays a list of certutil commands.
Remarks
  • CertFile and CACertFile must both contain a single certificate, not a PKCS #7 certification chain.

  • This command-line option also verifies the revocation status of the CertFile certificate. If CertFile does not contain information on how to check revocation or if the necessary URLs or CRLs are not available, an error occurs.

  • If you do not specify CACertFile, the certification chain for CertFile is constructed by using certificates installed on the computer, and all certificates in the chain are verified and checked to see if they have been revoked.

To verify the validity of a certificate

Syntax

certutil -isvalid [-gmt] [-seconds] [-v] [-config CAMachineName**\**CAName] {SerialNumber | CertHash}

Parameters
  • -isvalid
    Determines whether the certificate is valid.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName \ CAName
    processes the operation by using the CA specified in the configuration string (that is, CAMachineName**\**CAName).
  • SerialNumber
    Specifies the serial number of the certificate.
  • CertHash
    Specifies the certificate hash of the certificate.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • SerialNumber must be in hexadecimal format with an even number of digits. A single zero (0) can be prefaced to a value with an odd number of digits. A leading 0x is not allowed.

To install the CA certificate

Syntax

certutil -installcert [-f] [-gmt] [-seconds] [-v] [-config CAMachineName**\**CAName] [CACertFile]

Parameters
  • -installcert
    Installs a CA certificate.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName \ CAName
    processes the operation by using the CA specified in the configuration string (that is, CAMachineName**\**CAName).
  • CACertFile
    Specifies the CA signature certificate that contains the public key that is used to verify digital signatures.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • A PKCS #7 certification chain is the preferred content for CACertFile. However, an X.509 v3 certificate is accepted if all of the certificates that will be used to form the chain are already installed on the local computer.

  • This command also completes subordinate CA certificate installation for a subordinate CA that generated a request, but has not yet received and installed its CA certificate.

  • This command also allows installation of a requested renewal CA certificate.

To request a renewal CA certificate

Syntax

certutil -renewcert [-f] [-gmt] [-seconds] [-v] [-config CAMachineName**\**CAName] [reusekeys] RequestFile

Parameters
  • -renewcert
    Renews the CA certificate.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName \ CAName
    processes the operation by using the CA specified in the configuration string (that is, CAMachineName**\**CAName).
  • reusekeys
    Specifies to reuse the existing keys.
  • RequestFile
    Specifies the file to which you want to save the renewal request.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • If an online parent CA does not exist or if it does not immediately issue a renewal CA certificate, use the -installCert command to complete the renewal certificate installation when the certificate is available.

To delete keys from the HKEY_LOCAL_MACHINE root store

Syntax

certutil -delkey [-user] [-gmt] [-seconds] [-silent] [-v] KeyContainerName [CSPName]

Parameters
  • -delkey
    Deletes a private key from the host computer.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -silent
    Uses a silent flag to acquire CryptContext.
  • -v
    Specifies verbose output.
  • KeyContainerName
    Specifies the container name of the key.
  • CSPName
    Specifies the cryptographic service provider (CSP).
  • -?
    Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

  • The certutil -delkey command deletes a User or Machine private key. After it is deleted, any of the following scenarios might apply:

    • If it was not previously backed up or archived, the deleted key will be irretreivable.

    • If the deleted key was used for a certificate server signing key, the CA will be disabled and will not be able to issue new CRLs, which will effectively invalidate all of the certificates issued by the CA when the existing CRLs expire. You can replace other signing keys by re-enrolling for a new key and certificate.

    • If the deleted key was used for encrypting e-mail, previously received e-mail might be unreadable, unless you can recover it from a key management system like Key Management Service (KMS).

    • If the deleted key was used for encrypting files, an administrator with the appropriate credentials to create a Key Recovery Agent account might need to intervene and decrypt each file individually for the affected user.

    • Use - user to delete keys from the HKEY_CURRENT_USER root store.

To add Netscape-compatible Web-based revocation check extensions to every issued certificate

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] Policy\RevocationType {+ | -} REVEXT_ASPENABLE

Parameters
  • -setreg
    Sets or edits the registry key value.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • Policy\RevocationType
    Specifies the policy module and the certificate revocation configuration.
  • { +| -}
    Sets (+) or resets (-) the REVEXT_ASPENABLE flag.
  • REVEXT_ASPENABLE
    Adds this extension to certificates issued by the CA.
  • -?
    Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Note

To retrieve the CA signing certificate and save it to a file

Syntax

certutil -ca.cert [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName**\**CAName] OutCACertFile [Index]

Parameters
  • -ca.cert
    Retrieves the CA signing certificate.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName \ CAName
    processes the operation by using the CA specified in the configuration string (that is, CAMachineName**\**CAName).
  • OutCACertFile
    Specifies the CA file to which you want to write.
  • Index
    Specifies the CA certificate that you want to retrieve. The default is the most current CA.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • The public key contained in this certificate is used to verify digital signatures on certificates issued by the CA.

To retrieve the CA signing certificate and chain and save it to a PKCS #7 file

Syntax

certutil -ca.chain [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName**\**CAName] OutCACertChainFile [Index]

Parameters
  • -ca.chain
    Retrieves the CA signing certificate and chain.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName \ CAName
    processes the operation by using the CA specified in the configuration string (that is, CAMachineName**\**CAName).
  • OutCACertChainFile
    Writes the CA signing certificate to the PKCS #7 file.
  • Index
    Specifies the CA certificate that you want to retrieve. The default is the most current CA.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To import a certificate into the server database

Syntax

certutil -importcert [-f] [-gmt] [-seconds] [-v] [-config CAMachineName**\**CAName] CertFile

Parameters
  • -importcert
    Imports a certificate file into the database.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName \ CAName
    processes the operation by using the CA specified in the configuration string (that is, CAMachineName**\**CAName).
  • CertFile
    Specifies the certificate to import.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • You can use this command-line option to make a certificate revocable if it is inadvertently lost from the database, which could be due to restoring a database from an incomplete backup of the database. Note that the server must have issued the certificate.

To display the certificates in the Local Machine certificate store

Syntax

certutil -store [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-v] [-dc DCName] CertificateStoreName [CertID [OutFile]]]

Parameters
  • -store
    Displays the certificates in the specified certificate store.
  • -f
    Overwrites existing files or keys.
  • -enterprise
    Uses the local computer Enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -silent
    Uses a silent flag to acquire CryptContext.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • CertificateStoreName
    Specifies one of the following store names:
<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>ca</strong></p></td>
<td><p>Specifies certificates in the Intermediate Certification Authorities store.</p></td>
</tr>
<tr class="even">
<td><p><strong>my</strong></p></td>
<td><p>Specifies certificates issued to the current user.</p></td>
</tr>
<tr class="odd">
<td><p><strong>root</strong></p></td>
<td><p>Specifies certificates in the Trusted Root Certification Authorities store.</p></td>
</tr>
<tr class="even">
<td><p><strong>spc</strong></p></td>
<td><p>Specifies software publisher certificates.</p></td>
</tr>
<tr class="odd">
<td><p><em>UserCreatedStore</em></p></td>
<td><p>Specifies the name of a user-created certificate store.</p></td>
</tr>
</tbody>
</table>
  • CertID
    Specifies a certificate or certificate revocation list (CRL) match token.
  • OutFile
    Specifies the file to which you want to write the displayed certificate information.
  • -?
    Displays a list of certutil commands.
Remarks
  • If CertificateStoreName is not specified, the CA store is used.

  • Use the -user option to display certificate stores for the current user instead of the local computer.

  • CertID can be a serial number, a Secure Hash Algorithm (SHA-1) certificate, CRL, certificate trust list (CTL), or public key hash, a numeric certificate index (for example, 0, 1, and so on), a numeric CRL index (for example, .0, .1, and so on), a numeric CTL index (for example, ..0, ..1, and so on), a certificate subject common name or a CRL issuer common name. Many of these might result in multiple matches.

Examples

To view the certificates in the NTAuth store of the local computer, type:

certutil -store -enterprise NTAuth

To view the certificates in the "Root" store of the local computer with cert Index as 37, type:

certutil -store -enterprise Root 37

To view the certificate of the user that has the serial number 26e0aaaf000000000004 in the store named My, type:

certutil -store -user My 26e0aaaf000000000004

To view the CRL with index .11 in the store named CA, type:

certutil -store CA .11

To view the certificates store at Lightweight Directory Access Protocol (LDAP) location "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,DC=corp,DC=MyCorp,DC=com", type:

certutil -store ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,DC=corp,DC=MyCorp,DC=com

To add a certificate or CRL to a local trusted root CA store

Syntax

certutil -addstore [-f] [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc DCName] root InFile

Parameters
  • -addstore
    Adds a certificate to a certificate store.
  • -f
    Overwrites existing files or keys.
  • -enterprise
    Uses the local computer Enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • root
    Specifies the Trusted Root Certification Authorities store.
  • InFile
    Specifies the file name of the certificate or certificate revocation list (CRL).
  • -?
    Displays a list of certutil commands.

To view certificate stores

Syntax

Certutil [{-viewstore | -viewdelstore}] [-f] [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc DCName] {my | ca | root | spc} ["CertIndex" ]

Parameters
  • -viewstore
    Views a certificate in the certificate store.
  • -viewdelstore
    Deletes a certificate from the certificate store.
  • -f
    Overwrites existing files or keys.
  • -enterprise
    Uses the local computer Enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • my
    Displays certificates issued to the local computer.
  • ca
    Displays certificates in the Intermediate Certification Authorities store.
  • root
    Displays certificates in the Trusted Root Certification Authorities store.
  • spc
    Displays software publisher certificates.
  • " CertIndex "
    Specifies a certificate or certificate revocation list (CRL) match token.
  • -?
    Displays a list of certutil commands.
Remarks
  • To determine the CertIndex certificate hash value, which is the value following Cert Hash(sha1): in the certificate, do one of the following:

    • Dump a certificate store that contains the old certificate by typing:

      certutil-store [-user] root

    • Save the old certificate to a file and dump the file by typing:

      certutilfile**.cer**

  • By default -viewstore opens the HKLM "CA" store. You can override this default to display any user or enterprise store by specifying -user or -enterprise after -viewstore.

  • If you do not close the user interface and you use -viewdelstore, you delete the selected certificate from the certificate store.

  • The user interface does not support saving certificates to files. You can run the following syntax to display all certificates, select the one you want, and then save it to a file:

    certutil /viewstore /enterprise NTAuth *.file.cer

    The local NTAuth store is the result of the last Group Policy download from the Active Directory NTAuth store. It is the store used by smart card logon, so viewing this store can be useful when troubleshooting smart card logon failures.

Examples

To open and view the local NTAuth store on the current computer, type:

certutil -viewstore -enterprise NTAuth

To delete a certificate, type:

certutil -delstore -enterprise NTAuth " CertIndex "

To verify all certificates in a store

Syntax

certutil -verifystore [-enterprise] [-user] [-gmt] [-seconds] [-split] [-v] [-dc DCName] CertificateStoreName [CertID]

Parameters
  • -verifystore
    Verifies the certificate in a store.
  • -enterprise
    Uses the local computer Enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • CertificateStoreName
    Specifies the certificate store name.
  • CertID
    Specifies a certificate or certificate revocation list (CRL) match token.
  • -?
    Displays a list of certutil commands.
Remarks
  • This command is similar to -store.

  • This command verifies the associated private keys (that is, if they exist), and verifies each certificate by building a chain from the installed CA and root certificates and verifies all certificates in the chain to make sure they are still valid and have not been revoked.

To delete a certificate from the HKEY_LOCAL_MACHINE root store

Syntax

certutil -delstore [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc DCName] root CertIndex

Parameters
  • -delstore
    Deletes a certificate from the specified store.
  • -enterprise
    Uses the local computer Enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • root
    Specifies the root certificate store.
  • CertIndex
    Specifies the hash value.
  • -?
    Displays a list of certutil commands.
Remarks
  • To determine the CertIndex certificate hash value, which is the value following Cert Hash(sha1): in the certificate, do one of the following:

    • Dump a certificate store that contains the old certificate by typing:

      certutil-store [-user] root

    • Save the old certificate to a file and dump the file by typing:

      certutilfile**.cer**

To delete a certificate from the HKEY_CURRENT_USER root store

Syntax

certutil -delstore [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc DCName] root -user CertIndex

Parameters
  • -delstore
    Deletes a certificate from the specified store.
  • -enterprise
    Uses the local computer Enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • root
    Specifies the root certificate store.
  • -user
    Specifies HKEY_CURRENT_USER certificate store.
  • CertIndex
    Specifies the hash value.
  • -?
    Displays a list of certutil commands.
Remarks
  • To determine the CertIndex certificate hash value, which is the value following Cert Hash(sha1): in the certificate, do one of the following:

    • Dump a certificate store that contains the old certificate by typing:

      certutil-store [-user] root

    • Save the old certificate to a file and dump the file by typing:

      certutilfile**.cer**

  • Certutil -delstore is valid only for deleting certificates and CRLs. You must use -delkey to delete keys.

    Caution

    • The certutil -delkeycommand deletes a User or Machine private key. Once deleted any of the following scenarios might apply:

If it was not previously backed up or archived, the deleted key will be irretreivable.

If the deleted key was used for a certificate server signing key, the CA will be disabled and will not be able to issue new CRLs, which will effectively invalidate all of the certificates issued by the CA when the existing CRLs expire. You can replace other signing keys by re-enrolling for a new key and certificate.

If the deleted key was used for encrypting e-mail, previously received e-mail might be unreadable, unless you can recover it from a key management system like Key Management Service (KMS).

If the deleted key was used for encrypting files, an administrator with the appropriate credentials to create a Key Recovery Agent account might need to intervene and decrypt each file individually for the affected user.

Use - user to delete keys from the HKEY_CURRENT_USER root store.

Examples

To delete the fifth certificate in the root store, type:

certutil -delstore root 5

Formatting legend

Format Meaning

Italic

Information that the user must supply

Bold

Elements that the user must type exactly as shown

Ellipsis (...)

Parameter that can be repeated several times in a command line

Between brackets ([])

Optional items

Between braces ({}); choices separated by pipe (|). Example: {even|odd}

Set of choices from which the user must choose only one

Courier font

Code or program output

See Also

Concepts

Command-line reference A-Z
Command shell overview