Certutil tasks for managing certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use certutil to perform a number of certificate management tasks.

To view the syntax for a specific task, see the corresponding section below:

To validate that the certificate was issued by a specific CA

To verify the validity of a certificate

To install the CA certificate

To request a renewal CA certificate

To delete keys from the HKEY_LOCAL_MACHINE root store

To add Netscape-compatible Web-based revocation check extensions to every issued certificate

To retrieve the CA signing certificate and save it to a file

To retrieve the CA signing certificate and chain and save it to a PKCS #7 file

To import a certificate into the server database

To display the certificates in the Local Machine certificate store

To add a certificate or CRL to a local trusted root CA store

To view certificate stores

To verify all certificates in a store

To delete a certificate from the HKEY_LOCAL_MACHINE root store

To delete a certificate from the HKEY_CURRENT_USER root store

To validate that the certificate was issued by a specific CA

Syntax

certutil -verify [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-split] [-v] CertFile [CACertFile]

Parameters
  • -verify
    Verifies the certificate chain.
  • -f
    Overwrites existing files or keys.
  • -enterprise
    Uses the local computer's enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -silent
    Uses a silent flag to acquire CryptContext.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • CertFile
    Specifies the certificate.
  • CACertFile
    Specifies the CA signature certificate that contains the public key used to verify digital signatures.
  • -?
    Displays a list of certutil commands.
Remarks
  • CertFile and CACertFile must both contain a single certificate, not a PKCS #7 certification chain.

  • This command-line option also verifies the revocation status of the CertFile certificate. If CertFile does not contain information on how to check revocation or if the necessary URLs or CRLs are not available, an error occurs.

  • If you do not specify CACertFile, the certification chain for CertFile is constructed by using certificates installed on the computer, and all certificates in the chain are verified and checked to see if they have been revoked.

To verify the validity of a certificate

Syntax

certutil -isvalid [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] {SerialNumber | CertHash}

Parameters
  • -isvalid
    Determines whether the certificate is valid.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • SerialNumber
    Specifies the serial number of the certificate.
  • CertHash
    Specifies the certificate hash of the certificate.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • SerialNumber must be in hexadecimal format with an even number of digits. A single zero (0) can be prefaced to a value with an odd number of digits. A leading 0x is not allowed.
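
The SerialNumber rules above, applied in PowerShell before the value reaches certutil -isvalid. This is an added example, not part of the original page; the function names ConvertTo-CertutilSerial and Test-IssuedCertificate are hypothetical and the inputs on the last lines are constructed.

```powershell
# Added example, not from the original page. Function names and sample values
# are hypothetical.
function ConvertTo-CertutilSerial {
    param([Parameter(Mandatory = $true)][string]$Serial)

    # Remove the spaces or colons that certificate viewers often insert.
    $hex = $Serial.Trim() -replace '[\s:]', ''
    # A leading 0x is not allowed.
    $hex = $hex -replace '^0[xX]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]+$') {
        throw "Not a hexadecimal serial number: '$Serial'"
    }
    # An odd number of digits is fixed by prefacing a single zero.
    if ($hex.Length % 2 -eq 1) { $hex = '0' + $hex }
    return $hex.ToLowerInvariant()
}

function Test-IssuedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Serial,
        # "-" selects the default CA; otherwise pass CAComputerName\CAName.
        [string]$Config = '-'
    )
    $clean  = ConvertTo-CertutilSerial -Serial $Serial
    $output = & certutil.exe -isvalid -config $Config $clean 2>&1
    # Return the raw result so the caller can log it or act on the exit code.
    [pscustomobject]@{
        Serial   = $clean
        ExitCode = $LASTEXITCODE
        Output   = $output -join [Environment]::NewLine
    }
}

# Constructed inputs showing each rule (no CA is contacted by these lines):
'0x26E0AAAF000000000004', '26 e0 aa af 00 00 00 00 00 04', '1a2b3' |
    ForEach-Object { '{0,-32} -> {1}' -f $_, (ConvertTo-CertutilSerial -Serial $_) }
```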

To install the CA certificate

Syntax

certutil -installcert [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [CACertFile]

Parameters
  • -installcert
    Installs a CA certificate.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • CACertFile
    Specifies the CA signature certificate that contains the public key that is used to verify digital signatures.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • A PKCS #7 certification chain is the preferred content for CACertFile. However, an X.509 v3 certificate is accepted if all of the certificates that will be used to form the chain are already installed on the local computer.

  • This command also completes subordinate CA certificate installation for a subordinate CA that generated a request, but has not yet received and installed its CA certificate.

  • This command also allows installation of a requested renewal CA certificate.

To request a renewal CA certificate

Syntax

certutil -renewcert [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [reusekeys] RequestFile

Parameters
  • -renewcert
    Renews the CA certificate.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • reusekeys
    Specifies to reuse the existing keys.
  • RequestFile
    Specifies the file to which you want to save the renewal request.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • If an online parent CA does not exist or if it does not immediately issue a renewal CA certificate, use the -installCert command to complete the renewal certificate installation when the certificate is available.

To delete keys from the HKEY_LOCAL_MACHINE root store

Syntax

certutil -delkey [-user] [-gmt] [-seconds] [-silent] [-v] KeyContainerName [CSPName]

Parameters
  • -delkey
    Deletes a private key from the host computer.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -silent
    Uses a silent flag to acquire CryptContext.
  • -v
    Specifies verbose output.
  • KeyContainerName
    Specifies the container name of the key.
  • CSPName
    Specifies the cryptographic service provider (CSP).
  • -?
    Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

  • The certutil -delkey command deletes a User or Machine private key. After it is deleted, any of the following scenarios might apply:

    • If it was not previously backed up or archived, the deleted key will be irretrievable.

    • If the deleted key was used for a certificate server signing key, the CA will be disabled and will not be able to issue new CRLs, which will effectively invalidate all of the certificates issued by the CA when the existing CRLs expire. You can replace other signing keys by re-enrolling for a new key and certificate.

    • If the deleted key was used for encrypting e-mail, previously received e-mail might be unreadable, unless you can recover it from a key management system like Key Management Service (KMS).

    • If the deleted key was used for encrypting files, an administrator with the appropriate credentials to create a Key Recovery Agent account might need to intervene and decrypt each file individually for the affected user.

    • Use -user to delete keys from the HKEY_CURRENT_USER root store.

To add Netscape-compatible Web-based revocation check extensions to every issued certificate

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] Policy\RevocationType {+ | -} REVEXT_ASPENABLE

Parameters
  • -setreg
    Sets or edits the registry key value.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • Policy\RevocationType
    Specifies the policy module and the certificate revocation configuration.
  • {+ | -}
    Sets (+) or resets (-) the REVEXT_ASPENABLE flag.
  • REVEXT_ASPENABLE
    Adds this extension to certificates issued by the CA.
  • -?
    Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To retrieve the CA signing certificate and save it to a file

Syntax

certutil -ca.cert [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] OutCACertFile [Index]

Parameters
  • -ca.cert
    Retrieves the CA signing certificate.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • OutCACertFile
    Specifies the CA file to which you want to write.
  • Index
    Specifies the CA certificate that you want to retrieve. The default is the most current CA.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • The public key contained in this certificate is used to verify digital signatures on certificates issued by the CA.

To retrieve the CA signing certificate and chain and save it to a PKCS #7 file

Syntax

certutil -ca.chain [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] OutCACertChainFile [Index]

Parameters
  • -ca.chain
    Retrieves the CA signing certificate and chain.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • OutCACertChainFile
    Writes the CA signing certificate to the PKCS #7 file.
  • Index
    Specifies the CA certificate that you want to retrieve. The default is the most current CA.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To import a certificate into the server database

Syntax

certutil -importcert [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] CertFile

Parameters
  • -importcert
    Imports a certificate file into the database.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • CertFile
    Specifies the certificate to import.
  • -?
    Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • You can use this command-line option to make a certificate revocable if it is inadvertently lost from the database, which could be due to restoring a database from an incomplete backup of the database. Note that the server must have issued the certificate.

To display the certificates in the Local Machine certificate store

Syntax

certutil -store [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-v] [-dc DCName] [CertificateStoreName [CertID [OutFile]]]

Parameters
  • -store
    Displays the certificates in the specified certificate store.
  • -f
    Overwrites existing files or keys.
  • -enterprise
    Uses the local computer Enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -silent
    Uses a silent flag to acquire CryptContext.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • CertificateStoreName
    Specifies one of the following store names:
    • ca
      Specifies certificates in the Intermediate Certification Authorities store.
    • my
      Specifies certificates issued to the current user.
    • root
      Specifies certificates in the Trusted Root Certification Authorities store.
    • spc
      Specifies software publisher certificates.
    • UserCreatedStore
      Specifies the name of a user-created certificate store.
  • CertID
    Specifies a certificate or certificate revocation list (CRL) match token.
  • OutFile
    Specifies the file to which you want to write the displayed certificate information.
  • -?
    Displays a list of certutil commands.
Remarks
  • If CertificateStoreName is not specified, the CA store is used.

  • Use the -user option to display certificate stores for the current user instead of the local computer.

  • CertID can be a serial number, a Secure Hash Algorithm (SHA-1) certificate, CRL, certificate trust list (CTL), or public key hash, a numeric certificate index (for example, 0, 1, and so on), a numeric CRL index (for example, .0, .1, and so on), a numeric CTL index (for example, ..0, ..1, and so on), a certificate subject common name or a CRL issuer common name. Many of these might result in multiple matches.

Examples

To view the certificates in the NTAuth store of the local computer, type:

certutil -store -enterprise NTAuth

To view the certificates in the "Root" store of the local computer with cert Index as 37, type:

certutil -store -enterprise Root 37

To view the certificate of the user that has the serial number 26e0aaaf000000000004 in the store named My, type:

certutil -store -user My 26e0aaaf000000000004

To view the CRL with index .11 in the store named CA, type:

certutil -store CA .11

To view the certificates store at Lightweight Directory Access Protocol (LDAP) location "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,DC=corp,DC=MyCorp,DC=com", type:

certutil -store ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,DC=corp,DC=MyCorp,DC=com

To add a certificate or CRL to a local trusted root CA store

Syntax

certutil -addstore [-f] [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc DCName] root InFile

Parameters
  • -addstore
    Adds a certificate to a certificate store.
  • -f
    Overwrites existing files or keys.
  • -enterprise
    Uses the local computer Enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • root
    Specifies the Trusted Root Certification Authorities store.
  • InFile
    Specifies the file name of the certificate or certificate revocation list (CRL).
  • -?
    Displays a list of certutil commands.

To view certificate stores

Syntax

certutil [{-viewstore | -viewdelstore}] [-f] [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc DCName] {my | ca | root | spc} ["CertIndex"]

Parameters
  • -viewstore
    Views a certificate in the certificate store.
  • -viewdelstore
    Deletes a certificate from the certificate store.
  • -f
    Overwrites existing files or keys.
  • -enterprise
    Uses the local computer Enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • my
    Displays certificates issued to the local computer.
  • ca
    Displays certificates in the Intermediate Certification Authorities store.
  • root
    Displays certificates in the Trusted Root Certification Authorities store.
  • spc
    Displays software publisher certificates.
  • "CertIndex"
    Specifies a certificate or certificate revocation list (CRL) match token.
  • -?
    Displays a list of certutil commands.
Remarks
  • To determine the CertIndex certificate hash value, which is the value following Cert Hash(sha1): in the certificate, do one of the following:

    • Dump a certificate store that contains the old certificate by typing:

      certutil -store [-user] root

    • Save the old certificate to a file and dump the file by typing:

      certutil file.cer

  • By default -viewstore opens the HKLM "CA" store. You can override this default to display any user or enterprise store by specifying -user or -enterprise after -viewstore.

  • If you do not close the user interface and you use -viewdelstore, you delete the selected certificate from the certificate store.

  • The user interface does not support saving certificates to files. You can run the following syntax to display all certificates, select the one you want, and then save it to a file:

    certutil /viewstore /enterprise NTAuth *.file.cer

    The local NTAuth store is the result of the last Group Policy download from the Active Directory NTAuth store. It is the store used by smart card logon, so viewing this store can be useful when troubleshooting smart card logon failures.

Examples

To open and view the local NTAuth store on the current computer, type:

certutil -viewstore -enterprise NTAuth

To delete a certificate, type:

certutil -delstore -enterprise NTAuth "CertIndex"

To verify all certificates in a store

Syntax

certutil -verifystore [-enterprise] [-user] [-gmt] [-seconds] [-split] [-v] [-dc DCName] CertificateStoreName [CertID]

Parameters
  • -verifystore
    Verifies the certificate in a store.
  • -enterprise
    Uses the local computer Enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • CertificateStoreName
    Specifies the certificate store name.
  • CertID
    Specifies a certificate or certificate revocation list (CRL) match token.
  • -?
    Displays a list of certutil commands.
Remarks
  • This command is similar to -store.

  • This command verifies the associated private keys, if they exist. It also verifies each certificate by building a chain from the installed CA and root certificates, and checks every certificate in the chain to make sure it is still valid and has not been revoked.

To delete a certificate from the HKEY_LOCAL_MACHINE root store

Syntax

certutil -delstore [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc DCName] root CertIndex

Parameters
  • -delstore
    Deletes a certificate from the specified store.
  • -enterprise
    Uses the local computer Enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • root
    Specifies the root certificate store.
  • CertIndex
    Specifies the hash value.
  • -?
    Displays a list of certutil commands.
Remarks
  • To determine the CertIndex certificate hash value, which is the value following Cert Hash(sha1): in the certificate, do one of the following:

    • Dump a certificate store that contains the old certificate by typing:

      certutil -store [-user] root

    • Save the old certificate to a file and dump the file by typing:

      certutil file.cer

To delete a certificate from the HKEY_CURRENT_USER root store

Syntax

certutil -delstore [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc DCName] root -user CertIndex

Parameters
  • -delstore
    Deletes a certificate from the specified store.
  • -enterprise
    Uses the local computer Enterprise registry certificate store.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • root
    Specifies the root certificate store.
  • -user
    Specifies HKEY_CURRENT_USER certificate store.
  • CertIndex
    Specifies the hash value.
  • -?
    Displays a list of certutil commands.
Remarks
  • To determine the CertIndex certificate hash value, which is the value following Cert Hash(sha1): in the certificate, do one of the following:

    • Dump a certificate store that contains the old certificate by typing:

      certutil -store [-user] root

    • Save the old certificate to a file and dump the file by typing:

      certutil file.cer

  • Certutil -delstore is valid only for deleting certificates and CRLs. You must use -delkey to delete keys.

    Caution

    • The certutil -delkey command deletes a User or Machine private key. Once deleted, any of the following scenarios might apply:

      • If it was not previously backed up or archived, the deleted key will be irretrievable.

      • If the deleted key was used for a certificate server signing key, the CA will be disabled and will not be able to issue new CRLs, which will effectively invalidate all of the certificates issued by the CA when the existing CRLs expire. You can replace other signing keys by re-enrolling for a new key and certificate.

      • If the deleted key was used for encrypting e-mail, previously received e-mail might be unreadable, unless you can recover it from a key management system like Key Management Service (KMS).

      • If the deleted key was used for encrypting files, an administrator with the appropriate credentials to create a Key Recovery Agent account might need to intervene and decrypt each file individually for the affected user.

      • Use -user to delete keys from the HKEY_CURRENT_USER root store.

Examples

To delete the fifth certificate in the root store, type:

certutil -delstore root 5
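
The dump-then-delete procedure from the Remarks above, as a PowerShell review step: parse a root store dump, pull out each Cert Hash(sha1) value, and list the certificates that are not on an approved list together with the -delstore command that targets each one by hash, which identifies one certificate regardless of its position in the store. This is an added example, not part of the original page; the function names, the approved list and the sample dump are constructed, and the dump layout beyond the "Cert Hash(sha1):" label is an assumption.

```powershell
# Added example, not from the original page. All names and values below are
# constructed; the dump layout is assumed apart from "Cert Hash(sha1):".
$sampleDump = @'
================ Certificate 0 ================
Serial Number: 1a2b3c4d
Subject: CN=Example Corp Root CA
Cert Hash(sha1): 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
================ Certificate 1 ================
Serial Number: 5e6f7a8b
Subject: CN=Unexpected Test Root
Cert Hash(sha1): ffeeddccbbaa99887766554433221100ffeeddcc
'@ -split '\r?\n'

function Get-CertutilStoreEntry {
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^=+ Certificate (\d+) =+') {
            # A new certificate starts: emit the previous one, if any.
            if ($entry) { [pscustomobject]$entry }
            $entry = [ordered]@{ Index = [int]$Matches[1]; Subject = ''; Serial = ''; Sha1 = '' }
        }
        elseif ($line -match '^=+ ') {
            # Any other section header (for example a CRL) ends the entry.
            if ($entry) { [pscustomobject]$entry }
            $entry = $null
        }
        elseif ($entry -and $line -match '^Subject:\s*(.+)$') {
            $entry.Subject = $Matches[1].Trim()
        }
        elseif ($entry -and $line -match '^Serial Number:\s*(\S+)') {
            $entry.Serial = $Matches[1]
        }
        elseif ($entry -and $line -match '^Cert Hash\(sha1\):\s*(.+)$') {
            # The hash may be printed with or without spaces between bytes.
            $entry.Sha1 = ($Matches[1] -replace '\s', '').ToLowerInvariant()
        }
    }
    if ($entry) { [pscustomobject]$entry }
}

function Find-UnapprovedRoot {
    param([object[]]$Entries, [string[]]$ApprovedSha1)
    $approved = @($ApprovedSha1 | ForEach-Object { ($_ -replace '\s', '').ToLowerInvariant() })
    $Entries | Where-Object { $_.Sha1 -and ($approved -notcontains $_.Sha1) }
}

# Constructed approved list; on a live system this comes from your baseline.
$approvedSha1 = @('00112233445566778899aabbccddeeff00112233')

# On a live system, replace $sampleDump with the output of: certutil -store root
$entries    = @(Get-CertutilStoreEntry -Lines $sampleDump)
$unexpected = @(Find-UnapprovedRoot -Entries $entries -ApprovedSha1 $approvedSha1)

foreach ($cert in $unexpected) {
    "Not approved: index $($cert.Index), serial $($cert.Serial), '$($cert.Subject)'"
    # Printed for review only; nothing is deleted by this script.
    "  certutil -delstore root $($cert.Sha1)"
}
```

Add -user to both the dump and the printed command when reviewing the HKEY_CURRENT_USER root store instead of the local computer store.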

Formatting legend

Format and its meaning:

  • Italic
    Information that the user must supply
  • Bold
    Elements that the user must type exactly as shown
  • Ellipsis (...)
    Parameter that can be repeated several times in a command line
  • Between brackets ([])
    Optional items
  • Between braces ({}); choices separated by pipe (|). Example: {even|odd}
    Set of choices from which the user must choose only one
  • Courier font
    Code or program output
