Caution
Certutil is not recommended for use in any production code and comes with no live site support and no guarantee of application compatibility. It is a tool that developers and IT administrators use to view the contents of certificates on a device.
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use certutil.exe to display certification authority (CA) configuration information, configure Certificate Services, and back up and restore CA components. The program also verifies certificates, key pairs, and certificate chains.
If certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. If certutil is run on a non-certification authority without additional parameters, the command defaults to running the certutil -dump command. Not all versions of certutil provide all of the parameters and options described in this document. You can see the options that your certutil version provides by running certutil -? or certutil <parameter> -?.
Tip
To see a full description of all certutil verbs and options, including the verbs and options hidden from the -? output, run certutil -v -uSAGE. The uSAGE parameter is case sensitive.
Parameters
-dump
Dumps configuration information or a file.
certutil [options] [-dump]
certutil [options] [-dump] File
Options:
[-f] [-user] [-Silent] [-split] [-p Password] [-t Timeout]
-dumpPFX
Dumps a PFX structure.
certutil [options] [-dumpPFX] File
Options:
[-f] [-Silent] [-split] [-p Password] [-csp Provider]
-asn
Parses and displays the contents of a file using Abstract Syntax Notation (ASN.1) syntax. File types include .CER, .DER, and PKCS #7 format files.
certutil [options] -asn File [type]
- [type] is the numeric CRYPT_STRING_* decode type.
-decodehex
Decodes a hexadecimal-encoded file.
certutil [options] -decodehex InFile OutFile [type]
- [type] is the numeric CRYPT_STRING_* decode type.
Options:
[-f]
-encodehex
Encodes a file in hexadecimal.
certutil [options] -encodehex InFile OutFile [type]
- [type] is the numeric CRYPT_STRING_* encode type.
Options:
[-f] [-nocr] [-nocrlf] [-UnicodeText]
-decode
Decodes a Base64-encoded file.
certutil [options] -decode InFile OutFile
Options:
[-f]
-encode
Encodes a file to Base64.
certutil [options] -encode InFile OutFile
Options:
[-f] [-unicodetext]
-deny
Denies a pending request.
certutil [options] -deny RequestId
Options:
[-config Machine\CAName]
-resubmit
Resubmits a pending request.
certutil [options] -resubmit RequestId
Options:
[-config Machine\CAName]
-setattributes
Sets attributes for a pending certificate request.
certutil [options] -setattributes RequestId AttributeString
Where:
- RequestId is the numeric Request ID for the pending request.
- AttributeString is the request attribute name and value pairs.
Options:
[-config Machine\CAName]
Remarks
- Names and values must be colon separated, while multiple name and value pairs must be newline separated. For example:
CertificateTemplate:User\nEMail:User@Domain.com where the \n sequence is converted to a newline separator.
-setextension
Sets an extension for a pending certificate request.
certutil [options] -setextension RequestId ExtensionName Flags {Long | Date | String | @InFile}
Where:
- RequestId is the numeric Request ID for the pending request.
- ExtensionName is the ObjectId string for the extension.
- Flags sets the priority of the extension. 0 is recommended, while 1 makes the extension critical, 2 disables the extension, and 3 does both.
Options:
[-config Machine\CAName]
Remarks
- If the last parameter is numeric, it's taken as a Long.
- If the last parameter can be parsed as a date, it's taken as a Date.
- If the last parameter begins with \@, the rest of the token is taken as the filename containing binary data or an ASCII text hex dump.
- If the last parameter is anything else, it's taken as a String.
-revoke
Revokes a certificate.
certutil [options] -revoke SerialNumber [Reason]
Where:
- SerialNumber is a comma-separated list of certificate serial numbers to revoke.
- Reason is the numeric or symbolic representation of the revocation reason, including:
- 0. CRL_REASON_UNSPECIFIED - Unspecified (default)
- 1. CRL_REASON_KEY_COMPROMISE - Key compromise
- 2. CRL_REASON_CA_COMPROMISE - Certificate Authority compromise
- 3. CRL_REASON_AFFILIATION_CHANGED - Affiliation changed
- 4. CRL_REASON_SUPERSEDED - Superseded
- 5. CRL_REASON_CESSATION_OF_OPERATION - Cessation of operation
- 6. CRL_REASON_CERTIFICATE_HOLD - Certificate hold
- 8. CRL_REASON_REMOVE_FROM_CRL - Remove from CRL
- 9. CRL_REASON_PRIVILEGE_WITHDRAWN - Privilege withdrawn
- 10. CRL_REASON_AA_COMPROMISE - AA compromise
- -1. Unrevoke - Unrevokes
Options:
[-config Machine\CAName]
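An added example, not part of the certutil documentation: a PowerShell wrapper that revokes a batch of serial numbers with one of the reason codes from the table above and optionally publishes a fresh CRL with -CRL, which is the step responders forget (a revocation is invisible to relying parties until a CRL containing it is published). The function name, parameter names and the sample serial number are assumptions for illustration.

```powershell
function Invoke-CertRevocation {
    param(
        [Parameter(Mandatory)] [string[]] $SerialNumber,
        [ValidateSet('Unspecified', 'KeyCompromise', 'CACompromise', 'AffiliationChanged',
                     'Superseded', 'CessationOfOperation', 'CertificateHold',
                     'RemoveFromCRL', 'PrivilegeWithdrawn', 'AACompromise')]
        [string] $Reason = 'Unspecified',
        [string] $Config,        # 'Machine\CAName'; omit to use the default CA
        [switch] $PublishCrl     # also run certutil -CRL so clients can see the change
    )
    # Numeric reason codes from the -revoke parameter table (there is no code 7).
    $reasonCode = @{
        Unspecified = 0; KeyCompromise = 1; CACompromise = 2; AffiliationChanged = 3
        Superseded = 4; CessationOfOperation = 5; CertificateHold = 6
        RemoveFromCRL = 8; PrivilegeWithdrawn = 9; AACompromise = 10
    }[$Reason]

    $common = @()
    if ($Config) { $common = @('-config', $Config) }

    # -revoke accepts a comma-separated list of serial numbers, so one call handles a
    # whole batch (for example, every certificate issued to one compromised host).
    # Strip whitespace and colons so serials copied from a viewer are accepted.
    $serials = ($SerialNumber | ForEach-Object { $_ -replace '[\s:]', '' }) -join ','
    $out = & certutil.exe @common -revoke $serials $reasonCode 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -revoke failed (exit $LASTEXITCODE): $($out -join ' ')"
    }

    if ($PublishCrl) {
        # Publish new base and delta CRLs; without this, the revocation only exists
        # in the CA database until the next scheduled CRL publication.
        $out = & certutil.exe @common -CRL 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -CRL failed (exit $LASTEXITCODE): $($out -join ' ')"
        }
    }
    [pscustomobject]@{ Serials = $serials; Reason = $Reason; ReasonCode = $reasonCode }
}

# Constructed usage: the serial number is a placeholder, not a real certificate.
# Invoke-CertRevocation -SerialNumber '26e0aaaf000000000004' -Reason KeyCompromise -PublishCrl
```

Run it on the CA (or with -Config against a remote CA) as an account holding the Certificate Manager role; certutil returns a nonzero exit code when the revoke or publish fails, which the wrapper turns into a terminating error.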
-isvalid
Displays the disposition of the current certificate.
certutil [options] -isvalid SerialNumber | CertHash
Options:
[-config Machine\CAName]
-getconfig
Gets the default configuration string.
certutil [options] -getconfig
Options:
[-idispatch] [-config Machine\CAName]
-getconfig2
Gets the default configuration string via ICertGetConfig.
certutil [options] -getconfig2
Options:
[-idispatch]
-getconfig3
Gets the configuration via ICertConfig.
certutil [options] -getconfig3
Options:
[-idispatch]
-ping
Attempts to contact the Active Directory Certificate Services Request interface.
certutil [options] -ping [MaxSecondsToWait | CAMachineList]
Where:
- CAMachineList is a comma-separated list of CA machine names. For a single machine, use a terminating comma. This option also displays the site cost for each CA machine.
Options:
[-config Machine\CAName] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
-pingadmin
Attempts to contact the Active Directory Certificate Services Admin interface.
certutil [options] -pingadmin
Options:
[-config Machine\CAName]
-CAInfo
Displays information about the certification authority.
certutil [options] -CAInfo [InfoName [Index | ErrorCode]]
Where:
- InfoName indicates the CA property to display, based on the following infoname argument syntax:
- * - Displays all properties
- ads - Advanced Server
- aia [Index] - AIA URLs
- cdp [Index] - CDP URLs
- cert [Index] - CA cert
- certchain [Index] - CA cert chain
- certcount - CA cert count
- certcrlchain [Index] - CA cert chain with CRLs
- certstate [Index] - CA cert
- certstatuscode [Index] - CA cert verify status
- certversion [Index] - CA cert version
- CRL [Index] - Base CRL
- crlstate [Index] - CRL
- crlstatus [Index] - CRL Publish Status
- cross- [Index] - Backward cross cert
- cross+ [Index] - Forward cross cert
- crossstate- [Index] - Backward cross cert
- crossstate+ [Index] - Forward cross cert
- deltacrl [Index] - Delta CRL
- deltacrlstatus [Index] - Delta CRL Publish Status
- dns - DNS Name
- dsname - Sanitized CA short name (DS name)
- error1 ErrorCode - Error message text
- error2 ErrorCode - Error message text and error code
- exit [Index] - Exit module description
- exitcount - Exit module count
- file - File version
- info - CA info
- kra [Index] - KRA cert
- kracount - KRA cert count
- krastate [Index] - KRA cert
- kraused - KRA cert used count
- localename - CA locale name
- name - CA name
- ocsp [Index] - OCSP URLs
- parent - Parent CA
- policy - Policy module description
- product - Product version
- propidmax - Maximum CA PropId
- role - Role Separation
- sanitizedname - Sanitized CA name
- sharedfolder - Shared folder
- subjecttemplateoids - Subject Template OIDs
- templates - Templates
- type - CA type
- xchg [Index] - CA exchange cert
- xchgchain [Index] - CA exchange cert chain
- xchgcount - CA exchange cert count
- xchgcrlchain [Index] - CA exchange cert chain with CRLs
- index is the optional zero-based property index.
- errorcode is the numeric error code.
Options:
[-f] [-split] [-config Machine\CAName]
-CAPropInfo
Displays CA property type information.
certutil [options] -CAPropInfo
Options:
[-idispatch] [-v1] [-admin] [-config Machine\CAName]
-ca.cert
Retrieves the certification authority's certificate.
certutil [options] -ca.cert OutCACertFile [Index]
Where:
- OutCACertFile is the output file.
- Index is the CA certificate renewal index (defaults to most recent).
Options:
[-f] [-split] [-config Machine\CAName]
-ca.chain
Retrieves the certification authority's certificate chain.
certutil [options] -ca.chain OutCACertChainFile [Index]
Where:
- OutCACertChainFile is the output file.
- Index is the CA certificate renewal index (defaults to most recent).
Options:
[-f] [-split] [-config Machine\CAName]
-GetCRL
Gets a certificate revocation list (CRL).
certutil [options] -GetCRL OutFile [Index] [delta]
Where:
- Index is the CRL index or key index (defaults to CRL for most recent key).
- delta is the delta CRL (default is base CRL).
Options:
[-f] [-split] [-config Machine\CAName]
-CRL
Publishes a new certificate revocation list (CRL) or delta CRL.
certutil [options] -CRL [dd:hh | republish] [delta]
Where:
- dd:hh is the new CRL validity period in days and hours.
- republish republishes the most recent CRLs.
- delta publishes the delta CRLs only (default is base and delta CRLs).
Options:
[-split] [-config Machine\CAName]
-shutdown
Shuts down Active Directory Certificate Services.
certutil [options] -shutdown
Options:
[-config Machine\CAName]
-installCert
Installs a certification authority certificate.
certutil [options] -installCert [CACertFile]
Options:
[-f] [-silent] [-config Machine\CAName]
-renewCert
Renews a certification authority certificate.
certutil [options] -renewCert [ReuseKeys] [Machine\ParentCAName]
Options:
[-f] [-silent] [-config Machine\CAName]
- Use -f to ignore any outstanding renewal request and generate a new request.
-schema
Dumps the schema for the certificate database.
certutil [options] -schema [Ext | Attrib | CRL]
Where:
- The command defaults to the Request and Certificate tables.
- Ext is the extension table.
- Attribute is the attribute table.
- CRL is the CRL table.
Options:
[-split] [-config Machine\CAName]
-view
Dumps the certificate view.
certutil [options] -view [Queue | Log | LogFail | Revoked | Ext | Attrib | CRL] [csv]
Where:
- Queue dumps a specific request queue.
- Log dumps the issued or revoked certificates, plus any failed requests.
- LogFail dumps the failed requests.
- Revoked dumps the revoked certificates.
- Ext dumps the extension table.
- Attrib dumps the attribute table.
- CRL dumps the CRL table.
- csv provides the output using comma-separated values.
Options:
[-silent] [-split] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]
Remarks
- To display the StatusCode column for all entries, type: -out StatusCode
- To display all rows for the last entry, type: -restrict RequestId==$
- To display the RequestId and Disposition for three requests, type: -restrict requestID>=37,requestID<40 -out requestID,disposition
- To display Row IDs and CRL numbers for all Base CRLs, type: -restrict crlminbase=0 -out crlrowID,crlnumber crl
- To display Base CRL number 3, type: -v -restrict crlminbase=0,crlnumber=3 -out crlrawcrl crl
- To display the entire CRL table, type: CRL
- Use Date[+|-dd:hh] for date restrictions.
- Use now+dd:hh for a date relative to the current time.
- Templates contain Extended Key Usages (EKU), which are object identifiers (OIDs) that describe how a certificate is used. Certificates don't necessarily contain a template common name or display name, but they always contain the template EKU. You can retrieve the EKU for a specific certificate template from Active Directory and then restrict the view based on that extension.
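An added example, not from the certutil documentation, that applies the -restrict and -out syntax from the remarks above to a routine defender task: listing issued certificates that expire within the next N days so they can be renewed before an outage. The function name, the disposition value 20 (issued), the column names and the relative-date form now+dd:hh are assumptions based on the standard AD CS database schema and the remarks above.

```powershell
function Get-ExpiringIssuedCerts {
    param(
        [int]    $Days = 30,
        [string] $Config    # 'Machine\CAName'; omit to query the default CA
    )
    # Disposition 20 = issued (assumption: standard AD CS disposition code).
    # now+dd:hh is the relative-date form described in the -view remarks; the
    # lower bound excludes certificates that have already expired.
    $restrict = 'Disposition=20,NotAfter>now+0:00,NotAfter<=now+{0}:00' -f $Days
    $columns  = 'RequestID,RequesterName,CommonName,SerialNumber,CertificateTemplate,NotAfter'

    $argv = @('-view')
    if ($Config) { $argv += @('-config', $Config) }
    $argv += @('-restrict', $restrict, '-out', $columns, 'csv')

    $raw = & certutil.exe @argv 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -view failed (exit $LASTEXITCODE): $($raw -join ' ')"
    }

    # csv mode prints one header line and one row per matching request, plus
    # certutil's own status lines, which are dropped here. The header carries
    # display names rather than column names, so it is skipped and the requested
    # column names are reapplied by position.
    $lines = $raw | ForEach-Object { "$_" } |
             Where-Object { $_ -and $_ -notmatch '^(CertUtil:|Maximum Row Index)' }
    if (@($lines).Count -lt 2) { return @() }
    $lines | Select-Object -Skip 1 | ConvertFrom-Csv -Header ($columns -split ',')
}

# Example run: certificates expiring within 14 days, sorted soonest first.
# Get-ExpiringIssuedCerts -Days 14 | Sort-Object { [datetime]$_.NotAfter } | Format-Table
```

Because each -restrict clause is evaluated by the CA database rather than client side, this stays fast on large databases, which the -store Note later on this page warns is not the case for store-based matching.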
-db
Dumps the raw database.
certutil [options] -db
Options:
[-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]
-deleterow
Deletes rows from the server database.
certutil [options] -deleterow RowId | Date [Request | Cert | Ext | Attrib | CRL]
Where:
- Request deletes the failed and pending requests, based on submission date.
- Cert deletes the expired and revoked certificates, based on expiration date.
- Ext deletes the extension table.
- Attrib deletes the attribute table.
- CRL deletes the CRL table.
Options:
[-f] [-config Machine\CAName]
Examples
- To delete failed and pending requests submitted before January 22, 2001, type: 1/22/2001 request
- To delete all certificates that expired on January 22, 2001, type: 1/22/2001 cert
- To delete the certificate row, attributes, and extensions for RequestID 37, type: 37
- To delete CRLs that expired on January 22, 2001, type: 1/22/2001 crl
Note
Date expects the format mm/dd/yyyy rather than dd/mm/yyyy, for example 1/22/2001 rather than 22/1/2001 for January 22, 2001. If your server isn't configured with US regional settings, using the Date argument might produce unexpected results.
-backup
Backs up Active Directory Certificate Services.
certutil [options] -backup BackupDirectory [Incremental] [KeepLog]
Where:
- BackupDirectory is the directory to store the backed up data.
- Incremental performs an incremental backup only (default is full backup).
- KeepLog preserves the database log files (default is to truncate log files).
Options:
[-f] [-config Machine\CAName] [-p Password] [-ProtectTo SAMNameAndSIDList]
-backupDB
Backs up the Active Directory Certificate Services database.
certutil [options] -backupdb BackupDirectory [Incremental] [KeepLog]
Where:
- BackupDirectory is the directory to store the backed up database files.
- Incremental performs an incremental backup only (default is full backup).
- KeepLog preserves the database log files (default is to truncate log files).
Options:
[-f] [-config Machine\CAName]
-backupkey
Backs up the Active Directory Certificate Services certificate and private key.
certutil [options] -backupkey BackupDirectory
Where:
- BackupDirectory is the directory to store the backed up PFX file.
Options:
[-f] [-config Machine\CAName] [-p password] [-ProtectTo SAMNameAndSIDList] [-t Timeout]
-restore
Restores Active Directory Certificate Services.
certutil [options] -restore BackupDirectory
Where:
- BackupDirectory is the directory containing the data to be restored.
Options:
[-f] [-config Machine\CAName] [-p password]
-restoredb
Restores the Active Directory Certificate Services database.
certutil [options] -restoredb BackupDirectory
Where:
- BackupDirectory is the directory containing the database files to be restored.
Options:
[-f] [-config Machine\CAName]
-restorekey
Restores the Active Directory Certificate Services certificate and private key.
certutil [options] -restorekey BackupDirectory | PFXFile
Where:
- BackupDirectory is the directory containing PFX file to be restored.
- PFXFile is the PFX file to be restored.
Options:
[-f] [-config Machine\CAName] [-p password]
-exportPFX
Exports the certificate and private key. For more information, see the -store parameter in this article.
certutil [options] -exportPFX [CertificateStoreName] CertId PFXFile [Modifiers]
Where:
- CertificateStoreName is the name of the certificate store.
- CertId is the certificate or CRL match token.
- PFXFile is the PFX file to be exported.
- Modifiers are the comma-separated list, which can include one or more of the following:
- CryptoAlgorithm= specifies the cryptographic algorithm to use for encrypting the PFX file, such as TripleDES-Sha1 or Aes256-Sha256.
- EncryptCert - Encrypts the private key associated with the certificate with a password.
- ExportParameters - Exports the private key parameters in addition to the certificate and private key.
- ExtendedProperties - Includes all extended properties associated with the certificate in the output file.
- NoEncryptCert - Exports the private key without encrypting it.
- NoChain - Doesn't import the certificate chain.
- NoRoot - Doesn't import the root certificate.
-importPFX
Imports the certificate and private key. For more information, see the -store parameter in this article.
certutil [options] -importPFX [CertificateStoreName] PFXFile [Modifiers]
Where:
- CertificateStoreName is the name of the certificate store.
- PFXFile is the PFX file to be imported.
- Modifiers are the comma-separated list, which can include one or more of the following:
- AT_KEYEXCHANGE - Changes the keyspec to key exchange.
- AT_SIGNATURE - Changes the keyspec to signature.
- ExportEncrypted - Exports the private key associated with the certificate with password encryption.
- FriendlyName= - Specifies a friendly name for the imported certificate.
- KeyDescription= - Specifies a description for the private key associated with the imported certificate.
- KeyFriendlyName= - Specifies a friendly name for the private key associated with the imported certificate.
- NoCert - Doesn't import the certificate.
- NoChain - Doesn't import the certificate chain.
- NoExport - Makes the private key non-exportable.
- NoProtect - Doesn't password protect keys by using a password.
- NoRoot - Doesn't import the root certificate.
- Pkcs8 - Uses PKCS8 format for the private key in the PFX file.
- Protect - Protects keys by using a password.
- ProtectHigh - Specifies that a high-security password must be associated with the private key.
- VSM - Stores the private key associated with the imported certificate in the Virtual Smart Card (VSC) container.
Options:
[-f] [-Enterprise] [-user] [-GroupPolicy] [-Silent] [-p Password] [-csp Provider]
Remarks
- Defaults to the personal machine store.
-dynamicfilelist
Displays the dynamic file list.
certutil [options] -dynamicfilelist
Options:
[-config Machine\CAName]
-databaselocations
Displays the database locations.
certutil [options] -databaselocations
Options:
[-config Machine\CAName]
-hashfile
Generates and displays a cryptographic hash over a file.
certutil [options] -hashfile InFile [HashAlgorithm]
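An added example, not from the certutil documentation: a PowerShell wrapper around -hashfile that parses the digest out of certutil's output and compares it with a published hash, the check you want before installing a downloaded binary. The function names are assumptions; the parser accepts both the older output style (byte pairs separated by spaces) and the newer one (one unbroken hex string), and the self-check uses the FIPS 180-2 SHA-256 test vector for the bytes "abc", written to a constructed temporary file.

```powershell
function Get-CertutilFileHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')] [string] $Algorithm = 'SHA256'
    )
    $out = & certutil.exe -hashfile $Path $Algorithm 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -hashfile failed (exit $LASTEXITCODE): $($out -join ' ')"
    }
    # Output is three lines: "<ALG> hash of <file>:", the digest, and a CertUtil status
    # line. Only the digest line consists purely of hex digits and spaces, so select it
    # that way rather than by position, then strip the spaces older builds insert.
    $digest = ($out | ForEach-Object { "$_" } |
               Where-Object { $_ -match '^[0-9a-fA-F ]+$' } |
               Select-Object -First 1) -replace '\s', ''
    if (-not $digest) { throw 'no digest line found in certutil output' }
    $digest.ToLowerInvariant()
}

function Test-CertutilFileHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected,
        [string] $Algorithm = 'SHA256'
    )
    $actual = Get-CertutilFileHash -Path $Path -Algorithm $Algorithm
    # Normalise the published value the same way (vendors print "AB:CD" or "ab cd").
    $want = ($Expected -replace '[\s:]', '').ToLowerInvariant()
    # Compare the whole digest; a prefix comparison would silently weaken the check.
    [pscustomobject]@{
        Path = $Path; Algorithm = $Algorithm
        Expected = $want; Actual = $actual; Match = ($actual -eq $want)
    }
}

# Self-check on a constructed input: SHA-256("abc") is a published test vector,
# so this must report Match = True on any build of certutil.
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'certutil-hash-demo.bin'
[IO.File]::WriteAllBytes($tmp, [Text.Encoding]::ASCII.GetBytes('abc'))
Test-CertutilFileHash -Path $tmp -Expected 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'
Remove-Item $tmp
```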
-store
Dumps the certificate store.
certutil [options] -store [CertificateStoreName [CertId [OutputFile]]]
Where:
CertificateStoreName is the certificate store name. For example:
My, CA (default), Root,
ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority (View Root Certificates)
ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Modify Root Certificates)
ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint (View CRLs)
ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Enterprise CA Certificates)
ldap: (AD computer object certificates)
-user ldap: (AD user object certificates)
CertId is the certificate or CRL match token. This identifier can be:
- Serial number
- SHA-1 certificate
- CRL, CTL, or public key hash
- Numeric certificate index (0, 1, and so on)
- Numeric CRL index (.0, .1, and so on)
- Numeric CTL index (..0, ..1, and so on)
- Public key
- Signature or extension ObjectId
- Certificate subject common name
- E-mail address
- UPN or DNS name
- Key container name or CSP name
- Template name or ObjectId
- EKU or application policy ObjectId
- CRL issuer common name.
Many of these identifiers can result in multiple matches.
- OutputFile is the file used to save the matching certificates.
Options:
[-f] [-Enterprise] [-user] [-GroupPolicy] [-Silent] [-split] [-dc DCName]
- The -user option accesses the user store instead of the machine store.
- The -enterprise option accesses the machine enterprise store.
- The -service option accesses the machine service store.
- The -grouppolicy option accesses the machine group policy store.
For example:
-enterprise NTAuth
-enterprise Root 37
-user My 26e0aaaf000000000004
CA .11
Note
Performance issues are observed when using the -store parameter in the following two cases:
- When the number of certificates in the store exceeds 10.
- When a CertId is specified, it's used to match all the listed types for every certificate. For example, if a serial number is provided, it will also attempt to match all other listed types.
If you're concerned about performance, we recommend using PowerShell commands, which match only the specified certificate type.
-enumstore
Enumerates certificate stores.
certutil [options] -enumstore [\\MachineName]
Where:
- MachineName is the remote machine name.
Options:
[-enterprise] [-user] [-grouppolicy]
-addstore
Adds a certificate to the store. For more information, see the -store parameter in this article.
certutil [options] -addstore CertificateStoreName InFile
Where:
- CertificateStoreName is the certificate store name.
- InFile is the certificate or CRL file you want to add to the store.
Options:
[-f] [-Enterprise] [-user] [-GroupPolicy] [-dc DCName]
-delstore
Deletes a certificate from the store. For more information, see the -store parameter in this article.
certutil [options] -delstore CertificateStoreName certID
Where:
- CertificateStoreName is the certificate store name.
- CertId is the certificate or CRL match token.
Options:
[-f] [-Enterprise] [-user] [-GroupPolicy] [-Silent] [-dc DCName]
-verifystore
Verifies a certificate in the store. For more information, see the -store parameter in this article.
certutil [options] -verifystore CertificateStoreName [CertId]
Where:
- CertificateStoreName is the certificate store name.
- CertId is the certificate or CRL match token.
Options:
[-Enterprise] [-user] [-GroupPolicy] [-Silent] [-split] [-dc DCName] [-t Timeout]
-repairstore
Repairs the key association, or updates certificate properties or the key security descriptor. For more information, see the -store parameter in this article.
certutil [options] -repairstore CertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor]
Where:
CertificateStoreName is the certificate store name.
CertIdList is the comma-separated list of certificate or CRL match tokens. For more information, see the CertId description in the -store parameter in this article.
PropertyInfFile is the INF file containing external properties, including:
[Properties]
19 = Empty ; Add archived property, OR:
19 = ; Remove archived property
11 = {text}Friendly Name ; Add friendly name property
127 = {hex} ; Add custom hexadecimal property
_continue_ = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
_continue_ = 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
2 = {text} ; Add Key Provider Information property
_continue_ = Container=Container Name&
_continue_ = Provider=Microsoft Strong Cryptographic Provider&
_continue_ = ProviderType=1&
_continue_ = Flags=0&
_continue_ = KeySpec=2
9 = {text} ; Add Enhanced Key Usage property
_continue_ = 1.3.6.1.5.5.7.3.2,
_continue_ = 1.3.6.1.5.5.7.3.1,
Options:
[-f] [-Enterprise] [-user] [-GroupPolicy] [-Silent] [-split] [-csp Provider]
-viewstore
Dumps the certificate store. For more information, see the -store parameter in this article.
certutil [options] -viewstore [CertificateStoreName [CertId [OutputFile]]]
Where:
CertificateStoreName is the certificate store name. For example:
My, CA (default), Root,
ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority (View Root Certificates)
ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Modify Root Certificates)
ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint (View CRLs)
ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Enterprise CA Certificates)
ldap: (AD computer object certificates)
-user ldap: (AD user object certificates)
CertId is the certificate or CRL match token. This can be:
- Serial number
- SHA-1 certificate
- CRL, CTL, or public key hash
- Numeric certificate index (0, 1, and so on)
- Numeric CRL index (.0, .1, and so on)
- Numeric CTL index (..0, ..1, and so on)
- Public key
- Signature or extension ObjectId
- Certificate subject common name
- E-mail address
- UPN or DNS name
- Key container name or CSP name
- Template name or ObjectId
- EKU or application policy ObjectId
- CRL issuer common name.
Many of these can result in multiple matches.
- OutputFile is the file used to save the matching certificates.
Options:
[-f] [-Enterprise] [-user] [-GroupPolicy] [-dc DCName]
- The -user option accesses the user store instead of the machine store.
- The -enterprise option accesses the machine enterprise store.
- The -service option accesses the machine service store.
- The -grouppolicy option accesses the machine group policy store.
For example:
-enterprise NTAuth
-enterprise Root 37
-user My 26e0aaaf000000000004
CA .11
-viewdelstore
Deletes a certificate from the store.
certutil [options] -viewdelstore [CertificateStoreName [CertId [OutputFile]]]
Where:
CertificateStoreName is the certificate store name. For example:
My, CA (default), Root,
ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority (View Root Certificates)
ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Modify Root Certificates)
ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint (View CRLs)
ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Enterprise CA Certificates)
ldap: (AD computer object certificates)
-user ldap: (AD user object certificates)
CertId is the certificate or CRL match token. This can be:
- Serial number
- SHA-1 certificate
- CRL, CTL, or public key hash
- Numeric certificate index (0, 1, and so on)
- Numeric CRL index (.0, .1, and so on)
- Numeric CTL index (..0, ..1, and so on)
- Public key
- Signature or extension ObjectId
- Certificate subject common name
- E-mail address
- UPN or DNS name
- Key container name or CSP name
- Template name or ObjectId
- EKU or application policy ObjectId
- CRL issuer common name.
Many of these can result in multiple matches.
- OutputFile is the file used to save the matching certificates.
Options:
[-f] [-Enterprise] [-user] [-GroupPolicy] [-dc DCName]
- The -user option accesses the user store instead of the machine store.
- The -enterprise option accesses the machine enterprise store.
- The -service option accesses the machine service store.
- The -grouppolicy option accesses the machine group policy store.
For example:
-enterprise NTAuth
-enterprise Root 37
-user My 26e0aaaf000000000004
CA .11
-UI
Invokes the certutil interface.
certutil [options] -UI File [import]
-TPMInfo
Displays Trusted Platform Module information.
certutil [options] -TPMInfo
Options:
[-f] [-Silent] [-split]
-attest
Specifies that the certificate request file should be attested.
certutil [options] -attest RequestFile
Options:
[-user] [-Silent] [-split]
-getcert
Selects a certificate from a selection UI.
certutil [options] -getcert [ObjectId | ERA | KRA [CommonName]]
Options:
[-Silent] [-split]
-ds
Displays the directory service (DS) distinguished name (DN).
certutil [options] -ds [CommonName]
Options:
[-f] [-user] [-split] [-dc DCName]
-dsDel
Deletes the DS DN.
certutil [options] -dsDel [CommonName]
Options:
[-user] [-split] [-dc DCName]
-dsPublish
Publishes a certificate or certificate revocation list (CRL) to Active Directory.
certutil [options] -dspublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
certutil [options] -dspublish CRLfile [DSCDPContainer [DSCDPCN]]
Where:
- CertFile is the name of the certificate file to publish.
- NTAuthCA publishes the certificate to the DS Enterprise store.
- RootCA publishes the certificate to the DS Trusted Root store.
- SubCA publishes the CA certificate to the DS CA object.
- CrossCA publishes the cross-certificate to the DS CA object.
- KRA publishes the certificate to the DS Key Recovery Agent object.
- User publishes the certificate to the User DS object.
- Machine publishes the certificate to the Machine DS object.
- CRLfile is the name of the CRL file to publish.
- DSCDPContainer is the DS CDP container CN, usually the CA machine name.
- DSCDPCN is the DS CDP object CN based on the sanitized CA short name and key index.
Options:
[-f] [-user] [-dc DCName]
- Use -f to create a new DS object.
-dsCert
Displays the DS certificate.
certutil [options] -dsCert [FullDSDN] | [CertId [OutFile]]
Options:
[-Enterprise] [-user] [-config Machine\CAName] [-dc DCName]
-dsCRL
Displays the DS CRL.
certutil [options] -dsCRL [FullDSDN] | [CRLIndex [OutFile]]
Options:
[-idispatch] [-Enterprise] [-user] [-config Machine\CAName] [-dc DCName]
-dsDeltaCRL
Displays the DS delta CRL.
certutil [options] -dsDeltaCRL [FullDSDN] | [CRLIndex [OutFile]]
Options:
[-Enterprise] [-user] [-config Machine\CAName] [-dc DCName]
-dsTemplate
Displays the DS template attributes.
certutil [options] -dsTemplate [Template]
Options:
[-Silent] [-dc DCName]
-dsAddTemplate
Adds a DS template.
certutil [options] -dsAddTemplate TemplateInfFile
Options:
[-dc DCName]
-ADTemplate
Displays Active Directory templates.
certutil [options] -ADTemplate [Template]
Options:
[-f] [-user] [-ut] [-mt] [-dc DCName]
-Template
Displays certificate enrollment policy templates.
certutil [options] -Template [Template]
Options:
[-f] [-user] [-Silent] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
-TemplateCAs
Displays the certification authorities (CAs) for a certificate template.
certutil [options] -TemplateCAs Template
Options:
[-f] [-user] [-dc DCName]
-CATemplates
Displays the templates for the certification authority.
certutil [options] -CATemplates [Template]
Options:
[-f] [-user] [-ut] [-mt] [-config Machine\CAName] [-dc DCName]
-SetCATemplates
Sets the certificate templates that the certification authority can issue.
certutil [options] -SetCATemplates [+ | -] TemplateList
Where:
- The + sign adds the certificate templates to the CA's list of available templates.
- The - sign removes the certificate templates from the CA's list of available templates.
-SetCASites
Manages site names, including setting, verifying, and deleting certification authority site names.
certutil [options] -SetCASites [set] [SiteName]
certutil [options] -SetCASites verify [SiteName]
certutil [options] -SetCASites delete
Where:
- SiteName is allowed only when targeting a single Certificate Authority.
Options:
[-f] [-config Machine\CAName] [-dc DCName]
Remarks
- The -config option targets a single certification authority (default is all CAs).
- The -f option can be used to override validation errors for the specified SiteName or to delete all CA site names.
Note
For more information about setting up Active Directory Domain Services (AD DS) site-aware CAs, see AD DS Site Awareness for AD CS and PKI clients.
-enrollmentServerURL
Displays, adds, or deletes enrollment server URLs associated with a CA.
certutil [options] -enrollmentServerURL [URL AuthenticationType [Priority] [Modifiers]]
certutil [options] -enrollmentserverURL URL delete
Where:
- AuthenticationType specifies one of the following client authentication methods while adding a URL:
- Kerberos - Use Kerberos SSL credentials.
- UserName - Use a named account for SSL credentials.
- ClientCertificate - Use X.509 Certificate SSL credentials.
- Anonymous - Use anonymous SSL credentials.
- delete deletes the specified URL associated with the CA.
- Priority defaults to 1 if not specified when adding a URL.
- Modifiers is a comma-separated list, which includes one or more of the following:
- AllowRenewalsOnly only renewal requests can be submitted to this CA via this URL.
- AllowKeyBasedRenewal allows use of a certificate that has no associated account in the AD. This applies only with ClientCertificate and AllowRenewalsOnly mode.
Options:
[-config Machine\CAName] [-dc DCName]
-ADCA
Displays Active Directory certification authorities.
certutil [options] -ADCA [CAName]
Options:
[-f] [-split] [-dc DCName]
-CA
Displays enrollment policy certification authorities.
certutil [options] -CA [CAName | TemplateName]
Options:
[-f] [-user] [-Silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
-Policy
Displays enrollment policy.
certutil [options] -Policy
Options:
[-f] [-user] [-Silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
-PolicyCache
Displays or deletes enrollment policy cache entries.
certutil [options] -PolicyCache [delete]
Where:
- delete deletes the policy server cache entries.
- -f deletes all cache entries
Options:
[-f] [-user] [-policyserver URLorID]
-CredStore
Displays, adds, or deletes credential store entries.
certutil [options] -CredStore [URL]
certutil [options] -CredStore URL add
certutil [options] -CredStore URL delete
Where:
- URL is the target URL. You can also use * to match all entries or https://machine* to match a URL prefix.
- add adds a credential store entry. Using this option also requires SSL credentials.
- delete deletes credential store entries.
- -f overwrites a single entry or deletes multiple entries.
Options:
[-f] [-user] [-Silent] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
-InstallDefaultTemplates
Installs the default certificate templates.
certutil [options] -InstallDefaultTemplates
Options:
[-dc DCName]
-URL
Verifies a certificate or CRL URL.
certutil [options] -URL InFile | URL
Options:
[-f] [-split]
-URLCache
Displays or deletes URL cache entries.
certutil [options] -URLcache [URL | CRL | * [delete]]
Where:
- URL is the cached URL.
- CRL runs on all cached CRL URLs only.
- * operates on all cached URLs.
- delete deletes relevant URLs from the current user's local cache.
- -f forces fetching a specific URL and updating the cache.
Options:
[-f] [-split]
-pulse
Pulses auto-enrollment events or NGC tasks.
certutil [options] -pulse [TaskName [SRKThumbprint]]
Where:
- TaskName is the task to trigger.
- Pregen is the NGC Key pregen task.
- AIKEnroll is the NGC AIK certificate enrollment task. (Default is the auto-enrollment event.)
- SRKThumbprint is the thumbprint of the Storage Root Key
- Modifiers:
- Pregen
- PregenDelay
- AIKEnroll
- CryptoPolicy
- NgcPregenKey
- DIMSRoam
Options:
[-user]
-MachineInfo
Displays information about the Active Directory machine object.
certutil [options] -MachineInfo DomainName\MachineName$
-DCInfo
Displays information about domain controllers. By default, DC certificates are displayed without verification.
certutil [options] -DCInfo [Domain] [Verify | DeleteBad | DeleteAll]
Modifiers:
- Verify
- DeleteBad
- DeleteAll
Options:
[-f] [-user] [-urlfetch] [-dc DCName] [-t Timeout]
Tip
The ability to specify an Active Directory Domain Services (AD DS) domain [Domain] and to specify a domain controller (-dc) was added in Windows Server 2012. To successfully run the command, you must use an account that is a member of Domain Admins or Enterprise Admins. The behavior of this command is modified as follows:
- If no domain is specified, and no specific domain controller is specified, this option returns the list of domain controllers to process from the default domain controller.
- If no domain is specified, but a domain controller is specified, a report of the certificates on the specified domain controller is generated.
- If a domain is specified, but no domain controller is specified, a list of domain controllers is generated along with a report of the certificates for each domain controller in the list.
- If a domain and a domain controller are specified, a list of domain controllers is generated from the targeted domain controller. A report of the certificates for each domain controller in the list is also generated.
For example, assume there is a domain named CPANDL with a domain controller named CPANDL-DC1. You can run the following command to retrieve a list of domain controllers and their certificates from CPANDL-DC1: certutil -dc cpandl-dc1 -DCInfo cpandl.
-EntInfo
Displays information about the enterprise certification authority.
certutil [options] -EntInfo DomainName\MachineName$
Options:
[-f] [-user]
-TCAInfo
Displays information about the certification authority.
certutil [options] -TCAInfo [DomainDN | -]
Options:
[-f] [-Enterprise] [-user] [-urlfetch] [-dc DCName] [-t Timeout]
-SCInfo
Displays information about the smart card.
certutil [options] -scinfo [ReaderName [CRYPT_DELETEKEYSET]]
Where:
- CRYPT_DELETEKEYSET deletes all keys on the smart card.
Options:
[-Silent] [-split] [-urlfetch] [-t Timeout]
-SCRoots
Manages smart card root certificates.
certutil [options] -SCRoots update [+][InputRootFile] [ReaderName]
certutil [options] -SCRoots save @OutputRootFile [ReaderName]
certutil [options] -SCRoots view [InputRootFile | ReaderName]
certutil [options] -SCRoots delete [ReaderName]
Options:
[-f] [-split] [-p Password]
-key
Lists the keys stored in a key container.
certutil [options] -key [KeyContainerName | -]
Where:
- KeyContainerName is the key container name for the key to verify. This option defaults to machine keys. To switch to user keys, use -user.
- The - symbol means to use the default key container.
Options:
[-user] [-Silent] [-split] [-csp Provider] [-Location AlternateStorageLocation]
-delkey
Deletes the named key container.
certutil [options] -delkey KeyContainerName
Options:
[-user] [-Silent] [-split] [-csp Provider] [-Location AlternateStorageLocation]
-DeleteHelloContainer
Deletes the Windows Hello container, removing all associated credentials stored on the device, including any WebAuthn and FIDO credentials.
Users must sign out after using this option for it to complete.
certutil [options] -DeleteHelloContainer
-verifykeys
Verifies a public or private key set.
certutil [options] -verifykeys [KeyContainerName CACertFile]
Where:
- KeyContainerName is the key container name for the key to verify. This option defaults to machine keys. To switch to user keys, use -user.
- CACertFile signs or encrypts certificate files.
Options:
[-f] [-user] [-Silent] [-config Machine\CAName]
Remarks
- If no arguments are specified, each signing CA certificate is verified against its private key.
- This operation can only be performed against a local CA or local keys.
-verify
Verifies a certificate, certificate revocation list (CRL), or certificate chain.
certutil [options] -verify CertFile [ApplicationPolicyList | - [IssuancePolicyList]] [Modifiers]
certutil [options] -verify CertFile [CACertFile [CrossedCACertFile]]
certutil [options] -verify CRLFile CACertFile [IssuedCertFile]
certutil [options] -verify CRLFile CACertFile [DeltaCRLFile]
Where:
- CertFile is the name of the certificate to verify.
- ApplicationPolicyList is the optional comma-separated list of required Application Policy ObjectIds.
- IssuancePolicyList is the optional comma-separated list of required Issuance Policy ObjectIds.
- CACertFile is the optional issuing CA certificate to verify against.
- CrossedCACertFile is the optional certificate cross-certified by CertFile.
- CRLFile is the CRL file used to verify the CACertFile.
- IssuedCertFile is the optional issued certificate covered by the CRLfile.
- DeltaCRLFile is the optional delta CRL file.
- Modifiers:
  - Strong - strong signature verification
  - MSRoot - must chain to a Microsoft root
  - MSTestRoot - must chain to a Microsoft test root
  - AppRoot - must chain to a Microsoft application root
  - EV - enforce Extended Validation policy
Options:
[-f] [-Enterprise] [-user] [-Silent] [-split] [-urlfetch] [-t Timeout] [-sslpolicy ServerName]
Remarks
- Using ApplicationPolicyList restricts chain building to only chains valid for the specified Application Policies.
- Using IssuancePolicyList restricts chain building to only chains valid for the specified Issuance Policies.
- Using CACertFile verifies the fields in the file against CertFile or CRLfile.
- If CACertFile isn't specified, the full chain is built and verified against CertFile.
- If CACertFile and CrossedCACertFile are both specified, the fields in both files are verified against CertFile.
- Using IssuedCertFile verifies the fields in the file against CRLfile.
- Using DeltaCRLFile verifies the fields in the file against CertFile.
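An added example, not part of the certutil reference, of driving -verify from PowerShell so that the result of a chain or CRL check can be acted on by a script: the certificate is verified with -urlfetch and a bounded -t timeout, and a CRL is verified against its issuing CA certificate. File names are placeholders; the HRESULT scan is a heuristic added here, since certutil can report that the -verify command completed while the chain it printed carries a failure code.

```powershell
# Added example, not from the certutil reference. Runs 'certutil [options] -verify ...'
# and classifies the outcome. File names below are placeholders.

function Invoke-CertutilVerify {
    param(
        [string[]] $GlobalOptions = @(),                   # options that precede the -verify verb
        [Parameter(Mandatory)] [string[]] $VerifyArgs      # arguments that follow -verify
    )
    $output = & certutil @GlobalOptions '-verify' @VerifyArgs 2>&1 | Out-String
    $exit = $LASTEXITCODE
    # Heuristic (not documented certutil behaviour): chain and revocation failures are
    # printed with a failure HRESULT (0x8xxxxxxx), e.g. an untrusted root or an offline
    # revocation server. Collect them so a "completed" run with a bad chain still fails.
    $hresults = @([regex]::Matches($output, '0x8[0-9a-fA-F]{7}') |
                  ForEach-Object { $_.Value } | Select-Object -Unique)
    [pscustomobject]@{
        Passed   = ($exit -eq 0 -and $hresults.Count -eq 0)
        ExitCode = $exit
        Hresults = $hresults
        Output   = $output        # kept so a failing chain can be inspected
    }
}

function Test-CertificateChain {
    # Builds and verifies the chain for CertFile, fetching AIA certificates and CDP CRLs.
    param(
        [Parameter(Mandatory)] [string] $CertFile,
        [int] $TimeoutMs = 15000                           # -t: URL fetch timeout in milliseconds
    )
    Invoke-CertutilVerify -GlobalOptions @('-urlfetch', '-t', "$TimeoutMs") -VerifyArgs @($CertFile)
}

function Test-CrlAgainstIssuer {
    # Verifies CrlFile against CaCertFile; IssuedCertFile, if given, is checked against the CRL.
    param(
        [Parameter(Mandatory)] [string] $CrlFile,
        [Parameter(Mandatory)] [string] $CaCertFile,
        [string] $IssuedCertFile
    )
    $crlArgs = @($CrlFile, $CaCertFile)
    if ($IssuedCertFile) { $crlArgs += $IssuedCertFile }
    Invoke-CertutilVerify -VerifyArgs $crlArgs
}

# Usage (placeholder file names):
# Test-CertificateChain -CertFile '.\server.cer' | Format-List Passed, ExitCode, Hresults
# Test-CrlAgainstIssuer -CrlFile '.\issuing.crl' -CaCertFile '.\issuing-ca.cer' -IssuedCertFile '.\server.cer'
```

The full certutil output is retained in the returned object rather than discarded, because the chain dump is what tells you which element failed and why; the Passed flag is only a summary for scheduled checks.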
-verifyCTL
Verifies the AuthRoot or Disallowed Certificates CTL.
certutil [options] -verifyCTL CTLobject [CertDir] [CertFile]
Where:
- CTLObject identifies the CTL to verify, including:
  - AuthRootWU reads the AuthRoot CAB and matching certificates from the URL cache. Use -f instead to download from Windows Update.
  - DisallowedWU reads the Disallowed Certificates CAB and disallowed certificate store file from the URL cache. Use -f instead to download from Windows Update.
  - PinRulesWU reads the PinRules CAB from the URL cache. Use -f instead to download from Windows Update.
  - AuthRoot reads the registry-cached AuthRoot CTL. Use with -f and an untrusted CertFile to force the registry cached AuthRoot and Disallowed Certificate CTLs to update.
  - Disallowed reads the registry-cached Disallowed Certificates CTL. Use with -f and an untrusted CertFile to force the registry cached AuthRoot and Disallowed Certificate CTLs to update.
  - PinRules reads the registry cached PinRules CTL. Using -f has the same behavior as with PinRulesWU.
  - CTLFileName specifies the file or http path to the CTL or CAB file.
- CertDir specifies the folder containing certificates matching the CTL entries. Defaults to the same folder or website as the CTLobject. Using an HTTP folder path requires a trailing path separator. If you don't specify AuthRoot or Disallowed, multiple locations are searched for matching certificates, including local certificate stores, crypt32.dll resources and the local URL cache. Use -f to download from Windows Update as needed.
- CertFile specifies the certificate(s) to verify. Certificates are matched against the CTL entries and the results are displayed. This option suppresses most of the default output.
Options:
[-f] [-user] [-split]
-syncWithWU
Synchronizes certificates with Windows Update.
certutil [options] -syncWithWU DestinationDir
Where:
- DestinationDir is the specified directory.
- -f forces an overwrite.
- -Unicode writes redirected output in Unicode.
- -gmt displays times as GMT.
- -seconds displays times with seconds and milliseconds.
- -v is a verbose operation.
- PIN is the smart card PIN.
- WELL_KNOWN_SID_TYPE is a numeric SID:
  - 22 - Local System
  - 23 - Local Service
  - 24 - Network Service
Remarks
Uses the automatic update mechanism to download the following files:
- authrootstl.cab contains the CTLs of non-Microsoft root certificates.
- disallowedcertstl.cab contains the CTLs of untrusted certificates.
- disallowedcert.sst contains the serialized certificate store, including the untrusted certificates.
- thumbprint.crt contains the non-Microsoft root certificates.
For example: certutil -syncWithWU \\server1\PKI\CTLs.
If you use a non-existent local path or folder as the destination folder, you see the error:
The system can't find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
If you use a non-existent or unavailable network location as the destination folder, you see the error:
The network name can't be found. 0x80070043 (WIN32: 67 ERROR_BAD_NET_NAME)
If your server can't connect to the Microsoft Automatic Update servers over TCP port 80, you get the following error:
A connection with the server couldn't be established 0x80072efd (INet: 12029 ERROR_INTERNET_CANNOT_CONNECT)
If your server can't connect to the Microsoft Automatic Update servers using the DNS name ctldl.windowsupdate.com, you get the following error:
The server name or address couldn't be resolved 0x80072ee7 (INet: 12007 ERROR_INTERNET_NAME_NOT_RESOLVED).
If you don't use the -f parameter and any CTL files already exist in the directory, you get a file exists error:
certutil: -syncWithWU command FAILED: 0x800700b7 (WIN32/HTTP: 183 ERROR_ALREADY_EXISTS) Certutil: Can't create a file when that file already exists.
If there has been a change in the trusted root certificates, you see:
Warning! Encountered the following no longer trusted roots: <folder path>\<thumbprint>.crt. Use "-f" option to force the delete of the above ".crt" files. Was "authrootstl.cab" updated? If yes, consider deferring the delete until all clients have been updated.
Options:
[-f] [-Unicode] [-gmt] [-seconds] [-v] [-privatekey] [-pin PIN] [-sid WELL_KNOWN_SID_TYPE]
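An added example, not part of the certutil reference, that wraps -syncWithWU for populating a CTL distribution folder on a schedule. It handles the two local failure cases listed above (a missing destination folder, and existing files without -f), recognises the connectivity errors by their documented codes, and reports rather than acts on the "no longer trusted roots" warning. The destination path is a placeholder.

```powershell
# Added example, not from the certutil reference. Pulls the AuthRoot and Disallowed
# Certificates CTLs from Windows Update into a folder and reports what happened.

function Sync-CtlsFromWindowsUpdate {
    param(
        [Parameter(Mandatory)] [string] $DestinationDir,   # placeholder, e.g. 'C:\PKI\CTLs'
        [switch] $Force                                    # adds -f so existing CTL files are overwritten
    )
    # certutil reports 0x80070002 (ERROR_FILE_NOT_FOUND) for a missing local folder
    # instead of creating it, so create it first.
    if (-not (Test-Path -LiteralPath $DestinationDir)) {
        New-Item -ItemType Directory -Path $DestinationDir | Out-Null
    }

    $cuArgs = @()
    if ($Force) { $cuArgs += '-f' }
    $cuArgs += @('-syncWithWU', $DestinationDir)
    $output = & certutil @cuArgs 2>&1 | Out-String
    $exit = $LASTEXITCODE

    # Files the reference says the automatic update mechanism downloads.
    $expected = @('authrootstl.cab', 'disallowedcertstl.cab', 'disallowedcert.sst')
    $present  = @($expected | Where-Object { Test-Path -LiteralPath (Join-Path $DestinationDir $_) })

    [pscustomobject]@{
        Succeeded       = ($exit -eq 0)
        ExitCode        = $exit
        # 0x800700b7 (ERROR_ALREADY_EXISTS): files are already there; rerun with -Force.
        NeedsForce      = ($output -match '0x800700b7')
        # Documented TCP/DNS failures reaching the Automatic Update servers.
        CannotConnect   = ($output -match '0x80072efd|0x80072ee7')
        # A root left the trusted set. The reference advises deferring the .crt delete
        # until all clients have updated, so this only surfaces the warning.
        RootsDistrusted = ($output -match 'no longer trusted roots')
        PresentFiles    = $present
        MissingFiles    = @($expected | Where-Object { $present -notcontains $_ })
        Output          = $output
    }
}

# Usage (placeholder path):
# Sync-CtlsFromWindowsUpdate -DestinationDir 'C:\PKI\CTLs' -Force |
#     Format-List Succeeded, NeedsForce, CannotConnect, RootsDistrusted, MissingFiles
```

Treat RootsDistrusted as a change-control signal: a root disappearing from authrootstl.cab is exactly the event you want a human to review before the matching .crt files are deleted from a folder that other machines consume.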
-generateSSTFromWU
Generates a store file synchronized with Windows Update.
certutil [options] -generateSSTFromWU SSTFile
Where:
- SSTFile is the .sst file to be generated that contains the Third Party Roots downloaded from Windows Update.
Options:
[-f] [-split]
-generatePinRulesCTL
Generates a certificate trust list (CTL) file that contains a list of pinning rules.
certutil [options] -generatePinRulesCTL XMLFile CTLFile [SSTFile [QueryFilesPrefix]]
Where:
- XMLFile is the input XML file to be parsed.
- CTLFile is the output CTL file to be generated.
- SSTFile is the optional .sst file to be created that contains all of the certificates used for pinning.
- QueryFilesPrefix are optional Domains.csv and Keys.csv files to be created for database query.
- The QueryFilesPrefix string is prepended to each created file.
- The Domains.csv file contains rule name, domain rows.
- The Keys.csv file contains rule name, key SHA256 thumbprint rows.
Options:
[-f]
-downloadOcsp
Downloads OCSP responses and writes them to a directory.
certutil [options] -downloadOcsp CertificateDir OcspDir [ThreadCount] [Modifiers]
Where:
- CertificateDir is the directory of a certificate, store and PFX files.
- OcspDir is the directory to write OCSP responses.
- ThreadCount is the optional maximum number of threads for concurrent downloading. Default is 10.
- Modifiers are a comma-separated list of one or more of the following:
  - DownloadOnce - Downloads once and exits.
  - ReadOcsp - Reads from OcspDir instead of writing.
-generateHpkpHeader
Generates an HPKP header using the certificates in the specified file or directory.
certutil [options] -generateHpkpHeader CertFileOrDir MaxAge [ReportUri] [Modifiers]
Where:
- CertFileOrDir is the file or directory of certificates, which is the source of pin-sha256.
- MaxAge is the max-age value in seconds.
- ReportUri is the optional report-uri.
- Modifiers are a comma-separated list of one or more of the following:
  - includeSubDomains - Appends the includeSubDomains directive.
-flushCache
Flushes the specified caches in a selected process, for example, lsass.exe.
certutil [options] -flushCache ProcessId CacheMask [Modifiers]
Where:
- ProcessId is the numeric ID of the process to flush. Set to 0 to flush all processes where flushing is enabled.
- CacheMask is the bit mask of caches to be flushed, either numeric or the following bits:
  - 0: ShowOnly
  - 0x01: CERT_WNF_FLUSH_CACHE_REVOCATION
  - 0x02: CERT_WNF_FLUSH_CACHE_OFFLINE_URL
  - 0x04: CERT_WNF_FLUSH_CACHE_MACHINE_CHAIN_ENGINE
  - 0x08: CERT_WNF_FLUSH_CACHE_USER_CHAIN_ENGINES
  - 0x10: CERT_WNF_FLUSH_CACHE_SERIAL_CHAIN_CERTS
  - 0x20: CERT_WNF_FLUSH_CACHE_SSL_TIME_CERTS
  - 0x40: CERT_WNF_FLUSH_CACHE_OCSP_STAPLING
- Modifiers are a comma-separated list of one or more of the following:
  - Show - Shows the caches being flushed. Certutil must be explicitly terminated.
-addEccCurve
Adds an ECC curve.
certutil [options] -addEccCurve [CurveClass:]CurveName CurveParameters [CurveOID] [CurveType]
Where:
- CurveClass is the ECC curve class type:
  - WEIERSTRASS (default)
  - MONTGOMERY
  - TWISTED_EDWARDS
- CurveName is the ECC curve name.
- CurveParameters are one of the following:
  - A certificate file name containing ASN-encoded parameters.
  - A file containing ASN-encoded parameters.
- CurveOID is the ECC curve OID and is one of the following:
  - A certificate file name containing an ASN-encoded OID.
  - An explicit ECC curve OID.
- CurveType is the Schannel ECC NamedCurve point (numeric).
Options:
[-f]
-deleteEccCurve
Deletes an ECC curve.
certutil [options] -deleteEccCurve CurveName | CurveOID
Where:
- CurveName is the ECC Curve name.
- CurveOID is the ECC Curve OID.
Options:
[-f]
-displayEccCurve
Displays ECC curves.
certutil [options] -displayEccCurve [CurveName | CurveOID]
Where:
- CurveName is the ECC Curve name.
- CurveOID is the ECC Curve OID.
Options:
[-f]
-csplist
Lists the cryptographic service providers (CSPs) installed on this machine for cryptographic operations.
certutil [options] -csplist [Algorithm]
Options:
[-user] [-Silent] [-csp Provider]
-csptest
Tests the CSPs installed on this machine.
certutil [options] -csptest [Algorithm]
Options:
[-user] [-Silent] [-csp Provider]
-CNGConfig
Displays the CNG cryptographic configuration on this machine.
certutil [options] -CNGConfig
Options:
[-Silent]
-sign
Re-signs a certificate revocation list (CRL) or certificate.
certutil [options] -sign InFileList | SerialNumber | CRL OutFileList [StartDate [+ | -dd:hh] + | -dd:hh] [+SerialNumberList | -SerialNumberList | -ObjectIdList | @ExtensionFile]
certutil [options] -sign InFileList | SerialNumber | CRL OutFileList [#HashAlgorithm] [+AlternateSignatureAlgorithm | -AlternateSignatureAlgorithm]
certutil [options] -sign InFileList OutFileList [Subject:CN=...] [Issuer:hex data]
Where:
- InFileList is the comma-separated list of certificate or CRL files to modify and re-sign.
- SerialNumber is the serial number of the certificate to create. The validity period and other options can't be present.
- CRL creates an empty CRL. The validity period and other options can't be present.
- OutFileList is the comma-separated list of modified certificate or CRL output files. The number of files must match InFileList.
- StartDate+dd:hh is the new validity period for the certificate or CRL files, including:
  - an optional date plus
  - an optional days-and-hours validity period. If both fields are used, use a (+) or (-) separator. Use now[+dd:hh] to start at the current time. Use now-dd:hh+dd:hh for a fixed offset from the current time and a fixed validity period. Use never for no expiration date (for CRLs only).
- SerialNumberList is the comma-separated serial number list of the files to add or remove.
- ObjectIdList is the comma-separated extension ObjectId list of the files to remove.
- @ExtensionFile is the INF file that contains the extensions to update or remove. For example:
[Extensions]
2.5.29.31 = ; Remove CRL Distribution Points extension
2.5.29.15 = {hex} ; Update Key Usage extension
_continue_=03 02 01 86
- HashAlgorithm is the name of the hash algorithm. This must be text preceded by the # symbol.
- AlternateSignatureAlgorithm is the alternate signature algorithm specifier.
Options:
[-nullsign] [-f] [-user] [-Silent] [-Cert CertId] [-csp Provider]
Remarks
- Using the minus sign (-) removes serial numbers and extensions.
- Using the plus sign (+) adds serial numbers to a CRL.
- You can use a list to remove both serial numbers and ObjectIds from a CRL at the same time.
- Using the minus sign before AlternateSignatureAlgorithm allows you to use the legacy signature format.
- Using the plus sign allows you to use the alternate signature format.
- If you don't specify AlternateSignatureAlgorithm, the signature format in the certificate or CRL is used.
-vroot
Creates or deletes web virtual roots and file shares.
certutil [options] -vroot [delete]
-vocsproot
Creates or deletes web virtual roots for an OCSP web proxy.
certutil [options] -vocsproot [delete]
-addEnrollmentServer
Adds an Enrollment Server application and application pool, if necessary, for the specified certification authority. This command doesn't install binaries or packages.
certutil [options] -addEnrollmentServer Kerberos | UserName | ClientCertificate [AllowRenewalsOnly] [AllowKeyBasedRenewal]
Where:
addEnrollmentServer requires you to use an authentication method for the client connection to the Certificate Enrollment Server, including:
- Kerberos uses Kerberos SSL credentials.
- UserName uses named account for SSL credentials.
- ClientCertificate uses X.509 Certificate SSL credentials.
Modifiers:
- AllowRenewalsOnly allows only renewal request submissions to the Certificate Authority through the URL.
- AllowKeyBasedRenewal allows use of a certificate with no associated account in Active Directory. This applies when used with ClientCertificate and AllowRenewalsOnly mode.
Options:
[-config Machine\CAName]
-deleteEnrollmentServer
Deletes an Enrollment Server application and application pool, if necessary, for the specified certification authority. This command doesn't install binaries or packages.
certutil [options] -deleteEnrollmentServer Kerberos | UserName | ClientCertificate
Where:
- deleteEnrollmentServer requires you to use an authentication method for the client connection to the Certificate Enrollment Server, including:
- Kerberos uses Kerberos SSL credentials.
- UserName uses named account for SSL credentials.
- ClientCertificate uses X.509 Certificate SSL credentials.
Options:
[-config Machine\CAName]
-addPolicyServer
Adds a Policy Server application and application pool, if necessary. This command doesn't install binaries or packages.
certutil [options] -addPolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]
Where:
- addPolicyServer requires you to use an authentication method for the client connection to the Certificate Policy Server, including:
- Kerberos uses Kerberos SSL credentials.
- UserName uses named account for SSL credentials.
- ClientCertificate uses X.509 Certificate SSL credentials.
- KeyBasedRenewal allows use of policies returned to the client containing keybasedrenewal templates. This option applies only for UserName and ClientCertificate authentication.
-deletePolicyServer
Deletes a Policy Server application and application pool, if necessary. This command doesn't remove binaries or packages.
certutil [options] -deletePolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]
Where:
- deletePolicyServer requires you to use an authentication method for the client connection to the Certificate Policy Server, including:
- Kerberos uses Kerberos SSL credentials.
- UserName uses named account for SSL credentials.
- ClientCertificate uses X.509 Certificate SSL credentials.
- KeyBasedRenewal allows use of a KeyBasedRenewal policy server.
-Class
Displays COM registry information.
certutil [options] -Class [ClassId | ProgId | DllName | *]
Options:
[-f]
-7f
Checks the certificate for 0x7f length encodings.
certutil [options] -7f CertFile
-oid
Displays the object identifier or sets a display name.
certutil [options] -oid ObjectId [DisplayName | delete [LanguageId [type]]]
certutil [options] -oid GroupId
certutil [options] -oid AlgId | AlgorithmName [GroupId]
Where:
- ObjectId is the ID to be displayed or to add to the display name.
- GroupId is the GroupID number (decimal) that ObjectIds enumerate.
- AlgId is the hexadecimal ID that objectID looks up.
- AlgorithmName is the algorithm name that objectID looks up.
- DisplayName displays the name to store in DS.
- Delete deletes the display name.
- LanguageId is the language ID value (defaults to current: 1033).
- Type is the type of DS object to create, including:
  - 1 - Template (default)
  - 2 - Issuance policy
  - 3 - Application policy
- -f creates the DS object.
Options:
[-f]
-error
Displays the message text associated with an error code.
certutil [options] -error ErrorCode
-getsmtpinfo
Gets Simple Mail Transfer Protocol (SMTP) information.
certutil [options] -getsmtpinfo
-setsmtpinfo
Sets SMTP information.
certutil [options] -setsmtpinfo LogonName
Options:
[-config Machine\CAName] [-p Password]
-getreg
Displays a registry value.
certutil [options] -getreg [{ca | restore | policy | exit | template | enroll | chain | PolicyServers}\[ProgId\]] [RegistryValueName]
Where:
- ca uses a Certificate Authority's registry key.
- restore uses Certificate Authority's restore registry key.
- policy uses the policy module's registry key.
- exit uses the first exit module's registry key.
- template uses the template registry key (use -user for user templates).
- enroll uses the enrollment registry key (use -user for user context).
- chain uses the chain configuration registry key.
- PolicyServers uses the Policy Servers registry key.
- ProgId uses the policy or exit module's ProgID (registry subkey name).
- RegistryValueName uses the registry value name (use Name* to prefix match).
- value uses the new numeric, string, or date registry value or filename. If a numeric value begins with + or -, the bits specified in the new value are set or cleared in the existing registry value.
Options:
[-f] [-Enterprise] [-user] [-GroupPolicy] [-config Machine\CAName]
Remarks
- If a string value begins with + or - and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add \n to the end of the string value.
- If the value begins with @, the rest of the value is the name of a file containing the hexadecimal text representation of a binary value.
- If it doesn't refer to a valid file, it's parsed as [Date][+|-][dd:hh], an optional date plus or minus optional days and hours.
- If both are specified, use a plus sign (+) or minus sign (-) separator. Use now+dd:hh for a date relative to the current time.
- Use i64 as a suffix to create a REG_QWORD value.
- Use chain\chaincacheresyncfiletime @now to effectively flush cached CRLs.
- Registry aliases:
  - Config
  - CA
  - Policy - PolicyModules
  - Exit - ExitModules
  - Restore - RestoreInProgress
  - Template - Software\Microsoft\Cryptography\CertificateTemplateCache
  - Enroll - Software\Microsoft\Cryptography\AutoEnrollment (Software\Policies\Microsoft\Cryptography\AutoEnrollment)
  - MSCEP - Software\Microsoft\Cryptography\MSCEP
  - Chain - Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
  - PolicyServers - Software\Microsoft\Cryptography\PolicyServers (Software\Policies\Microsoft\Cryptography\PolicyServers)
  - Crypt32 - System\CurrentControlSet\Services\crypt32
  - NGC - System\CurrentControlSet\Control\Cryptography\Ngc
  - AutoUpdate - Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
  - Passport - Software\Policies\Microsoft\PassportForWork
  - MDM - Software\Microsoft\Policies\PassportForWork
-setreg
Sets a registry value.
certutil [options] -setreg [{ca | restore | policy | exit | template | enroll | chain | PolicyServers}\[ProgId\]] RegistryValueName Value
Where:
- ca uses a Certificate Authority's registry key.
- restore uses Certificate Authority's restore registry key.
- policy uses the policy module's registry key.
- exit uses the first exit module's registry key.
- template uses the template registry key (use -user for user templates).
- enroll uses the enrollment registry key (use -user for user context).
- chain uses the chain configuration registry key.
- PolicyServers uses the Policy Servers registry key.
- ProgId uses the policy or exit module's ProgID (registry subkey name).
- RegistryValueName uses the registry value name (use Name* to prefix match).
- Value uses the new numeric, string, or date registry value or filename. If a numeric value begins with + or -, the bits specified in the new value are set or cleared in the existing registry value.
Options:
[-f] [-Enterprise] [-user] [-GroupPolicy] [-config Machine\CAName]
Remarks
- If a string value begins with + or - and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add \n to the end of the string value.
- If the value begins with @, the rest of the value is the name of a file containing the hexadecimal text representation of a binary value.
- If it doesn't refer to a valid file, it's parsed as [Date][+|-][dd:hh], an optional date plus or minus optional days and hours.
- If both are specified, use a plus sign (+) or minus sign (-) separator. Use now+dd:hh for a date relative to the current time.
- Use i64 as a suffix to create a REG_QWORD value.
- Use chain\chaincacheresyncfiletime @now to effectively flush cached CRLs.
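An added example, not part of the certutil reference, showing the read-modify-write pattern behind the +Flag / -Flag syntax of -setreg and the chain\chaincacheresyncfiletime @now remark above, with every write bracketed by -getreg reads so the before and after values can go into a change record. The ca\KRAFlags value and the KRAF_ENABLEFOREIGN flag are the ones this reference mentions under -ImportCert; the CA configuration name is a placeholder.

```powershell
# Added example, not from the certutil reference. Sets or clears individual bits in a
# certutil-managed registry value and records the value before and after the change.

function Get-CertutilRegValue {
    param(
        [Parameter(Mandatory)] [string] $Key,   # e.g. 'ca\KRAFlags'
        [string] $Config                        # optional Machine\CAName (placeholder when used)
    )
    $cuArgs = @()
    if ($Config) { $cuArgs += @('-config', $Config) }
    $cuArgs += @('-getreg', $Key)
    $output = & certutil @cuArgs 2>&1 | Out-String
    [pscustomobject]@{ Key = $Key; ExitCode = $LASTEXITCODE; Output = $output }
}

function Set-CertutilRegFlag {
    param(
        [Parameter(Mandatory)] [string] $Key,    # e.g. 'ca\KRAFlags'
        [Parameter(Mandatory)] [string] $Flag,   # e.g. 'KRAF_ENABLEFOREIGN'
        [switch] $Clear,                         # write -Flag (clear bits) instead of +Flag (set bits)
        [string] $Config
    )
    $before = Get-CertutilRegValue -Key $Key -Config $Config
    # A leading + or - makes certutil set or clear only the named bits in the existing
    # value instead of replacing the whole value.
    $value = if ($Clear) { "-$Flag" } else { "+$Flag" }
    $cuArgs = @()
    if ($Config) { $cuArgs += @('-config', $Config) }
    $cuArgs += @('-setreg', $Key, $value)
    $writeOutput = & certutil @cuArgs 2>&1 | Out-String
    $exit = $LASTEXITCODE
    $after = Get-CertutilRegValue -Key $Key -Config $Config
    [pscustomobject]@{
        Key       = $Key
        Change    = $value
        Succeeded = ($exit -eq 0)
        ExitCode  = $exit
        Before    = $before.Output
        After     = $after.Output
        Output    = $writeOutput
    }
}

function Reset-ChainCacheResyncTime {
    # Writes the current time to chain\chaincacheresyncfiletime, which the reference
    # describes as an effective way to flush cached CRLs (for example after a revocation).
    # '@now' is quoted so PowerShell doesn't treat it as splatting a $now variable.
    $null = & certutil -setreg 'chain\chaincacheresyncfiletime' '@now' 2>&1
    return ($LASTEXITCODE -eq 0)
}

# Usage (placeholder CA name):
# Set-CertutilRegFlag -Key 'ca\KRAFlags' -Flag 'KRAF_ENABLEFOREIGN' -Config 'CA01\Contoso Issuing CA' | Format-List
# Set-CertutilRegFlag -Key 'ca\KRAFlags' -Flag 'KRAF_ENABLEFOREIGN' -Clear -Config 'CA01\Contoso Issuing CA'
# Reset-ChainCacheResyncTime
```

Quoting matters in PowerShell here: an unquoted @now is parsed as splatting, and an unquoted +Flag can be mis-tokenized, so the values are always passed as quoted strings or built into a variable first.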
-delreg
Deletes a registry value.
certutil [options] -delreg [{ca | restore | policy | exit | template | enroll | chain | PolicyServers}\[ProgId\]] [RegistryValueName]
Where:
- ca uses a Certificate Authority's registry key.
- restore uses Certificate Authority's restore registry key.
- policy uses the policy module's registry key.
- exit uses the first exit module's registry key.
- template uses the template registry key (use -user for user templates).
- enroll uses the enrollment registry key (use -user for user context).
- chain uses the chain configuration registry key.
- PolicyServers uses the Policy Servers registry key.
- ProgId uses the policy or exit module's ProgID (registry subkey name).
- RegistryValueName uses the registry value name (use Name* to prefix match).
- Value uses the new numeric, string or date registry value or filename. If a numeric value begins with + or -, the bits specified in the new value are set or cleared in the existing registry value.
Options:
[-f] [-Enterprise] [-user] [-GroupPolicy] [-config Machine\CAName]
Remarks
- If a string value begins with + or - and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add \n to the end of the string value.
- If the value begins with @, the rest of the value is the name of a file containing the hexadecimal text representation of a binary value.
- If it doesn't refer to a valid file, it's parsed as [Date][+|-][dd:hh], an optional date plus or minus optional days and hours.
- If both are specified, use a plus sign (+) or minus sign (-) separator. Use now+dd:hh for a date relative to the current time.
- Use i64 as a suffix to create a REG_QWORD value.
- Use chain\chaincacheresyncfiletime @now to effectively flush cached CRLs.
- Registry aliases:
  - Config
  - CA
  - Policy - PolicyModules
  - Exit - ExitModules
  - Restore - RestoreInProgress
  - Template - Software\Microsoft\Cryptography\CertificateTemplateCache
  - Enroll - Software\Microsoft\Cryptography\AutoEnrollment (Software\Policies\Microsoft\Cryptography\AutoEnrollment)
  - MSCEP - Software\Microsoft\Cryptography\MSCEP
  - Chain - Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
  - PolicyServers - Software\Microsoft\Cryptography\PolicyServers (Software\Policies\Microsoft\Cryptography\PolicyServers)
  - Crypt32 - System\CurrentControlSet\Services\crypt32
  - NGC - System\CurrentControlSet\Control\Cryptography\Ngc
  - AutoUpdate - Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
  - Passport - Software\Policies\Microsoft\PassportForWork
  - MDM - Software\Microsoft\Policies\PassportForWork
-importKMS
Imports user keys and certificates into the server database for key archival.
certutil [options] -importKMS UserKeyAndCertFile [CertId]
Where:
- UserKeyAndCertFile is a data file with user private keys and certificates that are to be archived. This file can be:
  - An Exchange Key Management Server (KMS) export file.
  - A PFX file.
- CertId is a KMS export file decryption certificate match token. For more information, see the -store parameter in this article.
- -f imports certificates not issued by the certification authority.
Options:
[-f] [-Silent] [-split] [-config Machine\CAName] [-p Password] [-symkeyalg SymmetricKeyAlgorithm[,KeyLength]]
-ImportCert
Imports a certificate file into the database.
certutil [options] -ImportCert Certfile [ExistingRow]
Where:
- ExistingRow imports the certificate in place of a pending request for the same key.
- -f imports certificates not issued by the certification authority.
Options:
[-f] [-config Machine\CAName]
Remarks
The certification authority may also need to be configured to support foreign certificates by running certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN.
-GetKey
Retrieves an archived private key recovery blob, generates a recovery script, or recovers archived keys.
certutil [options] -GetKey SearchToken [RecoveryBlobOutFile]
certutil [options] -GetKey SearchToken script OutputScriptFile
certutil [options] -GetKey SearchToken retrieve | recover OutputFileBaseName
Where:
- script generates a script to retrieve and recover keys (default behavior if multiple matching recovery candidates are found, or if the output file isn't specified).
- retrieve retrieves one or more Key Recovery Blobs (default behavior if exactly one matching recovery candidate is found, and if the output file is specified). Using this option truncates any extension and appends a certificate-specific string and the .rec extension for each key recovery blob. Each file contains a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates.
- recover retrieves and recovers private keys in one step (requires Key Recovery Agent certificates and private keys). Using this option truncates any extension and appends the .p12 extension. Each file contains the recovered certificate chain and associated private key, stored as a PFX file.
- SearchToken selects the keys and certificates to be recovered, including:
  - Certificate common name
  - Certificate serial number
  - Certificate SHA-1 hash (thumbprint)
  - Certificate KeyId SHA-1 hash (Subject Key Identifier)
  - Requester name (domain\user)
  - UPN (user@domain)
- RecoveryBlobOutFile outputs a file with a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates.
- OutputScriptFile outputs a file with a batch script to retrieve and recover private keys.
- OutputFileBaseName outputs a file base name.
Options:
[-f] [-UnicodeText] [-Silent] [-config Machine\CAName] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider]
Remarks
- For retrieve, any extension is truncated and a certificate-specific string and the .rec extension are appended for each key recovery blob. Each file contains a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates.
- For recover, any extension is truncated and the .p12 extension is appended. It contains the recovered certificate chain and associated private key, stored as a PFX file.
-RecoverKey
Recovers an archived private key.
certutil [options] -RecoverKey RecoveryBlobInFile [PFXOutFile [RecipientIndex]]
Options:
[-f] [-user] [-Silent] [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider] [-t Timeout]
-mergePFX
Merges PFX files.
certutil [options] -MergePFX PFXInFileList PFXOutFile [Modifiers]
Where:
- PFXInFileList is a comma-separated list of PFX input files.
- PFXOutFile is the name of the PFX output file.
- Modifiers are a comma-separated list of one or more of the following:
- ExtendedProperties includes any extended properties.
- NoEncryptCert specifies to not encrypt the certificates.
- EncryptCert specifies to encrypt the certificates.
Options:
[-f] [-user] [-split] [-p password] [-ProtectTo SAMNameAndSIDList] [-csp Provider]
Remarks
- The password specified on the command line must be a comma-separated password list.
- If more than one password is specified, the last password is used for the output file. If only one password is provided, or if the last password is *, the user is prompted for the output file password.
-add-chain
Adds a certificate chain.
certutil [options] -add-chain LogId certificate OutFile
Options:
[-f]
-add-pre-chain
Adds a certificate pre-chain.
certutil [options] -add-pre-chain LogId pre-certificate OutFile
Options:
[-f]
-get-sth
Retrieves a signed tree head.
certutil [options] -get-sth [LogId]
Options:
[-f]
-get-sth-consistency
Retrieves signed tree head changes.
certutil [options] -get-sth-consistency LogId TreeSize1 TreeSize2
Options:
[-f]
-get-proof-by-hash
Retrieves the proof for a hash from the timestamp server.
certutil [options] -get-proof-by-hash LogId Hash [TreeSize]
Options:
[-f]
-get-entries
Retrieves entries from the log.
certutil [options] -get-entries LogId FirstIndex LastIndex
Options:
[-f]
-get-roots
Retrieves root certificates from the certificate store.
certutil [options] -get-roots LogId
Options:
[-f]
-get-entry-and-proof
Retrieves a log entry and its cryptographic proof.
certutil [options] -get-entry-and-proof LogId Index [TreeSize]
Options:
[-f]
-VerifyCT
Verifies a certificate against Certificate Transparency logs.
certutil [options] -VerifyCT Certificate SCT [precert]
Options:
[-f]
-?
Displays the list of parameters.
certutil -?
certutil <name_of_parameter> -?
certutil -? -v
Where:
- -? displays the list of parameters.
- <name_of_parameter> -? displays help content for the specified parameter.
- -? -v displays a verbose list of parameters and options.
Options
This section defines all the options you can specify, based on the command. Each parameter includes information about which options are valid for use with it.
| Option | Description |
|---|---|
| -admin | Use ICertAdmin2 for CA properties. |
| -anonymous | Use anonymous SSL credentials. |
| -cert CertId | Signing certificate. |
| -clientcertificate clientCertId | Use X.509 certificate SSL credentials. For selection UI, use -clientcertificate. |
| -config Machine\CAName | Certification authority and machine name string. |
| -csp provider | Provider: KSP - Microsoft Software Key Storage Provider; TPM - Microsoft Platform Crypto Provider; NGC - Microsoft Passport Key Storage Provider; SC - Microsoft Smart Card Key Storage Provider |
| -dc DCName | Target a specific domain controller. |
| -enterprise | Use the local machine enterprise registry certificate store. |
| -f | Force overwrite. |
| -generateSSTFromWU SSTFile | Generate an SST using the automatic update mechanism. |
| -gmt | Display times using GMT. |
| -GroupPolicy | Use the group policy certificate store. |
| -idispatch | Use IDispatch instead of native COM methods. |
| -kerberos | Use Kerberos SSL credentials. |
| -location alternatestoragelocation | (-loc) AlternateStorageLocation. |
| -mt | Display machine templates. |
| -nocr | Encode text without CR characters. |
| -nocrlf | Encode text without CR-LF characters. |
| -nullsign | Use the hash of the data as the signature. |
| -oldpfx | Use old PFX encryption. |
| -out columnlist | Comma-separated column list. |
| -p password | Password |
| -pin PIN | Smart card PIN. |
| -policyserver URLorID | Policy server URL or ID. For selection U/I, use -policyserver. For all policy servers, use -policyserver * |
| -privatekey | Display password and private key data. |
| -protect | Protect keys with a password. |
| -protectto SAMnameandSIDlist | Comma-separated SAM name/SID list. |
| -restrict restrictionlist | Comma-separated restriction list. Each restriction consists of a column name, a relational operator, and a constant integer, string, or date. One column name may be preceded by a plus or minus sign to indicate the sort order. Examples: requestID = 47, +requestername >= a, requestername, or -requestername > DOMAIN, Disposition = 21. |
| -reverse | Reverse the log and queue columns. |
| -seconds | Display times with seconds and milliseconds. |
| -service | Use the service certificate store. |
| -sid | Numeric SID: 22 - Local System; 23 - Local Service; 24 - Network Service |
| -silent | Use the silent flag to acquire the crypt context. |
| -split | Split embedded ASN.1 elements and save them to files. |
| -sslpolicy servername | SSL policy matching ServerName. |
| -symkeyalg symmetrickeyalgorithm[,keylength] | Symmetric key algorithm name with optional key length. For example: AES,128 or 3DES. |
| -syncWithWU DestinationDir | Sync with Windows Update. |
| -t timeout | URL fetch timeout in milliseconds. |
| -Unicode | Write redirected output in Unicode. |
| -UnicodeText | Write the output file in Unicode. |
| -urlfetch | Retrieve and verify AIA certificates and CDP CRLs. |
| -user | Use the HKEY_CURRENT_USER keys or certificate store. |
| -username username | Use the named account for SSL credentials. For selection UI, use -username. |
| -ut | Display user templates. |
| -v | Provide more detailed (verbose) information. |
| -v1 | Use the V1 interface. |
Hash algorithms: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512.
Related links
For more examples of how to use this command, see the following articles: