Wednesday, February 2, 2011


CertUtil.exe is a command-line program that is installed as part of Certificate Services Management Tools. CertUtil.exe is used to extract and display CA configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. CertUtil.exe is part of Windows Vista and Windows 7.

You can use CertUtil.exe to perform the following tasks:
  • Dump certificate services configuration information, certificate requests, certificates, or certificate revocation lists to files.
  • Get the certification authority (CA) configuration string.
  • Retrieve the CA signing certificate.
  • Revoke certificates.
  • Publish or retrieve a certificate revocation list.
  • Determine if a certificate is valid or if the encoding length is incompatible with old enrollment controls.
  • Verify one or all levels of a certificate chain.
  • Resubmit or deny pending requests.
  • Set attributes or an integer or string value extension for a pending request.
  • Verify a public/private key set.
  • Decode files that are based on hexadecimal or base 64.
  • Encode files to base 64.
  • Shut down the Certificate Services server.
  • Display the database schema.
  • Convert a Certificate Server version 1.0 database to a Windows 2000 Certificate Services version 2.0 database.
  • Back up and restore the CA keys and database.
  • Display certificates in a certificate store.
  • Display error message text for a specified error code.
  • Import issued certificates that are missing from the database.
  • Set and display certification authority registry settings.
  • Create or remove Certificate Services Web virtual roots and file shares.
Default location: %WinDir%\System32\certutil.exe

Syntax: Certutil <-parameter> [-parameter]


-dump -- Dump configuration information or files
-asn -- Parse ASN.1 file
-decodehex -- Decode hexadecimal-encoded file
-decode -- Decode Base64-encoded file
-encode -- Encode file to Base64
-deny -- Deny pending request
-resubmit -- Resubmit pending request
-setattributes -- Set attributes for pending request
-setextension -- Set extension for pending request
-revoke -- Revoke Certificate
-isvalid -- Display current certificate disposition
-getconfig -- Get default configuration string
-ping -- Ping Active Directory Certificate Services Request interface
-pingadmin -- Ping Active Directory Certificate Services Admin interface
-CAInfo -- Display CA Information
-ca.cert -- Retrieve the CA's certificate
-ca.chain -- Retrieve the CA's certificate chain
-GetCRL -- Get CRL
-CRL -- Publish new CRLs [or delta CRLs only]
-shutdown -- Shutdown Active Directory Certificate Services
-installCert -- Install Certification Authority certificate
-renewCert -- Renew Certification Authority certificate
-schema -- Dump Certificate Schema
-view -- Dump Certificate View
-db -- Dump Raw Database
-deleterow -- Delete server database row
-backup -- Backup Active Directory Certificate Services
-backupDB -- Backup Active Directory Certificate Services database
-backupKey -- Backup Active Directory Certificate Services certificate and private key
-restore -- Restore Active Directory Certificate Services
-restoreDB -- Restore Active Directory Certificate Services database
-restoreKey -- Restore Active Directory Certificate Services certificate and private key
-dynamicfilelist -- Display dynamic file List
-databaselocations -- Display database locations
-hashfile -- Generate and display cryptographic hash over a file
-store -- Dump certificate store
-addstore -- Add certificate to store
-delstore -- Delete certificate from store
-verifystore -- Verify certificate in store
-repairstore -- Repair key association or update certificate properties or key security descriptor
-viewstore -- Dump certificate store
-viewdelstore -- Delete certificate from store
-dsPublish -- Publish certificate or CRL to Active Directory
-Template -- Display templates
-TemplateCAs -- Display CAs for template
-CATemplates -- Display templates for CA
-InstallDefaultTemplates -- Install default certificate templates
-URLCache -- Display or delete URL cache entries
-pulse -- Pulse autoenrollment events
-MachineInfo -- Display Active Directory machine object information
-DCInfo -- Display domain controller information
-EntInfo -- Display enterprise information
-TCAInfo -- Display CA information
-SCInfo -- Display smart card information
-SCRoots -- Manage smart card root certificates
-verifykeys -- Verify public/private key set
-verify -- Verify certificate, CRL or chain
-sign -- Re-sign CRL or certificate
-vroot -- Create/delete web virtual roots and file shares
-vocsproot -- Create/delete web virtual roots for OCSP web proxy
-oid -- Display ObjectId or set display name
-error -- Display error code message text
-getreg -- Display registry value
-setreg -- Set registry value
-delreg -- Delete registry value
-ImportKMS -- Import user keys and certificates into server database for key archival
-ImportCert -- Import a certificate file into the database
-GetKey -- Retrieve archived private key recovery blob
-RecoverKey -- Recover archived private key
-MergePFX -- Merge PFX files
-ConvertEPF -- Convert PFX files to EPF file
-? -- Display this usage message
CertUtil -? -- Display a verb list (command list)
CertUtil -<verb> -? -- Display help text for the specified verb
CertUtil -v -? -- Display all help text for all verbs
