Historical Content Alert
This is a historical content for Windows NT 4.0 product and is presented for informative purposes only. All content in this directory is copyrighted and owned by Microsoft.

CertUtil

CertUtil.exe is used for many purposes. It can:

  • Dump Certificate Server configuration information or a KeyGen file

  • Get the Certificate Authority (CA) configuration string

  • Retrieve the CA signing and key exchange certificates

  • Revoke certificates

  • Publish or retrieve a certificate revocation list (CRL)

  • Determine if a certificate is valid or if the encoding length is incompatible with old enrollment controls.

  • Verify one level of a certificate chain

  • Resubmit or deny pending requests

  • Set attributes or an integer or string value extension for a pending request

  • Verify a public/private key set

  • Decode hexadecimal- or Base64-encoded files

  • Encode files to Base64

CertUtil command usage is as follows:

CertUtil [options] -dump
Result: Dumps the Certificate Authority's configuration information.

CertUtil [options] -getconfig
Result: Gets the default configuration string for the Certificate Authority and displays it.

CertUtil [options] -keygen KeyGenFile
Result: Dumps the KeyGen file specified by KeyGenFile.

CertUtil [options] -decodehex InFile OutFile
Result: Decodes the hexadecimal-encoded file specified by InFile and writes the result to OutFile.

CertUtil [options] -decode InFile OutFile
Result: Decodes the Base64-encode file specified by InFile and writes the result to OutFile.

CertUtil [options] -encode InFile OutFile
Result: Encodes the file specified by InFile to Base64 and writes the result to OutFile.

CertUtil [options] [-config ConfigString] -deny RequestId
Result: Denies the pending certificate request specified by RequestId. RequestId must be in decimal format.

CertUtil [options] [-config ConfigString] -resubmit RequestId
Result: Resubmits the pending certificate request specified by RequestId. RequestId must be in decimal format.

CertUtil [options] [-config ConfigString] -revoke SerialNumber
Result: Revokes the certificate specified by SerialNumber. SerialNumber must be in hexadecimal format with an even number of digits. A single "0" may be prepended to a value with an odd number of digits.

CertUtil [options] [-config ConfigString] -CRL [OutFile | -]
Result: Publishes the current certificate revocation list (CRL.) Optionally the CRL is written to the file specified by OutFile, or to the Default Web Location if "-" is specifed. The expiration date is set to be one day and one hour from the time of publication to facilitate a daily publishing schedule.

CertUtil [options] [-config ConfigString] -GetCRL OutFile
Result: Retrieves the most recently published CRL and writes it to the file specified by OutFile.

CertUtil [options] [-config ConfigString] -isvalid SerialNumber
Result: Checks the certificate specified by SerialNumber to determine if it is valid. SerialNumber must be in hexadecimal format with an even number of digits. A single "0" may be prepended to a value with an odd number of digits.

CertUtil [options] [-config ConfigString] -setattributes RequestId
AttributeString
Result: Sets the named attributes specified by AttributeString in the certificate request specified by RequestId. The following is a valid example:

certutil -setattributes 123 "attribname1:attribvalue1\nattribname2:37"

CertUtil [options] [-config ConfigString] -setextension RequestId
ExtensionName Flags Value
Result: Sets the extension specified by ExtensionName in the certificate request specified by RequestId. RequestId must be in decimal format. Flags must be set to 0 or 1, 1 makes the extension "critical". Value must be a string and will be interpreted as a long integer in decimal format if all characters are digits. The following is a valid example for a non-critical extension:

certutil -setextension 123 "extension1" 0 Value1

CertUtil [options] [-config ConfigString] -ca.signature
OutCASignatureCertFile
Result: Retrieves the Certificate Authority (CA) signing certificate and writes it to the file specified by OutCASignatureCertFile.

CertUtil [options] [-config ConfigString] -ca.exchange
OutCAExchangeCertFile
Result: Retrieves the CA key exchange certificate and writes it to the file specified by OutCAExchangeCertFile.

CertUtil [options] -verifykeys KeyContainerName CACertFile
Result: Verifies the public/private key set in the key container specified by KeyContainerName using the CA certificate specified by CACertFile.

CertUtil [options] -verify CertFile CACertFile
Result: Verifies the certificate specified by CertFile was issued using the CA certificate specified by CACertFile. Both files must contain a single certificate, not a PKCS7. Also verifies the revocation status of the CertFile certificate. An error will occur if CertFile does not contain information on how to check revocation or the necessary URLs or CRLs are unavailable.

CertUtil [options] -7f CertFile
Result: Checks the certificate specified by CertFile for 0x7f length encodings. Avoiding 0x7f length encodings ensures compatibility with old enrollment controls.

CertUtil [options] -?
Result: Displays the command options.

The CertUtil command options are as follows:

-config ConfigString Causes the operation to be processed using the Certificate Authority (CA) identified in the configuration string specified by ConfigString. Without this option, the default CA will process the request.
-idispatch Causes CertUtil to use IDispatch methods instead of COM for the current operation.
-v Causes CertUtil to display verbose output.
-db RequestID Used only with the dump command. Only the database row specified by RequestID is dumped. The Certificate Server service must be stopped to use this option.

For further explanation of how to use CertUtil, see Examining Configuration Information.


Share this article: