Certutil tasks for configuring a Certification Authority (CA)

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use certutil to perform a number of CA configuration tasks.

To display CA property type information

Syntax

certutil -capropinfo [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

Parameters
-capropinfo
Displays CA property type information.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CA in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.

To display the configuration string for a CA

Syntax

certutil -getconfig [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

Parameters
-getconfig
Retrieves the default configuration string.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CA in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.

To create or delete the standard set of virtual roots and file shares for the Certificate Services Web server

Syntax

certutil -vroot [-gmt] [-seconds] [-v] [delete]

Parameters
-vroot
Creates the virtual roots for the Certificate Services Web server.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

delete
Deletes the virtual roots for the Certificate Services Web server.

-?
Displays a list of certutil commands.

Remarks
  • If Active Server Pages (ASP) is not enabled, this command enables it.

  • If you installed the CA Web enrollment pages before installing IIS, the required virtual roots are not created. To create the virtual roots after installing IIS, at a command prompt, type:

    certutil -vroot

    This command does not install the Web enrollment pages. Instead, it creates the IIS virtual roots that point to the Web enrollment pages, CA certificate, certificate revocation lists (CRLs), and enrollment controls (that is, xenroll.dll and scrdenrl.dll).

To display CA information

Syntax

certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [InfoName]

Parameters
-cainfo
Displays CA information.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

InfoName
Specifies the CA information that you want to display. Use one of the following values:

file
Displays information about the file version.

product
Displays the product version.

exitcount
Displays the exit module count.

exit [Index]
Displays the exit module description.

policy
Displays the policy module description.

name
Displays the CA name.

sanitizedname
Displays the sanitized CA name.

sharedfolder
Displays the shared folder.

error1 ErrorCode
Displays the error code message in the local language. For ErrorCode, specify the error code that you want to retrieve.

error2 ErrorCode
Displays the error code message and the error code in the local language. For ErrorCode, specify the error code that you want to retrieve.

type
Displays the CA type.

info
Displays the CA information.

parent
Displays the parent CA.

certcount
Displays the CA certificate count.

xchgcount
Displays the CA Exchange certificate count.

kracount
Displays the number of key recovery agent (KRA) certificates.

kraused
Displays the number of KRA certificates that are in use.

propidmax
Displays the maximum CA PropID.

certstate [Index]
Displays the CA certificate status.

certstatuscode [Index]
Displays the CA certificate verification status.

crlstate [Index]
Displays a certificate revocation list (CRL).

krastate [Index]
Displays a KRA certificate.

crossstate+ [Index]
Displays the forward cross-certification state.

crossstate- [Index]
Displays the backward cross-certification state.

cert [Index]
Displays a CA certificate.

certchain [Index]
Displays a CA certificate chain.

certcrlchain [Index]
Displays a CA certificate chain with CRLs.

xchg [Index]
Displays a CA exchange certificate.

xchgchain [Index]
Displays a CA exchange certificate chain.

xchgcrlchain [Index]
Displays a CA exchange certificate chain with CRLs.

kra [Index]
Displays a KRA certificate.

cross+ [Index]
Displays forward cross-certification information.

cross- [Index]
Displays backward cross-certification information.

crl [Index]
Displays a base CRL.

deltacrl [Index]
Displays a delta CRL.

crlstatus [Index]
Displays the CRL publish status.

deltacrlstatus [Index]
Displays the delta CRL publish status.

dns
Displays the DNS name.

role
Displays role separation.

ads
Displays Advanced Server.

templates
Displays the templates.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CA in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.

Examples

To display CA information, type:

certutil -cainfo

To display a CA certificate state disposition, type:

certutil -cainfo certstate

To display CRL information, type:

certutil -cainfo crlstate

To determine whether a CA has been renewed

Syntax

certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [certstate]

Parameters
-cainfo
Displays CA information.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

certstate
Returns a LONG containing a certificate state disposition.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CA in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAMachineName\CAName, the operation is processed using the default CA.

  • If the CA's index is greater than 0, the CA certificate has been renewed. The command output displays the index information.

  • If one of the older CA certificates expires and is regenerated by using the existing key, CRLs are not published for that CA key. If the CA has never been renewed with a new key, this prevents CRL generation. Generating and publishing a new CRL does not solve this problem, but you can use the CRL to help confirm the condition. To force the generation and publication of a CRL, type:

    certutil -crl

  • The update for this condition is provided in Windows 2000 Service Pack 3.

Examples

To display a CA certificate state disposition, type:

certutil -cainfo certstate

To change the length of the validity period for certificates issued from a CA

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\CAName | \ca}]\ValidityPeriod {"days" | "weeks" | "months" | "years"}

certutil -setreg [-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\CAName | \ca}]\ValidityPeriodUnits "UnitValue"

Parameters
-setreg
Sets or edits the registry key value.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

HKLM\system\currentcontrolset\services\certsvc\configuration\
Specifies the path to the ValidityPeriod and ValidityPeriodUnits registry keys.

CAName
Specifies the name of the CA.

ca
Specifies the default CA on the local computer.

\ValidityPeriod {"days" | "weeks" | "months" | "years"}
Sets the period of time that you want the certificate to be valid. Specify days, weeks, months, or years. Wrap the time period in quotation marks.

\ValidityPeriodUnits "UnitValue"
Sets the numeric value for ValidityPeriod.

-?
Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Examples

You can set an enterprise qualified subordinate CA to have a different certificate validity period than the parent CA. On the CA computer that is issuing the subordinate CA certificate, type the following commands to set the validity period to three months:

certutil -setreg ca\ValidityPeriod "months"

certutil -setreg ca\ValidityPeriodUnits "3"

To force a CA to include expired certificates in future base and delta CRLs

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS

Parameters
-setreg
Sets or edits the registry key value.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

ca
Specifies the CA registry key.

CRLFlags
Specifies the registry value name.

CRLF_PUBLISH_EXPIRED_CERT_CRLS
Specifies the new numeric or string registry value.

-?
Displays a list of certutil commands.

Remarks
  • You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.

  • With this command, you can verify the revocation status of a time-stamped certificate that has expired.

  • If a numeric registry value starts with a plus sign (+) or a dash (-), the bits specified in the new value are set or cleared in the existing registry value.

  • If a string registry value starts with a plus sign (+) or a dash (-) and the existing value is a REG_MULTI_SZ value, the string value is either added to or removed from the existing registry value.
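The two-command validity period procedure above and the CRLFlags change in this task are both certutil -setreg edits that should be verified and followed by a service restart. The following PowerShell wrapper is an added example, not code from the original page; the function and parameter names are assumptions, while the certutil switches, value names and the CRLF_PUBLISH_EXPIRED_CERT_CRLS flag are the ones the page documents.

```powershell
# Added example: apply a CA registry change with certutil -setreg, read it back with
# certutil -getreg, and optionally restart Certificate Services so it takes effect.
# Set-CaRegistryValue and Set-CaValidityPeriod are names chosen for this example.
function Set-CaRegistryValue {
    param(
        [Parameter(Mandatory)][string]$ValueName,   # e.g. 'ca\ValidityPeriod'
        [Parameter(Mandatory)][string]$NewValue,    # e.g. 'months' or '+CRLF_PUBLISH_EXPIRED_CERT_CRLS'
        [switch]$RestartCertSvc                     # CRLFlags changes need a restart (see Remarks)
    )
    & certutil -setreg $ValueName $NewValue | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg $ValueName failed with exit code $LASTEXITCODE"
    }
    # -getreg takes the same path syntax as -setreg; keep its output as the audit record.
    $readback = & certutil -getreg $ValueName
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -getreg $ValueName failed with exit code $LASTEXITCODE"
    }
    if ($RestartCertSvc) {
        Restart-Service -Name CertSvc
    }
    return $readback
}

# Validity period: set the unit first, then the count, as in the page's example.
$allowedUnits = 'days', 'weeks', 'months', 'years'
function Set-CaValidityPeriod {
    param(
        [Parameter(Mandatory)][string]$Unit,
        [Parameter(Mandatory)][int]$Count
    )
    if ($allowedUnits -notcontains $Unit.ToLower()) {
        throw "Unit must be one of: $($allowedUnits -join ', ')"
    }
    if ($Count -lt 1) { throw 'Count must be a positive integer' }
    Set-CaRegistryValue -ValueName 'ca\ValidityPeriod'      -NewValue $Unit.ToLower() | Out-Null
    # Restart so the CA picks up the new period for certificates it issues from now on.
    Set-CaRegistryValue -ValueName 'ca\ValidityPeriodUnits' -NewValue "$Count" -RestartCertSvc
}

# Three-month validity for certificates issued by this CA (the page's example values).
Set-CaValidityPeriod -Unit 'months' -Count 3

# Set only the publish-expired-certificates bit: the leading '+' tells certutil to OR
# the bit into the existing CRLFlags value instead of overwriting the other bits.
Set-CaRegistryValue -ValueName 'ca\CRLFlags' -NewValue '+CRLF_PUBLISH_EXPIRED_CERT_CRLS' -RestartCertSvc
```

Run it in an elevated session on the CA computer; the returned -getreg output is the record of what the registry now holds.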

To configure a CA to issue certificates beyond the default two-year limit

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] ca\ValidityPeriod "years"

certutil -setreg ca\ValidityPeriodUnits "2"

Parameters
-setreg
Sets or edits the registry key value.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

ca\ValidityPeriod "years"
Sets the validity length of the certificate to years.

ca\ValidityPeriodUnits "2"
Sets the "years" validity period value to two.

-?
Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To increase the session limit on the CA database

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] dbsessioncount 30

Parameters
-setreg
Sets or edits the registry key value.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

dbsessioncount 30
Specifies the new session limit.

-?
Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To disable or restore the enforcement of the distinguished name length on the CA

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] ca\ENFORCEX500NAMELENGTHS {0 | 1}

Parameters
-setreg
Sets or edits the specified registry value.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

ca\ENFORCEX500NAMELENGTHS
Specifies the path to the REG_DWORD\ENFORCEX500NAMELENGTHS registry value.

{0 | 1}
Specifies whether to disable (specify 0) or restore (specify 1) the default REG_DWORD\ENFORCEX500NAMELENGTHS registry value.

-?
Displays a list of certutil commands.

Remarks
  • You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.

  • Use this command when the subject name in a request is acceptable but the certificate server rejects the request because it exceeds the enforced distinguished name length.

Examples

To disable the organizational unit length enforcement on the server, type:

certutil -setreg ca\enforceX500namelengths 0

To restore the default REG_DWORD\ENFORCEX500NAMELENGTHS registry value, type:

certutil -setreg ca\enforceX500namelengths 1

Formatting legend

Italic
Information that the user must supply

Bold
Elements that the user must type exactly as shown

Ellipsis (...)
Parameter that can be repeated several times in a command line

Between brackets ([])
Optional items

Between braces ({}); choices separated by pipe (|). Example: {even|odd}
Set of choices from which the user must choose only one

Courier font
Code or program output