
Certutil tasks for managing certificates

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use certutil to perform a number of certificate management tasks.

To view the syntax for a specific task, click a task:

To validate that the certificate was issued by a specific CA

To verify the validity of a certificate

To install the CA certificate

To request a renewal CA certificate

To delete keys from the HKEY_LOCAL_MACHINE root store

To add Netscape-compatible Web-based revocation check extensions to every issued certificate

To retrieve the CA signing certificate and save it to a file

To retrieve the CA signing certificate and chain and save it to a PKCS #7 file

To import a certificate into the server database

To display the certificates in the Local Machine certificate store

To add a certificate or CRL to a local trusted root CA store

To view certificate stores

To verify all certificates in a store

To delete a certificate from the HKEY_LOCAL_MACHINE root store

To delete a certificate from the HKEY_CURRENT_USER root store

To validate that the certificate was issued by a specific CA

Syntax

certutil -verify [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-split] [-v] CertFile [CACertFile]

Parameters
-verify
Verifies the certificate chain.

-f
Overwrites existing files or keys.

-enterprise
Uses the local computer's enterprise registry certificate store.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-silent
Uses a silent flag to acquire CryptContext.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

CertFile
Specifies the certificate.

CACertFile
Specifies the CA signature certificate that contains the public key used to verify digital signatures.

-?
Displays a list of certutil commands.

Remarks
  • CertFile and CACertFile must both contain a single certificate, not a PKCS #7 certification chain.

  • This command-line option also verifies the revocation status of the CertFile certificate. If CertFile does not contain information on how to check revocation or if the necessary URLs or CRLs are not available, an error occurs.

  • If you do not specify CACertFile, the certification chain for CertFile is constructed by using certificates installed on the computer, and all certificates in the chain are verified and checked to see if they have been revoked.

To verify the validity of a certificate

Syntax

certutil -isvalid [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] {SerialNumber | CertHash}

Parameters
-isvalid
Determines whether the certificate is valid.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

SerialNumber
Specifies the serial number of the certificate.

CertHash
Specifies the certificate hash of the certificate.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • SerialNumber must be in hexadecimal format with an even number of digits. A single zero (0) can be prefixed to a value with an odd number of digits. A leading 0x is not allowed.

To install the CA certificate

Syntax

certutil -installcert [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [CACertFile]

Parameters
-installcert
Installs a CA certificate.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

CACertFile
Specifies the CA signature certificate that contains the public key that is used to verify digital signatures.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • A PKCS #7 certification chain is the preferred content for CACertFile. However, an X.509 v3 certificate is accepted if all of the certificates that will be used to form the chain are already installed on the local computer.

  • This command also completes subordinate CA certificate installation for a subordinate CA that generated a request, but has not yet received and installed its CA certificate.

  • This command also allows installation of a requested renewal CA certificate.

To request a renewal CA certificate

Syntax

certutil -renewcert [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [reusekeys] RequestFile

Parameters
-renewcert
Renews the CA certificate.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

reusekeys
Specifies to reuse the existing keys.

RequestFile
Specifies the file to which you want to save the renewal request.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • If an online parent CA does not exist or if it does not immediately issue a renewal CA certificate, use the -installCert command to complete the renewal certificate installation when the certificate is available.

To delete keys from the HKEY_LOCAL_MACHINE root store

Syntax

certutil -delkey [-user] [-gmt] [-seconds] [-silent] [-v] KeyContainerName [CSPName]

Parameters
-delkey
Deletes a private key from the host computer.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-silent
Uses a silent flag to acquire CryptContext.

-v
Specifies verbose output.

KeyContainerName
Specifies the container name of the key.

CSPName
Specifies the cryptographic service provider (CSP).

-?
Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valuable data on the computer.

  • The certutil -delkey command deletes a User or Machine private key. After it is deleted, any of the following scenarios might apply:

    • If it was not previously backed up or archived, the deleted key will be irretrievable.

    • If the deleted key was used for a certificate server signing key, the CA will be disabled and will not be able to issue new CRLs, which will effectively invalidate all of the certificates issued by the CA when the existing CRLs expire. You can replace other signing keys by re-enrolling for a new key and certificate.

    • If the deleted key was used for encrypting e-mail, previously received e-mail might be unreadable, unless you can recover it from a key management system like Key Management Service (KMS).

    • If the deleted key was used for encrypting files, an administrator with the appropriate credentials to create a Key Recovery Agent account might need to intervene and decrypt each file individually for the affected user.

    • Use -user to delete keys from the HKEY_CURRENT_USER root store.

To add Netscape-compatible Web-based revocation check extensions to every issued certificate

Syntax

certutil -setreg [-user] [-gmt] [-seconds] [-v] Policy\RevocationType {+ | -} REVEXT_ASPENABLE

Parameters
-setreg
Sets or edits the registry key value.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

Policy\RevocationType
Specifies the policy module and the certificate revocation configuration.

{+ | -}
Sets (+) or resets (-) the REVEXT_ASPENABLE flag.

REVEXT_ASPENABLE
Adds this extension to certificates issued by the CA.

-?
Displays a list of certutil commands.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valuable data on the computer.

To retrieve the CA signing certificate and save it to a file

Syntax

certutil -ca.cert [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] OutCACertFile [Index]

Parameters
-ca.cert
Retrieves the CA signing certificate.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

OutCACertFile
Specifies the CA file to which you want to write.

Index
Specifies the CA certificate that you want to retrieve. The default is the most current CA.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • The public key contained in this certificate is used to verify digital signatures on certificates issued by the CA.

To retrieve the CA signing certificate and chain and save it to a PKCS #7 file

Syntax

certutil -ca.chain [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] OutCACertChainFile [Index]

Parameters
-ca.chain
Retrieves the CA signing certificate and chain.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

OutCACertChainFile
Writes the CA signing certificate to the PKCS #7 file.

Index
Specifies the CA certificate that you want to retrieve. The default is the most current CA.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To import a certificate into the server database

Syntax

certutil -importcert [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] CertFile

Parameters
-importcert
Imports a certificate file into the database.

-f
Overwrites existing files or keys.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

CertFile
Specifies the certificate to import.

-?
Displays a list of certutil commands.

Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • You can use this command-line option to make a certificate revocable again after it has been inadvertently lost from the database, for example when the database was restored from an incomplete backup. Note that the server must have issued the certificate.

To display the certificates in the Local Machine certificate store

Syntax

certutil -store [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-split] [-v] [-dc DCName] CertificateStoreName [CertID [OutFile]]

Parameters
-store
Displays the certificates in the specified certificate store.

-f
Overwrites existing files or keys.

-enterprise
Uses the local computer Enterprise registry certificate store.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-silent
Uses a silent flag to acquire CryptContext.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-dc DCName
Targets a specific domain controller.

CertificateStoreName
Specifies one of the following store names:

Value             Description

ca                Specifies certificates in the Intermediate Certification Authorities store.

my                Specifies certificates issued to the current user.

root              Specifies certificates in the Trusted Root Certification Authorities store.

spc               Specifies software publisher certificates.

UserCreatedStore  Specifies the name of a user-created certificate store.

CertID
Specifies a certificate or certificate revocation list (CRL) match token.

OutFile
Specifies the file to which you want to write the displayed certificate information.

-?
Displays a list of certutil commands.

Remarks
  • If CertificateStoreName is not specified, the CA store is used.

  • Use the -user option to display certificate stores for the current user instead of the local computer.

  • CertID can be a serial number, a Secure Hash Algorithm (SHA-1) certificate, CRL, certificate trust list (CTL), or public key hash, a numeric certificate index (for example, 0, 1, and so on), a numeric CRL index (for example, .0, .1, and so on), a numeric CTL index (for example, ..0, ..1, and so on), a certificate subject common name or a CRL issuer common name. Many of these might result in multiple matches.

Examples

To view the certificates in the NTAuth store of the local computer, type:

certutil -store -enterprise NTAuth

To view the certificates in the "Root" store of the local computer with cert Index as 37, type:

certutil -store -enterprise Root 37

To view the certificate of the user that has the serial number 26e0aaaf000000000004 in the store named My, type:

certutil -store -user My 26e0aaaf000000000004

To view the CRL with index .11 in the store named CA, type:

certutil -store CA .11

To view the certificates store at Lightweight Directory Access Protocol (LDAP) location "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,DC=corp,DC=MyCorp,DC=com", type:

certutil -store ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,DC=corp,DC=MyCorp,DC=com

To add a certificate or CRL to a local trusted root CA store

Syntax

certutil -addstore [-f] [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc DCName] root InFile

Parameters
-addstore
Adds a certificate to a certificate store.

-f
Overwrites existing files or keys.

-enterprise
Uses the local computer Enterprise registry certificate store.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-dc DCName
Targets a specific domain controller.

root
Specifies the Trusted Root Certification Authorities store.

InFile
Specifies the file name of the certificate or certificate revocation list (CRL).

-?
Displays a list of certutil commands.

To view certificate stores

Syntax

certutil [{-viewstore | -viewdelstore}] [-f] [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc DCName] {my | ca | root | spc} ["CertIndex"]

Parameters
-viewstore
Views a certificate in the certificate store.

-viewdelstore
Deletes a certificate from the certificate store.

-f
Overwrites existing files or keys.

-enterprise
Uses the local computer Enterprise registry certificate store.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-dc DCName
Targets a specific domain controller.

my
Displays certificates issued to the local computer.

ca
Displays certificates in the Intermediate Certification Authorities store.

root
Displays certificates in the Trusted Root Certification Authorities store.

spc
Displays software publisher certificates.

"CertIndex"
Specifies a certificate or certificate revocation list (CRL) match token.

-?
Displays a list of certutil commands.

Remarks
  • To determine the CertIndex certificate hash value, which is the value following Cert Hash(sha1): in the certificate, do one of the following:

    • Dump a certificate store that contains the old certificate by typing:

      certutil -store [-user] root

    • Save the old certificate to a file and dump the file by typing:

      certutil file.cer

  • By default -viewstore opens the HKLM "CA" store. You can override this default to display any user or enterprise store by specifying -user or -enterprise after -viewstore.

  • If you do not close the user interface and you use -viewdelstore, you delete the selected certificate from the certificate store.

  • The user interface does not support saving certificates to files. You can run the following syntax to display all certificates, select the one you want, and then save it to a file:

    certutil /viewstore /enterprise NTAuth *.file.cer

    The local NTAuth store is the result of the last Group Policy download from the Active Directory NTAuth store. It is the store used by smart card logon, so viewing this store can be useful when troubleshooting smart card logon failures.

Examples

To open and view the local NTAuth store on the current computer, type:

certutil -viewstore -enterprise NTAuth

To delete a certificate, type:

certutil -delstore -enterprise NTAuth "CertIndex"
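The -store examples and the -viewstore remarks above identify a certificate by three kinds of token: a numeric index, a serial number (which, as the -isvalid remarks state, must be even-length hexadecimal with no 0x prefix), or the value that follows Cert Hash(sha1): in a certutil -store dump. The following Python script is an added example, not code from the original page or from Microsoft: it parses a constructed dump laid out like certutil -store output, derives the compact SHA-1 hash token for each entry, normalizes a typed serial number, and classifies which kind of CertID a token will be read as. The sample store contents, the names parse_store_dump, normalize_serial and classify_certid, and all serials, subjects and hashes are assumptions made for this example.

```python
"""Parse a certutil -store dump and derive CertID match tokens.

Added example, not code from the original page. The dump below is a
constructed sample laid out like certutil -store output: one
"================ Certificate N ================" banner per entry,
then "Serial Number:", "Issuer:", "Subject:" and "Cert Hash(sha1):"
lines. All serials, names and hashes are made up.
"""
import re

# Constructed sample dump of a local-machine "root" store (fake values).
SAMPLE_STORE_DUMP = """\
root
================ Certificate 0 ================
Serial Number: 0123456789abcdef
Issuer: CN=Contoso Root CA, DC=corp, DC=contoso, DC=com
 NotBefore: 1/1/2004 10:00 AM
 NotAfter: 1/1/2024 10:00 AM
Subject: CN=Contoso Root CA, DC=corp, DC=contoso, DC=com
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
================ Certificate 1 ================
Serial Number: 26e0aaaf000000000004
Issuer: CN=Contoso Root CA, DC=corp, DC=contoso, DC=com
Subject: CN=Contoso Issuing CA, DC=corp, DC=contoso, DC=com
Cert Hash(sha1): ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00 ff ee dd cc
CertUtil: -store command completed successfully.
"""

BANNER_RE = re.compile(r"^=+ Certificate (\d+) =+$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_store_dump(text):
    """Return one dict per certificate: index, serial, subject, subject_cn, sha1.

    sha1 is the "Cert Hash(sha1):" bytes joined without spaces, which is
    the form usable as a CertID / CertIndex token.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER_RE.match(line)
        if banner:
            current = {"index": int(banner.group(1)), "serial": None,
                       "subject": None, "subject_cn": None, "sha1": None}
            entries.append(current)
            continue
        if current is None:
            continue  # store name / preamble before the first banner
        if line.startswith("Serial Number:"):
            current["serial"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("Subject:"):
            subject = line.split(":", 1)[1].strip()
            current["subject"] = subject
            cn = re.search(r"CN=([^,]+)", subject)
            current["subject_cn"] = cn.group(1).strip() if cn else None
        elif line.startswith("Cert Hash(sha1):"):
            current["sha1"] = line.split(":", 1)[1].replace(" ", "").lower()
    return entries


def normalize_serial(serial):
    """Apply the -isvalid rules: hex only, no 0x prefix, even digit count."""
    s = serial.strip().lower()
    if s.startswith("0x"):
        raise ValueError("a leading 0x is not allowed")
    if not HEX_RE.match(s):
        raise ValueError("serial number must be hexadecimal")
    if len(s) % 2:
        s = "0" + s  # a single leading zero makes the digit count even
    return s


def classify_certid(token):
    """Say which kind of CertID match token certutil reads this as.

    Order matters: a pure-decimal string such as "37" is an index even
    though it is also valid hex, which is why one token can match more
    than one entry.
    """
    t = token.strip()
    if re.fullmatch(r"\.\.\d+", t):
        return "ctl index"
    if re.fullmatch(r"\.\d+", t):
        return "crl index"
    if t.isdigit():
        return "certificate index"
    low = t.lower()
    if HEX_RE.match(low) and len(low) == 40:
        return "sha1 hash"
    if HEX_RE.match(low) and len(low) % 2 == 0:
        return "serial number"
    return "common name"


if __name__ == "__main__":
    for e in parse_store_dump(SAMPLE_STORE_DUMP):
        print(e["index"], e["subject_cn"], e["sha1"], classify_certid(e["serial"]))
```

The compact sha1 value each entry yields is the token to pass as CertID or CertIndex to -store, -verifystore or -delstore; preferring it over a numeric index avoids acting on the wrong entry when the store order changes between the dump and the command.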

To verify all certificates in a store

Syntax

certutil -verifystore [-enterprise] [-user] [-gmt] [-seconds] [-split] [-v] [-dc DCName] CertificateStoreName [CertID]

Parameters
-verifystore
Verifies the certificate in a store.

-enterprise
Uses the local computer Enterprise registry certificate store.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v
Specifies verbose output.

-dc DCName
Targets a specific domain controller.

CertificateStoreName
Specifies the certificate store name.

CertID
Specifies a certificate or certificate revocation list (CRL) match token.

-?
Displays a list of certutil commands.

Remarks
  • This command is similar to -store.

  • This command verifies the associated private keys (if they exist) and verifies each certificate by building a chain from the installed CA and root certificates, then checks all certificates in the chain to make sure they are still valid and have not been revoked.

To delete a certificate from the HKEY_LOCAL_MACHINE root store

Syntax

certutil -delstore [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc DCName] root CertIndex

Parameters
-delstore
Deletes a certificate from the specified store.

-enterprise
Uses the local computer Enterprise registry certificate store.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-dc DCName
Targets a specific domain controller.

root
Specifies the root certificate store.

CertIndex
Specifies the hash value.

-?
Displays a list of certutil commands.

Remarks
  • To determine the CertIndex certificate hash value, which is the value following Cert Hash(sha1): in the certificate, do one of the following:

    • Dump a certificate store that contains the old certificate by typing:

      certutil -store [-user] root

    • Save the old certificate to a file and dump the file by typing:

      certutil file.cer

To delete a certificate from the HKEY_CURRENT_USER root store

Syntax

certutil -delstore [-enterprise] [-user] [-gmt] [-seconds] [-v] [-dc DCName] root -user CertIndex

Parameters
-delstore
Deletes a certificate from the specified store.

-enterprise
Uses the local computer Enterprise registry certificate store.

-user
Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt
Displays time as Greenwich mean time.

-seconds
Displays time with seconds and milliseconds.

-v
Specifies verbose output.

-dc DCName
Targets a specific domain controller.

root
Specifies the root certificate store.

-user
Specifies HKEY_CURRENT_USER certificate store.

CertIndex
Specifies the hash value.

-?
Displays a list of certutil commands.

Remarks
  • To determine the CertIndex certificate hash value, which is the value following Cert Hash(sha1): in the certificate, do one of the following:

    • Dump a certificate store that contains the old certificate by typing:

      certutil -store [-user] root

    • Save the old certificate to a file and dump the file by typing:

      certutil file.cer

  • Certutil -delstore is valid only for deleting certificates and CRLs. You must use -delkey to delete keys.

    Caution

    • The certutil -delkey command deletes a User or Machine private key. Once deleted, any of the following scenarios might apply:

      • If it was not previously backed up or archived, the deleted key will be irretrievable.

      • If the deleted key was used for a certificate server signing key, the CA will be disabled and will not be able to issue new CRLs, which will effectively invalidate all of the certificates issued by the CA when the existing CRLs expire. You can replace other signing keys by re-enrolling for a new key and certificate.

      • If the deleted key was used for encrypting e-mail, previously received e-mail might be unreadable, unless you can recover it from a key management system like Key Management Service (KMS).

      • If the deleted key was used for encrypting files, an administrator with the appropriate credentials to create a Key Recovery Agent account might need to intervene and decrypt each file individually for the affected user.

      • Use -user to delete keys from the HKEY_CURRENT_USER root store.

Examples

To delete the fifth certificate in the root store, type:

certutil -delstore root 5

Formatting legend

Format                                                                    Meaning

Italic                                                                    Information that the user must supply

Bold                                                                      Elements that the user must type exactly as shown

Ellipsis (...)                                                            Parameter that can be repeated several times in a command line

Between brackets ([])                                                     Optional items

Between braces ({}); choices separated by pipe (|). Example: {even|odd}   Set of choices from which the user must choose only one

Courier font                                                              Code or program output
