CERTUTIL.exe

Dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, verify certificates, key pairs or certificate chains.

CertUtil AD — Display AD templates / CAs / Computer object / Domain Controller

Display AD templates:

CertUtil [Options] -ADTemplate [Template] 
    Options:   [-f] [-v] [-user] [-ut] [-mt] [-dc DCName]

Display AD CAs:

CertUtil [Options] -ADCA [CAName] [-f] [-split] [-dc DCName]

Display Active Directory computer object information:

CertUtil [Options] -MachineInfo DomainName\MachineName$ [-v]

Display domain controller information:

CertUtil [Options] -DCInfo [Domain] [Verify | DeleteBad | DeleteAll]
    [-f] [-v] [-user] [-urlfetch] [-dc DCName] [-t Timeout] [Modifiers]
    
    To successfully run this command, use an account that is a member of Domain Admins or Enterprise Admins.

CertUtil DS — Directory Service DNs View / Delete / Publish certificate or CRL to Active Directory

Display directory service (DS) distinguished names (DNs):

CertUtil [Options] -ds [CommonName]
    Options: [-f] [-user] [-split] [-dc DCName]

Delete DS DNs:

CertUtil [Options] -dsDel [CommonName]
    Options: [-user] [-split] [-dc DCName]

Publish certificate or CRL to Active Directory:

CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
    Options: [-f] [-v] [-user] [-dc DCName]

CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]]
    Options: [-f] [-v] [-user] [-dc DCName]

CertFile : certificate file to publish
NTAuthCA : Publish cert to DS Enterprise store
RootCA : Publish cert to DS Trusted Root store
SubCA : Publish CA cert to DS CA object
CrossCA : Publish cross cert to DS CA object
KRA :  Publish cert to DS Key Recovery Agent object
User : Publish cert to User DS object
Machine : Publish cert to Machine DS object
CRLFile : CRL file to publish
DSCDPContainer : DS CDP container CN, usually the CA machine name
DSCDPCN : DS CDP object CN, usually based on the sanitized CA short name and key index
Use -f to create DS object.

Display DS certificates:

CertUtil [Options] -dsCert [FullDSDN] | [CertId [OutFile]]
    Options: [-Enterprise] [-user] [-config Machine\CAName] [-dc DCName]

Display DS CRLs:

CertUtil [Options] -dsCRL [FullDSDN] | [CRLIndex [OutFile]]
    Options: [-idispatch] [-Enterprise] [-user] [-config Machine\CAName] [-dc DCName]

Display DS delta CRLs:

CertUtil [Options] -dsDeltaCRL [FullDSDN] | [CRLIndex [OutFile]]
    Options: [-Enterprise] [-user] [-config Machine\CAName] [-dc DCName]

Display DS template attributes:

CertUtil [Options] -dsTemplate [Template]
    Options: [Silent] [-dc DCName]

Add DS templates:

CertUtil [Options] -dsAddTemplate TemplateInfFile
    Options: [-dc DCName]

CertUtil ping — Ping Active Directory Certificate Services interface

Ping Active Directory Certificate Services Request interface:

CertUtil [Options] -ping [MaxSecondsToWait | CAMachineList]
              [-v] [-config Machine\CAName] [-Anonymous] [-Kerberos]
                 [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

CAMachineList -- Comma-separated CA machine name list.
For a single machine, use a terminating comma.
Displays the site cost for each CA machine. Modifiers: SCEP CES CEP

Ping Active Directory Certificate Services Admin interface:

CertUtil [Options] -pingadmin [MaxSecondsToWait | CAMachineList]
              [-v] [-config Machine\CAName]

CAMachineList -- Comma-separated CA machine name list.
For a single machine, use a terminating comma.
Displays the site cost for each CA machine.

CertUtil shutdown — Shutdown Active Directory Certificate Services

Shutdown Active Directory Certificate Services:

CertUtil [Options] -shutdown
    [-v] [-config Machine\CAName]

CertUtil backup — Backup Active Directory Certificate Services / Database / Private Key

Backup Active Directory Certificate Services:

CertUtil [Options] -backup BackupDirectory [Incremental] [KeepLog]
    [-f] [-v] [-config Machine\CAName] [-p Password] [-ProtectTo SAMNameAndSIDList]

BackupDirectory : directory to store backed up data.
Incremental : perform incremental backup only (default is full backup).
KeepLog : preserve database log files (default is to truncate log files).

Backup Active Directory Certificate Services database:

CertUtil [Options] -backupDB BackupDirectory [Incremental] [KeepLog]
    [-f] [-v] [-config Machine\CAName]

BackupDirectory : directory to store backed up data.
Incremental : perform incremental backup only (default is full backup).
KeepLog : preserve database log files (default is to truncate log files).

Backup Active Directory Certificate Services certificate and private key:

CertUtil [Options] -backupKey BackupDirectory
    [-f] [-v] [-config Machine\CAName] [-p Password] [-t Timeout]

BackupDirectory : directory to store backed up PFX file.

CertUtil restore — Restore Active Directory Certificate Services / Database / Private key

Restore Active Directory Certificate Services:

CertUtil [Options] -restore BackupDirectory
    [-f] [-v] [-config Machine\CAName] [-p Password]

BackupDirectory : directory containing data to be restored.

Restore Active Directory Certificate Services database:

CertUtil [Options] -restoreDB BackupDirectory
    Options:  [-f] [-v] [-config Machine\CAName] [-p Password]

BackupDirectory : directory containing database files to be restored.

Restore Active Directory Certificate Services certificate and private key:

CertUtil [Options] -restoreKey [ BackupDirectory | PFXFile ]
    [-f] [-v] [-config Machine\CAName] [-p Password]

BackupDirectory : directory containing PFX file to be restored.
PFXFile : PFX file to be restored.

CertUtil convertepf — Convert PFX files to EPF file

Convert PFX files to EPF file:

CertUtil [Options] -ConvertEPF PFXInFileList EPFOutFile [cast | cast-] [V3CACertId][,Salt] 
              [-f] [-Silent] [-split] [-dc DCName] [-p Password] [-csp Provider]

PFXInFileList : Comma separated PFX input file list
EPFOutFile : EPF output file
cast : Use CAST 64 encryption
cast- : Use CAST 64 encryption (export)
V3CACertId : V3 CA Certificate match token. See -store CertId description.
Salt: EPF output file salt string

The password specified on the command line is a comma separated password list.
If more than one password is specified, the last password is used for the output file.
If only one password is provided or if the last password is "*", the user will be prompted for
the output file password.

CertUtil importkms — Import user keys and certificates into server database for key archival

Import user keys and certificates into server database for key archival:

CertUtil [Options] -ImportKMS UserKeyAndCertFile [CertId] [-f] [-v] [-silent] [-split] 
              [-config Machine\CAName] [-p Password] [-symkeyalg SymmetricKeyAlgorithm[,KeyLength]]

UserKeyAndCertFile : Data file containing user private keys and certificates to be archived.
This can be any of the following:
   Exchange Key Management Server (KMS) export file
   PFX file
CertId : KMS export file decryption certificate match token. See -store.
Use -f to import certificates not issued by the CA.

CertUtil importcert — Import a certificate file into the database

Import a certificate file into the database:

CertUtil [Options] -ImportCert Certfile [ExistingRow] 
    Options:   [-f] [-v] [-config Machine\CAName]

Use ExistingRow to import the certificate in place of a pending request for the same key.
Use -f to import certificates not issued by the CA. The CA might also need to be configured to support foreign certificate import: certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN

CertUtil exportpfx — Export/Import certificate and private key / Merge PFX file

Export the certificates and private keys:

CertUtil [Options] -exportPFX [CertificateStoreName] CertId PFXFile [Modifiers]

CertificateStoreName : Certificate store name. See -store.
CertId : The certificate or CRL match token.
PFXFile : PFX file to be written (exported).
Modifiers : Comma separated list of one or more of the following [defaults to personal machine store]:

CryptoAlgorithm= specifies the cryptographic algorithm to use for encrypting the PFX file, such as TripleDES-Sha1 or Aes256-Sha256.
EncryptCert : Encrypt the private key associated with the certificate with a password.
ExportParameters : Export the private key parameters in addition to the certificate and private key.
ExtendedProperties : Include all extended properties associated with the certificate in the output file.
NoEncryptCert : Export the private key without encrypting it.
NoChain : Don't export the certificate chain.
NoRoot : Don't export the root certificate.

Import certificate and private key:

CertUtil [Options] -importPFX [CertificateStoreName] PFXFile [Modifiers]  [-Enterprise]
    [-f] [-v] [-user] [-p Password] [-GroupPolicy] [-Silent] [-csp Provider]

CertificateStoreName : Certificate store name. See -store.
PFXFile :  PFX file to be imported.
Modifiers : Comma separated list of one or more of the following [defaults to personal machine store]:

AT_SIGNATURE : Change the KeySpec to Signature.
AT_KEYEXCHANGE : Change the KeySpec to Key Exchange.
NoExport : Make the private key non-exportable.
NoCert : Do not import the certificate.
NoChain : Do not import the certificate chain, End Entity certificate only.
NoRoot : Do not import the root certificate.
Protect : Protect keys with password.
NoProtect : Do not password protect keys.
Also accepted: ExportEncrypted, FriendlyName=, KeyFriendlyName=, KeyDescription=, ProtectHigh, Pkcs8, VSM

Merge PFX files:

CertUtil [Options] -MergePFX PFXInFileList PFXOutFile [ExtendedProperties] [-f] [-user]
    [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider] [Modifiers]

PFXInFileList : Comma separated PFX input file list
PFXOutFile : PFX output file
ExtendedProperties: Include extended properties.

Modifiers : Comma separated list of one or more of the following:

ExtendedProperties : Include extended properties.
NoEncryptCert : Do not encrypt the certificates.
EncryptCert : Encrypt the certificates.

The password specified on the command line is a comma separated password list.
If more than one password is specified, the last password is used for the output file.
If only one password is provided or if the last password is "*", the user will be prompted for
the output file password.

CertUtil store — Dump certificate store

Dump certificate store:

CertUtil [Options] -store [CertificateStoreName [CertId [OutputFile]]]
    [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName]

CertificateStoreName : Certificate store name.

Examples:
"My", "CA" (default), "Root"

"ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=...?cACertificate?one?objectClass=certificationAuthority" (View Root Certificates)

"ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=...?cACertificate?base?objectClass=certificationAuthority" (Modify Root Certificates)

"ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=...?certificateRevocationList?base?objectClass=cRLDistributionPoint" (View CRLs)

"ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=...?cACertificate?base?objectClass=certificationAuthority" (Enterprise CA Certificates)

ldap: (AD machine object certificates)
-user ldap: (AD user object certificates)

CertId :  Certificate or CRL match token. This can be:

a serial number, an SHA-1 certificate, CRL, CTL or public key hash,
a numeric cert index (0, 1, and so on),
a numeric CRL index (.0, .1, and so on),
a numeric CTL index (..0, ..1, and so on),
a public key, signature or extension ObjectId,
a certificate subject Common Name,
an e-mail address, UPN or DNS name,
a key container name or CSP name,
a template name or ObjectId,
an EKU or Application Policies ObjectId, or a CRL issuer Common Name.
Many of the above may result in multiple matches.

OutputFile :  File to save matching cert.

Use -user to access a user store instead of a machine store.
Use -enterprise to access a machine enterprise store.
Use -service to access a machine service store.
Use -grouppolicy to access a machine group policy store.

Examples:
-enterprise NTAuth
-enterprise Root 37
-user My 26e0aaaf000000000004
CA .11
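An added example, not part of the original reference: a PowerShell script that runs the "certutil -enterprise -store NTAuth" form shown above, parses the text dump into objects and flags any CA certificate whose SHA-1 thumbprint is not on an allowlist (an unexpected entry in NTAuth lets a CA issue certificates usable for domain logon). The thumbprints and CA names are constructed placeholders; the "Subject:" and "Cert Hash(sha1):" line formats are assumed from certutil's -store output.

```powershell
# Added example (not from the original page). Audits the NTAuthCertificates store
# against an allowlist of expected enterprise CA thumbprints.
$ExpectedNtAuthThumbprints = @(
    '0000000000000000000000000000000000000001',   # placeholder: CONTOSO-ROOT-CA
    '0000000000000000000000000000000000000002'    # placeholder: CONTOSO-ISSUING-CA
)

function Get-NtAuthCertificates {
    # Runs the documented store dump and turns each "Certificate N" block into an object.
    $lines = & certutil.exe -enterprise -store NTAuth 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -store NTAuth failed: $($lines -join ' ')" }

    $result  = @()
    $current = $null
    foreach ($line in $lines) {
        $text = "$line"
        if ($text -match '^=+ Certificate \d+ =+$') {
            if ($current) { $result += $current }
            $current = [pscustomobject]@{ Subject = $null; Thumbprint = $null }
        }
        elseif ($current -and $text -match '^Subject:\s*(.+?)\s*$') {
            $current.Subject = $Matches[1]
        }
        elseif ($current -and $text -match '^Cert Hash\(sha1\):\s*([0-9a-fA-F ]+?)\s*$') {
            # Older builds print the hash with spaces between bytes; normalise both forms.
            $current.Thumbprint = ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
    if ($current) { $result += $current }
    return $result
}

function Test-NtAuthStore {
    param([Parameter(Mandatory)][string[]]$Allowlist)
    $allow    = $Allowlist | ForEach-Object { $_.ToUpperInvariant() }
    $findings = @()
    foreach ($cert in Get-NtAuthCertificates) {
        if ($allow -notcontains $cert.Thumbprint) {
            $findings += [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Action     = 'Review; if not an approved enterprise CA, remove with certutil -viewdelstore'
            }
        }
    }
    return $findings
}

$unexpected = @(Test-NtAuthStore -Allowlist $ExpectedNtAuthThumbprints)
if ($unexpected.Count -eq 0) {
    Write-Host 'NTAuth store contains only approved CAs.'
} else {
    Write-Warning 'Unexpected CA certificate(s) in NTAuth:'
    $unexpected | Format-Table -AutoSize
}
```

Run it from an elevated, domain-joined session; the same parsing works for the other store names listed above (for example -enterprise Root) by changing the certutil arguments.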

CertUtil enumstore — Enumerate / Verify certificate store / Key Attestation Request / Verify Key set

Enumerate certificate stores:

CertUtil [Options] -enumstore [\\MachineName] [-Enterprise] [-user] [-GroupPolicy]

MachineName : remote machine name.

Verify certificate in store:

CertUtil [Options] -verifystore CertificateStoreName [CertId]
    [-f] [-v] [-enterprise] [-user]  [-GroupPolicy] [-silent] [-split] [-dc DCName] [-t Timeout]

Verify Key Attestation Request:

CertUtil [Options] -attest RequestFile
              [-user] [-Silent] [-split]

Verify public/private key set:

CertUtil [Options] -verifykeys [KeyContainerName CACertFile]
    [-f] [-v] [-user] [-silent] [-config Machine\CAName]

KeyContainerName : Key container name of the key to verify. Defaults to machine keys. Use -user for user keys.
CACertFile : Signing or encryption certificate file
If no arguments are specified, each signing CA cert is verified against its private key.
This operation can only be performed against a local CA or local keys.

CertUtil addstore — Add / Delete certificate to store / List Keys / Delete a Named key/Hello logon container

Add certificate to store:

CertUtil [Options] -addstore CertificateStoreName InFile
              [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

CertificateStoreName : Certificate store name. See -store for examples.
InFile : Certificate or CRL file to add to store.

Modifiers: Certs  CRLs  CTLs  Root  NoRoot

Delete certificate from store:

CertUtil [Options] -delstore CertificateStoreName CertId
    [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-Silent] [-dc DCName]

CertificateStoreName : Certificate store name. See -store for examples.
CertId : Certificate or CRL match token. See -store.
Valid only for deleting certificates and CRLs. Use -delkey to delete keys.

Delete Hello Logon container:

CertUtil [Options] -DeleteHelloContainer
     ** Users need to sign out after using this option for it to complete. **

List the keys stored in a key container:

CertUtil [Options] -key [KeyContainerName | -]
    Options: [-user] [-Silent] [-split] [-csp Provider] [-Location AlternateStorageLocation]

Where:
    KeyContainerName is the key container name for the key to verify.
    This option defaults to machine keys. To switch to user keys, use -user.
    Using the - sign refers to using the default key container.

Delete a named key container:

CertUtil [Options] -delkey KeyContainerName
   [-user] [-Silent] [-split] [-csp Provider] [-Location AlternateStorageLocation]

CertUtil viewdelstore — Dump or Delete certificate from store

Dump certificate store:

CertUtil [Options] -viewstore [CertificateStoreName [CertId [OutputFile]]]
              [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

CertificateStoreName : Certificate store name. See -store for examples.
CertId : Certificate or CRL match token. See -store for a list of formats.
OutputFile : file to save matching cert.

Use -user to access a user store instead of a machine store.
Use -enterprise to access a machine enterprise store.
Use -service to access a machine service store.
Use -grouppolicy to access a machine group policy store.

Examples:
-enterprise NTAuth
-enterprise Root 37
-user My 26e0aaaf000000000004
CA .11

Delete certificate from store:

CertUtil [Options] -viewdelstore [CertificateStoreName [CertId [OutputFile]]] 
    Options:   [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

CertificateStoreName : Certificate store name. See -store for examples.
CertId : Certificate or CRL match token. See -store for a list of formats.
OutputFile :  File to save matching cert.

Use -user to access a user store instead of a machine store.
Use -enterprise to access a machine enterprise store.
Use -service to access a machine service store.
Use -grouppolicy to access a machine group policy store.

Examples:
-enterprise NTAuth
-enterprise Root 37
-user My 26e0aaaf000000000004
CA .11

Use either of the following commands to delete certificates from within the NTAuthCertificates store:

certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com?cACertificate?base?objectclass=certificationAuthority"

certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com?cACertificate?base?objectclass=pKIEnrollmentService"

source: KB889250 Step by Step Decommission a Windows Enterprise CA.

CertUtil repairstore — Repair key association / update cert / key security descriptor

Repair key association or update certificate properties or key security descriptor:

CertUtil [Options] -repairstore CertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor]
    [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-csp Provider]

CertificateStoreName : Certificate store name. See -store for examples.
CertIdList : comma separated list of Certificate or CRL match tokens. See -store CertId description.
PropertyInfFile : INF file containing external properties:

[Properties]
19 = Empty ; Add archived property, OR:
19 = ; Remove archived property

11 = "{text}Friendly Name" ; Add friendly name property

127 = "{hex}" ; Add custom hexadecimal property
_continue_ = "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
_continue_ = "10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f"

2 = "{text}" ; Add Key Provider Information property
_continue_ = "Container=Container Name&"
_continue_ = "Provider=Microsoft Strong Cryptographic Provider&"
_continue_ = "ProviderType=1&"
_continue_ = "Flags=0&"
_continue_ = "KeySpec=2"

9 = "{text}" ; Add Enhanced Key Usage property
_continue_ = "1.3.6.1.5.5.7.3.2,"
_continue_ = "1.3.6.1.5.5.7.3.1,"

CertUtil decode — Decode a Hex or Base64-encoded file to binary

Decode a Hex-encoded file to binary:

CertUtil [-f] [-v] -decodehex InFile OutFile [encoding_type]

Decode Base64-encoded file to binary:

CertUtil [-f] [-v] -decode InFile OutFile

CertUtil encode — Encode a file to Base64 or Hex

Encode a binary file to Base64:

CertUtil [-f] [-v] -encode InFile OutFile [-UnicodeText]

Encode a file as Hex:

CertUtil [-f] [-v] -encodehex InFile OutFile Format
     Hex encoded files are around 3x larger than base64
     Examples of the Hex formats:

       CertUtil -encodehex -f strings64.exe strHex0.txt 0  - base64 with certificate headers.
       CertUtil -encodehex -f strings64.exe strHex1.txt 1  - base64 without certificate headers.
       CertUtil -encodehex -f strings64.exe strHex2.txt 2  - Pure binary (rarely used).
       CertUtil -encodehex -f strings64.exe strHex3.txt 3  - Base64, with request beginning and ending headers.
       CertUtil -encodehex -f strings64.exe strHex4.txt 4  - Hexadecimal only. (in columns with spaces).
       CertUtil -encodehex -f strings64.exe strHex5.txt 5  - Hexadecimal, with ASCII character display.
       CertUtil -encodehex -f strings64.exe strHex9.txt 9  - Base64, with X.509 CRL beginning and ending headers.
       CertUtil -encodehex -f strings64.exe strHx10.txt 10 - Hexadecimal, with address display.
       CertUtil -encodehex -f strings64.exe strHx11.txt 11 - Hexadecimal, with ASCII character and address display.
       CertUtil -encodehex -f strings64.exe strHx12.txt 12 - A raw hexadecimal string in one line.

CertUtil addecccurve — ECC Curve: Add/Delete/Display

Add ECC Curve:

CertUtil [Options] -addEccCurve [CurveClass:]CurveName CurveParameters [CurveOID] [CurveType] [-f]

      CurveClass:       -- ECC Curve Class Type:
                             - WEIERSTRASS [Default]
                             - MONTGOMERY 
                             - TWISTED_EDWARDS 

      CurveName         -- ECC Curve Name

      CurveParameters   -- ECC Curve Parameters. It is one of the following 
                             - Certificate Filename Containing ASN Encoded Parameters
                             - File Containing ASN Encoded Parameters

      CurveOID          -- ECC Curve OID. It is one of the following:
                             - Certificate Filename Containing ASN Encoded OID
                             - Explicit ECC Curve OID

      CurveType         -- Schannel ECC NamedCurve Point (Numeric)

Delete ECC Curve:

CertUtil [Options] -deleteEccCurve CurveName | CurveOID [-f]

    CurveName : ECC Curve Name
    CurveOID  : ECC Curve OID

Display ECC Curve:

CertUtil [Options] -displayEccCurve [CurveName | CurveOID] [-f]

    CurveName : ECC Curve Name
    CurveOID  : ECC Curve OID

CertUtil add-chain — Add [pre-]certificate chain

Add certificate chain:

CertUtil [Options] -add-chain LogId certificate OutFile [-f]

Add pre-certificate chain:

CertUtil [Options] -add-pre-chain LogId pre-certificate OutFile [-f]

CertUtil addenrollmentserver — Enrollment Server application Add / Delete

Add an Enrollment Server application:

CertUtil [Options] -addEnrollmentServer Kerberos | UserName | ClientCertificate

    options: [AllowRenewalsOnly] [AllowKeyBasedRenewal] [-f] [-config Machine\CAName] [Modifiers]

Add an Enrollment Server application and application pool if necessary, for the specified CA.
This command does not install binaries or packages.

addEnrollmentServer requires an authentication method for the client connection to the Certificate Enrollment Server; specify one of the following:

Kerberos : Use Kerberos SSL credentials
UserName : Use named account for SSL credentials
ClientCertificate : Use X.509 Certificate SSL credentials

Modifiers:
AllowRenewalsOnly : Only renewal requests can be submitted to this CA via this URL
AllowKeyBasedRenewal : Allows use of a certificate that has no associated account in the AD.
This applies only with ClientCertificate and AllowRenewalsOnly mode.

Delete an Enrollment Server application:

CertUtil [Options] -deleteEnrollmentServer Kerberos | UserName | ClientCertificate
    options: [-f] [-config Machine\CAName]

Delete an Enrollment Server application and application pool if necessary, for the specified CA.
This command does not remove binaries or packages.
Specify one of the following authentication methods, with which the client connects to the Certificate Enrollment Server:

Kerberos : Use Kerberos SSL credentials
UserName : Use named account for SSL credentials
ClientCertificate : Use X.509 Certificate SSL credentials

CertUtil enrollmentserverurl — Display, add or delete enrollment server URLs associated with a CA

Display, add or delete enrollment server URLs associated with a CA:

CertUtil [Options] -enrollmentServerURL [URL AuthenticationType [Priority] [Modifiers]]
    [-f] [-config Machine\CAName] [-dc DCName]

CertUtil [Options] -enrollmentServerURL URL delete 
    [-f] [-config Machine\CAName] [-dc DCName]

AuthenticationType: Specify one of the following client authentication methods while adding a URL:

Kerberos : Use Kerberos SSL credentials.
UserName : Use named account for SSL credentials.
ClientCertificate : Use X.509 Certificate SSL credentials.
Anonymous : Use anonymous SSL credentials.

delete : Delete the specified URL associated with the CA
Priority : Defaults to '1' if not specified when adding a URL
Modifiers : Comma separated list of one or more of the following:

AllowRenewalsOnly : Only renewal requests can be submitted to this CA via this URL
AllowKeyBasedRenewal : Allow use of a certificate that has no associated account in the AD.
This applies only with ClientCertificate and AllowRenewalsOnly Mode

CertUtil addpolicyserver — Policy Server application Add / Delete

Add a Policy Server application:

CertUtil [Options] -addPolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]

Add a policy server application and application pool if necessary.
This command does not install binaries or packages.
addPolicyServer requires an authentication method for the client connection to the Certificate Policy Server; specify one of the following:

Kerberos : Use Kerberos SSL credentials.
UserName : Use named account for SSL credentials.
ClientCertificate : Use X.509 Certificate SSL credentials.

KeyBasedRenewal : Allows use of policies returned to the client containing keybasedrenewal templates. This flag applies only for UserName and ClientCertificate authentication.

Delete a Policy Server application:

CertUtil [Options] -deletePolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]

Delete a policy server application and application pool if necessary.
This command does not remove binaries or packages.
deletePolicyServer requires an authentication method for the client connection to the Certificate Policy Server; specify one of the following:

Kerberos : Use Kerberos SSL credentials.
UserName : Use named account for SSL credentials.
ClientCertificate : Use X.509 Certificate SSL credentials.

KeyBasedRenewal : Allows use of a KeyBasedRenewal policy server.

CertUtil asn — Parse ASN.1 file

Parse an ASN.1-encoded file. Abstract Syntax Notation One (ASN.1) is a standard interface description language for data structures:

CertUtil [-f] -asn File [decoding_type]

CertUtil ca — Retrieve / Display certificate / Certificate chain / Enrollment Policy CAs

Display CA Information:

CertUtil [Options] -CAInfo [InfoName [Index | ErrorCode]]
              [-v] [-f] [-split] [-config Machine\CAName]

Index : Optional zero-based property index.
ErrorCode : Numeric error code.
InfoName : Indicates the CA property to display:

Use "*" for all properties.
ads - Advanced Server
aia [Index] - AIA URLs
cdp [Index] - CDP URLs
cert [Index] - CA cert
certchain [Index] - CA cert chain
certcount - CA cert count
certcrlchain [Index] - CA cert chain with CRLs
certstate [Index] - CA cert
certstatuscode [Index] - CA cert verify status
certversion [Index] - CA cert version
CRL [Index] - Base CRL
crlstate [Index] - CRL
crlstatus [Index] - CRL Publish Status
cross- [Index] - Backward cross cert
cross+ [Index] - Forward cross cert
crossstate- [Index] - Backward cross cert
crossstate+ [Index] - Forward cross cert
deltacrl [Index] - Delta CRL
deltacrlstatus [Index] - Delta CRL Publish Status
dns - DNS Name
dsname - Sanitized CA short name (DS name)
error1 ErrorCode - Error message text
error2 ErrorCode - Error message text and error code
exit [Index] - Exit module description
exitcount - Exit module count
file - File version
info - CA info
kra [Index] - KRA cert
kracount - KRA cert count
krastate [Index] - KRA cert
kraused - KRA cert used count
localename - CA locale name
name - CA name
ocsp [Index] - OCSP URLs
parent - Parent CA
policy - Policy module description
product - Product version
propidmax - Maximum CA PropId
role - Role Separation
sanitizedname - Sanitized CA name
sharedfolder - Shared folder
subjecttemplateoids - Subject Template OIDs
templates - Templates
type - CA type
xchg [Index] - CA exchange cert
xchgchain [Index] - CA exchange cert chain
xchgcount - CA exchange cert count
xchgcrlchain [Index] - CA exchange cert chain with CRLs

Retrieve the CA’s certificate:

CertUtil [Options] -ca.cert OutCACertFile [Index]
              [-f] [-v] [-split] [-config Machine\CAName]

OutCACertFile: output file.
Index: CA certificate renewal index (defaults to most recent).

Retrieve the CA’s certificate chain:

CertUtil [Options] -ca.chain OutCACertChainFile [Index]
              [-f] [-v] [-split] [-config Machine\CAName]

OutCACertChainFile: output file.
Index: CA certificate renewal index (defaults to most recent).

Display Enrollment Policy CAs:

CertUtil [Options] -CA [CAName | TemplateName] [-f] [-user] [-silent]
   [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos]
      [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

CertUtil entinfo — Display CA / Enterprise CA information

Display Enterprise CA information:

CertUtil [Options] -EntInfo DomainName\MachineName$
    Options:   [-f] [-v] [-user]

Display CA information:

CertUtil [Options] -TCAInfo [DomainDN | -]
    Options:   [-f] [-v] [-enterprise] [-user] [-urlfetch] [-dc DCName] [-t Timeout]

CertUtil class — Display COM registry information

Display COM registry information:

CertUtil [Options] -Class [ClassId | ProgId | DllName | *]

   Options:
     -f                -- Force overwrite
     -Unicode          -- Write redirected output in Unicode
     -gmt              -- Display times as GMT
     -seconds          -- Display times with seconds and milliseconds
     -v                -- Verbose operation
     -privatekey       -- Display password and private key data
     -pin PIN                  -- Smart Card PIN
     -sid WELL_KNOWN_SID_TYPE  -- Numeric SID
            22 -- Local System
            23 -- Local Service
            24 -- Network Service

The ClassID can be found under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
e.g.
certutil -class 04731B67-D933-450A-90E6-4ACD2E9408FE

CertUtil crl — Get or Publish a Certificate Revocation List (CRL)

Get CRL:

CertUtil [Options] -GetCRL OutFile [Index] [delta]
              [-f] [-v] [-split] [-config Machine\CAName]

Index : CRL index or key index (defaults to CRL for newest key).
delta : delta CRL (default is base CRL).

Publish new CRLs [or delta CRLs only]:

CertUtil [Options] -CRL [dd:hh | republish] [delta]
              [-v] [-split] [-config Machine\CAName]

dd:hh -- new CRL validity period in days and hours.
republish : republish most recent CRLs.
delta : delta CRLs only (default is base and delta CRLs).

CertUtil credstore — Display, add or delete Credential Store entries

Display, add or delete Credential Store entries:

CertUtil [Options] -CredStore [URL]
    [-f] [-user] [-silent] [-Anonymous] [-Kerberos]
                 [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

CertUtil [Options] -CredStore URL add 
    [-f] [-user] [-silent] [-Anonymous] [-Kerberos]
                 [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

CertUtil [Options] -CredStore URL delete
    [-f] [-user] [-silent] [-Anonymous] [-Kerberos]
       [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

URL : Target URL. Use * to match all entries. Use https://machine* to match a URL prefix.
add : Add a Credential Store entry. SSL credentials must also be specified.
delete : Delete Credential Store entries
-f : use -f to overwrite an entry or to delete multiple entries.

CertUtil csplist — List/Test cryptographic service providers (CSPs)

List the cryptographic service providers (CSPs) installed on this machine for cryptographic operations:

CertUtil [Options] -csplist [Algorithm]
    Options: [-user] [-Silent] [-csp Provider]

Test the CSPs installed on this machine:

CertUtil [Options] -csptest [Algorithm]
    Options: [-user] [-Silent] [-csp Provider]

Display CNG cryptographic configuration on this machine:

CertUtil [Options] -CNGConfig
    Options: [-Silent]

CertUtil downloadocsp — Download OCSP Responses and Write to Directory

Download Online Certificate Status Protocol (OCSP) Responses and Write to Directory:

CertUtil [Options] -downloadOcsp CertificateDir OcspDir [ThreadCount] [Modifiers]
    CertificateDir : directory of certificate, store and PFX files.
    OcspDir        : directory to write OCSP responses.
    ThreadCount    : optional maximum number of threads for concurrent downloading. Default is 10.
    Modifiers : Comma separated list of one or more of the following:
                DownloadOnce : Download once and exit
                ReadOcsp     : Read from OcspDir instead of writing

    By default, CertUtil won’t exit and must be explicitly terminated.
    An OCSP response will contain either ‘good’, ‘revoked’ or ‘unknown’.

CertUtil databaselocations — Display Dynamic File List / Database / File Hash

Display dynamic file List:

CertUtil [Options] -dynamicfilelist
    [-v] [-config Machine\CAName]

Display database locations:

CertUtil [Options] -databaselocations
    [-v] [-config Machine\CAName]

Generate and display cryptographic hash over a file:

CertUtil [Options] -hashfile InFile [HashAlgorithm] [-v]

CertUtil dump — Dump (read config information) from a certificate file

Dump (read config information) from a certificate file:

CertUtil [Options] [-dump] [File]
              [-f] [-silent] [-split] [-p Password] [-t Timeout]

Dump PFX structure:

CertUtil [Options] -dumpPFX File
    options: [-f] [-Silent] [-split] [-p Password] [-csp Provider]

CertUtil db — Dump Certificate Schema / Certificate View / Raw Database

Dump Certificate Schema:

CertUtil [Options] -schema [Ext | Attrib | CRL]
    options: [-v] [-split] [-config Machine\CAName]

Ext : Extension table.
Attrib : Attribute table.
CRL : CRL table.
Defaults to Request and Certificate table.

Dump Certificate View:

CertUtil [Options] -view [Queue | Log | LogFail | Revoked | Ext | Attrib | CRL] [csv]
    options: [-v] [-silent] [-split] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

Queue : Request queue.
Log :  Issued or revoked certificates, plus failed requests.
LogFail : Failed requests.
Revoked : Revoked certificates.
Ext :  Extension table.
Attrib : Attribute table.
CRL :  CRL table.
csv :  Output as Comma Separated Values.

To display the StatusCode column for all entries: -out StatusCode
To display all columns for the last entry: -restrict "RequestId==$"
To display RequestId and Disposition for three requests:
-restrict "RequestId>=37,RequestId<40" -out "RequestId,Disposition"
To display Row Ids and CRL Numbers for all Base CRLs: -restrict "CRLMinBase=0" -out "CRLRowId,CRLNumber" CRL
To display Base CRL Number 3: -v -restrict "CRLMinBase=0,CRLNumber=3" -out "CRLRawCRL" CRL
To display the entire CRL table: CRL
Use "Date[+|-dd:hh]" for date restrictions. Use "now+dd:hh" for a date relative to the current time.

Dump Raw Database:

CertUtil [Options] -db
    [-v] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]
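The -view/-restrict/-out examples above are easiest to use from a script. The following is an added example, not code from the CertUtil reference: it lists issued certificates that expire within N days, relying on the -out column order rather than on certutil's localized CSV header. It assumes certutil can reach the CA; the -config value 'Machine\CAName' is a placeholder, and the sample output is constructed so the function can be exercised offline.

```powershell
# Added example, not part of the CertUtil reference: audit soon-to-expire issued
# certificates by combining -view, -restrict, -out and csv output.
# Assumptions: certutil.exe can reach the CA; $Config ('Machine\CAName') is a placeholder.

function Get-ExpiringIssuedCerts {
    param(
        [int]$Days = 30,
        [string]$Config,          # optional 'Machine\CAName'; omitted = default CA
        [string[]]$RawCsv         # pre-captured certutil output (used for offline runs)
    )
    # The -out column order is what the parser relies on; certutil's own header line is
    # localized display text, so it is skipped and replaced with these names.
    $columns = 'RequestId,RequesterName,CertificateTemplate,SerialNumber,NotAfter'
    if (-not $RawCsv) {
        $cuArgs = @('-view')
        if ($Config) { $cuArgs += @('-config', $Config) }
        # Disposition 20 = certificate issued. Dates use the "now+dd:hh" relative syntax.
        $cuArgs += @('-restrict', "Disposition=20,NotAfter>=now,NotAfter<=now+${Days}:00",
                     '-out', $columns, 'csv')
        $RawCsv = & certutil.exe @cuArgs
    }
    $rows = $RawCsv |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |   # drop blanks and the status trailer
        Select-Object -Skip 1 |                                 # drop the localized header line
        ConvertFrom-Csv -Header ($columns -split ',')
    foreach ($r in $rows) {
        # certutil prints dates in the current culture, so parse with it
        try   { $notAfter = [datetime]::Parse($r.NotAfter) }
        catch { Write-Warning "Unparseable NotAfter for RequestId $($r.RequestId): $($r.NotAfter)"; continue }
        [pscustomobject]@{
            RequestId    = [int]$r.RequestId
            Requester    = $r.RequesterName
            Template     = $r.CertificateTemplate
            SerialNumber = $r.SerialNumber
            NotAfter     = $notAfter
            DaysLeft     = [int][math]::Round(($notAfter - (Get-Date)).TotalDays)
        }
    }
}

# Constructed sample in the shape "certutil -view ... csv" produces (header, rows, trailer),
# so the function runs without a CA. Dates are generated relative to now.
$sample = @(
    '"Issued Request ID","Requester Name","Certificate Template","Serial Number","Certificate Expiration Date"',
    ('"37","CONTOSO\alice","User","6100000025a3","{0}"' -f (Get-Date).AddDays(12).ToString('g')),
    ('"38","CONTOSO\web01$","WebServer","6100000026b7","{0}"' -f (Get-Date).AddDays(27).ToString('g')),
    '',
    'CertUtil: -view command completed successfully.'
)
Get-ExpiringIssuedCerts -RawCsv $sample | Sort-Object DaysLeft | Format-Table -AutoSize
```

Omit -RawCsv to query a live CA; add -config to target one CA when the default configuration string is not the one you want.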

CertUtil deleterow — Delete server database row

Delete server database row:

CertUtil [Options] -deleterow RowId | Date [Request | Cert | Ext | Attrib | CRL] 
    [-f] [-v] [-config Machine\CAName]

Request : Failed and pending requests (submission date).
Cert : Expired and revoked certificates (expiration date).
Ext :  Extension table.
Attrib : Attribute table.
CRL :  CRL table (expiration date).

To delete failed and pending requests submitted by January 22, 2024: 1/22/2024 Request
To delete all certificates that expired by January 22, 2024: 1/22/2024 Cert
To delete the certificate row, attributes and extensions for RequestId 37: 37
To delete CRLs that expired by January 22, 2024: 1/22/2024 CRL [-f] [-config Machine\CAName]

CertUtil deny — Pending requests

Deny pending request:

CertUtil [Options] -deny RequestId 
              [-v] [-config Machine\CAName]

Resubmit pending request:

CertUtil [Options] -resubmit RequestId
              [-v] [-config Machine\CAName]

Set attributes for pending request:

CertUtil [Options] -setattributes RequestId AttributeString
              [-v] [-config Machine\CAName]

RequestId : Numeric Request Id of pending request.
AttributeString : Request Attribute name and value pairs.

Names and values are colon separated. Multiple name, value pairs are newline separated.
Example: "CertificateTemplate:User\nEMail:User@Domain.com"
Each "\n" sequence is converted to a newline separator.

CertUtil setextension — Set extension for pending request

Set extension for pending request:

CertUtil [Options] -setextension RequestId ExtensionName Flags {Long | Date | String | @InFile}
              [-v] [-config Machine\CAName]

RequestId :  Numeric Request Id of a pending request.
ExtensionName :  ObjectId string of the extension.
Flags :  0 is recommended. 1 makes the extension critical, 2 disables it, 3 does both.

If the last parameter is numeric, it is taken as a Long. If it can be parsed as a date, it is taken as a Date.
If it starts with '@', the rest of the token is the filename containing binary data or an ascii-text hex dump.
Anything else is taken as a String.

CertUtil setcasites — Set, Verify or Delete CA site names

Set, Verify or Delete CA site names:

CertUtil [Options] -SetCASites [set] [Sitename]
CertUtil [Options] -SetCASites verify [Sitename]
CertUtil [Options] -SetCASites delete

   Options:   [-f] [-v] [-config Machine\CAName] [-dc DCName]

Use the -config option to target a single CA (Default is all CAs)
Sitename is allowed only when targeting a single CA
Use -f to override validation errors for the specified Sitename
Use -f to delete all CA site names

CertUtil error — Display error code message text

Display error code message text:

CertUtil [-v] -error ErrorCode

CertUtil flushcache — Flush specified caches in selected process

Flush specified caches in selected process, such as, lsass.exe:

CertUtil [Options] -flushCache ProcessId CacheMask [Modifiers]
    ProcessId : numeric id of process to flush. Set to 0 to flush all processes where flush is enabled.
    CacheMask : bit mask of caches to be flushed. Numeric OR of following bits:
            0x01 : CERT_WNF_FLUSH_CACHE_REVOCATION
            0x02 : CERT_WNF_FLUSH_CACHE_OFFLINE_URL
            0x04 : CERT_WNF_FLUSH_CACHE_MACHINE_CHAIN_ENGINE
            0x08 : CERT_WNF_FLUSH_CACHE_USER_CHAIN_ENGINES
            0x10 : CERT_WNF_FLUSH_CACHE_SERIAL_CHAIN_CERTS
            0x20 : CERT_WNF_FLUSH_CACHE_SSL_TIME_CERTS
            0x40 : CERT_WNF_FLUSH_CACHE_OCSP_STAPLING
               0 : ShowOnly
    Modifiers : Comma separated list of one or more of the following:
                Show : Show caches being flushed. Certutil must be explicitly terminated.

CertUtil generatepinrulesctl — Generate Pin Rules Certificate Trust List (CTL)

Generate Pin Rules CTL:

CertUtil [Options] -generatePinRulesCTL XMLFile CTLFile [SSTFile [QueryFilesPrefix]] [-f]
    XMLFile : Input XML file to be parsed.
    CTLFile : Output CTL file to be generated.
    SSTFile : optional .sst file to be created.
         The .sst file contains all of the certificates used for pinning.
    QueryFilesPrefix -- optional Domains.csv and Keys.csv files to be created for database query.
         The QueryFilesPrefix string is prepended to each created file.
         The Domains.csv file contains rule name, domain rows.
         The Keys.csv file contains rule name, key SHA256 thumbprint rows.

CertUtil generatehpkpheader — Generate HTTP Public Key Pinning (HPKP) header

HTTP Public Key Pinning (HPKP) is an obsolete Internet security mechanism delivered via an HTTP header.
Generate HPKP header using certificates in specified file or directory:

CertUtil [Options] -generateHpkpHeader CertFileOrDir MaxAge [ReportUri] [Modifiers]

    CertFileOrDir  : file or directory of certificates. Source of pin-sha256.
    MaxAge         : max-age value in seconds.
    ReportUri      : optional report-uri.
    Modifiers  : Comma separated list of one or more of the following:
                 includeSubDomains : append includeSubDomains.

CertUtil getcert — Select a certificate from a selection UI

Select a certificate from a selection UI:

certutil [Options] -getcert [ObjectId | ERA | KRA [CommonName]]
    options: [-Silent] [-split]

CertUtil getreg — Registry value Display / Set / Delete

Display registry value:

CertUtil [Options] -getreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\[ProgId\]] [RegistryName] RegistryValue
    [-f] [-Enterprise] [-user] [-GroupPolicy] [-config Machine\CAName]

ca :  Use CA’s registry key
restore : Use CA’s restore registry key
policy : Use policy module’s registry key
exit :  Use first exit module’s registry key
template : Use template registry key (use -user for user templates)
enroll : Use enrollment registry key (use -user for user context)
chain :  Use chain configuration registry key
PolicyServers : Use Policy Servers registry key
ProgId :  Use policy or exit module’s ProgId (registry subkey name)
RegistryName : registry value name (use "Name*" to prefix match)
RegistryValue : Numeric, string or date registry value or filename:

If a numeric value starts with "+" or "-", the bits specified in the new value are set or cleared in the existing registry value.

If a string value starts with "+" or "-", and the existing value is a REG_MULTI_SZ value, the string is added to or removed from
the existing registry value.
To force creation of a REG_MULTI_SZ value, add a "\n" to the end of the string value.

If the value starts with "@", the rest of the value is the name of the file containing the hexadecimal text representation
of a binary value. If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh] -- an optional date plus or minus optional
days and hours. If both are specified, use a plus sign (+) or minus sign (-) separator. Use "now+dd:hh" for a date relative to the current time.
Use "i64" as a suffix to create a REG_QWORD value.

    Registry Aliases:
      Config
      CA
      Policy         PolicyModules
      Exit           ExitModules
      Restore        RestoreInProgress
      Template       Software\Microsoft\Cryptography\CertificateTemplateCache
      Enroll         Software\Microsoft\Cryptography\AutoEnrollment (Software\Policies\Microsoft\Cryptography\AutoEnrollment)
      MSCEP          Software\Microsoft\Cryptography\MSCEP
      Chain          Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
      PolicyServers  Software\Microsoft\Cryptography\PolicyServers (Software\Policies\Microsoft\Cryptography\PolicyServers)
      Crypt32        System\CurrentControlSet\Services\crypt32
      NGC            System\CurrentControlSet\Control\Cryptography\Ngc
      AutoUpdate     Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
      Passport       Software\Policies\Microsoft\PassportForWork
      MDM            Software\Microsoft\Policies\PassportForWork

    Use "chain\ChainCacheResyncFiletime @now" to effectively flush cached CRLs.

Set registry value:

CertUtil [Options] -setreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\[ProgId\]]
     [RegistryValueName] Value

    Options:   [-f] [-user] [-GroupPolicy] [-config Machine\CAName]

Key:
ca :  Use CA’s registry key
restore : Use CA’s restore registry key
policy : Use policy module’s registry key
exit :  Use first exit module’s registry key
template : Use template registry key (use -user for user templates)
enroll : Use enrollment registry key (use -user for user context)
chain :  Use chain configuration registry key
PolicyServers : Use Policy Servers registry key
ProgId : Use policy or exit module’s ProgId (registry subkey name)
RegistryValueName : registry value name (use "Name*" to prefix match)
Value : New numeric, string or date registry value or filename:

If a numeric value starts with "+" or "-", the bits specified in the new value are set or cleared in the existing registry value. If a string value
starts with "+" or "-", and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value.
To force creation of a REG_MULTI_SZ value, add a "\n" to the end of the string value. If the value starts with "@", the rest of the value is the name of the file containing the hexadecimal text representation of a binary value.
If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh] -- an optional date plus or minus optional days and hours.
If both are specified, use a plus sign (+) or minus sign (-) separator.
Use "now+dd:hh" for a date relative to the current time.
Use "chain\ChainCacheResyncFiletime @now" to effectively flush cached CRLs.

Delete registry value:

CertUtil [Options] -delreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\[ProgId\]] [RegistryValueName]
              [-f] [-Enterprise] [-user] [-GroupPolicy] [-config Machine\CAName]

ca :  Use CA’s registry key
restore : Use CA’s restore registry key
policy : Use policy module’s registry key
exit :  Use first exit module’s registry key
template : Use template registry key (use -user for user templates)
enroll : Use enrollment registry key (use -user for user context)
chain :  Use chain configuration registry key
PolicyServers : Use Policy Servers registry key
ProgId : Use policy or exit module’s ProgId (registry subkey name)
RegistryValueName : Registry value name (use "Name*" to prefix match)

    Registry Aliases: See CertUtil -getreg above

CertUtil get-sth — Get signed tree head / tree head changes

Get signed tree head:

CertUtil [Options] -get-sth [LogId] [-f]

Get signed tree head changes:

CertUtil [Options] -get-sth-consistency LogId TreeSize1 TreeSize2 [-f]

CertUtil get-entries — Get Entries / Proof by hash / Roots / Entry and proof

Get entries:

CertUtil [Options] -get-entries LogId FirstIndex LastIndex [-f]

Get proof by hash:

CertUtil [Options] -get-proof-by-hash LogId Hash [TreeSize] [-f]

Get roots:

CertUtil [Options] -get-roots LogId [-f]

Get entry and proof:

CertUtil [Options] -get-entry-and-proof LogId Index [TreeSize] [-f]

CertUtil getkey — Retrieve archived private key recovery blob, generate a recovery script, or recover archived keys

Retrieve archived private key recovery blob, generate a recovery script, or recover archived keys:

CertUtil [Options] -GetKey SearchToken [RecoveryBlobOutFile]
    [-f] [-v] [-UnicodeText] [-silent] [-config Machine\CAName] [-p Password]
                  [-ProtectTo SAMNameAndSIDList] [-csp Provider]

CertUtil [Options] -GetKey SearchToken Script OutputScriptFile
    [-f] [-v] [-UnicodeText] [-silent] [-config Machine\CAName] [-p Password]
                  [-ProtectTo SAMNameAndSIDList] [-csp Provider]

CertUtil [Options] -GetKey SearchToken retrieve | recover OutputFileBaseName
    [-f] [-v] [-UnicodeText] [-silent] [-config Machine\CAName] [-p Password]
                  [-ProtectTo SAMNameAndSIDList] [-csp Provider]

Script : generate a script to retrieve and recover keys (default behavior if multiple matching recovery candidates are found, or if
the output file is not specified).
retrieve : retrieve one or more Key Recovery Blobs (default behavior if exactly one matching recovery candidate is found, and if the output file is specified)
recover : retrieve and recover private keys in one step (requires Key Recovery Agent certificates and private keys)
SearchToken : Used to select the keys and certificates to be recovered, any of the following:
  Certificate Common Name
  Certificate Serial Number
  Certificate SHA-1 hash (thumbprint)
  Certificate KeyId SHA-1 hash (Subject Key Identifier)
  Requester Name (domain\user)
  UPN (user@domain)

RecoveryBlobOutFile : output file containing a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates.
OutputScriptFile : output file containing a batch script to retrieve and recover private keys.
OutputFileBaseName : output file base name. For retrieve, any extension is truncated and a certificate-specific string and the .rec extension are appended for each key recovery blob. Each file contains a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates. For recover, any extension is truncated and the .p12 extension is appended; the file contains the recovered certificate chains and associated private keys, stored as a PFX file.

CertUtil recoverkey — Recover archived private key

Recover archived private key:

CertUtil [Options] -RecoverKey RecoveryBlobInFile [PFXOutFile [RecipientIndex]] [-f] [-user]
    [-silent] [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider] [-t Timeout]

CertUtil installcert — Install / Renew Certification Authority certificate

Install Certification Authority certificate:

CertUtil [Options] -installCert [CACertFile]
              [-f] [-v] [-silent] [-config Machine\CAName]

Renew Certification Authority certificate:

CertUtil [Options] -renewCert [ReuseKeys] [Machine\ParentCAName]
              [-f] [-v] [-silent] [-config Machine\CAName]
    Use -f to ignore an outstanding renewal request, and generate a new request.

CertUtil revoke — Revoke Certificate

Revoke Certificate:

CertUtil [Options] -revoke SerialNumber [Reason]
             [-v] [-config Machine\CAName]

    SerialNumber: Comma separated list of certificate serial numbers to revoke 
    Reason: numeric or symbolic revocation reason
     0: CRL_REASON_UNSPECIFIED: Unspecified (default)
     1: CRL_REASON_KEY_COMPROMISE: Key Compromise
     2: CRL_REASON_CA_COMPROMISE: CA Compromise
     3: CRL_REASON_AFFILIATION_CHANGED: Affiliation Changed
     4: CRL_REASON_SUPERSEDED: Superseded
     5: CRL_REASON_CESSATION_OF_OPERATION: Cessation of Operation
     6: CRL_REASON_CERTIFICATE_HOLD: Certificate Hold
     8: CRL_REASON_REMOVE_FROM_CRL: Remove From CRL
     9: CRL_REASON_PRIVILEGE_WITHDRAWN: Privilege Withdrawn
    10: CRL_REASON_AA_COMPROMISE: AA Compromise
    -1: Unrevoke: Unrevoke

CertUtil isvalid/getconfig — Display current/default certificate disposition/config

Display current certificate disposition:

CertUtil [Options] -isvalid SerialNumber | CertHash
              [-v] [-config Machine\CAName]

Get default configuration string:

CertUtil [Options] -getconfig
              [-idispatch] [-v] [-config Machine\CAName]

Get default configuration string via ICertGetConfig:

CertUtil [Options] -getconfig2
              [-idispatch] [-v] [-config Machine\CAName]

Get default configuration string via ICertConfig:

CertUtil [Options] -getconfig3
              [-idispatch] [-v] [-config Machine\CAName]

CertUtil oid — Display ObjectId or set display name

Display ObjectId or set display name:

CertUtil [Options] -oid ObjectId [DisplayName | delete [LanguageId [Type]]] [-f]

CertUtil [Options] -oid GroupId [-f]

CertUtil [Options] -oid AlgId | AlgorithmName [GroupId] [-f]

ObjectId : ObjectId to display or to add display name
GroupId : Decimal GroupId number for ObjectIds to enumerate
AlgId :  Hexadecimal AlgId for ObjectId to look up
AlgorithmName : Algorithm Name for ObjectId to look up
DisplayName : Display Name to store in DS
delete :  Delete display name
LanguageId : Language Id (defaults to current: 1033)
Type :  DS object type to create: 1 for Template (default), 2 for Issuance Policy, 3 for Application Policy
Use -f to create DS object.

CertUtil policy — Display Enrollment Policy /Policy templates / Policy Cache / CAs & Templates

Display Enrollment Policy templates:

CertUtil [Options] -Template [Template] 
    Options:   [-f] [-v] [-user] [-dc DCName] [-silent] [-PolicyServer URLOrId]
     [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

Display CAs for template:

CertUtil [Options] -TemplateCAs Template
    Options:   [-f] [-v] [-user] [-dc DCName]

Display templates for CA:

CertUtil [Options] -CATemplates [Template] 
    Options:   [-f] [-v] [-user] [-ut] [-mt] [-config Machine\CAName] [-dc DCName]

Sets the certificate templates that the Certificate Authority can issue:

CertUtil [Options] -SetCATemplates [+ | -] TemplateList

    Where:
    The + sign adds certificate templates to the CA's available template list.
    The - sign removes certificate templates from the CA's available template list.

Install default certificate templates:

CertUtil [Options] -InstallDefaultTemplates 
              [-f] [-v] [-dc DCName]

Display Enrollment Policy:

CertUtil [Options] -Policy [-f] [-user] [-silent] [-split]
    [-PolicyServer URLOrId] [-Anonymous] [-Kerberos]
        [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

Display or delete Enrollment Policy Cache entries:

CertUtil [Options] -PolicyCache [delete] 
    [-f] [-user] [-PolicyServer URLOrId]

    delete: delete Policy Server cache entries 
        -f: use -f to delete all cache entries

CertUtil pulse — Pulse autoenrollment event or NGC task

Pulse autoenrollment events or NGC task:

CertUtil [Options] -pulse [TaskName [SRKThumbprint]] [Modifiers] [-v]
    options: [-user]

TaskName : The task to trigger:

Pregen : NGC Key Pregen task
AIKEnroll : NGC AIK certificate enrollment task.
defaults to autoenrollment event.

SRKThumbprint : Thumbprint of the Storage Root Key.

Modifiers: Pregen  PregenDelay  AIKEnroll  CryptoPolicy  NgcPregenKey  DIMSRoam

Default is to display DC certs without verification.
Modifiers: Verify  DeleteBad  DeleteAll

CertUtil scinfo — Display smart card information / Root certs / Get/Set SMTP information

Display smart card information:

CertUtil [Options] -SCInfo [ReaderName [CRYPT_DELETEKEYSET]]
    Options:   [-v] [-silent] [-split] [-urlfetch] [-t Timeout]

CRYPT_DELETEKEYSET : Delete all keys on the smart card

Manage smart card root certificates:

CertUtil [Options] -SCRoots update [+][InputRootFile] [ReaderName]
    [-f] [-split] [-p Password]

CertUtil [Options] -SCRoots save @OutputRootFile [ReaderName]
    [-f] [-split] [-p Password]

CertUtil [Options] -SCRoots view [InputRootFile | ReaderName]
    [-f] [-split] [-p Password]

CertUtil [Options] -SCRoots delete [ReaderName] 
    [-f] [-split] [-p Password]

Get Simple Mail Transfer Protocol (SMTP) information:

CertUtil [Options] -getsmtpinfo
    Options:
    [-config Machine\CAName] [-p Password]

Set SMTP information:

CertUtil [Options] -setsmtpinfo LogonName

CertUtil sign — Re-sign CRL or certificate

Re-sign CRL or certificate:

CertUtil [Options] -sign InFileList|SerialNumber|CRL OutFileList [StartDate[+|-dd:hh]]
    [+SerialNumberList | -SerialNumberList | -ObjectIdList | @ExtensionFile]

    options: [-nullsign] [-f] [-user] [-silent] [-Cert CertId] [-csp Provider]

CertUtil [Options] -sign InFileList|SerialNumber|CRL OutFileList [#HashAlgorithm]
    [+AlternateSignatureAlgorithm | -AlternateSignatureAlgorithm]

    options: [-nullsign] [-f] [-user] [-silent] [-Cert CertId] [-csp Provider]

CertUtil [Options] -sign InFileList OutFileList [Subject:CN=...] [Issuer:hex data]

InFileList : comma separated list of Certificate or CRL files to modify and re-sign
SerialNumber : Serial number of certificate to create. Validity period and other options must not be present.
CRL :   Create an empty CRL. Validity period and other options must not be present.
OutFileList : comma separated list of modified Certificate or CRL output files. The number of files must match InFileList.

StartDate+dd:hh : new validity period: an optional start date plus an optional validity length in days and hours.
If both are specified, use a plus sign (+) separator.
Use "now[+dd:hh]" to start at the current time. Use "never" to have no expiration date (for CRLs only).

SerialNumberList : Comma separated serial number list to add or remove
ObjectIdList :  Comma separated extension ObjectId list to remove
@ExtensionFile : INF file containing extensions to update or remove:

[Extensions]
2.5.29.31 = ; Remove CRL Distribution Points extension
2.5.29.15 = "{hex}" ; Update Key Usage extension
_continue_="03 02 01 86"

HashAlgorithm : Name of the hash algorithm preceded by a # sign: #MD2 #MD4 #MD5 #SHA1 #SHA256 #SHA384 or #SHA512
AlternateSignatureAlgorithm: alternate Signature algorithm specifier

A minus sign causes serial numbers and extensions to be removed. A plus sign causes serial numbers to be added to a CRL.
When removing items from a CRL, the list can contain both serial numbers and ObjectIds.
A minus sign before AlternateSignatureAlgorithm causes the legacy signature format to be used.
A plus sign before AlternateSignatureAlgorithm causes the alternate signature format to be used.
If AlternateSignatureAlgorithm is not specified then the signature format in the certificate or CRL is used.

CertUtil syncwithwu — Windows Update Sync / Generate SST

Sync with Windows Update:

CertUtil [Options] -syncWithWU DestinationDir [-f]
    DestinationDir -- folder to copy to.
         The following files are downloaded from Windows Update:
             authrootstl.cab - contains CTL of Third Party Roots.
             disallowedcertstl.cab - contains CTL of Disallowed Certificates.
             disallowedcert.sst - Disallowed Certificates.
             pinrulesstl.cab - contains CTL of SSL Pin Rules.
             pinrules.sst - Pin Rules Certificates.
             thumbprint.crt - Third Party Roots.

Generate SST from Windows Update:

CertUtil [Options] -generateSSTFromWU SSTFile [-f] [-split]
    SSTFile : .sst file to be created.
         The generated .sst file contains the Third Party Roots downloaded from Windows Update.

CertUtil UI — Invoke CryptUI / TPMInfo

Invoke CryptUI - Invokes the CertUtil interface:

CertUtil [Options] -UI File [import]

Display Trusted Platform Module Information:

certutil [Options] -TPMInfo
    options: [-f] [-Silent] [-split]

CertUtil url — Verify certificate or CRL URLs / Display or delete URL cache entries

Display or delete URL cache entries:

CertUtil [Options] -URLCache [URL | CRL | * [delete]]
              [-f] [-v] [-split]

URL : Cached URL
CRL : Operate on all cached CRL URLs only
* : Operate on all cached URLs
delete : Delete relevant URLs from the current user’s local cache
-f : Force fetch of a specific URL and update the cache.
-split : Dump the file to disk
-v : Will display the whole internet history and cache file locations.
e.g.
certutil.exe -urlcache -split -f "https://download.sysinternals.com/files/SysinternalsSuite.zip" pstools.zip

Verify certificate or CRL URLs:

CertUtil [Options] -URL InFile | URL

    Options: [-f] [-split]
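Because -urlcache with -f and -split fetches a URL and writes it to disk (as in the example above), defenders usually want to tell that usage apart from cache display or cleanup in process-creation telemetry. The following is an added example, not code from the CertUtil reference: it classifies certutil command lines (for instance the CommandLine field of Sysmon Event ID 1 or Security event 4688) and runs over constructed sample lines.

```powershell
# Added example, not part of the CertUtil reference: flag process-creation command lines
# where certutil is used to fetch a remote file via -urlcache with -f, as opposed to
# viewing or clearing the URL cache. Sample command lines are constructed for illustration.

function Test-CertutilUrlFetch {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Only certutil invocations (any case, with or without .exe or a leading path) are of interest
    if ($CommandLine -notmatch '(?i)(^|[\\\s"])certutil(\.exe)?(\s|"|$)') { return $null }
    $hasUrlCache = $CommandLine -match '(?i)(^|\s)-urlcache(\s|$)'
    $hasForce    = $CommandLine -match '(?i)(^|\s)-f(\s|$)'
    $hasSplit    = $CommandLine -match '(?i)(^|\s)-split(\s|$)'   # -split dumps the file to disk
    $urlMatch    = [regex]::Match($CommandLine, '(?i)https?://[^\s"]+')
    # Cache display/delete needs neither -f nor a URL; a forced fetch of a URL retrieves remote content.
    $fetch    = $hasUrlCache -and $hasForce -and $urlMatch.Success
    $url      = if ($urlMatch.Success) { $urlMatch.Value } else { $null }
    $severity = if ($fetch -and $hasSplit) { 'High' } elseif ($fetch) { 'Medium' } else { 'Info' }
    [pscustomobject]@{
        CommandLine = $CommandLine
        UrlCache    = $hasUrlCache
        Force       = $hasForce
        Split       = $hasSplit
        Url         = $url
        RemoteFetch = $fetch
        Severity    = $severity
    }
}

# Constructed sample command lines (203.0.113.10 is a documentation address, not a real host)
$sampleCommandLines = @(
    'certutil.exe -hashfile C:\Temp\installer.msi SHA256',
    'certutil.exe -urlcache -split -f "https://download.sysinternals.com/files/SysinternalsSuite.zip" pstools.zip',
    'certutil -URLCache * delete',
    'certutil.exe -verify -urlfetch C:\Temp\server.cer',
    '"C:\Windows\System32\certutil.exe" -urlcache -f http://203.0.113.10/update.dat C:\Users\Public\update.dat',
    'powershell.exe -Command Get-Date'
)

$sampleCommandLines | ForEach-Object { Test-CertutilUrlFetch $_ } | Where-Object { $_ } |
    Format-Table Severity, RemoteFetch, Url, CommandLine -AutoSize
```

Only the two -urlcache lines that combine -f with a URL come back as RemoteFetch; -hashfile, -verify -urlfetch and the cache cleanup stay at Info.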

CertUtil verify — Verify Certificate, CRL or Chain / Verify certificate SCT / Check 0x7f encoding

Verify certificate, CRL or chain:

CertUtil [Options] -verify CertFile [ApplicationPolicyList | - [IssuancePolicyList]] [Modifiers]
    [-f] [-v] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout] [-sslpolicy ServerName]

CertUtil [Options] -verify CertFile [CACertFile [CrossedCACertFile]] [Modifiers]
    [-f] [-v] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout] [-sslpolicy ServerName]

CertUtil [Options] -verify CRLFile CACertFile [IssuedCertFile] [Modifiers]
    [-f] [-v] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout] [-sslpolicy ServerName]

CertUtil [Options] -verify CRLFile CACertFile [DeltaCRLFile] [Modifiers]
    [-f] [-v] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout] [-sslpolicy ServerName]

CertFile : Certificate to verify.
ApplicationPolicyList: Optional comma separated list of required Application Policy ObjectIds.
IssuancePolicyList : Optional comma separated list of required Issuance Policy ObjectIds.
CACertFile : Optional issuing CA certificate to verify against.
CrossedCACertFile : optional certificate cross-certified by CertFile.
CRLFile : CRL to verify.
IssuedCertFile : Optional issued certificate covered by CRLFile.
DeltaCRLFile : Optional delta CRL.

If ApplicationPolicyList is specified, chain building is restricted to chains valid for
the specified Application Policies.
If IssuancePolicyList is specified, chain building is restricted to chains valid for the
specified Issuance Policies.
If CACertFile is specified, fields in CACertFile are verified against CertFile or CRLFile.
If CACertFile is not specified, CertFile is used to build and verify a full chain.
If CACertFile and CrossedCACertFile are both specified, fields in CACertFile and CrossedCACertFile
are verified against CertFile.
If IssuedCertFile is specified, fields in IssuedCertFile are verified against CRLFile.
If DeltaCRLFile is specified, fields in DeltaCRLFile are verified against CRLFile.

Modifiers:
Strong : Strong signature verification.
MSRoot : Must chain to a Microsoft root.
MSTestRoot : Must chain to a Microsoft test root.
AppRoot : Must chain to a Microsoft application root.
EV : Enforce Extended Validation Policy.

Verify certificate Signed Certificate Timestamps (SCT):

CertUtil [Options] -VerifyCT Certificate SCT [precert][-f]

Check certificate for 0x7f length encodings:

CertUtil [Options] -7f CertFile

CertUtil verifyctl — Verify AuthRoot or Disallowed Certificates CTL

Verify AuthRoot or Disallowed Certificates CTL:

CertUtil [Options] -verifyCTL CTLObject [CertDir] [CertFile] [-f] [-user] [-split]

CTLObject : Identifies the CTL to verify:

AuthRootWU : read AuthRoot CAB and matching certificates from the URL cache. Use -f to download from Windows Update instead.
DisallowedWU : read Disallowed Certificates CAB and disallowed certificate store file from the URL cache. Use -f to download from Windows Update instead.
PinRulesWU : read PinRules CAB from the URL cache. Use -f to download from Windows Update instead.
AuthRoot : read registry cached AuthRoot CTL. Use with -f and a CertFile that is not already trusted to force updating the registry cached AuthRoot and Disallowed Certificate CTLs.
Disallowed : read registry cached Disallowed Certificates CTL. -f has the same behavior as with AuthRoot.
PinRules : read registry cached PinRules CTL. -f has the same behavior as with PinRulesWU.
CTLFileName : file or http: path to CTL or CAB

CertDir : folder containing certificates matching CTL entries. An http: folder path must end with a path separator. If a folder is not specified with AuthRoot or Disallowed, multiple locations will be searched for matching certificates: local certificate stores, crypt32.dll resources and the local URL cache. Use -f to download from Windows Update when necessary.
Otherwise defaults to the same folder or web site as the CTLObject.
CertFile : file containing certificate(s) to verify. Certificates will be matched against CTL entries,
and match results displayed. Suppresses most of the default output.

CertUtil vroot — Create/delete web virtual roots and file shares

Create/delete web virtual roots and file shares:

CertUtil [Options] -vroot [delete]

Create/delete web virtual roots for OCSP web proxy:

CertUtil [Options] -vocsproot [delete]

CertUtil -? — Help

Display the list of parameters:

CertUtil -?
CertUtil name_of_parameter -?
CertUtil -? -v

Microsoft help page for CertUtil.

There have been some documentation inconsistencies between the command-line help (CertUtil -?) and the MSDN help pages.
To see complete help for all CertUtil verbs and options, run CertUtil -v -uSAGE. The uSAGE switch is case-sensitive.


Option Description
-admin Use ICertAdmin2 for CA properties.
-anonymous Use anonymous SSL credentials.
-cert CertId Signing certificate.
-clientcertificate clientCertId Use X.509 Certificate SSL credentials. For selection UI, use -clientcertificate.
-config Machine\CAName Certificate Authority and computer name string.
-csp provider Provider:
KSP - Microsoft Software Key Storage Provider
TPM - Microsoft Platform Crypto Provider
NGC - Microsoft Passport Key Storage Provider
SC - Microsoft Smart Card Key Storage Provider
-dc DCName Target a specific Domain Controller.
-enterprise Use the local machine enterprise registry certificate store.
-f Force overwrite.
-generateSSTFromWU SSTFile Generate SST by using the automatic update mechanism.
-gmt Display times using GMT.
-GroupPolicy Use the group policy certificate store.
-idispatch Use IDispatch instead of COM native methods.
-kerberos Use Kerberos SSL credentials.
-location alternatestoragelocation (-loc) AlternateStorageLocation.
-mt Display machine templates.
-nocr Encode text without CR characters.
-nocrlf Encode text without CR-LF characters.
-nullsign Use the hash of the data as a signature.
-oldpfx Use old PFX encryption.
-out columnlist Comma-separated column list.
-p password Password
-pin PIN Smart card PIN.
-policyserver URLorID Policy Server URL or ID. For selection UI, use -policyserver. For all Policy Servers, use -policyserver *
-privatekey Display password and private key data.
-protect Protect keys with password.
-protectto SAMnameandSIDlist Comma-separated SAM name/SID list.
-restrict restrictionlist Comma-separated Restriction List. Each restriction consists of a column name, a relational operator, and a constant integer, string, or date. One column name may be preceded by a plus or minus sign to indicate the sort order. For example: requestID = 47, +requestername >= a, requestername, or -requestername > DOMAIN, Disposition = 21.
-reverse Reverse Log and Queue columns.
-seconds Display times using seconds and milliseconds.
-service Use service certificate store.
-sid Numeric SID:
22 - Local System
23 - Local Service
24 - Network Service
-silent Use the silent flag to acquire crypt context.
-split Split embedded ASN.1 elements, and save to files.
-sslpolicy servername SSL Policy matching ServerName.
-symkeyalg symmetrickeyalgorithm[,keylength] Name of the Symmetric Key Algorithm with optional key length. For example: AES,128 or 3DES.
-syncWithWU DestinationDir Sync with Windows Update.
-t timeout URL fetch timeout in milliseconds.
-Unicode Write redirected output in Unicode.
-UnicodeText Write output file in Unicode.
-urlfetch Retrieve and verify AIA Certs and CDP CRLs.
-user Use the HKEY_CURRENT_USER keys or certificate store.
-username username Use named account for SSL credentials. For selection UI, use -username.
-ut Display user templates.
-v Provide more detailed (verbose) information.
-v1 Use V1 interfaces.

Hash algorithms: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512.

Certutil is sensitive to the order of command-line parameters.

Certutil isn't recommended for use in production code and doesn't provide any guarantees of live site support or application compatibility. It's a tool used by developers and IT administrators to view certificate content information on devices. Certutil.exe is a command-line program installed as part of Certificate Services.

You can use certutil.exe to display certification authority (CA) configuration information, configure Certificate Services, and back up and restore CA components. The program also verifies certificates, key pairs, and certificate chains.

If certutil is run on a certification authority without other parameters, it displays the current certification authority configuration. If certutil is run on a non-certification authority without other parameters, the command defaults to running the certutil -dump command.

Certutil replaces the File Checksum Integrity Verifier (FCIV) found in earlier versions of Windows.

Examples

Display the SHA256 hash of a file:

CertUtil -hashfile c:\demo\anything.txt SHA256
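Since CertUtil -hashfile is the FCIV replacement, a common task is checking a downloaded file against a hash published by its vendor. The following PowerShell function is an added example (not from this page or from Microsoft) that wraps the command, copes with both output styles (older Windows builds print the hash as space-separated byte pairs, newer ones as a single hex string) and compares the result; the file path and expected hash are placeholders.

```powershell
# Added example: verify a file against a published hash using CertUtil -hashfile.
function Test-CertUtilHash {
    param(
        [Parameter(Mandatory)] [string] $Path,       # file to check
        [Parameter(Mandatory)] [string] $Expected,   # hash obtained out of band (vendor page, signed release notes)
        [ValidateSet('MD5','SHA1','SHA256','SHA384','SHA512')]
        [string] $Algorithm = 'SHA256'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # CertUtil prints a header line, the hash line and a completion message.
    $lines = & certutil.exe -hashfile $Path $Algorithm
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed with exit code $LASTEXITCODE`n$($lines -join "`n")"
    }

    # The hash line is the only one made up solely of hex digits (and, on older
    # builds, spaces); strip the spaces so both formats compare equal.
    $hashLine = $lines | Where-Object { $_ -match '^[0-9a-fA-F ]+$' } | Select-Object -First 1
    if (-not $hashLine) {
        throw "Could not find a hash in certutil output:`n$($lines -join "`n")"
    }
    $actual = ($hashLine -replace ' ', '').ToLowerInvariant()
    $wanted = ($Expected -replace '[\s:]', '').ToLowerInvariant()   # tolerate "ab:cd" or "ab cd" styles

    [pscustomobject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Actual    = $actual
        Expected  = $wanted
        Match     = ($actual -eq $wanted)
    }
}

# Usage with placeholder values; replace the expected hash with the vendor's published one.
$result = Test-CertUtilHash -Path 'c:\demo\anything.txt' -Expected '<EXPECTED_SHA256_PLACEHOLDER>'
if (-not $result.Match) { Write-Error "Hash mismatch for $($result.Path): got $($result.Actual)" }
$result
```

Take the expected value from a source independent of the download itself; a hash served alongside the file only proves the download was not corrupted, not that it came from the vendor.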

Dump (read config information) from a certificate file:

CertUtil -dump c:\demo\sample.CER

Copy a certificate revocation list (CRL) to a file:

CertUtil -getcrl F:\ss64.crl

Purge local policy cache (Certificate Enrollment Policy Web Services):

CertUtil -f -policyserver * -policycache delete

Enumerate certificate stores:

CertUtil -enumstore

Note the names returned by this are not all the same as those shown in the PowerShell Cert: drive:

gci Cert:\LocalMachine

View the content of the client computer’s Trusted Root Certification Authorities Enterprise certificate store:

CertUtil -enterprise -viewstore Root

Check the browser's Trusted Certificate list against the Windows Update servers:

CertUtil -f -verifyCTL AuthRootWU

Stop Certificate Services:

CertUtil -shutdown

Convert a hex-encoded file to a binary executable. This is primarily intended for converting X.509 certificates from a human-readable format (.asn) into a computer-readable format (.bin):

CertUtil -decodehex hex.dat ss64.exe

“And yet I do observe that audiences which used to be deeply affected by the inspiring sternness of the music of Livius and Naevius, now leap up and twist their necks and turn their eyes in time with our modern tunes” ~ Cicero (De Legibus II.39 c. 50 BCE) on the evils of modern music.

Related commands

CertMgr.MSC - GUI for managing Certificates.
CERTREQ - Request certificate from a certification authority.
SIGNTOOL - Digitally sign files.
How Certificate Revocation Works - TechNet.
Equivalent PowerShell cmdlets: Get-FileHash - Compute the hash value for a file. Get-Certificate - Submit/retrieve certificate requests.
Equivalent bash command: cksum - Print CRC checksum and byte counts. / base64 - encode/decode and print to StdOut.


Copyright © 1999-2024 SS64.com
Some rights reserved