Certutil-windows command

Certutil.exe is a command-line program that is installed as part of Certificate Services in the Windows Server 2003 family.

You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

For more information about how to use Certutil.exe to perform specific tasks, see the following topics:

• Certutil tasks for encoding and decoding certificates
  http://technet.microsoft.com/en-us/library/cc772656(v=ws.10).aspx

• Certutil tasks for configuring a Certification Authority (CA)
  http://technet.microsoft.com/en-us/library/cc772627(v=ws.10).aspx

• Certutil tasks for managing a Certification Authority (CA)
  http://technet.microsoft.com/en-us/library/cc772751(v=ws.10).aspx

• Certutil tasks for managing certificates
  http://technet.microsoft.com/en-us/library/cc772898(v=ws.10).aspx

• Certutil tasks for managing CRLs
  http://technet.microsoft.com/en-us/library/cc772629(v=ws.10).aspx

• Certutil tasks for key archival and recovery
  http://technet.microsoft.com/en-us/library/cc738780(v=ws.10).aspx

• Certutil tasks for backing up and restoring certificates
  http://technet.microsoft.com/en-us/library/cc755341(v=ws.10).aspx

• Certutil tasks for troubleshooting certificates
  http://technet.microsoft.com/en-us/library/cc772619(v=ws.10).aspx

To display the certificates in the Local Machine certificate store

Syntax

certutil -store [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-v] [-dc DCName] [CertificateStoreName [CertID [OutFile]]]

CertificateStoreName Specifies one of the following store names:

ca                Specifies certificates in the Intermediate Certification Authorities store.
my                Specifies certificates issued to the current user.
root              Specifies certificates in the Trusted Root Certification Authorities store.
spc               Specifies software publisher certificates.
UserCreatedStore  Specifies the name of a user-created certificate store.

Example:
C:\windows\system32>certutil -store
CA
================ Certificate 0 ================
Serial Number: 06376c00aa00648a11cfb8d4aa5c35f4
Issuer: CN=Root Agency
NotBefore: 29-05-1996 03:32
NotAfter: 01-01-2040 05:29
Subject: CN=Root Agency
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): fe e4 49 ee 0e 39 65 a5 24 6f 00 0e 87 fd e2 a0 65 fd 89 d4
No key provider information
Cannot find the certificate and private key for decryption.

================ Certificate 1 ================
Serial Number: 46fcebbab4d02f0f926098233f93078f
Issuer: OU=Class 3 Public Primary Certification Authority, O=VeriSign, Inc., C=US
NotBefore: 17-04-1997 05:30
NotAfter: 25-10-2016 05:29
Subject: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU=VeriSign, Inc., O=VeriSign Trust Network
Non-root Certificate
Template:
Cert Hash(sha1): d5 59 a5 86 66 9b 08 f4 6a 30 a1 33 f8 a9 ed 3d 03 8e 2e a8
No key provider information
Cannot find the certificate and private key for decryption.
================ Certificate 2 ================
Serial Number: 198b11d13f9a8ffe69a0
Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
NotBefore: 01-10-1997 12:30
NotAfter: 31-12-2002 12:30
Subject: CN=Microsoft Windows Hardware Compatibility, OU=Microsoft Corporation, OU=Microsoft Windows Hardware Compatibility Intermediate CA, OU=Copyright (c) 1997 Microsoft Corp.
Non-root Certificate
Template:
Cert Hash(sha1): 10 9f 1c ae d6 45 bb 78 b3 ea 2b 94 c0 69 7c 74 07 33 03 1c
No key provider information
Cannot find the certificate and private key for decryption.
================ CRL 0 ================
Issuer:
OU=VeriSign Commercial Software Publishers CA
O=VeriSign, Inc.
L=Internet
CRL Hash(sha1): a3 77 d1 b1 c0 53 88 33 03 52 11 f4 08 3d 00 fe cc 41 4d ab
CertUtil: -store command completed successfully.
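
A dump like the one above is easier to review once it is parsed into records. The following is an added example, not part of the original post: it parses captured `certutil -store` text and reports expired certificates and self-signed certificates that sit outside the root store, keyed by thumbprint. The function names, the shortened sample and the dd-mm-yyyy date format (taken from the output above) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: shortened copy of the `certutil -store` dump shown above.
SAMPLE = """\
CA
================ Certificate 0 ================
Serial Number: 06376c00aa00648a11cfb8d4aa5c35f4
NotAfter: 01-01-2040 05:29
Subject: CN=Root Agency
Root Certificate: Subject matches Issuer
Cert Hash(sha1): fe e4 49 ee 0e 39 65 a5 24 6f 00 0e 87 fd e2 a0 65 fd 89 d4
================ Certificate 2 ================
NotAfter: 31-12-2002 12:30
Subject: CN=Microsoft Windows Hardware Compatibility
Non-root Certificate
Cert Hash(sha1): 10 9f 1c ae d6 45 bb 78 b3 ea 2b 94 c0 69 7c 74 07 33 03 1c
================ CRL 0 ================
CertUtil: -store command completed successfully.
"""

HEADER = re.compile(r"^=+ (Certificate|CRL) (\d+) =+$")
DATE_FMT = "%d-%m-%Y %H:%M"  # assumption: dd-mm-yyyy locale, as in the sample

def parse_store_dump(text):
    """Split a certutil -store dump into one dict per certificate (CRLs skipped)."""
    store = text.splitlines()[0].split()[0]  # first line names the store
    certs, cur = [], None
    for line in text.splitlines()[1:]:
        m = HEADER.match(line.strip())
        if m and m.group(1) == "Certificate":
            cur = {"store": store, "index": int(m.group(2))}
            certs.append(cur)
        elif m:  # CRL block: stop collecting until the next certificate
            cur = None
        elif cur is not None and ": " in line:
            key, value = line.split(": ", 1)
            cur[key.strip()] = value.strip()
    return certs

def audit(certs, now):
    """Return (thumbprint, finding) pairs for certificates that need review."""
    findings = []
    for c in certs:
        thumb = c.get("Cert Hash(sha1)", "").replace(" ", "")
        if datetime.strptime(c["NotAfter"], DATE_FMT) < now:
            findings.append((thumb, "expired"))
        if "Root Certificate" in c and c["store"].lower() != "root":
            findings.append((thumb, "self-signed in non-root store"))
    return findings
```

Calling `audit(parse_store_dump(SAMPLE), datetime.now())` gives the findings for the sample; for real use, pass in the saved output of `certutil -store` instead.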

Usage
>certutil -?

Verbs:
-dump             -- Dump configuration information or files
-asn              -- Parse ASN.1 file

-decodehex        -- Decode hexadecimal-encoded file
-decode           -- Decode Base64-encoded file
-encode           -- Encode file to Base64

-deny             -- Deny pending request
-resubmit         -- Resubmit pending request
-setattributes    -- Set attributes for pending request
-setextension     -- Set extension for pending request
-revoke           -- Revoke Certificate
-isvalid          -- Display current certificate disposition

-getconfig        -- Get default configuration string
-ping             -- Ping Active Directory Certificate Services Request interface
-pingadmin        -- Ping Active Directory Certificate Services Admin interface
-CAInfo           -- Display CA Information
-ca.cert          -- Retrieve the CA's certificate
-ca.chain         -- Retrieve the CA's certificate chain
-GetCRL           -- Get CRL
-CRL              -- Publish new CRLs [or delta CRLs only]
-shutdown         -- Shutdown Active Directory Certificate Services

-installCert      -- Install Certification Authority certificate
-renewCert        -- Renew Certification Authority certificate

-schema           -- Dump Certificate Schema
-view             -- Dump Certificate View
-db               -- Dump Raw Database
-deleterow        -- Delete server database row

-backup           -- Backup Active Directory Certificate Services
-backupDB         -- Backup Active Directory Certificate Services database
-backupKey        -- Backup Active Directory Certificate Services certificate and private key
-restore          -- Restore Active Directory Certificate Services
-restoreDB        -- Restore Active Directory Certificate Services database
-restoreKey       -- Restore Active Directory Certificate Services certificate and private key
-importPFX        -- Import certificate and private key
-dynamicfilelist  -- Display dynamic file List
-databaselocations -- Display database locations
-hashfile         -- Generate and display cryptographic hash over a file

-store            -- Dump certificate store
-addstore         -- Add certificate to store
-delstore         -- Delete certificate from store
-verifystore      -- Verify certificate in store
-repairstore      -- Repair key association or update certificate properties or key security descriptor
-viewstore        -- Dump certificate store
-viewdelstore     -- Delete certificate from store

-dsPublish        -- Publish certificate or CRL to Active Directory

-ADTemplate       -- Display AD templates
-Template         -- Display Enrollment Policy templates
-TemplateCAs      -- Display CAs for template
-CATemplates      -- Display templates for CA
-enrollmentServerURL -- Display, add or delete enrollment server URLs associated with a CA
-ADCA             -- Display AD CAs
-CA               -- Display Enrollment Policy CAs
-Policy           -- Display Enrollment Policy
-PolicyCache      -- Display or delete Enrollment Policy Cache entries
-CredStore        -- Display, add or delete Credential Store entries
-InstallDefaultTemplates -- Install default certificate templates
-URLCache         -- Display or delete URL cache entries
-pulse            -- Pulse autoenrollment events
-MachineInfo      -- Display Active Directory machine object information
-DCInfo           -- Display domain controller information
-EntInfo          -- Display enterprise information
-TCAInfo          -- Display CA information
-SCInfo           -- Display smart card information

-SCRoots          -- Manage smart card root certificates

-verifykeys       -- Verify public/private key set
-verify           -- Verify certificate, CRL or chain
-sign             -- Re-sign CRL or certificate

-vroot            -- Create/delete web virtual roots and file shares
-vocsproot        -- Create/delete web virtual roots for OCSP web proxy
-addEnrollmentServer -- Add an Enrollment Server application
-deleteEnrollmentServer -- Delete an Enrollment Server application
-oid              -- Display ObjectId or set display name
-error            -- Display error code message text
-getreg           -- Display registry value
-setreg           -- Set registry value
-delreg           -- Delete registry value

-ImportKMS        -- Import user keys and certificates into server database for key archival
-ImportCert       -- Import a certificate file into the database
-GetKey           -- Retrieve archived private key recovery blob
-RecoverKey       -- Recover archived private key
-MergePFX         -- Merge PFX files
-ConvertEPF       -- Convert PFX files to EPF file
-?                -- Display this usage message
CertUtil -?              -- Display a verb list (command list)
CertUtil -dump -?        -- Display help text for the "dump" verb
CertUtil -v -?           -- Display all help text for all verbs

Posted on January 16, 2015, in Windows.