Home > Commands A-M > Commands Ca-Cg


Description | Syntax | Parameters | Switches | Related | Notes | Examples | Errorlevels | Availability

Certutil tasks for managing a Certification Authority (CA).


CERTUTIL [-dump] [/?]

To display the information stored in public key related files:
CERTUTIL -dump [-f] [-gmt] [-seconds] [-split] [-v] [-p password] [configuration_file]

To restrict which rows from the CA schema are displayed when viewing CA database information:
CERTUTIL -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config machine\user] [-restrict restriction_list] [-out column_list] [request_id]

To view a list of templates supported by the local CA:
CERTUTIL -catemplates [-user] [-ut] [-mt] [-gmt] [-seconds] [-v] [-config machine\user] [-dc dc_name] [template]

To display a list of tagged database files and database directories:
CERTUTIL -databaselocations [-gmt] [-seconds] [-v] [-config machine\user]

To deny a certificate request:
CERTUTIL -deny [-gmt] [-seconds] [-v] [-config machine\user] [request_id]

To publish a certificate or CRL to Active Directory:
CERTUTIL -dsPublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc dc_name] certificate_file certificate_store

CERTUTIL -dsPublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc dc_name] crl_file [DSCDP_container [DSCDP_object]]

To display a list of dynamic files that must be backed up separately:
CERTUTIL -dynamicfilelist [-gmt] [-seconds] [-v] [-config machine\user]

To delete unwanted requests from the CA database:
CERTUTIL -deleterow [-f] [-gmt] [-seconds] [-v] [-config machine\user] row_id date table

To add a display name that appears in the local language to a certificate template:
CERTUTIL -oid [-f] [-gmt] [-seconds] [-v] "template_oid" local_friendly_name [language_id]

To revoke the certificate by serial number:
CERTUTIL -revoke [-gmt] [-seconds] [-v] [-config machine\user] serial_number [reason]

To set attributes on pending certificate requests:
CERTUTIL -setattributes [-gmt] [-seconds] [-v] request_id attribute_string

To set the extension in the certificate request:
CERTUTIL -setextension [-gmt] [-seconds] [-v] request_id expansion_name flags {long_value | date_value | string_value | @in_file}

To resubmit a pending certificate request:
CERTUTIL -resubmit [-gmt] [-seconds] [-v] [-config machine\user] request_id

To shut down the CA server:
CERTUTIL -shutdown [-gmt] [-seconds] [-v] [-config machine\user]

To verify a key set:
CERTUTIL -verifykeys [-gmt] [-silent] [-v] [-config machine\user] [key_container_name] [certificate_file]

To back up the CA certificate and keys:
CERTUTIL -backupkey [-f] [-gmt] [-seconds] [-v] [-config machine\user] [-p password] backup_directory

To restore the CA certificate and keys from a backup directory or a PKCS #12 (.pfx) file:
CERTUTIL -restorekey [-f] [-gmt] [-seconds] [-v] [-config machine\user] [-p password] backup_directory \PFX_file

attribute_string (NT2003)
Specifies the request attribute string to be set on the request identifier certificate.
Use \n to separate multiple values in a string.
Requests the attribute name and value pairs. Separate names and value pairs with a colon. Multiple name and value pairs are separated by placing them on a new line.
backup_directory (NT2003)
Specifies the backup directory.
You can use the -f to overwrite existing files in backup_directory.
expansion_name (NT2003)
certificate_file (NT2003)
Specifies the certificate.
Specifies the CA signature certificate that contains the public key used to verify digital signatures.
certificate_store (NT2003)
Specifies the certificate will be published to:
configuration_file (NT2003)
Specifies the file name of the configuration file that you want to display.
crl_file (NT2003)
Specifies the certificate revocation list.
date (NT2003)
Specifies a date restriction on which to query.
You can use the mm/dd/yyyy 00:00 date format, where 00:00 is standard time that must be designated as either AM or PM.
If you specify Date without a time of day, deletes all of the requests issued before the specified date, but it does not delete the requests issued on the specified date.
If you delete rows by Date, does not delete the CA certificate or the CA certificate chain rows. To delete the CA certificate and the CA certificate chain rows, you must delete rows by row_id.
If Date occurs in the future, fails and displays an invalid parameter error. Use -f to override the invalid parameter error.
date_value (NT2003)
DSCDP_container (NT2003)
Specifies the Active Directory Certificate revocation list Distribution Point (CDP) container Common Name (CN), usually the CA computer name.
DSCDP_object (NT2003)
Specifies the Active Directory Certificate revocation list Distribution Point (CDP) object Common Name (CN), usually based on the sanitized CA short name and key index.
extension_name (NT2003)
Specifies the ObjectID string of the extension.
flags (NT2003)
Sets the extension:
@in_file (NT2003)
Specifies a string that is accepted in one of the following formats if the string meets the specified criteria: @In_File If the value starts with the @ symbol, the rest of the token is the file name containing binary data or an ASCII-text hexadecimal dump.
key_container_name (NT2003)
Specifies the key container name of the key to verify.
language_id (NT2003)
Sets the local language identifier for the specified object. local_friendly_name appears in the specified language.
Decimal representation of a hexadecimal local identifier (LCID) value.
If you do not specify, uses the current system default, which is 1033.
local_friendly_name (NT2003)
Specifies the display name that you want to add to the certificate template.
long_value (NT2003)
reason (NT2003)
Specifies one of:
PFX_file (NT2003)
ies the PKCS #12 PFX file.
request_id (NT2003)
Specifies the request identifier number.
Must be in decimal format (or hexadecimal format with a leading 0x).
row_id (NT2003)
Specifies the request identifier of the row that you want to delete.
serial_number (NT2003)
Specifies the serial number of the certificate that you want to revoke.
Must be in hexadecimal format with an even number of digits. A single zero (0) can be prefaced to a value with an odd number of digits. No leading 0x is allowed.
string_value (NT2003)
table (NT2003)
One of:
template (NT2003)
Specifies the template.
"template_oid" (NT2003)
Specifies the object identifier of the certificate template.

/? (NT2003)
Display help.
-backupkey (NT2003)
Backs up the Certificate Services certificate and private key.
-catemplates (NT2003)
Displays CA templates.
-config machine\user (NT2003)
Processes the operation by using the CA specified in the machine/user configuration string.
You must specify the machine or user in -config. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
If you use "-config -", the operation is processed using the default CA.
-databaselocations (NT2003)
Displays database locations.
The hexadecimal buffer offset and hexadecimal type tag are displayed on each line.
-dc dc_name (NT2003)
Targets a specific domain controller.
-deleterow (NT2003)
Deletes a row in the CA database.
You can use this to delete "denial of service" errors.
When deleting more than one row with this command, you must be both a CA Administrator and a Certificate Manager to complete the task. The CA must not be configured to enforce role separation in this case.
-deny (NT2003)
Denies the pending certificate request.
-dsPublish (NT2003)
Publishes a new certificate or CRL to the CA object in Active Directory.
You must be logged on as a computer administrator to complete this procedure.
-dump (NT2003)
Dumps configuration information or files.
-dynamicfilelist (NT2003)
Displays dynamic file list.
Includes the local copy of the certificate revocation list (CRL) on the server.
The hexadecimal buffer offset is displayed on each line.
-f (NT2003)
Overwrites existing files or keys.
-gmt (NT2003)
Displays time as Greenwich mean time.
-mt (NT2003)
Displays the computer templates.
-oid (NT2003)
Defines a display name in a certificate template.
-out column_list (NT2003)
Specifies a comma-separated column list.
-p password (NT2003)
Specifies a password.
The maximum length allowed for a PFX file password is 32 characters.
-restrict restriction_list (NT2003)
Restricts which rows from the schema are displayed. Specifies a comma-separated restriction list.
-restorekey (NT2003)
Restores Certificate Services certificate and private key from the specified backup_directory or PKCS #12 PFXFile.
-resubmit (NT2003)
Resubmits the pending request.
-revoke (NT2003)
Revokes the certificate.
-seconds (NT2003)
Displays time with seconds and milliseconds.
-setattributes (NT2003)
Sets the attributes for the pending request.
-setextension (NT2003)
Sets the extension for the pending request.
-shutdown (NT2003)
Shuts down the CA server.
-silent (NT2003)
Uses a silent flag to acquire CryptContext.
-split (NT2003)
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
-user (NT2003)
Uses the HKEY_CURRENT_USER keys or certificate store.
-ut (NT2003)
Displays the user templates.
-v (NT2003)
Specifies verbose output.
-verifykeys (NT2003)
Verifies the public and private keys for the specified CA.
-view (NT2003)
Dumps the certification authority database view.


CERTUTIL backup/restore
CERTUTIL configure
CERTUTIL decode/encode
CERTUTIL certificates
CERTUTIL archival/recovery
CERTUTIL troubleshooting







Windows NT