Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.
For examples of how to use this command, see Examples.
Syntax
Certutil <-parameter> [-parameter]
Parameters
Parameter | Description |
---|---|
-dump | Dump configuration information or files |
-asn | Parse ASN.1 file |
-decodehex | Decode hexadecimal-encoded file |
-decode | Decode a Base64-encoded file |
-encode | Encode a file to Base64 |
-deny | Deny a pending certificate request |
-resubmit | Resubmit a pending certificate request |
-setattributes | Set attributes for a pending certificate request |
-setextension | Set an extension for a pending certificate request |
-revoke | Revoke a certificate |
-isvalid | Display the disposition of the current certificate |
-getconfig | Get the default configuration string |
-ping | Attempt to contact the Active Directory Certificate Services Request interface |
-pingadmin | Attempt to contact the Active Directory Certificate Services Admin interface |
-CAInfo | Display information about the certification authority |
-ca.cert | Retrieve the certificate for the certification authority |
-ca.chain | Retrieve the certificate chain for the certification authority |
-GetCRL | Get a certificate revocation list (CRL) |
-CRL | Publish new certificate revocation lists (CRLs) [or only delta CRLs] |
-shutdown | Shut down Active Directory Certificate Services |
-installCert | Install a certification authority certificate |
-renewCert | Renew a certification authority certificate |
-schema | Dump the schema for the certificate |
-view | Dump the certificate view |
-db | Dump the raw database |
-deleterow | Delete a row from the server database |
-backup | Back up Active Directory Certificate Services |
-backupDB | Back up the Active Directory Certificate Services database |
-backupKey | Back up the Active Directory Certificate Services certificate and private key |
-restore | Restore Active Directory Certificate Services |
-restoreDB | Restore the Active Directory Certificate Services database |
-restoreKey | Restore the Active Directory Certificate Services certificate and private key |
-dynamicfilelist | Display a dynamic file list |
-databaselocation | Display database locations |
-hashfile | Generate and display a cryptographic hash over a file |
-store | Dump the certificate store |
-addstore | Add a certificate to the store |
-delstore | Delete a certificate from the store |
-verifystore | Verify a certificate in the store |
-repairstore | Repair a key association or update certificate properties or the key security descriptor |
-viewstore | Dump the certificates store |
-viewdelstore | Delete a certificate from the store |
-dsPublish | Publish a certificate or certificate revocation list (CRL) to Active Directory |
-Template | Display certificate templates |
-TemplateCAs | Display the certification authorities (CAs) for a certificate template |
-CATemplates | Display the certificate templates for a certification authority (CA) |
-InstallDefaultTemplates | Install default certificate templates |
-URLCache | Display or delete URL cache entries |
-pulse | Pulse auto enrollment events |
-MachineInfo | Display information about the Active Directory machine object |
-DCInfo | Display information about the domain controller |
-EntInfo | Display information about an enterprise CA |
-TCAInfo | Display information about the CA |
-SCInfo | Display information about the smart card |
-SCRoots | Manage smart card root certificates |
-verifykeys | Verify a public or private key set |
-verify | Verify a certificate, certificate revocation list (CRL), or certificate chain |
-sign | Re-sign a certificate revocation list (CRL) or certificate |
-vroot | Create or delete web virtual roots and file shares |
-vocsproot | Create or delete web virtual roots for an OCSP web proxy |
-oid | Display the object identifier or set a display name |
-error | Display the message text associated with an error code |
-getreg | Display a registry value |
-setreg | Set a registry value |
-delreg | Delete a registry value |
-ImportKMS | Import user keys and certificates into the server database for key archival |
-ImportCert | Import a certificate file into the database |
-GetKey | Retrieve an archived private key recovery blob |
-RecoverKey | Recover an archived private key |
-MergePFX | Merge PFX files |
-ConvertEPF | Convert a PFX file into an EPF file |
Remarks
Examples
For examples that show how to use certutil to perform a wide variety of tasks, see the following:
- Manage certificates
- Back up and restore certificates
- Manage key archival and recovery
- Encode and decode certificates
- Troubleshoot certificates
- Configure a certification authority (CA)
- Manage a CA
- Manage certificate revocation lists
Additional references
Command-Line Syntax Key