Certutil

Applies To: Windows Server 2008

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

For examples of how to use this command, see Examples.

Syntax

	Copy Code
Certutil <-parameter> [-parameter]

Parameters

Description

	Copy Code
-dump

Dump configuration information or files

	Copy Code
-asn

Parse ASN.1 file

	Copy Code
-decodehex

Decode hexadecimal-encoded file

	Copy Code
-decode

Decode a Base64-encoded file

	Copy Code
-encode

Encode a file to Base64

	Copy Code
-deny

Deny a pending certificate request

	Copy Code
-resubmit

Resubmit a pending certificate request

	Copy Code
-setattributes

Set attributes for a pending certificate request

	Copy Code
-setextension

Set an extension for a pending certificate request

	Copy Code
-revoke

Revoke a certificate

	Copy Code
-isvalid

Display the disposition of the current certificate

	Copy Code
-getconfig

Get the default configuration string

	Copy Code
-ping

Attempt to contact the Active Directory Certificate Services Request interface

	Copy Code
-pingadmin

Attempt to contact the Active Directory Certificate Services Admin interface

	Copy Code
-CAInfo

Display information about the certification authority

	Copy Code
-ca.cert

Retrieve the certificate for the certification authority

	Copy Code
-ca.chain

Retrieve the certificate chain for the certification authority

	Copy Code
-GetCRL

Get a certificate revocation list (CRL)

	Copy Code
-CRL

Publish new certificate revocation lists (CRLs) [or only delta CRLs]

	Copy Code
-shutdown

Shutdown Active Directory Certificate Services

	Copy Code
-installCert

Install a certification authority certificate

	Copy Code
-renewCert

Renew a certification authority certificate

	Copy Code
-schema

Dump the schema for the certificate

	Copy Code
-view

Dump the certificate view

	Copy Code
-db

Dump the raw database

	Copy Code
-deleterow

Delete a row from the server database

	Copy Code
-back up

Backup Active Directory Certificate Services

	Copy Code
-backupDB

Backup the Active Directory Certificate Services database

	Copy Code
-backupKey

Backup the Active Directory Certificate Services certificate and private key

	Copy Code
-restore

Restore Active Directory Certificate Services

	Copy Code
-restoreDB

Restore the Active Directory Certificate Services database

	Copy Code
-restoreKey

Restore the Active Directory Certificate Services certificate and private key

	Copy Code
-dynamicfilelist

Display a dynamic file list

	Copy Code
-databaselocation

Display database locations

	Copy Code
-hashfile

Generate and display a cryptographic hash over a file

	Copy Code
-store

Dump the certificate store

	Copy Code
-addstore

Add a certificate to the store

	Copy Code
-delstore

Delete a certificate from the store

	Copy Code
-verifystore

Verify a certificate in the store

	Copy Code
-repairstore

Repair a key association or update certificate properties or the key security descriptor

	Copy Code
-viewstore

Dump the certificates store

	Copy Code
-viewdelstore

Delete a certificate from the store

	Copy Code
-dsPublish

Publish a certificate or certificate revocation list (CRL) to Active Directory

	Copy Code
-Template

Display certificate templates

	Copy Code
-TemplateCAs

Display the certification authorities (CAs) for a certificate template

	Copy Code
-CATemplates

Display the certificate templates for a certification authority (CA)

	Copy Code
-InstallDefaultTemplates

Install default certificate templates

	Copy Code
-URLCache

Display or delete URL cache entries

	Copy Code
-pulse

Pulse auto enrollment events

	Copy Code
-MachineInfo

Display information about the Active Directory machine object

	Copy Code
-DCInfo

Display information about the domain controller

	Copy Code
-EntInfo

Display information about an enterprise CA

	Copy Code
-TCAInfo

Display information about the CA

	Copy Code
-SCInfo

Display information about the smart card

	Copy Code
-SCRoots

Manage smart card root certificates

	Copy Code
-verifykeys

Verify a public or private key set

	Copy Code
-verify

Verify a certificate, certificate revocation list (CRL), or certificate chain

	Copy Code
-sign

Re-sign a certificate revocation list (CRL) or certificate

	Copy Code
-vroot

Create or delete web virtual roots and file shares

	Copy Code
-vocsproot

Create or delete web virtual roots for an OCSP web proxy

	Copy Code
-oid

Display the object identifier or set a display name

	Copy Code
-error

Display the message text associated with an error code

	Copy Code
-getreg

Display a registry value

	Copy Code
-setreg

Set a registry value

	Copy Code
-delreg

Delete a registry value

	Copy Code
-ImportKMS

Import user keys and certificates into the server database for key archival

	Copy Code
-ImportCert

Import a certificate file into the database

	Copy Code
-GetKey

Retrieve an archived private key recovery blob

	Copy Code
-RecoverKey

Recover an archived private key

	Copy Code
-MergePFX

Merge PFX files

	Copy Code
-ConvertEPF

Convert a PFX file into an EPF file