{
	"id": "97efc7a2-ac54-4740-a6ad-8ce9db621215",
	"created_at": "2026-04-06T01:30:09.079897Z",
	"updated_at": "2026-04-10T03:21:59.90046Z",
	"deleted_at": null,
	"sha1_hash": "aed39847e8ff9f063db3b6a402dfd26d71901344",
	"title": "Certutil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 200101,
	"plain_text": "Certutil\r\nBy Archiveddocs\r\nArchived: 2026-04-06 01:03:49 UTC\r\nApplies To: Windows Server 2012, Windows 8\r\nCertutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to\r\ndump and display certification authority (CA) configuration information, configure Certificate Services, backup\r\nand restore CA components, and verify certificates, key pairs, and certificate chains.\r\nWhen certutil is run on a certification authority without additional parameters, it displays the current certification\r\nauthority configuration. When cerutil is run on a non-certification authority, the command defaults to running the\r\ncertutil -dump verb.\r\nWarning\r\nEarlier versions of certutil may not provide all of the options that are described in this document. You can see all\r\nthe options that a specific version of certutil provides by running the commands shown in the Syntax notations\r\nsection.\r\nThe major sections in this document are:\r\nVerbs\r\nSyntax notations\r\nOptions\r\nAdditional certutil examples\r\nThe following table describes the verbs that can be used with the certutil command.\r\nVerbs Description\r\n-dump Dump configuration information or files\r\n-asn Parse ASN.1 file\r\n-decodehex-decodehex Decode hexadecimal-encoded file\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 1 of 43\n\nVerbs Description\r\n-decode Decode a Base64-encoded file\r\n-encode Encode a file to Base64\r\n-deny Deny a pending certificate request\r\n-resubmit Resubmit a pending certificate request\r\n-setattributes Set attributes for a pending certificate request\r\n-setextension Set an extension for a pending certificate request\r\n-revoke Revoke a certificate\r\n-isvalid Display the disposition of the current certificate\r\n-getconfig Get the default configuration string\r\n-ping Attempt to contact the Active Directory Certificate Services Request interface\r\n-pingadmin Attempt to contact the 
Active Directory Certificate Services Admin interface\r\n-CAInfo Display information about the certification authority\r\n-ca.cert Retrieve the certificate for the certification authority\r\n-ca.chain Retrieve the certificate chain for the certification authority\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 2 of 43\n\nVerbs Description\r\n-GetCRL Get a certificate revocation list (CRL)\r\n-CRL Publish new certificate revocation lists (CRLs) [or only delta CRLs]\r\n-shutdown Shutdown Active Directory Certificate Services\r\n-installCert Install a certification authority certificate\r\n-renewCert Renew a certification authority certificate\r\n-schema Dump the schema for the certificate\r\n-view Dump the certificate view\r\n-db Dump the raw database\r\n-deleterow Delete a row from the server database\r\n-backup Backup Active Directory Certificate Services\r\n-backupDB Backup the Active Directory Certificate Services database\r\n-backupKey Backup the Active Directory Certificate Services certificate and private key\r\n-restore Restore Active Directory Certificate Services\r\n-restoreDB Restore the Active Directory Certificate Services database\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 3 of 43\n\nVerbs Description\r\n-restoreKey Restore the Active Directory Certificate Services certificate and private key\r\n-importPFX Import certificate and private key\r\n-dynamicfilelist Display a dynamic file list\r\n-databaselocations Display database locations\r\n-hashfile Generate and display a cryptographic hash over a file\r\n-store Dump the certificate store\r\n-addstore Add a certificate to the store\r\n-delstore Delete a certificate from the store\r\n-verifystore Verify a certificate in the store\r\n-repairstore\r\nRepair a key association or update certificate properties or the key security\r\ndescriptor\r\n-viewstore Dump the certificates store\r\n-viewdelstore Delete a certificate from the store\r\n-dsPublish Publish a certificate or 
certificate revocation list (CRL) to Active Directory\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 4 of 43\n\nVerbs Description\r\n-ADTemplate Display AD templates\r\n-Template Display certificate templates\r\n-TemplateCAs Display the certification authorities (CAs) for a certificate template\r\n-CATemplates Display templates for CA\r\n-SetCASites Manage Site Names for CAs\r\n-enrollmentServerURL Display, add or delete enrollment server URLs associated with a CA\r\n-ADCA Display AD CAs\r\n-CA Display Enrollment Policy CAs\r\n-Policy Display Enrollment Policy\r\n-PolicyCache Display or delete Enrollment Policy Cache entries\r\n-CredStore Display, add or delete Credential Store entries\r\n-\r\nInstallDefaultTemplates\r\nInstall default certificate templates\r\n-URLCache Display or delete URL cache entries\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 5 of 43\n\nVerbs Description\r\n-pulse Pulse auto enrollment events\r\n-MachineInfo Display information about the Active Directory machine object\r\n-DCInfo Display information about the domain controller\r\n-EntInfo Display information about an enterprise CA\r\n-TCAInfo Display information about the CA\r\n-SCInfo Display information about the smart card\r\n-SCRoots Manage smart card root certificates\r\n-verifykeys Verify a public or private key set\r\n-verify Verify a certificate, certificate revocation list (CRL), or certificate chain\r\n-verifyCTL Verify AuthRoot or Disallowed Certificates CTL\r\n-sign Re-sign a certificate revocation list (CRL) or certificate\r\n-vroot Create or delete web virtual roots and file shares\r\n-vocsproot Create or delete web virtual roots for an OCSP web proxy\r\n-addEnrollmentServer Add an Enrollment Server application\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 6 of 43\n\nVerbs Description\r\n-deleteEnrollmentServer Delete an Enrollment Server application\r\n-addPolicyServer Add a Policy Server application\r\n-deletePolicyServer 
Delete a Policy Server application\r\n-oid Display the object identifier or set a display name\r\n-error Display the message text associated with an error code\r\n-getreg Display a registry value\r\n-setreg Set a registry value\r\n-delreg Delete a registry value\r\n-ImportKMS Import user keys and certificates into the server database for key archival\r\n-ImportCert Import a certificate file into the database\r\n-GetKey Retrieve an archived private key recovery blob\r\n-RecoverKey Recover an archived private key\r\n-MergePFX Merge PFX files\r\n-ConvertEPF Convert a PFX file into an EPF file\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 7 of 43\n\nVerbs Description\r\n-? Displays the list of verbs\r\n-\u003cverb\u003e -? Displays help for the verb specified.\r\n-? -v Displays a full list of verbs and\r\nReturn to Menu\r\nFor basic command line syntax, run certutil -?\r\nFor the syntax on using certutil with a specific verb, run certutil \u003cverb\u003e -?\r\nTo send all of the certutil syntax into a text file, run the following commands:\r\ncertutil -v -? 
\u003e certutilhelp.txt\r\nnotepad certutilhelp.txt\r\nThe following table describes the notation used to indicate command-line syntax.\r\nNotation Description\r\nText without brackets or braces Items you must type as shown\r\n\u003cText inside angle brackets\u003e Placeholder for which you must supply a value\r\n[Text inside square brackets] Optional items\r\n{Text inside braces} Set of required items; choose one\r\nVertical bar (|) Separator for mutually exclusive items; choose one\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 8 of 43\n\nNotation Description\r\nEllipsis (…) Items that can be repeated\r\nReturn to Menu\r\nCertUtil [Options] [-dump]\r\nCertUtil [Options] [-dump] File\r\nDump configuration information or files\r\n[-f] [-silent] [-split] [-p Password] [-t Timeout]\r\nReturn to Menu\r\nCertUtil [Options] -asn File [type]\r\nParse ASN.1 file\r\ntype: numeric CRYPT_STRING_* decoding type\r\nReturn to Menu\r\nCertUtil [Options] -decodehex InFile OutFile [type]\r\ntype: numeric CRYPT_STRING_* encoding type\r\n[-f]\r\nReturn to Menu\r\nCertUtil [Options] -decode InFile OutFile\r\nDecode Base64-encoded file\r\n[-f]\r\nReturn to Menu\r\nCertUtil [Options] -encode InFile OutFile\r\nEncode file to Base64\r\n[-f] [-UnicodeText]\r\nReturn to Menu\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 9 of 43\n\nCertUtil [Options] -deny RequestId\r\nDeny pending request\r\n[-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -resubmit RequestId\r\nResubmit pending request\r\n[-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -setattributes RequestId AttributeString\r\nSet attributes for pending request\r\nRequestId -- numeric Request Id of pending request\r\nAttributeString -- Request Attribute name and value pairs\r\nNames and values are colon separated.\r\nMultiple name, value pairs are newline separated.\r\nExample: \"CertificateTemplate:User\\nEMail:User@Domain.com\"\r\nEach \"\\n\" sequence is converted to 
a newline separator.\r\n[-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -setextension RequestId ExtensionName Flags {Long | Date | String | @InFile}\r\nSet extension for pending request\r\nRequestId -- numeric Request Id of a pending request\r\nExtensionName -- ObjectId string of the extension\r\nFlags -- 0 is recommended. 1 makes the extension critical, 2 disables it, 3 does both.\r\nIf the last parameter is numeric, it is taken as a Long.\r\nIf it can be parsed as a date, it is taken as a Date.\r\nIf it starts with '@', the rest of the token is the filename containing binary data or an ascii-text hex dump.\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 10 of 43\n\nAnything else is taken as a String.\r\n[-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -revoke SerialNumber [Reason]\r\nRevoke Certificate\r\nSerialNumber: Comma separated list of certificate serial numbers to revoke\r\nReason: numeric or symbolic revocation reason\r\n0: CRL_REASON_UNSPECIFIED: Unspecified (default)\r\n1: CRL_REASON_KEY_COMPROMISE: Key Compromise\r\n2: CRL_REASON_CA_COMPROMISE: CA Compromise\r\n3: CRL_REASON_AFFILIATION_CHANGED: Affiliation Changed\r\n4: CRL_REASON_SUPERSEDED: Superseded\r\n5: CRL_REASON_CESSATION_OF_OPERATION: Cessation of Operation\r\n6: CRL_REASON_CERTIFICATE_HOLD: Certificate Hold\r\n8: CRL_REASON_REMOVE_FROM_CRL: Remove From CRL\r\n-1: Unrevoke: Unrevoke\r\n[-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -isvalid SerialNumber | CertHash\r\nDisplay current certificate disposition\r\n[-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -getconfig\r\nGet default configuration string\r\n[-config Machine\\CAName]\r\nReturn to Menu\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 11 of 43\n\nCertUtil [Options] -ping [MaxSecondsToWait | CAMachineList]\r\nPing Active Directory Certificate Services Request interface\r\nCAMachineList -- Comma-separated CA machine name list\r\n1. 
For a single machine, use a terminating comma\r\n2. Displays the site cost for each CA machine\r\n[-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -CAInfo [InfoName [Index | ErrorCode]]\r\nDisplay CA Information\r\nInfoName -- indicates the CA property to display (see below). Use \"*\" for all properties.\r\nIndex -- optional zero-based property index\r\nErrorCode -- numeric error code\r\n[-f] [-split] [-config Machine\\CAName]\r\nInfoName argument syntax:\r\nfile: File version\r\nproduct: Product version\r\nexitcount: Exit module count\r\nexit [Index]: Exit module description\r\npolicy: Policy module description\r\nname: CA name\r\nsanitizedname: Sanitized CA name\r\ndsname: Sanitized CA short name (DS name)\r\nsharedfolder: Shared folder\r\nerror1 ErrorCode: Error message text\r\nerror2 ErrorCode: Error message text and error code\r\ntype: CA type\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 12 of 43\n\ninfo: CA info\r\nparent: Parent CA\r\ncertcount: CA cert count\r\nxchgcount: CA exchange cert count\r\nkracount: KRA cert count\r\nkraused: KRA cert used count\r\npropidmax: Maximum CA PropId\r\ncertstate [Index]: CA cert\r\ncertversion [Index]: CA cert version\r\ncertstatuscode [Index]: CA cert verify status\r\ncrlstate [Index]: CRL\r\nkrastate [Index]: KRA cert\r\ncrossstate+ [Index]: Forward cross cert\r\ncrossstate- [Index]: Backward cross cert\r\ncert [Index]: CA cert\r\ncertchain [Index]: CA cert chain\r\ncertcrlchain [Index]: CA cert chain with CRLs\r\nxchg [Index]: CA exchange cert\r\nxchgchain [Index]: CA exchange cert chain\r\nxchgcrlchain [Index]: CA exchange cert chain with CRLs\r\nkra [Index]: KRA cert\r\ncross+ [Index]: Forward cross cert\r\ncross- [Index]: Backward cross cert\r\nCRL [Index]: Base CRL\r\ndeltacrl [Index]: Delta CRL\r\ncrlstatus [Index]: CRL Publish Status\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 13 of 43\n\ndeltacrlstatus [Index]: Delta CRL Publish Status\r\ndns: DNS 
Name\r\nrole: Role Separation\r\nads: Advanced Server\r\ntemplates: Templates\r\nocsp [Index]: OCSP URLs\r\naia [Index]: AIA URLs\r\ncdp [Index]: CDP URLs\r\nlocalename: CA locale name\r\nsubjecttemplateoids: Subject Template OIDs\r\nReturn to Menu\r\nCertUtil [Options] -ca.cert OutCACertFile [Index]\r\nRetrieve the CA's certificate\r\nOutCACertFile: output file\r\nIndex: CA certificate renewal index (defaults to most recent)\r\n[-f] [-split] [-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -ca.chain OutCACertChainFile [Index]\r\nRetrieve the CA's certificate chain\r\nOutCACertChainFile: output file\r\nIndex: CA certificate renewal index (defaults to most recent)\r\n[-f] [-split] [-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -GetCRL OutFile [Index] [delta]\r\nGet CRL\r\nIndex: CRL index or key index (defaults to CRL for newest key)\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 14 of 43\n\ndelta: delta CRL (default is base CRL)\r\n[-f] [-split] [-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -CRL [dd:hh | republish] [delta]\r\nPublish new CRLs [or delta CRLs only]\r\ndd:hh -- new CRL validity period in days and hours\r\nrepublish -- republish most recent CRLs\r\ndelta -- delta CRLs only (default is base and delta CRLs)\r\n[-split] [-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -shutdown\r\nShutdown Active Directory Certificate Services\r\n[-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -installCert [CACertFile]\r\nInstall Certification Authority certificate\r\n[-f] [-silent] [-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -renewCert [ReuseKeys] [Machine\\ParentCAName]\r\nRenew Certification Authority certificate\r\nUse -f to ignore an outstanding renewal request, and generate a new request.\r\n[-f] [-silent] [-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -schema [Ext | Attrib | CRL]\r\nDump Certificate Schema\r\nDefaults 
to Request and Certificate table\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 15 of 43\n\nExt: Extension table\r\nAttrib: Attribute table\r\nCRL: CRL table\r\n[-split] [-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -view [Queue | Log | LogFail | Revoked | Ext | Attrib | CRL] [csv]\r\nDump Certificate View\r\nQueue: Request queue\r\nLog: Issued or revoked certificates, plus failed requests\r\nLogFail: Failed requests\r\nRevoked: Revoked certificates\r\nExt: Extension table\r\nAttrib: Attribute table\r\nCRL: CRL table\r\ncsv: Output as Comma Separated Values\r\nTo display the StatusCode column for all entries: -out StatusCode\r\nTo display all columns for the last entry: -restrict \"RequestId==$\"\r\nTo display RequestId and Disposition for three requests: -restrict \"RequestId\u003e=37,RequestId\u003c40\" -out\r\n\"RequestId,Disposition\"\r\nTo display Row Ids and CRL Numbers for all Base CRLs: -restrict \"CRLMinBase=0\" -out\r\n\"CRLRowId,CRLNumber\" CRL\r\nTo display Base CRL Number 3: -v -restrict \"CRLMinBase=0,CRLNumber=3\" -out \"CRLRawCRL\" CRL\r\nTo display the entire CRL table: CRL\r\nUse \"Date[+|-dd:hh]\" for date restrictions\r\nUse \"now+dd:hh\" for a date relative to the current time\r\n[-silent] [-split] [-config Machine\\CAName] [-restrict RestrictionList] [-out ColumnList]\r\nReturn to Menu\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 16 of 43\n\nCertUtil [Options] -db\r\nDump Raw Database\r\n[-config Machine\\CAName] [-restrict RestrictionList] [-out ColumnList]\r\nReturn to Menu\r\nCertUtil [Options] -deleterow RowId | Date [Request | Cert | Ext | Attrib | CRL]\r\nDelete server database row\r\nRequest: Failed and pending requests (submission date)\r\nCert: Expired and revoked certificates (expiration date)\r\nExt: Extension table\r\nAttrib: Attribute table\r\nCRL: CRL table (expiration date)\r\nTo delete failed and pending requests submitted by January 22, 2001: 1/22/2001 Request\r\nTo delete 
all certificates that expired by January 22, 2001: 1/22/2001 Cert\r\nTo delete the certificate row, attributes and extensions for RequestId 37: 37\r\nTo delete CRLs that expired by January 22, 2001: 1/22/2001 CRL\r\n[-f] [-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -backup BackupDirectory [Incremental] [KeepLog]\r\nBackup Active Directory Certificate Services\r\nBackupDirectory: directory to store backed up data\r\nIncremental: perform incremental backup only (default is full backup)\r\nKeepLog: preserve database log files (default is to truncate log files)\r\n[-f] [-config Machine\\CAName] [-p Password]\r\nReturn to Menu\r\nCertUtil [Options] -backupDB BackupDirectory [Incremental] [KeepLog]\r\nBackup Active Directory Certificate Services database\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 17 of 43\n\nBackupDirectory: directory to store backed up database files\r\nIncremental: perform incremental backup only (default is full backup)\r\nKeepLog: preserve database log files (default is to truncate log files)\r\n[-f] [-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -backupKey BackupDirectory\r\nBackup Active Directory Certificate Services certificate and private key\r\nBackupDirectory: directory to store backed up PFX file\r\n[-f] [-config Machine\\CAName] [-p Password] [-t Timeout]\r\nReturn to Menu\r\nCertUtil [Options] -restore BackupDirectory\r\nRestore Active Directory Certificate Services\r\nBackupDirectory: directory containing data to be restored\r\n[-f] [-config Machine\\CAName] [-p Password]\r\nReturn to Menu\r\nCertUtil [Options] -restoreDB BackupDirectory\r\nRestore Active Directory Certificate Services database\r\nBackupDirectory: directory containing database files to be restored\r\n[-f] [-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -restoreKey BackupDirectory | PFXFile\r\nRestore Active Directory Certificate Services certificate and private key\r\nBackupDirectory: directory 
containing PFX file to be restored\r\nPFXFile: PFX file to be restored\r\n[-f] [-config Machine\\CAName] [-p Password]\r\nReturn to Menu\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 18 of 43\n\nCertUtil [Options] -importPFX [CertificateStoreName] PFXFile [Modifiers]\r\nImport certificate and private key\r\nCertificateStoreName: Certificate store name. See -store.\r\nPFXFile: PFX file to be imported\r\nModifiers: Comma separated list of one or more of the following:\r\n1. AT_SIGNATURE: Change the KeySpec to Signature\r\n2. AT_KEYEXCHANGE: Change the KeySpec to Key Exchange\r\n3. NoExport: Make the private key non-exportable\r\n4. NoCert: Do not import the certificate\r\n5. NoChain: Do not import the certificate chain\r\n6. NoRoot: Do not import the root certificate\r\n7. Protect: Protect keys with password\r\n8. NoProtect: Do not password protect keys\r\nDefaults to personal machine store.\r\n[-f] [-user] [-p Password] [-csp Provider]\r\nReturn to Menu\r\nCertUtil [Options] -dynamicfilelist\r\nDisplay dynamic file List\r\n[-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -databaselocations\r\nDisplay database locations\r\n[-config Machine\\CAName]\r\nReturn to Menu\r\nCertUtil [Options] -hashfile InFile [HashAlgorithm]\r\nGenerate and display cryptographic hash over a file\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 19 of 43\n\nReturn to Menu\r\nCertUtil [Options] -store [CertificateStoreName [CertId [OutputFile]]]\r\nDump certificate store\r\nCertificateStoreName: Certificate store name. 
Examples:\r\n\"My\", \"CA\" (default), \"Root\",\r\n\"ldap:///CN=Certification Authorities,CN=Public Key\r\nServices,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?\r\nobjectClass=certificationAuthority\" (View Root Certificates)\r\n\"ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key\r\nServices,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?\r\nobjectClass=certificationAuthority\" (Modify Root Certificates)\r\n\"ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key\r\nServices,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?\r\nobjectClass=cRLDistributionPoint\" (View CRLs)\r\n\"ldap:///CN=NTAuthCertificates,CN=Public Key\r\nServices,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?\r\nobjectClass=certificationAuthority\" (Enterprise CA Certificates)\r\nldap: (AD computer object certificates)\r\n-user ldap: (AD user object certificates)\r\nCertId: Certificate or CRL match token. This can be a serial number, an SHA-1 certificate, CRL, CTL or public\r\nkey hash, a numeric cert index (0, 1, and so on), a numeric CRL index (.0, .1, and so on), a numeric CTL index\r\n(..0, ..1, and so on), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail\r\naddress, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or\r\nApplication Policies ObjectId, or a CRL issuer Common Name. 
Many of these may result in multiple matches.\r\nOutputFile: file to save matching cert\r\nUse -user to access a user store instead of a machine store.\r\nUse -enterprise to access a machine enterprise store.\r\nUse -service to access a machine service store.\r\nUse -grouppolicy to access a machine group policy store.\r\nExamples:\r\n-enterprise NTAuth\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 20 of 43\n\n-enterprise Root 37\r\n-user My 26e0aaaf000000000004\r\nCA .11\r\n[-f] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName]\r\nReturn to Menu\r\nCertUtil [Options] -addstore CertificateStoreName InFile\r\nAdd certificate to store\r\nCertificateStoreName: Certificate store name. See -store.\r\nInFile: Certificate or CRL file to add to store.\r\n[-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]\r\nReturn to Menu\r\nCertUtil [Options] -delstore CertificateStoreName CertId\r\nDelete certificate from store\r\nCertificateStoreName: Certificate store name. See -store.\r\nCertId: Certificate or CRL match token. See -store.\r\n[-enterprise] [-user] [-GroupPolicy] [-dc DCName]\r\nReturn to Menu\r\nCertUtil [Options] -verifystore CertificateStoreName [CertId]\r\nVerify certificate in store\r\nCertificateStoreName: Certificate store name. See -store.\r\nCertId: Certificate or CRL match token. See -store.\r\n[-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName] [-t Timeout]\r\nReturn to Menu\r\nCertUtil [Options] -repairstore CertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor]\r\nRepair key association or update certificate properties or key security descriptor\r\nCertificateStoreName: Certificate store name. See -store.\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 21 of 43\n\nCertIdList: comma separated list of Certificate or CRL match tokens. 
See -store CertId description.\r\nPropertyInfFile -- INF file containing external properties:\r\n[Properties]\r\n 19 = Empty ; Add archived property, OR:\r\n 19 = ; Remove archived property\r\n 11 = \"{text}Friendly Name\" ; Add friendly name property\r\n 127 = \"{hex}\" ; Add custom hexadecimal property\r\n _continue_ = \"00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f\"\r\n _continue_ = \"10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f\"\r\n 2 = \"{text}\" ; Add Key Provider Information property\r\n _continue_ = \"Container=Container Name\u0026\"\r\n _continue_ = \"Provider=Microsoft Strong Cryptographic Provider\u0026\"\r\n _continue_ = \"ProviderType=1\u0026\"\r\n _continue_ = \"Flags=0\u0026\"\r\n _continue_ = \"KeySpec=2\"\r\n 9 = \"{text}\" ; Add Enhanced Key Usage property\r\n _continue_ = \"1.3.6.1.5.5.7.3.2,\"\r\n _continue_ = \"1.3.6.1.5.5.7.3.1,\"\r\n[-f] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-csp Provider]\r\nReturn to Menu\r\nCertUtil [Options] -viewdelstore [CertificateStoreName [CertId [OutputFile]]]\r\nDump certificate store\r\nCertificateStoreName: Certificate store name. 
Examples:\r\n\"My\", \"CA\" (default), \"Root\",\r\n\"ldap:///CN=Certification Authorities,CN=Public Key\r\nServices,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?\r\nobjectClass=certificationAuthority\" (View Root Certificates)\r\n\"ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key\r\nServices,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?\r\nobjectClass=certificationAuthority\" (Modify Root Certificates)\r\n\"ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key\r\nServices,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 22 of 43\n\nobjectClass=cRLDistributionPoint\" (View CRLs)\r\n\"ldap:///CN=NTAuthCertificates,CN=Public Key\r\nServices,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?\r\nobjectClass=certificationAuthority\" (Enterprise CA Certificates)\r\nldap: (AD machine object certificates)\r\n-user ldap: (AD user object certificates)\r\nCertId: Certificate or CRL match token. This can be a serial number, an SHA-1 certificate, CRL, CTL or public\r\nkey hash, a numeric cert index (0, 1, and so on), a numeric CRL index (.0, .1, and so on), a numeric CTL index\r\n(..0, ..1, and so on), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail\r\naddress, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or\r\nApplication Policies ObjectId, or a CRL issuer Common Name. Many of these may result in multiple matches.\r\nOutputFile: file to save matching cert\r\nUse -user to access a user store instead of a machine store.\r\nUse -enterprise to access a machine enterprise store.\r\nUse -service to access a machine service store.\r\nUse -grouppolicy to access a machine group policy store.\r\nExamples:\r\n1. -enterprise NTAuth\r\n2. -enterprise Root 37\r\n3. -user My 26e0aaaf000000000004\r\n4. 
CA .11\r\n[-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]\r\nReturn to Menu\r\nCertUtil [Options] -viewdelstore [CertificateStoreName [CertId [OutputFile]]]\r\nDelete certificate from store\r\nCertificateStoreName: Certificate store name. Examples:\r\n\"My\", \"CA\" (default), \"Root\",\r\n\"ldap:///CN=Certification Authorities,CN=Public Key\r\nServices,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 23 of 43\n\nobjectClass=certificationAuthority\" (View Root Certificates)\r\n\"ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key\r\nServices,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?\r\nobjectClass=certificationAuthority\" (Modify Root Certificates)\r\n\"ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key\r\nServices,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?\r\nobjectClass=cRLDistributionPoint\" (View CRLs)\r\n\"ldap:///CN=NTAuthCertificates,CN=Public Key\r\nServices,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?\r\nobjectClass=certificationAuthority\" (Enterprise CA Certificates)\r\nldap: (AD machine object certificates)\r\n-user ldap: (AD user object certificates)\r\nCertId: Certificate or CRL match token. This can be a serial number, an SHA-1 certificate, CRL, CTL or public\r\nkey hash, a numeric cert index (0, 1, and so on), a numeric CRL index (.0, .1, and so on), a numeric CTL index\r\n(..0, ..1, and so on), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail\r\naddress, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or\r\nApplication Policies ObjectId, or a CRL issuer Common Name. 
Many of these may result in multiple matches.\r\nOutputFile: file to save matching cert\r\nUse -user to access a user store instead of a machine store.\r\nUse -enterprise to access a machine enterprise store.\r\nUse -service to access a machine service store.\r\nUse -grouppolicy to access a machine group policy store.\r\nExamples:\r\n1. -enterprise NTAuth\r\n2. -enterprise Root 37\r\n3. -user My 26e0aaaf000000000004\r\n4. CA .11\r\n[-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]\r\nReturn to Menu\r\nCertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 24 of 43\n\nCertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]]\r\nPublish certificate or CRL to Active Directory\r\nCertFile: certificate file to publish\r\nNTAuthCA: Publish cert to DS Enterprise store\r\nRootCA: Publish cert to DS Trusted Root store\r\nSubCA: Publish CA cert to DS CA object\r\nCrossCA: Publish cross cert to DS CA object\r\nKRA: Publish cert to DS Key Recovery Agent object\r\nUser: Publish cert to User DS object\r\nMachine: Publish cert to Machine DS object\r\nCRLFile: CRL file to publish\r\nDSCDPContainer: DS CDP container CN, usually the CA machine name\r\nDSCDPCN: DS CDP object CN, usually based on the sanitized CA short name and key index\r\nUse -f to create DS object.\r\n[-f] [-user] [-dc DCName]\r\nReturn to Menu\r\nCertUtil [Options] -ADTemplate [Template]\r\nDisplay AD templates\r\n[-f] [-user] [-ut] [-mt] [-dc DCName]\r\nCertUtil [Options] -Template [Template]\r\nDisplay Enrollment Policy templates\r\n[-f] [-user] [-silent] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-\r\nUserName UserName] [-p Password]\r\nReturn to Menu\r\nCertUtil [Options] -TemplateCAs Template\r\nDisplay CAs for template\r\n[-f] [-user] [-dc DCName]\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 25 of 43\n\nReturn to Menu\r\nCertUtil 
[Options] -CATemplates [Template]\r\nDisplay templates for CA\r\n[-f] [-user] [-ut] [-mt] [-config Machine\\CAName] [-dc DCName]\r\nReturn to Menu\r\nCertUtil [Options] -SetCASites [set] [SiteName]\r\nCertUtil [Options] -SetCASites verify [SiteName]\r\nCertUtil [Options] -SetCASites delete\r\nSet, Verify or Delete CA site names\r\nUse the -config option to target a single CA (Default is all CAs)\r\nSiteName is allowed only when targeting a single CA\r\nUse -f to override validation errors for the specified SiteName\r\nUse -f to delete all CA site names\r\n[-f] [-config Machine\\CAName] [-dc DCName]\r\nReturn to Menu\r\nCertUtil [Options] -enrollmentServerURL [URL AuthenticationType [Priority] [Modifiers]]\r\nCertUtil [Options] -enrollmentServerURL URL delete\r\nDisplay, add or delete enrollment server URLs associated with a CA\r\nAuthenticationType: Specify one of the following client authentication methods while adding a URL\r\n1. Kerberos: Use Kerberos SSL credentials\r\n2. UserName: Use named account for SSL credentials\r\n3. ClientCertificate: Use X.509 Certificate SSL credentials\r\n4. Anonymous: Use anonymous SSL credentials\r\ndelete: deletes the specified URL associated with the CA\r\nPriority: defaults to '1' if not specified when adding a URL\r\nModifiers -- Comma separated list of one or more of the following:\r\nhttps://technet.microsoft.com/library/cc732443.aspx\r\nPage 26 of 43\n\n1. AllowRenewalsOnly: Only renewal requests can be submitted to this CA via this URL\r\n2. AllowKeyBasedRenewal: Allows use of a certificate that has no associated account in the AD. 
This applies\r\nonly with ClientCertificate and AllowRenewalsOnly Mode\r\n[-config Machine\\CAName] [-dc DCName]\r\nCertUtil [Options] -ADCA [CAName]\r\nDisplay AD CAs\r\n[-f] [-split] [-dc DCName]\r\nCertUtil [Options] -CA [CAName | TemplateName]\r\nDisplay Enrollment Policy CAs\r\n[-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId]\r\n[-UserName UserName] [-p Password]\r\n\r\nDisplay Enrollment Policy\r\n[-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId]\r\n[-UserName UserName] [-p Password]\r\nCertUtil [Options] -PolicyCache [delete]\r\nDisplay or delete Enrollment Policy Cache entries\r\ndelete: delete Policy Server cache entries\r\n-f: use -f to delete all cache entries\r\n[-f] [-user] [-PolicyServer URLOrId]\r\nCertUtil [Options] -CredStore [URL]\r\nCertUtil [Options] -CredStore URL add\r\nCertUtil [Options] -CredStore URL delete\r\nDisplay, add or delete Credential Store entries\r\nURL: target URL. Use * to match all entries. Use https://machine* to match a URL prefix.\r\nadd: add a Credential Store entry. 
SSL credentials must also be specified.\r\ndelete: delete Credential Store entries\r\n-f: use -f to overwrite an entry or to delete multiple entries.\r\n[-f] [-user] [-silent] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]\r\nCertUtil [Options] -InstallDefaultTemplates\r\nInstall default certificate templates\r\n[-dc DCName]\r\nCertUtil [Options] -URLCache [URL | CRL | * [delete]]\r\nDisplay or delete URL cache entries\r\nURL: cached URL\r\nCRL: operate on all cached CRL URLs only\r\n*: operate on all cached URLs\r\ndelete: delete relevant URLs from the current user's local cache\r\nUse -f to force fetching a specific URL and updating the cache.\r\n[-f] [-split]\r\nCertUtil [Options] -pulse\r\nPulse autoenrollment events\r\n[-user]\r\nCertUtil [Options] -MachineInfo DomainName\\MachineName$\r\nDisplay Active Directory computer object information\r\nCertUtil [Options] -DCInfo [Domain] [Verify | DeleteBad | DeleteAll]\r\nDisplay domain controller information\r\nDefault is to display DC certs without verification\r\n[-f] [-user] [-urlfetch] [-dc DCName] [-t Timeout]\r\nTip\r\nThe ability to specify an Active Directory Domain Services (AD DS) domain [Domain] and to specify a domain\r\ncontroller (-dc) was added in Windows Server 2012. To successfully run the command, you must use an account\r\nthat is a member of Domain Admins or Enterprise Admins. The behavior modifications of this command are as\r\nfollows: If a domain is not specified and a specific domain controller is not specified, this option returns a list of\r\ndomain controllers to process from the default domain controller. If a domain is not specified, but a domain\r\ncontroller is specified, a report of the certificates on the specified domain controller is generated. 
If a domain is\r\nspecified, but a domain controller is not specified, a list of domain controllers is generated along with reports on\r\nthe certificates for each domain controller in the list. If the domain and domain controller are specified, a list of\r\ndomain controllers is generated from the targeted domain controller. A report of the certificates for each domain\r\ncontroller in the list is also generated.\r\nFor example, assume there is a domain named CPANDL with a domain controller named CPANDL-DC1. You\r\ncould run the following command to retrieve a list of domain controllers and their certificates from\r\nCPANDL-DC1: certutil -dc cpandl-dc1 -dcinfo cpandl\r\nCertUtil [Options] -EntInfo DomainName\\MachineName$\r\n[-f] [-user]\r\nCertUtil [Options] -TCAInfo [DomainDN | -]\r\nDisplay CA information\r\n[-f] [-enterprise] [-user] [-urlfetch] [-dc DCName] [-t Timeout]\r\nCertUtil [Options] -SCInfo [ReaderName [CRYPT_DELETEKEYSET]]\r\nDisplay smart card information\r\nCRYPT_DELETEKEYSET: Delete all keys on the smart card\r\n[-silent] [-split] [-urlfetch] [-t Timeout]\r\nCertUtil [Options] -SCRoots update [+][InputRootFile] [ReaderName]\r\nCertUtil [Options] -SCRoots save @OutputRootFile [ReaderName]\r\nCertUtil [Options] -SCRoots view [InputRootFile | ReaderName]\r\nCertUtil [Options] -SCRoots delete [ReaderName]\r\nManage smart card root certificates\r\n[-f] [-split] [-p Password]\r\nCertUtil [Options] -verifykeys [KeyContainerName CACertFile]\r\nVerify public/private key set\r\nKeyContainerName: key container name of the key to verify. Defaults to machine keys. 
Use -user for user keys.\r\nCACertFile: signing or encryption certificate file\r\nIf no arguments are specified, each signing CA cert is verified against its private key.\r\nThis operation can only be performed against a local CA or local keys.\r\n[-f] [-user] [-silent] [-config Machine\\CAName]\r\nCertUtil [Options] -verify CertFile [ApplicationPolicyList | - [IssuancePolicyList]]\r\nCertUtil [Options] -verify CertFile [CACertFile [CrossedCACertFile]]\r\nCertUtil [Options] -verify CRLFile CACertFile [IssuedCertFile]\r\nCertUtil [Options] -verify CRLFile CACertFile [DeltaCRLFile]\r\nVerify certificate, CRL or chain\r\nCertFile: Certificate to verify\r\nApplicationPolicyList: optional comma separated list of required Application Policy ObjectIds\r\nIssuancePolicyList: optional comma separated list of required Issuance Policy ObjectIds\r\nCACertFile: optional issuing CA certificate to verify against\r\nCrossedCACertFile: optional certificate cross-certified by CertFile\r\nCRLFile: CRL to verify\r\nIssuedCertFile: optional issued certificate covered by CRLFile\r\nDeltaCRLFile: optional delta CRL\r\nIf ApplicationPolicyList is specified, chain building is restricted to chains valid for the specified Application\r\nPolicies.\r\nIf IssuancePolicyList is specified, chain building is restricted to chains valid for the specified Issuance Policies.\r\nIf CACertFile is specified, fields in CACertFile are verified against CertFile or CRLFile.\r\nIf CACertFile is not specified, CertFile is used to build and verify a full chain.\r\nIf CACertFile and CrossedCACertFile are both specified, fields in CACertFile and CrossedCACertFile are\r\nverified against CertFile.\r\nIf IssuedCertFile is specified, fields in IssuedCertFile are verified against CRLFile.\r\nIf DeltaCRLFile is specified, fields in DeltaCRLFile are verified against CRLFile.\r\n[-f] [-enterprise] [-user] [-silent] [-split] 
[-urlfetch] [-t Timeout]\r\nCertUtil [Options] -verifyCTL CTLObject [CertDir] [CertFile]\r\nVerify AuthRoot or Disallowed Certificates CTL\r\nCTLObject: Identifies the CTL to verify:\r\nAuthRootWU: read AuthRoot CAB and matching certificates from the URL cache. Use -f to download\r\nfrom Windows Update instead.\r\nDisallowedWU: read Disallowed Certificates CAB and disallowed certificate store file from the URL\r\ncache. Use -f to download from Windows Update instead.\r\nAuthRoot: read registry cached AuthRoot CTL. Use with -f and a CertFile that is not already trusted to\r\nforce updating the registry cached AuthRoot and Disallowed Certificate CTLs.\r\nDisallowed: read registry cached Disallowed Certificates CTL. -f has the same behavior as with AuthRoot.\r\nCTLFileName: file or http: path to CTL or CAB\r\nCertDir: folder containing certificates matching CTL entries. An http: folder path must end with a path separator.\r\nIf a folder is not specified with AuthRoot or Disallowed, multiple locations will be searched for matching\r\ncertificates: local certificate stores, crypt32.dll resources and the local URL cache. Use -f to download from\r\nWindows Update when necessary. Otherwise defaults to the same folder or web site as the CTLObject.\r\nCertFile: file containing certificate(s) to verify. Certificates will be matched against CTL entries, and match results\r\ndisplayed. 
Suppresses most of the default output.\r\n[-f] [-user] [-split]\r\nCertUtil [Options] -sign InFileList|SerialNumber|CRL OutFileList [StartDate+dd:hh] [+SerialNumberList | -SerialNumberList | -ObjectIdList | @ExtensionFile\\]\r\nCertUtil [Options] -sign InFileList|SerialNumber|CRL OutFileList [#HashAlgorithm]\r\n[+AlternateSignatureAlgorithm | -AlternateSignatureAlgorithm]\r\nRe-sign CRL or certificate\r\nInFileList: comma separated list of Certificate or CRL files to modify and re-sign\r\nSerialNumber: Serial number of certificate to create. Validity period and other options must not be present.\r\nCRL: Create an empty CRL. Validity period and other options must not be present.\r\nOutFileList: comma separated list of modified Certificate or CRL output files. The number of files must match\r\nInFileList.\r\nStartDate+dd:hh: new validity period: optional date plus; optional days and hours validity period; If both are\r\nspecified, use a plus sign (+) separator. Use \"now[+dd:hh]\" to start at the current time. Use \"never\" to have no\r\nexpiration date (for CRLs only).\r\nSerialNumberList: comma separated serial number list to add or remove\r\nObjectIdList: comma separated extension ObjectId list to remove\r\n@ExtensionFile: INF file containing extensions to update or remove:\r\n[Extensions]\r\n 2.5.29.31 = ; Remove CRL Distribution Points extension\r\n 2.5.29.15 = \"{hex}\" ; Update Key Usage extension\r\n _continue_=\"03 02 01 86\"\r\nHashAlgorithm: Name of the hash algorithm preceded by a # sign\r\nAlternateSignatureAlgorithm: alternate Signature algorithm specifier\r\nA minus sign causes serial numbers and extensions to be removed. A plus sign causes serial numbers to be added\r\nto a CRL. When removing items from a CRL, the list may contain both serial numbers and ObjectIds. 
A minus\r\nsign before AlternateSignatureAlgorithm causes the legacy signature format to be used. A plus sign before\r\nAlternateSignatureAlgorithm causes the alternate signature format to be used. If AlternateSignatureAlgorithm is\r\nnot specified then the signature format in the certificate or CRL is used.\r\n[-nullsign] [-f] [-silent] [-Cert CertId]\r\nCertUtil [Options] -vroot [delete]\r\nCreate/delete web virtual roots and file shares\r\nCertUtil [Options] -vocsproot [delete]\r\nCreate/delete web virtual roots for OCSP web proxy\r\nCertUtil [Options] -addEnrollmentServer Kerberos | UserName | ClientCertificate [AllowRenewalsOnly]\r\n[AllowKeyBasedRenewal]\r\nAdd an Enrollment Server application\r\nAdd an Enrollment Server application and application pool if necessary, for the specified CA. This command does\r\nnot install binaries or packages. Specify one of the following authentication methods, with which the client connects to a\r\nCertificate Enrollment Server:\r\nKerberos: Use Kerberos SSL credentials\r\nUserName: Use named account for SSL credentials\r\nClientCertificate: Use X.509 Certificate SSL credentials\r\nAllowRenewalsOnly: Only renewal requests can be submitted to this CA via this URL\r\nAllowKeyBasedRenewal -- Allows use of a certificate that has no associated account in the AD. This\r\napplies only with ClientCertificate and AllowRenewalsOnly mode.\r\n[-config Machine\\CAName]\r\nCertUtil [Options] -deleteEnrollmentServer Kerberos | UserName | ClientCertificate\r\nDelete an Enrollment Server application\r\nDelete an Enrollment Server application and application pool if necessary, for the specified CA. This command\r\ndoes not remove binaries or packages. 
Specify one of the following authentication methods, with which the client connects\r\nto a Certificate Enrollment Server:\r\n1. Kerberos: Use Kerberos SSL credentials\r\n2. UserName: Use named account for SSL credentials\r\n3. ClientCertificate: Use X.509 Certificate SSL credentials\r\n[-config Machine\\CAName]\r\nCertUtil [Options] -addPolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]\r\nAdd a Policy Server application\r\nAdd a Policy Server application and application pool if necessary. This command does not install binaries or\r\npackages. Specify one of the following authentication methods, with which the client connects to a Certificate Policy\r\nServer:\r\nKerberos: Use Kerberos SSL credentials\r\nUserName: Use named account for SSL credentials\r\nClientCertificate: Use X.509 Certificate SSL credentials\r\nKeyBasedRenewal: Only policies that contain KeyBasedRenewal templates are returned to the client. This\r\nflag applies only for UserName and ClientCertificate authentication.\r\nCertUtil [Options] -deletePolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]\r\nDelete a Policy Server application\r\nDelete a Policy Server application and application pool if necessary. This command does not remove binaries or\r\npackages. Specify one of the following authentication methods, with which the client connects to a Certificate Policy\r\nServer:\r\n1. Kerberos: Use Kerberos SSL credentials\r\n2. UserName: Use named account for SSL credentials\r\n3. ClientCertificate: Use X.509 Certificate SSL credentials\r\n4. 
KeyBasedRenewal: KeyBasedRenewal policy server\r\nCertUtil [Options] -oid ObjectId [DisplayName | delete [LanguageId [Type]]]\r\nCertUtil [Options] -oid GroupId\r\nCertUtil [Options] -oid AlgId | AlgorithmName [GroupId]\r\nDisplay ObjectId or set display name\r\nObjectId -- ObjectId to display or to add display name\r\nGroupId -- decimal GroupId number for ObjectIds to enumerate\r\nAlgId -- hexadecimal AlgId for ObjectId to look up\r\nAlgorithmName -- Algorithm Name for ObjectId to look up\r\nDisplayName -- Display Name to store in DS\r\ndelete -- delete display name\r\nLanguageId -- Language Id (defaults to current: 1033)\r\nType -- DS object type to create: 1 for Template (default), 2 for Issuance Policy, 3 for Application Policy\r\nUse -f to create DS object.\r\n[-f]\r\nCertUtil [Options] -error ErrorCode\r\nDisplay error code message text\r\nCertUtil [Options] -getreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\\[ProgId\\]]\r\n[RegistryValueName]\r\nDisplay registry value\r\nca: Use CA's registry key\r\nrestore: Use CA's restore registry key\r\npolicy: Use policy module's registry key\r\nexit: Use first exit module's registry key\r\ntemplate: Use template registry key (use -user for user templates)\r\nenroll: Use enrollment registry key (use -user for user context)\r\nchain: Use chain configuration registry key\r\nPolicyServers: Use Policy Servers registry key\r\nProgId: Use policy or exit module's ProgId (registry subkey name)\r\nRegistryValueName: registry value name (use \"Name*\" to prefix match)\r\nValue: new numeric, string or date registry value or filename. 
If a numeric value starts with \"+\" or \"-\", the bits\r\nspecified in the new value are set or cleared in the existing registry value.\r\nIf a string value starts with \"+\" or \"-\", and the existing value is a REG_MULTI_SZ value, the string is added to or\r\nremoved from the existing registry value. To force creation of a REG_MULTI_SZ value, add a \"\\n\" to the end of\r\nthe string value.\r\nIf the value starts with \"@\", the rest of the value is the name of the file containing the hexadecimal text\r\nrepresentation of a binary value. If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh] -- an\r\noptional date plus or minus optional days and hours. If both are specified, use a plus sign (+) or minus sign (-)\r\nseparator. Use \"now+dd:hh\" for a date relative to the current time.\r\nUse \"chain\\ChainCacheResyncFiletime @now\" to effectively flush cached CRLs.\r\n[-f] [-user] [-GroupPolicy] [-config Machine\\CAName]\r\nCertUtil [Options] -setreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\\[ProgId\\]]RegistryValueName Value\r\nSet registry value\r\nca: Use CA's registry key\r\nrestore: Use CA's restore registry key\r\npolicy: Use policy module's registry key\r\nexit: Use first exit module's registry key\r\ntemplate: Use template registry key (use -user for user templates)\r\nenroll: Use enrollment registry key (use -user for user context)\r\nchain: Use chain configuration registry key\r\nPolicyServers: Use Policy Servers registry key\r\nProgId: Use policy or exit module's ProgId (registry subkey name)\r\nRegistryValueName: registry value name (use \"Name*\" to prefix match)\r\nValue: new numeric, string or date registry value or filename. 
If a numeric value starts with \"+\" or \"-\", the bits\r\nspecified in the new value are set or cleared in the existing registry value.\r\nIf a string value starts with \"+\" or \"-\", and the existing value is a REG_MULTI_SZ value, the string is added to or\r\nremoved from the existing registry value. To force creation of a REG_MULTI_SZ value, add a \"\\n\" to the end of\r\nthe string value.\r\nIf the value starts with \"@\", the rest of the value is the name of the file containing the hexadecimal text\r\nrepresentation of a binary value. If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh] -- an\r\noptional date plus or minus optional days and hours. If both are specified, use a plus sign (+) or minus sign (-)\r\nseparator. Use \"now+dd:hh\" for a date relative to the current time.\r\nUse \"chain\\ChainCacheResyncFiletime @now\" to effectively flush cached CRLs.\r\n[-f] [-user] [-GroupPolicy] [-config Machine\\CAName]\r\nCertUtil [Options] -delreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\\[ProgId\\]]\r\n[RegistryValueName]\r\nDelete registry value\r\nca: Use CA's registry key\r\nrestore: Use CA's restore registry key\r\npolicy: Use policy module's registry key\r\nexit: Use first exit module's registry key\r\ntemplate: Use template registry key (use -user for user templates)\r\nenroll: Use enrollment registry key (use -user for user context)\r\nchain: Use chain configuration registry key\r\nPolicyServers: Use Policy Servers registry key\r\nProgId: Use policy or exit module's ProgId (registry subkey name)\r\nRegistryValueName: registry value name (use \"Name*\" to prefix match)\r\nValue: new numeric, string or date registry value or filename. 
If a numeric value starts with \"+\" or \"-\", the bits\r\nspecified in the new value are set or cleared in the existing registry value.\r\nIf a string value starts with \"+\" or \"-\", and the existing value is a REG_MULTI_SZ value, the string is added to or\r\nremoved from the existing registry value. To force creation of a REG_MULTI_SZ value, add a \"\\n\" to the end of\r\nthe string value.\r\nIf the value starts with \"@\", the rest of the value is the name of the file containing the hexadecimal text\r\nrepresentation of a binary value. If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh] -- an\r\noptional date plus or minus optional days and hours. If both are specified, use a plus sign (+) or minus sign (-)\r\nseparator. Use \"now+dd:hh\" for a date relative to the current time.\r\nUse \"chain\\ChainCacheResyncFiletime @now\" to effectively flush cached CRLs.\r\n[-f] [-user] [-GroupPolicy] [-config Machine\\CAName]\r\nCertUtil [Options] -ImportKMS UserKeyAndCertFile [CertId]\r\nImport user keys and certificates into server database for key archival\r\nUserKeyAndCertFile -- Data file containing user private keys and certificates to be archived. This can be any of\r\nthe following:\r\nExchange Key Management Server (KMS) export file\r\nPFX file\r\nCertId: KMS export file decryption certificate match token. 
See -store.\r\nUse -f to import certificates not issued by the CA.\r\n[-f] [-silent] [-split] [-config Machine\\CAName] [-p Password] [-symkeyalg SymmetricKeyAlgorithm[,KeyLength]]\r\nCertUtil [Options] -ImportCert Certfile [ExistingRow]\r\nImport a certificate file into the database\r\nUse ExistingRow to import the certificate in place of a pending request for the same key.\r\nUse -f to import certificates not issued by the CA.\r\nThe CA may also need to be configured to support foreign certificate import: certutil -setreg ca\\KRAFlags +KRAF_ENABLEFOREIGN\r\n[-f] [-config Machine\\CAName]\r\nCertUtil [Options] -GetKey SearchToken [RecoveryBlobOutFile]\r\nCertUtil [Options] -GetKey SearchToken script OutputScriptFile\r\nCertUtil [Options] -GetKey SearchToken retrieve | recover OutputFileBaseName\r\nRetrieve archived private key recovery blob, generate a recovery script, or recover archived keys\r\nscript: generate a script to retrieve and recover keys (default behavior if multiple matching recovery candidates are\r\nfound, or if the output file is not specified).\r\nretrieve: retrieve one or more Key Recovery Blobs (default behavior if exactly one matching recovery candidate is\r\nfound, and if the output file is specified)\r\nrecover: retrieve and recover private keys in one step (requires Key Recovery Agent certificates and private keys)\r\nSearchToken: Used to select the keys and certificates to be recovered.\r\nCan be any of the following:\r\n1. Certificate Common Name\r\n2. Certificate Serial Number\r\n3. Certificate SHA-1 hash (thumbprint)\r\n4. Certificate KeyId SHA-1 hash (Subject Key Identifier)\r\n5. Requester Name (domain\\user)\r\n6. 
UPN (user@domain)\r\nRecoveryBlobOutFile: output file containing a certificate chain and an associated private key, still encrypted to\r\none or more Key Recovery Agent certificates.\r\nOutputScriptFile: output file containing a batch script to retrieve and recover private keys.\r\nOutputFileBaseName: output file base name. For retrieve, any extension is truncated and a certificate-specific\r\nstring and the .rec extension are appended for each key recovery blob. Each file contains a certificate chain and an\r\nassociated private key, still encrypted to one or more Key Recovery Agent certificates. For recover, any extension\r\nis truncated and the .p12 extension is appended. Contains the recovered certificate chains and associated private\r\nkeys, stored as a PFX file.\r\n[-f] [-UnicodeText] [-silent] [-config Machine\\CAName] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider]\r\nCertUtil [Options] -RecoverKey RecoveryBlobInFile [PFXOutFile [RecipientIndex]]\r\nRecover archived private key\r\n[-f] [-user] [-silent] [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider] [-t Timeout]\r\nCertUtil [Options] -MergePFX PFXInFileList PFXOutFile [ExtendedProperties]\r\nPFXInFileList: Comma separated PFX input file list\r\nPFXOutFile: PFX output file\r\nExtendedProperties: Include extended properties\r\nThe password specified on the command line is a comma separated password list. If more than one password is\r\nspecified, the last password is used for the output file. 
If only one password is provided or if the last password is\r\n\"*\", the user will be prompted for the output file password.\r\n[-f] [-user] [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider]\r\nCertUtil [Options] -ConvertEPF PFXInFileList EPFOutFile [cast | cast-] [V3CACertId][,Salt]\r\nConvert PFX files to EPF file\r\nPFXInFileList: Comma separated PFX input file list\r\nEPFOutFile: EPF output file\r\ncast: Use CAST 64 encryption\r\ncast-: Use CAST 64 encryption (export)\r\nV3CACertId: V3 CA Certificate match token. See -store CertId description.\r\nSalt: EPF output file salt string\r\nThe password specified on the command line is a comma separated password list. If more than one password is\r\nspecified, the last password is used for the output file. If only one password is provided or if the last password is\r\n\"*\", the user will be prompted for the output file password.\r\n[-f] [-silent] [-split] [-dc DCName] [-p Password] [-csp Provider]\r\nThis section defines the options that you can specify with the command.\r\nOptions Description\r\n-nullsign Use hash of data as signature\r\n-f Force overwrite\r\n-enterprise Use local machine Enterprise registry certificate store\r\n-user Use HKEY_CURRENT_USER keys or certificate store\r\n-GroupPolicy Use Group Policy certificate store\r\n-ut Display user templates\r\n-mt Display machine templates\r\n-Unicode Write redirected output in Unicode\r\n-UnicodeText Write output file in Unicode\r\n-gmt Display times as GMT\r\n-seconds Display times with seconds and milliseconds\r\n-silent Use silent flag to acquire crypt context\r\n-split Split embedded ASN.1 elements, and save to files\r\n-v Verbose operation\r\n-privatekey Display password and private key data\r\n-pin PIN Smart Card 
PIN\r\n-urlfetch Retrieve and verify AIA Certs and CDP CRLs\r\n-config Machine\\CAName CA and computer name string\r\n-PolicyServer URLOrId\r\nPolicy Server URL or Id. For selection U/I, use -PolicyServer.\r\nFor all Policy Servers, use -PolicyServer *\r\n-Anonymous Use anonymous SSL credentials\r\n-Kerberos Use Kerberos SSL credentials\r\n-ClientCertificate ClientCertId\r\nUse X.509 Certificate SSL credentials. For selection U/I, use -clientCertificate.\r\n-UserName UserName\r\nUse named account for SSL credentials. For selection U/I, use -UserName.\r\n-Cert CertId Signing certificate\r\n-dc DCName Target a specific Domain Controller\r\n-restrict RestrictionList Comma separated Restriction List. Each restriction consists of a\r\ncolumn name, a relational operator and a constant integer, string\r\nor date. One column name may be preceded by a plus or minus\r\nsign to indicate the sort order. Examples:\r\n\"RequestId = 47\"\r\n\"+RequesterName \u003e= a, RequesterName \u003c b\"\r\n\"-RequesterName \u003e DOMAIN, Disposition = 21\"\r\n-out ColumnList Comma separated Column List\r\n-p Password Password\r\n-ProtectTo SAMNameAndSIDList Comma separated SAM Name/SID List\r\n-csp Provider Provider\r\n-t Timeout URL fetch timeout in milliseconds\r\n-symkeyalg\r\nSymmetricKeyAlgorithm[,KeyLength]\r\nName of Symmetric Key Algorithm with optional key length,\r\nexample: AES,128 or 3DES\r\nFor some examples of how to use this command, see\r\n1. Certutil Examples for Managing Active Directory Certificate Services (AD CS) from the Command Line\r\n2. Certutil tasks for managing certificates\r\n3. Binary Request Export Using the CertUtil.exe Command-Line Tool Walkthrough\r\n4. Root CA certificate renewal\r\n5. 
Certutil\r\nSource: https://technet.microsoft.com/library/cc732443.aspx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://technet.microsoft.com/library/cc732443.aspx"
	],
	"report_names": [
		"cc732443.aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775439009,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aed39847e8ff9f063db3b6a402dfd26d71901344.pdf",
		"text": "https://archive.orkl.eu/aed39847e8ff9f063db3b6a402dfd26d71901344.txt",
		"img": "https://archive.orkl.eu/aed39847e8ff9f063db3b6a402dfd26d71901344.jpg"
	}
}