Certutil Examples for Managing Active Directory Certificate Services (AD CS) from the Command Line


Applies to: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012



Certutil.exe is a command-line program that is installed as part of Active Directory Certificate Services (AD CS). You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. This article collects examples of certutil commands, grouped by task.

View CA Configuration

To view the configuration settings of the CA, including the values set from CAPolicy.inf at installation time and any changed afterward by post-installation configuration scripts, run one or more of the following commands. certutil -dump shows the CA configuration information, certutil -getreg dumps the whole CertSvc\Configuration registry key, and certutil -getreg CA dumps only the active CA's subkey:

certutil -dump

certutil -getreg

certutil -getreg CA

Publish expired certificates in the CRL

To keep a revoked certificate in the CRL beyond the certificate's expiration date (so that a relying party validating a signature made while the certificate was still valid can learn that it was later revoked), enable publication of expired certificates to the CRL with the following command at an elevated command prompt on the CA, and then restart Certificate Services so the new flag takes effect. The flag is CRLF_PUBLISH_EXPIRED_CERT_CRLS; once it is set, expired entries are no longer dropped, so CRLs grow accordingly.

certutil -setreg CA\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS
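As an added example (not part of the original article), the following PowerShell wraps the procedure above so that it is idempotent and verifiable: it reads the current CRLFlags with certutil -getreg, sets CRLF_PUBLISH_EXPIRED_CERT_CRLS only if it is absent, restarts the CA service, and then reads the flags again to confirm. It assumes an elevated session on the CA itself, certutil.exe on the PATH, and the default service name CertSvc.

```powershell
# Added example, not from the original article. Enables CRLF_PUBLISH_EXPIRED_CERT_CRLS
# on the local CA only if it is not already set, restarts CertSvc (the change is not
# live until the service restarts) and verifies the result.
# Assumes an elevated session on the CA and certutil.exe on the PATH.

function Get-CaCrlFlagsText {
    # "certutil -getreg CA\CRLFlags" prints the DWORD followed by one line per
    # symbolic flag that is set, for example "CRLF_DELETE_EXPIRED_CRLS -- 2".
    $out = & certutil.exe -getreg 'CA\CRLFlags' 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("certutil -getreg failed (0x{0:X8}): {1}" -f $LASTEXITCODE, ($out -join ' '))
    }
    return ($out | Out-String)
}

function Enable-CaPublishExpiredCertCrls {
    $flag = 'CRLF_PUBLISH_EXPIRED_CERT_CRLS'

    $before = Get-CaCrlFlagsText
    if ($before -match $flag) {
        Write-Host "$flag is already set; no change made."
        return $false
    }

    Write-Host "Setting $flag ..."
    & certutil.exe -setreg 'CA\CRLFlags' "+$flag" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw ("certutil -setreg failed (0x{0:X8})" -f $LASTEXITCODE)
    }

    # Edits to the CA configuration registry take effect only after a service restart.
    Restart-Service -Name CertSvc -Force

    $after = Get-CaCrlFlagsText
    if ($after -notmatch $flag) {
        throw "$flag is still not reported after the restart; inspect 'certutil -getreg CA\CRLFlags' manually."
    }
    Write-Host "Done. Expired revoked certificates will be kept in newly published CRLs."
    Write-Host $after
    return $true
}

Enable-CaPublishExpiredCertCrls
```

The function returns $true when it changed the CA and $false when the flag was already present, so it can be run repeatedly from a configuration script without side effects. The next CRL that the CA publishes after the restart is the first one that retains expired entries.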

Dump certificate templates and settings from the CA

certutil -v -template

Variations of that command

certutil -v -template > templatelist.txt

certutil -v -template clientauth > clientauthsettings.txt

Copy a CRL to a file

To write the CA's current CRL to a file, for example corprootca.crl on removable media mounted as drive a:, run the following command. This is the usual way to move an offline root CA's CRL to the location from which it is published:

certutil -getcrl a:\corprootca.crl

View Certificate Templates

If you want to dump a list of certificate templates and their settings to a text file (MyTemplates.txt), you can run the following command:

certutil -v -template > MyTemplates.txt
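The two template sections above (dumping all templates, and dumping one template's settings) both leave you with a large text dump to read. As an added example that is not part of the original article, the following PowerShell parses that text into one object per template so a single template, or every template that a broad group may enroll in, can be picked out directly. The sample text embedded below is constructed in the shape of the certutil output quoted in this article's comments (the CONTOSO principal names and the two templates are illustrative); for live data, feed it the output of certutil -v -template as noted in the code.

```powershell
# Added example, not from the original article. Turns the text that
# "certutil -v -template" prints into one object per template so that a single
# template's properties (including who may enroll) can be inspected without
# reading the whole dump. The sample text is constructed; for live data use
#   $lines = certutil.exe -v -template

function ConvertFrom-CertutilTemplateDump {
    param([Parameter(Mandatory)][string[]]$Lines)

    $templates = New-Object System.Collections.Generic.List[object]
    $current = $null

    foreach ($line in $Lines) {
        # Every template section starts with a "Template[N]:" header.
        if ($line -match '^\s*Template\[(\d+)\]:\s*$') {
            if ($current) { $templates.Add($current) }
            $current = [pscustomobject]@{
                Index        = [int]$Matches[1]
                CommonName   = $null
                FriendlyName = $null
                Enroll       = New-Object System.Collections.Generic.List[string]
                FullControl  = New-Object System.Collections.Generic.List[string]
                Raw          = New-Object System.Collections.Generic.List[string]
            }
            continue
        }
        if (-not $current) { continue }   # policy header lines before the first template
        $current.Raw.Add($line)

        # certutil decodes the template's security descriptor into "Allow <right> <principal>"
        # lines; the same principal can appear twice because Enroll is granted by more
        # than one ACE, so the lists are de-duplicated.
        switch -Regex ($line) {
            '^\s*TemplatePropCommonName\s*=\s*(.+?)\s*$'   { $current.CommonName   = $Matches[1] }
            '^\s*TemplatePropFriendlyName\s*=\s*(.+?)\s*$' { $current.FriendlyName = $Matches[1] }
            '^\s*Allow Enroll\s+(.+?)\s*$'       { if (-not $current.Enroll.Contains($Matches[1]))      { $current.Enroll.Add($Matches[1]) } }
            '^\s*Allow Full Control\s+(.+?)\s*$' { if (-not $current.FullControl.Contains($Matches[1])) { $current.FullControl.Add($Matches[1]) } }
        }
    }
    if ($current) { $templates.Add($current) }
    return $templates
}

# Constructed sample in the shape of the real dump (names are illustrative).
$sampleText = @'
 Name: Active Directory Enrollment Policy
 Url: ldap:

2 Templates:
 Template[0]:
 TemplatePropCommonName = ClientAuth
 TemplatePropFriendlyName = Authenticated Session
   Allow Enroll CONTOSO\Domain Users
   Allow Full Control CONTOSO\Domain Admins
   Allow Read NT AUTHORITY\Authenticated Users
 Template[1]:
 TemplatePropCommonName = CEPEncryption
 TemplatePropFriendlyName = CEP Encryption
   Allow Enroll CONTOSO\Domain Admins
   Allow Enroll CONTOSO\Enterprise Admins
   Allow Enroll CONTOSO\Domain Admins
   Allow Full Control CONTOSO\Domain Admins
   Allow Full Control CONTOSO\Enterprise Admins
   Allow Read NT AUTHORITY\Authenticated Users
CertUtil: -Template command completed successfully.
'@
$lines = $sampleText -split "`r?`n"

$templates = ConvertFrom-CertutilTemplateDump -Lines $lines

# One template by common name (the question asked in the comments below).
$cep = $templates | Where-Object { $_.CommonName -eq 'CEPEncryption' }
"{0} ({1}): enroll = {2}; full control = {3}" -f $cep.CommonName, $cep.FriendlyName, ($cep.Enroll -join ', '), ($cep.FullControl -join ', ')

# Templates that broad, low-privilege groups can enroll in are the ones whose
# issued key usages deserve a review; this is a starting list, not a verdict.
$broadPattern = '\\(Domain Users|Domain Computers|Authenticated Users|Everyone)$'
$templates |
    Where-Object { @($_.Enroll | Where-Object { $_ -match $broadPattern }).Count -gt 0 } |
    ForEach-Object { "Broad enrollment: {0} <- {1}" -f $_.CommonName, ($_.Enroll -join ', ') }
```

The Raw property keeps every line of a template's section, so any other property in the dump (key usage, extensions, validity period) can be searched with, for example, $cep.Raw | Select-String 'Key Usage' without adding a parser rule for it.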

View AIA container

To view the contents of the AIA container in Active Directory Domain Services (AD DS) for a domain named contoso.com, run the following command on a single line. -viewstore opens the certificate viewer dialog; substitute -store for -viewstore to dump the same store to the console instead, which is what you want on a server without a desktop or in a script:

certutil -viewstore "ldap:///CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate?base?objectclass=certificationAuthority"

View Intermediate CA certificate store

To view the content of the client computer's enterprise Intermediate Certification Authorities certificate store (the local copy that is populated from AD DS), type the following command at a command-line prompt.

certutil -enterprise -viewstore CA

View NTAuth Container

To view the content of the NTAuth container in AD DS for a domain named corp.contoso.com, type the following command on a single line and press ENTER. Any CA whose certificate is in this container is trusted to issue certificates that domain controllers accept for certificate-based logon (smart card and other PKINIT logon), so the container should hold only CAs you operate and should be reviewed whenever a CA is added or retired:

certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"
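Because NTAuth membership decides which CAs can mint logon certificates, it is worth checking mechanically rather than by eye. As an added example that is not part of the original article, the following PowerShell parses certutil -store output for the NTAuthCertificates container and flags every certificate whose SHA-1 thumbprint is not on a list you supply. The sample text embedded below is constructed in the shape of certutil -store output (the thumbprints, serial numbers and CA names are illustrative); for live data use the commented certutil -store command, which takes the same LDAP URL the article uses with -viewstore, or certutil -enterprise -store NTAuth for the locally cached copy.

```powershell
# Added example, not from the original article. Lists every certificate in the
# NTAuthCertificates container and flags any whose SHA-1 thumbprint is not on an
# expected list. The sample text is constructed; for live data use one of:
#   $lines = certutil.exe -store "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"
#   $lines = certutil.exe -enterprise -store NTAuth

function ConvertFrom-CertutilStoreDump {
    param([Parameter(Mandatory)][string[]]$Lines)
    $certs = New-Object System.Collections.Generic.List[object]
    $cur = $null
    foreach ($line in $Lines) {
        # Each certificate is introduced by "================ Certificate N ================".
        if ($line -match '^=+ Certificate (\d+) =+$') {
            if ($cur) { $certs.Add($cur) }
            $cur = [pscustomobject]@{ Index = [int]$Matches[1]; Subject = $null; Issuer = $null; NotAfter = $null; Sha1 = $null }
            continue
        }
        if (-not $cur) { continue }
        # Older certutil builds print the hash with spaces between bytes; normalise both forms.
        switch -Regex ($line) {
            '^\s*Subject:\s*(.+?)\s*$'  { $cur.Subject  = $Matches[1] }
            '^\s*Issuer:\s*(.+?)\s*$'   { $cur.Issuer   = $Matches[1] }
            '^\s*NotAfter:\s*(.+?)\s*$' { $cur.NotAfter = $Matches[1] }
            '^\s*Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)\s*$' { $cur.Sha1 = ($Matches[1] -replace ' ', '').ToUpperInvariant() }
        }
    }
    if ($cur) { $certs.Add($cur) }
    return $certs
}

function Test-NtAuthMembers {
    param(
        [Parameter(Mandatory)][string[]]$DumpLines,
        [Parameter(Mandatory)][string[]]$ExpectedSha1
    )
    $expected = $ExpectedSha1 | ForEach-Object { ($_ -replace ' ', '').ToUpperInvariant() }
    foreach ($c in ConvertFrom-CertutilStoreDump -Lines $DumpLines) {
        $status = if ($expected -contains $c.Sha1) { 'expected' } else { 'UNEXPECTED' }
        [pscustomobject]@{ Status = $status; Subject = $c.Subject; Issuer = $c.Issuer; NotAfter = $c.NotAfter; Sha1 = $c.Sha1 }
    }
}

# Constructed sample (thumbprints, serials and names are illustrative).
$sampleText = @'
ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com
================ Certificate 0 ================
Serial Number: 6f3a1c9e4b2d8f70
Issuer: CN=Corp Root CA, DC=corp, DC=contoso, DC=com
 NotBefore: 1/1/2012 10:00 AM
 NotAfter: 1/1/2022 10:00 AM
Subject: CN=Corp Issuing CA 1, DC=corp, DC=contoso, DC=com
Cert Hash(sha1): 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44
================ Certificate 1 ================
Serial Number: 0a0b0c0d0e0f1011
Issuer: CN=Lab Test CA
 NotBefore: 6/1/2013 9:00 AM
 NotAfter: 6/1/2018 9:00 AM
Subject: CN=Lab Test CA
Cert Hash(sha1): abcdefabcdefabcdefabcdefabcdefabcdefabcd
CertUtil: -store command completed successfully.
'@
$lines = $sampleText -split "`r?`n"

# Thumbprints of the CAs that are supposed to be in NTAuth (placeholder value).
$known = @('112233445566778899AABBCCDDEEFF0011223344')
Test-NtAuthMembers -DumpLines $lines -ExpectedSha1 $known | Format-Table -AutoSize
```

In the constructed sample the Lab Test CA comes back as UNEXPECTED; in a real forest that is the row to chase down, because a lab or decommissioned CA left in NTAuth can still issue logon-capable certificates. The same parser works for the Root and CA enterprise stores shown in the next sections, since certutil -store prints them in the same format.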

View Trusted Root CAs

To view the content of the client computer’s Trusted Root Certification Authorities Enterprise certificate store, type the following command at a command-line prompt.

certutil -enterprise -viewstore Root

Purge policy cache

When you work with Certificate Enrollment Policy Web Service servers, the client keeps a local cache of the enrollment policies it has downloaded. If the templates or policies a client sees are not what you expect after a change on the server, clear the cached policy for all policy servers with the following command and let the client download it again:

certutil -f -policyserver * -policycache delete

Check the certificate revocation chain

certutil -verify -urlfetch builds and validates the chain for a certificate file, retrieving the AIA, CDP and OCSP URLs found in the certificates exactly as a relying party would, and reports the revocation status of each certificate in the chain. certutil -URL opens the URL Retrieval Tool, which fetches and reports on the same URLs interactively:

certutil -verify -urlfetch <certificatename>

certutil -URL <certificatename>

For more information on these commands, see the end of the Step by Step Guide - Two Tier PKI Hierarchy Deployment.

Certutil Q & A

This could become a Frequently Asked Questions (FAQ) about Certutil at some point. For now, we will just keep it here:

When do you use 'certutil -addstore' versus 'certutil -importcert'?

  • Use certutil -addstore to add a .cer file to any store. It adds a raw certificate to a certificate store. A .cer file does not contain the private key; a .pfx file usually does.
  • Use certutil -importpfx to import a .pfx, usually into the Personal (My) store. certutil -importcert is meant to import a certificate into a CA's database. This is useful when using the CA to archive certificates and keys that were not issued by the CA, or to manage CRLs for a certificate lost from the CA's database for some reason.
  • certutil -repairstore can be used to associate a certificate with its matching private key. This is useful if someone deleted a certificate from the store and lost the CERT_KEY_PROV_INFO_PROP_ID property that points at the private key.
  • certreq -accept installs an issued certificate when there is a pending certificate request in the Request store.
    • Use this command when there is a pending request, because it picks up the CERT_KEY_PROV_INFO_PROP_ID property, friendly name, and other properties from the pending (also known as dummy) certificate, attaches them to the new certificate, and removes the pending (dummy) certificate.
    • The sequence of this flow follows this command order:
      • certreq -new (creates a new request and dummy certificate)
      • certreq -submit (or some manual submission method via a Web page)
      • certreq -retrieve (if there is a pending request that is later issued)
      • certreq -accept (installs the certificate)
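As an added example that is not part of the original article, the following PowerShell runs the four-step certreq sequence listed above end to end: -new creates the request and the pending (dummy) certificate, -submit sends it to an enterprise CA, the script tells you how to -retrieve if the CA holds the request for approval, and -accept binds the issued certificate to the key created by -new. The CA configuration string, subject name and template name are placeholders to replace; the script assumes certreq.exe on the PATH and an elevated session, since the key is created in the machine store.

```powershell
# Added example, not from the original article. Runs certreq -new / -submit /
# (-retrieve) / -accept end to end. $caConfig, $subject and the template name
# are placeholders; assumes certreq.exe on the PATH and an elevated session.

$caConfig = 'ca01.corp.contoso.com\Corp Issuing CA 1'   # placeholder: <CAHostName>\<CA common name>
$subject  = 'CN=web01.corp.contoso.com'                  # placeholder
$work     = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'issued.cer'

# The INF drives certreq -new. Exportable = FALSE keeps the private key in the
# machine store so it cannot later be exported into a .pfx by accident.
# KeyUsage 0xa0 = Digital Signature + Key Encipherment; the EKU is Server Authentication.
@"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $inf -Encoding ASCII

function Invoke-Certreq {
    # Runs certreq.exe and returns its exit code together with everything it printed.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = (& certreq.exe @Arguments 2>&1 | Out-String)
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $out }
}

# 1. Create the request and the pending (dummy) certificate in the machine Request store.
$r = Invoke-Certreq -Arguments @('-new', '-f', $inf, $req)
if ($r.ExitCode -ne 0) { throw "certreq -new failed (0x$('{0:X8}' -f $r.ExitCode)):`n$($r.Output)" }

# 2. Submit. Depending on the template's issuance settings the CA either issues
#    immediately or takes the request under submission for an approver.
$r = Invoke-Certreq -Arguments @('-submit', '-config', $caConfig, $req, $cer)
if ($r.Output -match 'pending' -and $r.Output -match 'RequestId:\s*"?(\d+)') {
    # 3. Pending: once a CA manager issues it, retrieve by RequestId, then accept.
    $id = $Matches[1]
    Write-Host "Request $id is pending approval on $caConfig. After it is issued, run:"
    Write-Host "  certreq -retrieve -config `"$caConfig`" $id `"$cer`""
    Write-Host "  certreq -accept `"$cer`""
    return
}
if ($r.ExitCode -ne 0) { throw "certreq -submit failed (0x$('{0:X8}' -f $r.ExitCode)):`n$($r.Output)" }

# 4. Accept: copies the key-provider information from the dummy certificate onto the
#    issued one (so it is paired with the private key) and removes the dummy.
$r = Invoke-Certreq -Arguments @('-accept', $cer)
if ($r.ExitCode -ne 0) { throw "certreq -accept failed (0x$('{0:X8}' -f $r.ExitCode)):`n$($r.Output)" }
Write-Host "Installed certificate for $subject into the local machine Personal store."
```

If -accept ever reports that it cannot find a matching pending request, the dummy certificate in the Request store has been deleted; that is the situation in which certutil -repairstore, described above, re-associates the issued certificate with its private key.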

Additional references for CertUtil Examples

Certificate Revocation and Status Checking - A link to the whitepaper in the TechNet Library; the appendixes have many examples

Basic CRL checking with certutil - A link to an entry in the PKI blog

Additional details about certificate status codes

CERT_TRUST_STATUS Structure - provides certificate status code meanings

Command line references for CertUtil

Certutil on MSDN - A task-oriented reference for the Certutil command, in great detail.

Certutil Certificates - A link to TekWeb.dk, which is very much like a command reference

Certutil - The Windows Server 2008 command line reference in the TechNet Library

Certutil tasks for managing certificates - Windows Server 2003 Whitepaper that has command reference like information

Certutil tasks for key archival and recovery - Windows Server 2003 document



Comments
  • How exactly do you use "CertUtil -deleteEnrollmentServer"? I want to delete an invalid address.

    -----------------------

    Kurt Hudson's response

    First, run certutil -deleteEnrollmentServer -? (notice that you have three authentication options) Kerberos | UserName | ClientCertificate

    certutil -deleteEnrollmentServer Kerberos

    is one example. That should remove the CEP URL, if you are using Kerberos authentication. If using a different authentication method, then select the one that is appropriate.

  • Is there any way to find out the details of a certificate template? For example, I want to find the Key Usage or Extended Key Usage of a given template name.

    Thanks !

    ------------------------------

    Kurt Hudson's response:

    I have added that example to the article along with another about dumping all the certificates to a text file. You must have the certificate template name that you want to dump. For example, if you wanted the settings for a certificate template with a name of CEPEncryption sent to a .txt file, then you would run:

    certutil -v -template CEPEncryption > CEPEncryptionSettings.txt

    notepad CEPEncryptionSettings.txt

    Notepad would display the settings you want. If you just want the output on the screen, remove the > CEPEncryptionSettings.txt part of the command and it will output to the screen.


  • I ran the command and the output didn't seem straightforward. Is there any specific way to parse the message to get the certificate template information?

    Following is the output:

    ----***********

     Name: Active Directory Enrollment Policy

     Id: {E3796342-4363-40F2-9304-8A2B19D09E86}

     Url: ldap:

    34 Templates:

     Template[4]:

     TemplatePropCommonName = CEPEncryption

     TemplatePropFriendlyName = CEP Encryption

      TemplatePropSecurityDescriptor = O:EAG:EAD:PAI(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1801674531-1275210071-682003330-512)(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;EA)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1801674531-1275210071-682003330-512)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;EA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-1801674531-1275210071-682003330-512)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;;LCRPLORC;;;AU)

       Allow Enroll XXX\Domain Admins

       Allow Enroll XXX\Enterprise Admins

       Allow Enroll XXX\Domain Admins

       Allow Enroll XXX\Enterprise Admins

       Allow Full Control XXXX\Domain Admins

       Allow Full Control XXX\Enterprise Admins

        Allow Read NT AUTHORITY\Authenticated Users

    CertUtil: -Template command completed successfully.

    ----***********

    Thanks !

  • Great Article.
