CERTUTIL.exe

Dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, verify certificates, key pairs or certificate chains.

CertUtil AD — Display AD templates / CAs / Computer object / Domain Controller

CertUtil [Options] -ADTemplate [Template] Options: [-f] [-v] [-user] [-ut] [-mt] [-dc DCName]
CertUtil [Options] -ADCA [CAName] [-f] [-split] [-dc DCName]

Display Active Directory computer object information:

CertUtil [Options] -MachineInfo DomainName\MachineName$ [-v]

Display domain controller information:

CertUtil [Options] -DCInfo [Domain] [Verify | DeleteBad | DeleteAll] [-f] [-v] [-user] [-urlfetch] [-dc DCName] [-t Timeout] [Modifiers]

To successfully run this command, use an account that is a member of Domain Admins or Enterprise Admins.

CertUtil DS — Directory Service DNs View / Delete / Publish certificate or CRL to Active Directory

Display directory service (DS) distinguished names (DNs):

CertUtil [Options] -ds [CommonName] Options: [-f] [-user] [-split] [-dc DCName]
CertUtil [Options] -dsDel [CommonName] Options: [-user] [-split] [-dc DCName]

Publish certificate or CRL to Active Directory:

CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine] Options: [-f] [-v] [-user] [-dc DCName]
CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]] Options: [-f] [-v] [-user] [-dc DCName]

CertFile : certificate file to publish
NTAuthCA : Publish cert to DS Enterprise store
RootCA : Publish cert to DS Trusted Root store
SubCA : Publish CA cert to DS CA object
CrossCA : Publish cross cert to DS CA object
KRA : Publish cert to DS Key Recovery Agent object
User : Publish cert to User DS object
Machine : Publish cert to Machine DS object
CRLFile : CRL file to publish
DSCDPContainer : DS CDP container CN, usually the CA machine name
DSCDPCN : DS CDP object CN, usually based on the sanitized CA short name and key index
Use -f to create DS object.

Display DS certificates:

CertUtil [Options] -dsCert [FullDSDN] | [CertId [OutFile]] Options: [-Enterprise] [-user] [-config Machine\CAName] [-dc DCName]

Display DS CRLs:

CertUtil [Options] -dsCRL [FullDSDN] | [CRLIndex [OutFile]] Options: [-idispatch] [-Enterprise] [-user] [-config Machine\CAName] [-dc DCName]

Display DS delta CRLs:

CertUtil [Options] -dsDeltaCRL [FullDSDN] | [CRLIndex [OutFile]] Options: [-Enterprise] [-user] [-config Machine\CAName] [-dc DCName]

Display DS template attributes:

CertUtil [Options] -dsTemplate [Template] Options: [Silent] [-dc DCName]

Add DS templates:

CertUtil [Options] -dsAddTemplate TemplateInfFile Options: [-dc DCName]
CertUtil ping — Ping Active Directory Certificate Services interface

Ping Active Directory Certificate Services Request interface:

CertUtil [Options] -ping [MaxSecondsToWait | CAMachineList] [-v] [-config Machine\CAName] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

CAMachineList -- Comma-separated CA machine name list.
For a single machine, use a terminating comma.
Displays the site cost for each CA machine.

Modifiers: SCEP CES CEP

Ping Active Directory Certificate Services Admin interface:

CertUtil [Options] -pingadmin [MaxSecondsToWait | CAMachineList] [-v] [-config Machine\CAName]

CAMachineList -- Comma-separated CA machine name list.
For a single machine, use a terminating comma.
Displays the site cost for each CA machine.

CertUtil shutdown — Shutdown Active Directory Certificate Services

Shutdown Active Directory Certificate Services:

CertUtil [Options] -shutdown [-v] [-config Machine\CAName]
CertUtil backup — Backup Active Directory Certificate Services / Database / Private Key

Backup Active Directory Certificate Services:

CertUtil [Options] -backup BackupDirectory [Incremental] [KeepLog] [-f] [-v] [-config Machine\CAName] [-p Password] [-ProtectTo SAMNameAndSIDList]

BackupDirectory : directory to store backed up data.
Incremental : perform incremental backup only (default is full backup).
KeepLog : preserve database log files (default is to truncate log files).

Backup Active Directory Certificate Services database:

CertUtil [Options] -backupDB BackupDirectory [Incremental] [KeepLog] [-f] [-v] [-config Machine\CAName]

BackupDirectory : directory to store backed up data.
Incremental : perform incremental backup only (default is full backup).
KeepLog : preserve database log files (default is to truncate log files).

Backup Active Directory Certificate Services certificate and private key:

CertUtil [Options] -backupKey BackupDirectory [-f] [-v] [-config Machine\CAName] [-p Password] [-t Timeout]

BackupDirectory : directory to store backed up PFX file.

CertUtil restore — Restore Active Directory Certificate Services / Database / Private key

Restore Active Directory Certificate Services:

CertUtil [Options] -restore BackupDirectory [-f] [-v] [-config Machine\CAName] [-p Password]

BackupDirectory : directory containing data to be restored.

Restore Active Directory Certificate Services database:

CertUtil [Options] -restoreDB BackupDirectory Options: [-f] [-v] [-config Machine\CAName] [-p Password]

BackupDirectory : directory containing database files to be restored.

Restore Active Directory Certificate Services certificate and private key:

CertUtil [Options] -restoreKey [ BackupDirectory | PFXFile ] [-f] [-v] [-config Machine\CAName] [-p Password]

BackupDirectory : directory containing PFX file to be restored.
PFXFile : PFX file to be restored.


CertUtil convertepf — Convert PFX files to EPF file

Convert PFX files to EPF file:

CertUtil [Options] -ConvertEPF PFXInFileList EPFOutFile [cast | cast-] [V3CACertId][,Salt] [-f] [-Silent] [-split] [-dc DCName] [-p Password] [-csp Provider]

PFXInFileList : Comma separated PFX input file list
EPFOutFile : EPF output file
cast : Use CAST 64 encryption
cast- : Use CAST 64 encryption (export)
V3CACertId : V3 CA Certificate match token. See -store CertId description.
Salt: EPF output file salt string

The password specified on the command line is a comma separated password list.
If more than one password is specified, the last password is used for the output file.
If only one password is provided or if the last password is "*", the user will be prompted for
the output file password.

CertUtil importkms — Import user keys and certificates into server database for key archival

Import user keys and certificates into server database for key archival:

CertUtil [Options] -ImportKMS UserKeyAndCertFile [CertId] [-f] [-v] [-silent] [-split] [-config Machine\CAName] [-p Password] [-symkeyalg SymmetricKeyAlgorithm[,KeyLength]]

UserKeyAndCertFile : Data file containing user private keys and certificates to be archived.
This can be any of the following:
Exchange Key Management Server (KMS) export file
PFX file
CertId : KMS export file decryption certificate match token. See -store.
Use -f to import certificates not issued by the CA.

CertUtil importcert — Import a certificate file into the database

Import a certificate file into the database:

CertUtil [Options] -ImportCert Certfile [ExistingRow] Options: [-f] [-v] [-config Machine\CAName]

Use ExistingRow to import the certificate in place of a pending request for the same key.
Use -f to import certificates not issued by the CA. The CA might also need to be configured to support foreign certificate import: certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN

CertUtil exportpfx — Export/Import certificate and private key / Merge PFX file

Export the certificates and private keys:

CertUtil [Options] -exportPFX [CertificateStoreName] CertId PFXFile [Modifiers]

CertificateStoreName : Certificate store name. See -store.
CertId : The certificate or CRL match token.
PFXFile : PFX file to be written (the export output).
Modifiers : Comma separated list of one or more of the following [defaults to personal machine store]:

CryptoAlgorithm= specifies the cryptographic algorithm to use for encrypting the PFX file, such as TripleDES-Sha1 or Aes256-Sha256.
EncryptCert : Encrypt the private key associated with the certificate with a password.
ExportParameters : Export the private key parameters in addition to the certificate and private key.
ExtendedProperties : Include all extended properties associated with the certificate in the output file.
NoEncryptCert : Export the private key without encrypting it.
NoChain : Don't export the certificate chain.
NoRoot : Don't export the root certificate.

Import certificate and private key:

CertUtil [Options] -importPFX [CertificateStoreName] PFXFile [Modifiers] [-Enterprise] [-f] [-v] [-user] [-p Password] [-GroupPolicy] [-Silent] [-csp Provider]

CertificateStoreName : Certificate store name. See -store.
PFXFile : PFX file to be imported.
Modifiers : Comma separated list of one or more of the following [defaults to personal machine store]:


AT_SIGNATURE : Change the KeySpec to Signature.
AT_KEYEXCHANGE : Change the KeySpec to Key Exchange.
ExportEncrypted
FriendlyName=
KeyFriendlyName=
KeyDescription=
NoExport : Make the private key non-exportable.
NoCert : Do not import the certificate.
NoChain : Do not import the certificate chain, End Entity certificate only.
NoRoot : Do not import the root certificate.
Protect : Protect keys with password.
NoProtect : Do not password protect keys.
ProtectHigh
Pkcs8
VSM

Merge PFX files:

CertUtil [Options] -MergePFX PFXInFileList PFXOutFile [ExtendedProperties] [-f] [-user] [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider] [Modifiers]

PFXInFileList : Comma separated PFX input file list
PFXOutFile : PFX output file
ExtendedProperties : Include extended properties.

Modifiers : Comma separated list of one or more of the following:

ExtendedProperties : Include extended properties.
NoEncryptCert : Do not encrypt the certificates.
EncryptCert : Encrypt the certificates.

The password specified on the command line is a comma separated password list.
If more than one password is specified, the last password is used for the output file.
If only one password is provided or if the last password is "*", the user will be prompted for
the output file password.


CertUtil store — Dump certificate store
CertUtil [Options] -store [CertificateStoreName [CertId [OutputFile]]] [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName]

CertificateStoreName : Certificate store name.

Examples:
"My", "CA" (default), "Root",

"ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=...?cACertificate?one?objectClass=certificationAuthority" (View Root Certificates)

"ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=...?cACertificate?base?objectClass=certificationAuthority" (Modify Root Certificates)

"ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=...?certificateRevocationList?base?objectClass=cRLDistributionPoint" (View CRLs)

"ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=...?cACertificate?base?objectClass=certificationAuthority" (Enterprise CA Certificates)

ldap: (AD machine object certificates)
-user ldap: (AD user object certificates)

CertId : Certificate or CRL match token. This can be:

a serial number, an SHA-1 certificate, CRL, CTL or public key hash,
a numeric cert index (0, 1, and so on),
a numeric CRL index (.0, .1, and so on),
a numeric CTL index (..0, ..1, and so on),
a public key, signature or extension ObjectId,
a certificate subject Common Name,
an e-mail address, UPN or DNS name,
a key container name or CSP name,
a template name or ObjectId,
an EKU or Application Policies ObjectId, or a CRL issuer Common Name.
Many of the above may result in multiple matches.

OutputFile : File to save matching cert.

Use -user to access a user store instead of a machine store.
Use -enterprise to access a machine enterprise store.
Use -service to access a machine service store.
Use -grouppolicy to access a machine group policy store.

Examples:
-enterprise NTAuth
-enterprise Root 37
-user My 26e0aaaf000000000004
CA .11

CertUtil enumstore — Enumerate / Verify certificate store / Key Attestation Request / Verify Key set
Enumerate certificate stores:

CertUtil [Options] -enumstore [\\MachineName] [-Enterprise] [-user] [-GroupPolicy]

MachineName : remote machine name.

Verify certificate in store:

CertUtil [Options] -verifystore CertificateStoreName [CertId] [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName] [-t Timeout]

Verify Key Attestation Request:

CertUtil [Options] -attest RequestFile [-user] [-Silent] [-split]

Verify public/private key set:

CertUtil [Options] -verifykeys [KeyContainerName CACertFile] [-f] [-v] [-user] [-silent] [-config Machine\CAName]

KeyContainerName : Key container name of the key to verify. Defaults to machine keys. Use -user for user keys.
CACertFile : Signing or encryption certificate file
If no arguments are specified, each signing CA cert is verified against its private key.
This operation can only be performed against a local CA or local keys.

CertUtil addstore — Add / Delete certificate to store / List Keys / Delete a Named key/Hello logon container

CertUtil [Options] -addstore CertificateStoreName InFile [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

CertificateStoreName : Certificate store name. See -store for examples.
InFile : Certificate or CRL file to add to store.

Modifiers: Certs CRLs CTLs Root NoRoot

Delete certificate from store:

CertUtil [Options] -delstore CertificateStoreName CertId [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-Silent] [-dc DCName]

CertificateStoreName : Certificate store name. See -store for examples.
CertId : Certificate or CRL match token. See -store.
Valid only for deleting certificates and CRLs. Use -delkey to delete keys.

Delete Hello Logon container:

CertUtil [Options] -DeleteHelloContainer

** Users need to sign out after using this option for it to complete. **

List the keys stored in a key container:

CertUtil [Options] -key [KeyContainerName | -] Options: [-user] [-Silent] [-split] [-csp Provider] [-Location AlternateStorageLocation]

KeyContainerName : key container name of the key to verify. Defaults to machine keys; use -user to switch to user keys. A single - refers to the default key container.

Delete a named key container:

CertUtil [Options] -delkey KeyContainerName [-user] [-Silent] [-split] [-csp Provider] [-Location AlternateStorageLocation]
CertUtil viewdelstore — Dump or Delete certificate from store
CertUtil [Options] -viewstore [CertificateStoreName [CertId [OutputFile]]] [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

CertificateStoreName : Certificate store name. See -store for examples.
CertId : Certificate or CRL match token. See -store for a list of formats.
OutputFile : file to save matching cert.

Use -user to access a user store instead of a machine store.
Use -enterprise to access a machine enterprise store.
Use -service to access a machine service store.
Use -grouppolicy to access a machine group policy store.

Examples:
-enterprise NTAuth
-enterprise Root 37
-user My 26e0aaaf000000000004
CA .11

Delete certificate from store:

CertUtil [Options] -viewdelstore [CertificateStoreName [CertId [OutputFile]]] Options: [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

CertificateStoreName : Certificate store name. See -store for examples.
CertId : Certificate or CRL match token. See -store for a list of formats.
OutputFile : File to save matching cert.

Use -user to access a user store instead of a machine store.
Use -enterprise to access a machine enterprise store.
Use -service to access a machine service store.
Use -grouppolicy to access a machine group policy store.

Examples:
-enterprise NTAuth
-enterprise Root 37
-user My 26e0aaaf000000000004
CA .11

Use either of the following commands to delete certificates from within the NTAuthCertificates store:

certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com?cACertificate?base?objectclass=certificationAuthority"
certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com?cACertificate?base?objectclass=pKIEnrollmentService"

source: KB889250 Step by Step Decommission a Windows Enterprise CA.

CertUtil repairstore — Repair key association / update cert / key security descriptor

Repair key association or update certificate properties or key security descriptor:

CertUtil [Options] -repairstore CertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor] [-f] [-v] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-csp Provider]

CertificateStoreName : Certificate store name. See -store for examples.
CertIdList : comma separated list of Certificate or CRL match tokens. See -store CertId description.
PropertyInfFile : INF file containing external properties:

[Properties]
19 = Empty ; Add archived property, OR:
19 = ; Remove archived property

11 = "Friendly Name" ; Add friendly name property

127 = "" ; Add custom hexadecimal property
_continue_ = "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
_continue_ = "10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f"

2 = "" ; Add Key Provider Information property
_continue_ = "Container=Container Name&"
_continue_ = "Provider=Microsoft Strong Cryptographic Provider&"
_continue_ = "ProviderType=1&"
_continue_ = "Flags=0&"
_continue_ = "KeySpec=2"

9 = "" ; Add Enhanced Key Usage property
_continue_ = "1.3.6.1.5.5.7.3.2,"
_continue_ = "1.3.6.1.5.5.7.3.1,"


CertUtil decode — Decode a Hex or Base64-encoded file to binary

Decode a Hex-encoded file to binary:

CertUtil [-f] [-v] -decodehex InFile OutFile [encoding_type]

Decode Base64-encoded file to binary:

CertUtil [-f] [-v] -decode InFile OutFile

If InFile and OutFile are the same, then the file will be read and then overwritten.
It is also possible to convert between binary and character strings in PowerShell by calling [PKI.Crypt32] (see the [PKI.Crypt32] examples).

CertUtil encode — Encode a file to Base64 or Hex

Encode a binary file to Base64:

CertUtil [-f] [-v] -encode InFile OutFile [-UnicodeText]

Encode a file as Hex:

CertUtil [-f] [-v] -encodehex InFile OutFile Format

Hex encoded files are around 3x larger than base64.

Examples of the Hex formats:

CertUtil -encodehex -f strings64.exe strHex0.txt 0 - base64 with certificate headers.
CertUtil -encodehex -f strings64.exe strHex1.txt 1 - base64 without certificate headers.
CertUtil -encodehex -f strings64.exe strHex2.txt 2 - Pure binary (rarely used).
CertUtil -encodehex -f strings64.exe strHex3.txt 3 - Base64, with request beginning and ending headers.
CertUtil -encodehex -f strings64.exe strHex4.txt 4 - Hexadecimal only (in columns with spaces).
CertUtil -encodehex -f strings64.exe strHex5.txt 5 - Hexadecimal, with ASCII character display.
CertUtil -encodehex -f strings64.exe strHex9.txt 9 - Base64, with X.509 CRL beginning and ending headers.
CertUtil -encodehex -f strings64.exe strHx10.txt 10 - Hexadecimal, with address display.
CertUtil -encodehex -f strings64.exe strHx11.txt 11 - Hexadecimal, with ASCII character and address display.
CertUtil -encodehex -f strings64.exe strHx12.txt 12 - A raw hexadecimal string in one line.

CertUtil addecccurve — ECC Curve: Add/Delete/Display
Add ECC Curve:

CertUtil [Options] -addEccCurve [CurveClass:]CurveName CurveParameters [CurveOID] [CurveType] [-f]

CurveClass : ECC Curve Class Type, one of:
WEIERSTRASS [Default]
MONTGOMERY
TWISTED_EDWARDS
CurveName : ECC Curve Name
CurveParameters : ECC Curve Parameters, one of:
Certificate filename containing ASN encoded parameters
File containing ASN encoded parameters
CurveOID : ECC Curve OID, one of:
Certificate filename containing ASN encoded OID
Explicit ECC Curve OID
CurveType : Schannel ECC NamedCurve Point (Numeric)

Delete ECC Curve:

CertUtil [Options] -deleteEccCurve CurveName | CurveOID [-f]

CurveName : ECC Curve Name
CurveOID : ECC Curve OID

Display ECC Curve:

CertUtil [Options] -displayEccCurve [CurveName | CurveOID] [-f]

CurveName : ECC Curve Name
CurveOID : ECC Curve OID

CertUtil add-chain — Add [pre-]certificate chain
CertUtil [Options] -add-chain LogId certificate OutFile [-f]

Add pre-certificate chain:

CertUtil [Options] -add-pre-chain LogId pre-certificate OutFile [-f]
CertUtil addenrollmentserver — Enrollment Server application Add / Delete

Add an Enrollment Server application:

CertUtil [Options] -addEnrollmentServer Kerberos | UserName | ClientCertificate options: [AllowRenewalsOnly] [AllowKeyBasedRenewal] [-f] [-config Machine\CAName] [Modifiers]

Add an Enrollment Server application and application pool if necessary, for the specified CA.
This command does not install binaries or packages.

addEnrollmentServer requires you to use an authentication method for the client connection to the Certificate Enrollment Server, including:

Kerberos : Use Kerberos SSL credentials
UserName : Use named account for SSL credentials
ClientCertificate : Use X.509 Certificate SSL credentials

Modifiers:
AllowRenewalsOnly : Only renewal requests can be submitted to this CA via this URL
AllowKeyBasedRenewal : Allows use of a certificate that has no associated account in the AD.
This applies only with ClientCertificate and AllowRenewalsOnly mode.

Delete an Enrollment Server application:

CertUtil [Options] -deleteEnrollmentServer Kerberos | UserName | ClientCertificate options: [-f] [-config Machine\CAName]

Delete an Enrollment Server application and application pool if necessary, for the specified CA.
This command does not remove binaries or packages.
deleteEnrollmentServer requires the authentication method with which the client connects to the Certificate Enrollment Server, one of:

Kerberos : Use Kerberos SSL credentials
UserName : Use named account for SSL credentials
ClientCertificate : Use X.509 Certificate SSL credentials

CertUtil enrollmentserverurl — Display, add or delete enrollment server URLs associated with a CA

Display, add or delete enrollment server URLs associated with a CA:

CertUtil [Options] -enrollmentServerURL [URL AuthenticationType [Priority] [Modifiers]] [-f] [-config Machine\CAName] [-dc DCName]
CertUtil [Options] -enrollmentServerURL URL delete [-f] [-config Machine\CAName] [-dc DCName]

AuthenticationType : Specify one of the following client authentication methods while adding a URL:

Kerberos : Use Kerberos SSL credentials.
UserName : Use named account for SSL credentials.
ClientCertificate : Use X.509 Certificate SSL credentials.
Anonymous : Use anonymous SSL credentials.

delete : Delete the specified URL associated with the CA
Priority : Defaults to '1' if not specified when adding a URL
Modifiers : Comma separated list of one or more of the following:

AllowRenewalsOnly : Only renewal requests can be submitted to this CA via this URL
AllowKeyBasedRenewal : Allow use of a certificate that has no associated account in the AD.
This applies only with ClientCertificate and AllowRenewalsOnly Mode

CertUtil addpolicyserver — Policy Server application Add / Delete

Add a Policy Server application:

CertUtil [Options] -addPolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]

Add a policy server application and application pool if necessary.
This command does not install binaries or packages.
addPolicyServer requires you to use an authentication method for the client connection to the Certificate Policy Server, including:

Kerberos : Use Kerberos SSL credentials.
UserName : Use named account for SSL credentials.
ClientCertificate : Use X.509 Certificate SSL credentials.

KeyBasedRenewal : Allows use of policies returned to the client containing keybasedrenewal templates. This flag applies only for UserName and ClientCertificate authentication.

Delete a Policy Server application:

CertUtil [Options] -deletePolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]

Delete a policy server application and application pool if necessary.
This command does not remove binaries or packages.
deletePolicyServer requires you to use an authentication method for the client connection to the Certificate Policy Server, including:

Kerberos : Use Kerberos SSL credentials.
UserName : Use named account for SSL credentials.
ClientCertificate : Use X.509 Certificate SSL credentials.

KeyBasedRenewal : Allows use of a KeyBasedRenewal policy server.

CertUtil asn — Parse ASN.1 file

Abstract Syntax Notation One (ASN.1) is a standard interface description language for data structures:

CertUtil [-f] -asn File [decoding_type]
CertUtil ca — Retrieve / Display certificate / Certificate chain / Enrollment Policy CAs
CertUtil [Options] -CAInfo [InfoName [Index | ErrorCode]] [-v] [-f] [-split] [-config Machine\CAName]

Index : Optional zero-based property index.
ErrorCode : Numeric error code.
InfoName : Indicates the CA property to display:

Use "*" for all properties.
ads - Advanced Server
aia [Index] - AIA URLs
cdp [Index] - CDP URLs
cert [Index] - CA cert
certchain [Index] - CA cert chain
certcount - CA cert count
certcrlchain [Index] - CA cert chain with CRLs
certstate [Index] - CA cert
certstatuscode [Index] - CA cert verify status
certversion [Index] - CA cert version
CRL [Index] - Base CRL
crlstate [Index] - CRL
crlstatus [Index] - CRL Publish Status
cross- [Index] - Backward cross cert
cross+ [Index] - Forward cross cert
crossstate- [Index] - Backward cross cert
crossstate+ [Index] - Forward cross cert
deltacrl [Index] - Delta CRL
deltacrlstatus [Index] - Delta CRL Publish Status
dns - DNS Name
dsname - Sanitized CA short name (DS name)
error1 ErrorCode - Error message text
error2 ErrorCode - Error message text and error code
exit [Index] - Exit module description
exitcount - Exit module count
file - File version
info - CA info
kra [Index] - KRA cert
kracount - KRA cert count
krastate [Index] - KRA cert
kraused - KRA cert used count
localename - CA locale name
name - CA name
ocsp [Index] - OCSP URLs
parent - Parent CA
policy - Policy module description
product - Product version
propidmax - Maximum CA PropId
role - Role Separation
sanitizedname - Sanitized CA name
sharedfolder - Shared folder
subjecttemplateoids - Subject Template OIDs
templates - Templates
type - CA type
xchg [Index] - CA exchange cert
xchgchain [Index] - CA exchange cert chain
xchgcount - CA exchange cert count
xchgcrlchain [Index] - CA exchange cert chain with CRLs

Retrieve the CA’s certificate:

CertUtil [Options] -ca.cert OutCACertFile [Index] [-f] [-v] [-split] [-config Machine\CAName]

OutCACertFile : output file.
Index : CA certificate renewal index (defaults to most recent).

Retrieve the CA’s certificate chain:

CertUtil [Options] -ca.chain OutCACertChainFile [Index] [-f] [-v] [-split] [-config Machine\CAName]

OutCACertChainFile : output file.
Index : CA certificate renewal index (defaults to most recent).

Display Enrollment Policy CAs:

CertUtil [Options] -CA [CAName | TemplateName] [-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
CertUtil entinfo — Display CA / Enterprise CA information

Display Enterprise CA information:

CertUtil [Options] -EntInfo DomainName\MachineName$ Options: [-f] [-v] [-user]

Display CA information:

CertUtil [Options] -TCAInfo [DomainDN | -] Options: [-f] [-v] [-enterprise] [-user] [-urlfetch] [-dc DCName] [-t Timeout]
CertUtil class — Display COM registry information

Display COM registry information:

CertUtil [Options] -Class [ClassId | ProgId | DllName | *]

Options:
-f -- Force overwrite
-Unicode -- Write redirected output in Unicode
-gmt -- Display times as GMT
-seconds -- Display times with seconds and milliseconds
-v -- Verbose operation
-privatekey -- Display password and private key data
-pin PIN -- Smart Card PIN
-sid WELL_KNOWN_SID_TYPE -- Numeric SID:
22 -- Local System
23 -- Local Service
24 -- Network Service

The ClassID can be found under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID, e.g. certutil -class 04731B67-D933-450A-90E6-4ACD2E9408FE

CertUtil crl — Get or Publish a Certificate Revocation List (CRL)
CertUtil [Options] -GetCRL OutFile [Index] [delta] [-f] [-v] [-split] [-config Machine\CAName]

Index : CRL index or key index (defaults to CRL for newest key).
delta : delta CRL (default is base CRL).

Publish new CRLs [or delta CRLs only]:

CertUtil [Options] -CRL [dd:hh | republish] [delta] [-v] [-split] [-config Machine\CAName]

dd:hh -- new CRL validity period in days and hours.
republish : republish most recent CRLs.
delta : delta CRLs only (default is base and delta CRLs).

CertUtil credstore — Display, add or delete Credential Store entries

Display, add or delete Credential Store entries:

CertUtil [Options] -CredStore [URL] [-f] [-user] [-silent] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
CertUtil [Options] -CredStore URL add [-f] [-user] [-silent] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]
CertUtil [Options] -CredStore URL delete [-f] [-user] [-silent] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

URL : Target URL. Use * to match all entries. Use https://machine* to match a URL prefix.
add : Add a Credential Store entry. SSL credentials must also be specified.
delete : Delete Credential Store entries
-f : use -f to overwrite an entry or to delete multiple entries.

CertUtil csplist — List/Test cryptographic service providers (CSPs)

List the cryptographic service providers (CSPs) installed on this machine for cryptographic operations:

CertUtil [Options] -csplist [Algorithm] Options: [-user] [-Silent] [-csp Provider]

Test the CSPs installed on this machine:

CertUtil [Options] -csptest [Algorithm] Options: [-user] [-Silent] [-csp Provider]

Display CNG cryptographic configuration on this machine:

CertUtil [Options] -CNGConfig Options: [-Silent]
CertUtil downloadocsp — Download OCSP Responses and Write to Directory

Download Online Certificate Status Protocol (OCSP) Responses and Write to Directory:

CertUtil [Options] -downloadOcsp CertificateDir OcspDir [ThreadCount] [Modifiers]

CertificateDir : directory of certificate, store and PFX files.
OcspDir : directory to write OCSP responses.
ThreadCount : optional maximum number of threads for concurrent downloading. Default is 10.
Modifiers : Comma separated list of one or more of the following:

DownloadOnce : Download once and exit
ReadOcsp : Read from OcspDir instead of writing

By default, CertUtil won’t exit and must be explicitly terminated. An OCSP response will contain either ‘good’, ‘revoked’ or ‘unknown’.

CertUtil databaselocations — Display Dynamic File List / Database / File Hash
CertUtil [Options] -dynamicfilelist [-v] [-config Machine\CAName]

Display database locations:

CertUtil [Options] -databaselocations [-v] [-config Machine\CAName]

Generate and display cryptographic hash over a file:

CertUtil [Options] -hashfile InFile [HashAlgorithm] [-v]
CertUtil dump — Dump (read config information) from a certificate file

Dump (read config information) from a certificate file:

CertUtil [Options] [-dump] [File] [-f] [-silent] [-split] [-p Password] [-t Timeout]

Dump PFX structure:

CertUtil [Options] -dumpPFX File options: [-f] [-Silent] [-split] [-p Password] [-csp Provider]
CertUtil db — Dump Certificate Schema / Certificate View / Raw Database
CertUtil [Options] -schema [Ext | Attrib | CRL] options: [-v] [-split] [-config Machine\CAName]

Ext : Extension table.
Attrib : Attribute table.
CRL : CRL table.
Defaults to Request and Certificate table.

Dump Certificate View:

CertUtil [Options] -view [Queue | Log | LogFail | Revoked | Ext | Attrib | CRL] [csv] options: [-v] [-silent] [-split] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

Queue : Request queue.
Log : Issued or revoked certificates, plus failed requests.
LogFail : Failed requests.
Revoked : Revoked certificates.
Ext : Extension table.
Attrib : Attribute table.
CRL : CRL table.
csv : Output as Comma Separated Values.

To display the StatusCode column for all entries: -out StatusCode
To display all columns for the last entry: -restrict "RequestId==$"
To display RequestId and Disposition for three requests: -restrict "RequestId>=37,RequestId<40" -out "RequestId,Disposition"
To display Row Ids and CRL Numbers for all Base CRLs: -restrict "CRLMinBase=0" -out "CRLRowId,CRLNumber" CRL
To display Base CRL Number 3: -v -restrict "CRLMinBase=0,CRLNumber=3" -out "CRLRawCRL" CRL
To display the entire CRL table: CRL

Use "Date[+|-dd:hh]" for date restrictions.
Use "now+dd:hh" for a date relative to the current time.
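Added example, not from the original page: a PowerShell function that drives -view with -restrict and -out in csv mode to list the certificates a CA issued in the last N days. This is the usual first query when checking who obtained certificates from a sensitive template. The CA config string and template pattern are hypothetical; the column names used here are standard CA database columns, and -schema (above) lists the full set available on your CA. The relative-date restriction uses the "now+dd:hh" syntax described above with a minus sign.

```powershell
# Added example, not from the original page: list recently issued certificates from
# the CA database via certutil -view. $Config is a hypothetical "Machine\CAName".
function Get-RecentlyIssuedCerts {
    param(
        [Parameter(Mandatory)] [string] $Config,   # e.g. 'CA01.corp.example\Corp-Issuing-CA'
        [int] $Days = 7,
        [string] $TemplateLike = '*'               # wildcard match on the template column
    )
    # Disposition 20 = issued. "now-dd:hh" is certutil's relative-date syntax.
    $restrict = "Disposition=20,NotBefore>=now-${Days}:00"
    $columns  = 'RequestId,RequesterName,CommonName,CertificateTemplate,NotBefore,SerialNumber'

    $raw = @(& certutil.exe -view -restrict $restrict -out $columns csv -config $Config 2>&1 |
             ForEach-Object { "$_" })
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -view failed: $($raw -join ' ')"
    }

    # csv mode prints a header row of display names, one row per record, then the usual
    # "CertUtil: ... completed" trailer. Keep the comma-separated rows, drop the header,
    # and re-label the columns with the names requested so parsing does not depend on
    # the localised header text.
    $csvLines = $raw |
        Where-Object { $_ -match ',' -and $_ -notmatch '^CertUtil:' } |
        Select-Object -Skip 1
    $rows = $csvLines | ConvertFrom-Csv -Header ($columns -split ',')

    # The stored template value is the template name for version 1 templates and the
    # template OID for later versions, so match against whatever -view prints.
    $rows | Where-Object { $_.CertificateTemplate -like $TemplateLike } | ForEach-Object {
        [pscustomobject]@{
            RequestId    = [int]$_.RequestId
            Requester    = $_.RequesterName
            Subject      = $_.CommonName
            Template     = $_.CertificateTemplate
            NotBefore    = $_.NotBefore
            SerialNumber = $_.SerialNumber
        }
    }
}

# Usage against a hypothetical CA: who received a certificate from any *Server* template this week?
Get-RecentlyIssuedCerts -Config 'CA01.corp.example\Corp-Issuing-CA' -Days 7 -TemplateLike '*Server*' |
    Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the previous run is a cheap way to notice unexpected issuance (a requester who should not hold a server certificate, or a subject that does not match the requester) without enabling full CA auditing.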

Dump Raw Database:

CertUtil [Options] -db [-v] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]
CertUtil deleterow — Delete server database row
CertUtil [Options] -deleterow RowId | Date [Request | Cert | Ext | Attrib | CRL] [-f] [-v] [-config Machine\CAName]

Request : Failed and pending requests (submission date).
Cert : Expired and revoked certificates (expiration date).
Ext : Extension table.
Attrib : Attribute table.
CRL : CRL table (expiration date).

To delete failed and pending requests submitted by January 22, 2024: 1/22/2024 Request
To delete all certificates that expired by January 22, 2024: 1/22/2024 Cert
To delete the certificate row, attributes and extensions for RequestId 37: 37
To delete CRLs that expired by January 22, 2024: 1/22/2024 CRL

Deleted rows are the CA's only record of those requests and certificates and cannot be recovered except from a CA database backup, so take one before pruning by date.

CertUtil deny — Pending requests

Deny pending request:

CertUtil [Options] -deny RequestId [-v] [-config Machine\CAName]

Resubmit pending request:

CertUtil [Options] -resubmit RequestId [-v] [-config Machine\CAName]

Set attributes for pending request:

CertUtil [Options] -setattributes RequestId AttributeString [-v] [-config Machine\CAName]

RequestId : Numeric Request Id of pending request.
AttributeString : Request Attribute name and value pairs.

Names and values are colon separated. Multiple name, value pairs are newline separated.
Example: "CertificateTemplate:User\nEMail:User@Domain.com"
Each "\n" sequence is converted to a newline separator.

CertUtil setextension — Set extension for pending request

Set extension for pending request:

CertUtil [Options] -setextension RequestId ExtensionName Flags [-v] [-config Machine\CAName]

RequestId : Numeric Request Id of a pending request.
ExtensionName : ObjectId string of the extension.
Flags : 0 is recommended. 1 makes the extension critical, 2 disables it, 3 does both.

If the last parameter is numeric, it is taken as a Long. If it can be parsed as a date, it is taken as a Date.
If it starts with '@', the rest of the token is the filename containing binary data or an ascii-text hex dump.
Anything else is taken as a String.

CertUtil setcasites — Set, Verify or Delete CA site names

Set, Verify or Delete CA site names:

CertUtil [Options] -SetCASites [set] [Sitename]
CertUtil [Options] -SetCASites verify [Sitename]
CertUtil [Options] -SetCASites delete
Options: [-f] [-v] [-config Machine\CAName] [-dc DCName]

Use the -config option to target a single CA (Default is all CAs)
Sitename is allowed only when targeting a single CA
Use -f to override validation errors for the specified Sitename
Use -f to delete all CA site names

CertUtil error — Display error code message text

Display error code message text:

CertUtil [-v] -error ErrorCode
CertUtil flushcache — Flush specified caches in selected process

Flush specified caches in a selected process, such as lsass.exe:

CertUtil [Options] -flushCache ProcessId CacheMask [Modifiers]

ProcessId : numeric id of the process to flush. Set to 0 to flush all processes where flush is enabled.
CacheMask : bit mask of caches to be flushed. Numeric OR of the following bits:
0x01 : CERT_WNF_FLUSH_CACHE_REVOCATION
0x02 : CERT_WNF_FLUSH_CACHE_OFFLINE_URL
0x04 : CERT_WNF_FLUSH_CACHE_MACHINE_CHAIN_ENGINE
0x08 : CERT_WNF_FLUSH_CACHE_USER_CHAIN_ENGINES
0x10 : CERT_WNF_FLUSH_CACHE_SERIAL_CHAIN_CERTS
0x20 : CERT_WNF_FLUSH_CACHE_SSL_TIME_CERTS
0x40 : CERT_WNF_FLUSH_CACHE_OCSP_STAPLING
0 : ShowOnly
Modifiers : Comma separated list of one or more of the following:
Show : Show caches being flushed.

Certutil must be explicitly terminated.
CertUtil generatepinrulesctl — Generate Pin Rules Certificate Trust List (CTL)
Generate a Pin Rules Certificate Trust List (CTL) from an XML rules file:

CertUtil [Options] -generatePinRulesCTL XMLFile CTLFile [SSTFile [QueryFilesPrefix]] [-f]

XMLFile : Input XML file to be parsed.
CTLFile : Output CTL file to be generated.
SSTFile : optional .sst file to be created. The .sst file contains all of the certificates used for pinning.
QueryFilesPrefix : optional Domains.csv and Keys.csv files to be created for database query. The QueryFilesPrefix string is prepended to each created file. The Domains.csv file contains rule name, domain rows. The Keys.csv file contains rule name, key SHA256 thumbprint rows.
CertUtil generatehpkpheader — Generate HTTP Public Key Pinning (HPKP) header

HTTP Public Key Pinning (HPKP) is an obsolete Internet security mechanism delivered via an HTTP header; major browsers have removed support for it, so the generated header only affects legacy clients.
Generate HPKP header using certificates in specified file or directory:

CertUtil [Options] -generateHpkpHeader CertFileOrDir MaxAge [ReportUri] [Modifiers]

CertFileOrDir : file or directory of certificates. Source of pin-sha256.
MaxAge : max-age value in seconds.
ReportUri : optional report-uri.
Modifiers : Comma separated list of one or more of the following:
includeSubDomains : append includeSubDomains.
CertUtil getcert — Select a certificate from a selection UI

Select a certificate from a selection UI:

certutil [Options] -getcert [ObjectId | ERA | KRA [CommonName]] options: [-Silent] [-split]
CertUtil getreg — Registry value Display / Set / Delete

Display registry value:

CertUtil [Options] -getreg [\[ProgId\]] [RegistryName] [-f] [-Enterprise] [-user] [-GroupPolicy] [-config Machine\CAName]

ca : Use CA’s registry key
restore : Use CA’s restore registry key
policy : Use policy module’s registry key
exit : Use first exit module’s registry key
template : Use template registry key (use -user for user templates)
enroll : Use enrollment registry key (use -user for user context)
chain : Use chain configuration registry key
PolicyServers : Use Policy Servers registry key
ProgId : Use policy or exit module’s ProgId (registry subkey name)
RegistryName : registry value name (use " Name* " to prefix match)

Registry Aliases:

Config : CA
Policy : PolicyModules
Exit : ExitModules
Restore : RestoreInProgress
Template : Software\Microsoft\Cryptography\CertificateTemplateCache
Enroll : Software\Microsoft\Cryptography\AutoEnrollment (Software\Policies\Microsoft\Cryptography\AutoEnrollment)
MSCEP : Software\Microsoft\Cryptography\MSCEP
Chain : Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
PolicyServers : Software\Microsoft\Cryptography\PolicyServers (Software\Policies\Microsoft\Cryptography\PolicyServers)
Crypt32 : System\CurrentControlSet\Services\crypt32
NGC : System\CurrentControlSet\Control\Cryptography\Ngc
AutoUpdate : Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Passport : Software\Policies\Microsoft\PassportForWork
MDM : Software\Microsoft\Policies\PassportForWork

Use "chain\ChainCacheResyncFiletime @now" to effectively flush cached CRLs.

Set registry value:

CertUtil [Options] -setreg [\[ProgId\]] [RegistryValueName] Value Options: [-f] [-user] [-GroupPolicy] [-config Machine\CAName]

Key:
ca : Use CA’s registry key
restore : Use CA’s restore registry key
policy : Use policy module’s registry key
exit : Use first exit module’s registry key
template : Use template registry key (use -user for user templates)
enroll : Use enrollment registry key (use -user for user context)
chain : Use chain configuration registry key
PolicyServers : Use Policy Servers registry key
ProgId : Use policy or exit module’s ProgId (registry subkey name)
RegistryValueName : registry value name (use "Name*" to prefix match)
Value : New numeric, string or date registry value or filename.

If a numeric value starts with "+" or "-", the bits specified in the new value are set or cleared in the existing registry value.
If a string value starts with "+" or "-", and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value.
To force creation of a REG_MULTI_SZ value, add a "\n" to the end of the string value.
If the value starts with "@", the rest of the value is the name of the file containing the hexadecimal text representation of a binary value.
If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh], an optional date plus or minus optional days and hours.
If both are specified, use a plus sign (+) or minus sign (-) separator.
Use "now+dd:hh" for a date relative to the current time.
Use "i64" as a suffix to create a REG_QWORD value.
Use "chain\ChainCacheResyncFiletime @now" to effectively flush cached CRLs.
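Added example, not from the original page, showing the "+"/"-" bit semantics above in a check a CA administrator actually needs. If EDITF_ATTRIBUTESUBJECTALTNAME2 (bit 0x40000) is set in the policy module's EditFlags, the CA honours a subject alternative name supplied as a request attribute by any enrollee, which lets a requester obtain a certificate for an identity other than their own regardless of what the template allows. The function reads EditFlags with -getreg, tests the bit, and with -Fix clears it through -setreg using the leading "-" form. The CA config string is hypothetical; certutil accepts the symbolic flag name in place of the numeric bit value, which is the form Microsoft's own guidance uses.

```powershell
# Added example, not from the original page: audit (and optionally clear) the
# EDITF_ATTRIBUTESUBJECTALTNAME2 bit in a CA's policy module EditFlags.
# $Config is a hypothetical "Machine\CAName"; run as a CA administrator.
function Test-CAEditFlags {
    param(
        [Parameter(Mandatory)] [string] $Config,
        [switch] $Fix
    )
    $flagName  = 'EDITF_ATTRIBUTESUBJECTALTNAME2'
    $flagValue = 0x40000

    $raw = @(& certutil.exe -config $Config -getreg policy\EditFlags 2>&1 | ForEach-Object { "$_" })
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -getreg failed: $($raw -join ' ')"
    }

    # -getreg prints the DWORD as "EditFlags REG_DWORD = <hex> (<decimal>)", followed by
    # one line per flag bit that is set. Take the numeric value and test the bit directly.
    $pattern = 'EditFlags\s+REG_DWORD\s*=\s*(?:0x)?([0-9a-fA-F]+)'
    $line = $raw | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) {
        throw "could not find EditFlags in certutil output: $($raw -join ' ')"
    }
    $null = $line -match $pattern          # re-run in this scope so $Matches is populated here
    $editFlags = [Convert]::ToInt32($Matches[1], 16)
    $bitSet = (($editFlags -band $flagValue) -ne 0)

    $result = [pscustomobject]@{
        Config             = $Config
        EditFlags          = ('0x{0:x}' -f $editFlags)
        SanOverrideEnabled = $bitSet
        Fixed              = $false
    }

    if ($bitSet -and $Fix) {
        # A leading "-" clears the named bits in the existing value; "-0x40000" would do the same.
        & certutil.exe -config $Config -setreg policy\EditFlags "-$flagName" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -setreg failed to clear $flagName on $Config"
        }
        $result.Fixed = $true
        # The policy module reads EditFlags at service start, so the change is not live yet.
        Write-Warning "Restart Active Directory Certificate Services on the CA (net stop certsvc && net start certsvc) to apply the change."
    }
    $result
}

# Usage against a hypothetical CA: report first, then fix once the result has been reviewed.
Test-CAEditFlags -Config 'CA01.corp.example\Corp-Issuing-CA'
Test-CAEditFlags -Config 'CA01.corp.example\Corp-Issuing-CA' -Fix
```

The same pattern (read with -getreg, test a bit, write back with "+" or "-") applies to any DWORD flag value under the CA, policy or exit keys; clearing a named bit is safer than writing an absolute value because it leaves every other flag as it was.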

Delete registry value:

CertUtil [Options] -delreg [\[ProgId\]] [RegistryValueName] [-f] [-Enterprise] [-user] [-GroupPolicy] [-config Machine\CAName]

ca : Use CA’s registry key
restore : Use CA’s restore registry key
policy : Use policy module’s registry key
exit : Use first exit module’s registry key
template : Use template registry key (use -user for user templates)
enroll : Use enrollment registry key (use -user for user context)
chain : Use chain configuration registry key
PolicyServers : Use Policy Servers registry key
ProgId : Use policy or exit module’s ProgId (registry subkey name)
RegistryValueName : Registry value name (use "Name*" to prefix match)

Registry Aliases: See CertUtil -getreg above
CertUtil get-sth — Get signed tree head / tree head changes

Get signed tree head:

CertUtil [Options] -get-sth [LogId] [-f]

Get signed tree head changes: