Certutil tasks for managing a Certification Authority (CA)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use certutil to perform a number of CA management tasks.

The syntax for each of the following tasks is given below:

  • To display the information stored in public key related files

  • To restrict which rows from the CA schema are displayed when viewing CA database information

  • To display CA information

  • To determine if a CA has not been renewed

  • To retrieve a template list from a CA

  • To view a list of templates supported by the local CA

  • To display a list of tagged database files and database directories

  • To deny a certificate request

  • To publish a certificate or CRL to Active Directory

  • To add certificates to the NTAuth store

  • To subordinate a Microsoft CA under a non-Microsoft CA

  • To publish a cross-certificate to the Active Directory cross-certification store

  • To display a list of dynamic files that must be backed up separately

  • To delete unwanted requests from the CA database

  • To add a display name that appears in the local language to a certificate template

  • To revoke the certificate by serial number

  • To set attributes on pending certificate requests

  • To set the extension in the certificate request

  • To resubmit a pending certificate request

  • To shut down the CA server

  • To verify a key set

  • To back up the CA certificate and keys

  • To restore the CA certificate and keys from a backup directory or a PKCS #12 (.pfx) file

  • To add extensions to a certificate that will be issued by the CA

To display the information stored in public key related files

certutil -dump [-f] [-gmt] [-seconds] [-split] [-v] [-p Password] [File]

  • -dump
    Dumps configuration information or files.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -p Password
    Specifies a password.
  • File
    Specifies the file name of the configuration file that you want to display.
  • -?
    Displays a list of certutil commands.

To restrict which rows from the CA schema are displayed when viewing CA database information


certutil -view [-gmt] [-seconds] [-silent] [-split] [-v] [-config CAMachineName\CAName] [-restrict RestrictionList] [-out ColumnList] [RequestID]

  • -view
    Dumps the certification authority database view.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -silent
    Uses a silent flag to acquire CryptContext.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -restrict RestrictionList
    Restricts which rows from the schema are displayed. Specifies a comma-separated restriction list.
  • -out ColumnList
    Specifies a comma-separated column list.
  • RequestID
    Specifies the request identifier number.
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.


To list the subject e-mail names from all certificates issued from a CA named Myentrootca that is located on Cacomputer1, type:

certutil -config cacomputer1\myentrootca -view -out email

To restrict the rows displayed to those with request identifiers greater than 10,000 and then display only the request disposition from a CA named Myentrootca, type:

certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid>10,000"

To view only the last row, type:

Certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid == $"

To view only the second to last row, type:

certutil -config cacomputer1\myentrootca -view -out disposition -restrict "requestid == $ - 1"

To view the subject e-mail names for all requests made to a CA, type:

certutil -view -out email

To display the numeric request identifiers of certificates based on the User template, type:

certutil -view -restrict "Certificate Template=User" -out requestid

To display the numeric request identifiers of certificates based on the template object identifier, type:

certutil -view -restrict "Certificate Template=" -out requestid

To display all serial numbers and request identifier numbers for unrevoked certificates issued by the CA, type:

certutil -view -restrict disposition==20 /out "serialnumber,requestid"

To view e-mail of the users who made the request for a template named MyTemplate and to also view when the request was issued, type:

certutil -config cacomputer1\myentrootca -view -out email -restrict "CertificateTemplate == myTemplate, Disposition == 20"
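The following PowerShell function is an added example, not part of the original page: it applies the -view/-restrict idiom above to produce an expiry report of issued, unrevoked certificates (Disposition 20) on a CA. The config string is a placeholder; the trailing csv output token of certutil -view, the quoting of its csv lines, and the NotAfter and CommonName column names are assumptions about the CA's certutil version.

```powershell
# Added example (not from the original page): list issued, unrevoked certificates
# that expire on or before a cutoff date and return them as objects.
function Get-ExpiringIssuedCertificates {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CAConfig,                     # e.g. 'cacomputer1\myentrootca' (placeholder)
        [datetime]                      $Cutoff = (Get-Date).AddDays(30)
    )

    # Disposition 20 = issued, the value the page's own -view examples use.
    # Restriction clauses are comma-separated; the date uses the m/d/yyyy form
    # the page shows for certutil dates.
    $cutoffText = $Cutoff.ToString('M/d/yyyy', [cultureinfo]::InvariantCulture)
    $restrict   = "Disposition==20,NotAfter<=$cutoffText"
    $columns    = 'RequestID,SerialNumber,CommonName,NotAfter'

    # Assumption: the "csv" output token is supported by this certutil version.
    $output = & certutil.exe -config $CAConfig -view -restrict $restrict -out $columns csv 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -view failed (exit code $LASTEXITCODE): $($output -join [Environment]::NewLine)"
    }

    # Assumption: csv mode prints one quoted header line with localized column
    # names, then one quoted line per row. Skip the header and map the data
    # lines onto the schema names requested in -out for stable property names.
    $rows = $output |
        Where-Object { $_ -is [string] -and $_ -match '^"' } |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header ($columns -split ',')

    foreach ($row in $rows) {
        # RequestID may be printed as decimal or as 0x-prefixed hexadecimal.
        $id = $row.RequestID
        $requestId = if ($id -match '^0[xX]') { [Convert]::ToInt32($id, 16) } else { [int]$id }
        # certutil prints dates in the current culture, so parse with it rather
        # than with the invariant-culture [datetime] cast.
        $notAfter  = [datetime]::Parse($row.NotAfter, [cultureinfo]::CurrentCulture)

        [pscustomobject]@{
            RequestID    = $requestId
            SerialNumber = $row.SerialNumber
            CommonName   = $row.CommonName
            NotAfter     = $notAfter
            DaysLeft     = [int]($notAfter - (Get-Date)).TotalDays
        }
    }
}

# Usage: certificates expiring within 60 days, soonest first.
# Get-ExpiringIssuedCertificates -CAConfig 'cacomputer1\myentrootca' -Cutoff (Get-Date).AddDays(60) |
#     Sort-Object NotAfter | Format-Table -AutoSize
```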

To display CA information


certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [InfoName [{Index | ErrorCode}]]

  • -cainfo
    Displays CA information.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • InfoName
    Specifies which information you want to display about the CA from one of the values in the following table.
    InfoName                    Description
    --------------------------  -------------------------------------------------------------
                                Displays information about the file version.
                                Displays the product version.
                                Displays the exit module count.
    exit [Index]                Displays the exit module description.
                                Displays the policy module description.
                                Displays the CA name.
                                Displays the sanitized CA name.
                                Displays the shared folder.
                                Displays the localized error code message.
                                Displays the localized error code message and the error code.
                                Displays the CA type.
                                Displays the CA information.
                                Displays the parent CA.
                                Displays the CA certificate count.
                                Displays the CA exchange certificate count.
                                Displays the KRA certificate count.
                                Displays the KRA certificate used count.
                                Displays the maximum CA PropID.
    certstate [Index]           Displays the CA certificate status.
    certstatuscode [Index]      Displays the CA certificate verify status.
    crlstate [Index]            Displays a CRL.
    krastate [Index]            Displays a KRA certificate.
    crossstate+ [Index]         Forward cross-certification.
    crossstate- [Index]         Backward cross-certification.
    cert [Index]                Displays a CA certificate.
    certchain [Index]           Displays a CA certificate chain.
    certcrlchain [Index]        Displays a CA certificate chain with CRLs.
    xchg [Index]                Displays a CA exchange certificate.
    xchgchain [Index]           Displays a CA exchange certificate chain.
    xchgcrlchain [Index]        Displays a CA exchange certificate chain with CRLs.
    kra [Index]                 Displays a KRA certificate.
    cross+ [Index]              Forward cross-certification.
    cross- [Index]              Backward cross-certification.
    crl [Index]                 Displays a base CRL.
    deltacrl [Index]            Displays a delta CRL.
    crlstatus [Index]           Displays the CRL publish status.
    deltacrlstatus [Index]      Displays the delta CRL publish status.
                                Displays the DNS name.
                                Displays role separation.
                                Displays Advanced Server.
    templates                   Displays the templates.
  • Index
    Identifies a unique element from the InfoName table.
  • ErrorCode
    Specifies the error code retrieved from the error message.
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To determine if a CA has not been renewed


certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [certstate]

  • -cainfo
    Displays CA information.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • certstate
    Returns a LONG containing a certificate state disposition.
  • -?
    Displays a list of certutil commands.

To retrieve a template list from a CA


certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] templates

  • -cainfo
    Displays CA information.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -split
    Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • templates
    Specifies the templates InfoName argument.
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To view a list of templates supported by the local CA


certutil -catemplates [-user] [-ut] [-mt] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-dc DCName] [Template]

  • -catemplates
    Displays CA templates.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -ut
    Displays the user templates.
  • -mt
    Displays the computer templates.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -dc DCName
    Targets a specific domain controller.
  • Template
    Specifies the template.
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To display a list of tagged database files and database directories


certutil -databaselocations [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

  • -databaselocations
    Displays database locations.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • The hexadecimal buffer offset and hexadecimal type tag are displayed on each line.

  • For information about type tag definitions, see Cryptography Functions.

To deny a certificate request


certutil -deny [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] RequestID

  • -deny
    Denies the pending certificate request.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • RequestID
    Specifies the request identifier number.
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • RequestID must be in decimal format or hexadecimal format with a leading 0x.

To publish a certificate or CRL to Active Directory


certutil -dsPublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] CertFile {ntauthca | rootca | subca | crossca | kra | user | machine}

certutil -dsPublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] CRLFile [DSCDPContainer [DSCDPCN]]

  • -dsPublish
    Publishes a new certificate or CRL to the CA object in Active Directory.
  • -f
    Overwrites existing files or keys.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • CertFile
    Specifies the certificate.
  • ntauthca
    Specifies that the certificate will be published to the NTAuth store.
  • rootca
    Specifies that the certificate will be published to the root CA store.
  • subca
    Specifies that the certificate will be published to the subordinate CA store.
  • crossca
    Specifies that the certificate will be published to the cross-certified CA store.
  • kra
    Specifies that the certificate will be published to the key recovery agent store.
  • user
    Specifies that the certificate will be published to the user store.
  • machine
    Specifies that the certificate will be published to the computer store.
  • CRLFile
    Specifies the certificate revocation list.
  • DSCDPContainer
    Specifies the Active Directory Certificate revocation list Distribution Point (CDP) container Common Name (CN), usually the CA computer name.
  • DSCDPCN
    Specifies the Active Directory Certificate revocation list Distribution Point (CDP) object Common Name (CN), usually based on the sanitized CA short name and key index.
  • -?
    Displays a list of certutil commands.
  • You must be logged on as a computer administrator to complete this procedure.

  • Publishing the certificate of a CA to NTAuth is necessary if that CA issues certificates for smart card logon.

To add certificates to the NTAuth store


certutil -dspublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] NewCert ntauthca

  • -dspublish
    Publishes a new certificate or CRL to the CA object that lives in Active Directory.
  • -f
    Overwrites existing files or keys.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • NewCert
    Specifies the certificate to be published.
  • ntauthca
    Specifies that the certificate will be published to the NTAuth store.
  • -?
    Displays a list of certutil commands.
  • You must have Enterprise Administrator access to use this command.

To subordinate a Microsoft CA under a non-Microsoft CA


certutil -dspublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] non-MicrosoftCert rootca

  • -dspublish
    Publishes a new certificate to the CA object in Active Directory.
  • -f
    Overwrites existing files or keys.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • non-MicrosoftCert
    Specifies a non-Microsoft certificate name.
  • rootca
    Specifies that the certificate is to be published to the root CA store.
  • -?
    Displays a list of certutil commands.
  • You must be logged on as a computer administrator to complete this procedure.

To publish a cross-certificate to the Active Directory cross-certification store


certutil -dspublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] CrossCert crossca

  • -dspublish
    Publishes a new certificate to the CA object in Active Directory.
  • -f
    Overwrites existing files or keys.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -dc DCName
    Targets a specific domain controller.
  • CrossCert
    Specifies the cross-certificate file that you want to publish.
  • crossca
    Specifies that the cross-certificate is to be published to the Active Directory CA object.
  • -?
    Displays a list of certutil commands.
  • You must be logged on as a computer administrator to complete this procedure.

To display a list of dynamic files that must be backed up separately


certutil -dynamicfilelist [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

  • -dynamicfilelist
    Displays dynamic file list.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • Includes the local copy of the certificate revocation list (CRL) on the server.

  • The hexadecimal buffer offset is displayed on each line.

To delete unwanted requests from the CA database


certutil -deleterow [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] {RowID | Date} {request | cert | ext | attrib | crl}

  • -deleterow
    Deletes a row in the CA database.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • RowID
    Specifies the request identifier of the row that you want to delete.
  • Date
    Specifies a date restriction on which to query.
  • request
    Specifies the request table.
  • cert
    Specifies the certificate table.
  • ext
    Specifies the certificate extensions table.
  • attrib
    Specifies the attribute table.
  • crl
    Specifies the certificate revocation list (CRL) table.
  • -?
    Displays a list of certutil commands.
  • When deleting more than one row with this command, you must be both a CA Administrator and a Certificate Manager to complete the task. The CA must not be configured to enforce role separation in this case. For more information about role-based administration, see Related Topics.

  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • Using Date

    You can use the mm/dd/yyyy 00:00 date format, where 00:00 is standard time that must be designated as either AM or PM.

    If you specify Date without a time of day, Certutil.exe deletes all of the requests issued before the specified date, but it does not delete the requests issued on the specified date.

    If you delete rows by Date, Certutil.exe does not delete the CA certificate or the CA certificate chain rows. To delete the CA certificate and the CA certificate chain rows, you must delete rows by RowID.

    If Date occurs in the future, Certutil.exe fails and displays an invalid parameter error. Use -f to override the invalid parameter error.

  • You can use this command to delete "denial of service" errors.


To delete failed and pending requests last modified by January 22, 2001, type:

certutil -deleterow 1/22/2001 request

To delete all certificates that expired by January 22, 2001, type:

certutil -deleterow 1/22/2001 cert

To delete the certificate row, attributes and extensions for RequestID 37, type:

certutil -deleterow 37

To delete CRLs that expired by January 22, 2001, type:

certutil -deleterow 1/22/2001 crl

To add a display name that appears in the local language to a certificate template


certutil -oid [-f] [-gmt] [-seconds] [-v] "TemplateOID" LocalizedFriendlyName [LanguageID]

  • -oid
    Defines a display name in a certificate template.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • "TemplateOID"
    Specifies the object identifier of the certificate template, surrounded by quotation marks.
  • LocalizedFriendlyName
    Specifies the display name that you want to add to the certificate template.
  • LanguageID
    Sets the local language identifier for the specified object. LocalizedFriendlyName appears in the specified language.
  • -?
    Displays a list of certutil commands.
  • For the changes to take effect, you must restart the computer.

  • If you do not specify LanguageID, Certutil.exe uses the current system default, which is 1033.

  • LanguageID is a decimal representation of a hexadecimal local identifier (LCID) value. For more information about LCID values, see Table Appendix F Locale-Specific Code Page Information at the Microsoft Web Site.


To create a localized display name for the template "Client logon" on the Chinese Traditional language where "" is the object identifier number (TemplateOID) and CHT is the Translated to Chinese display name (LocalizedFriendlyName) of the existing V2 Template, type:

certutil -oid "" "CHT" 1028


  • 1028 is the decimal representation of the hexadecimal value 0x0404, the LCID of Chinese Traditional language.

The output of the command looks like this:

certutil -oid "" CHT 1028
1. -- Client Logon
No display names
Localized name added to the Active Directory store.
0: 1028,CHT
CertUtil: -oid command completed successfully.

To revoke the certificate by serial number


certutil -revoke [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] SerialNumber [Reason]

  • -revoke
    Revokes the certificate.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • SerialNumber
    Specifies the serial number of the certificate that you want to revoke.
  • Reason
    Specifies one of the following reason codes:
    Reason code value   Reason
    ------------------  -----------------------
                        Key compromise
                        CA compromise
                        Affiliation change
                        Cessation of operation
                        Hold revocation
                        Remove from CRL
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • SerialNumber must be in hexadecimal format with an even number of digits. A single zero (0) can be prefaced to a value with an odd number of digits. No leading 0x is allowed.

  • The reason code value 6 is the only value that can be unrevoked.

  • Reason code 0 does not provide information about revocation reasons.
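The following PowerShell functions are an added example, not part of the original page: they normalize a serial number to the form the notes above require for -revoke (hexadecimal only, an even number of digits, a single leading zero where needed, no 0x prefix) and run the revocation behind PowerShell's -WhatIf/-Confirm gate so the exact certutil command is visible before it executes. The config string is a placeholder.

```powershell
# Added example (not from the original page): serial-number normalization for
# certutil -revoke, plus a ShouldProcess wrapper around the revocation itself.
function ConvertTo-CertutilSerialNumber {
    param([Parameter(Mandatory)] [string] $SerialNumber)

    # Accept the forms other tools hand you: "0x1A2B3", "1a 2b 3c", "1a:2b:3c".
    # -revoke does not allow a leading 0x, so strip it along with any separators.
    $hex = ($SerialNumber.Trim() -replace '^0[xX]', '') -replace '[\s:]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]+$') {
        throw "'$SerialNumber' is not a hexadecimal serial number."
    }
    # certutil requires an even number of digits; a single leading zero is permitted.
    if ($hex.Length % 2 -ne 0) { $hex = '0' + $hex }
    return $hex.ToLowerInvariant()
}

function Revoke-CACertificate {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $CAConfig,      # e.g. 'cacomputer1\myentrootca' (placeholder)
        [Parameter(Mandatory)] [string] $SerialNumber,
        # Reason code from the table above. 0 records no reason; per the notes,
        # 6 is the only code whose revocation can later be undone.
        [int] $Reason = 0
    )

    $serial = ConvertTo-CertutilSerialNumber -SerialNumber $SerialNumber
    $action = "certutil -config $CAConfig -revoke $serial $Reason"

    # -WhatIf prints the command without running it; -Confirm prompts first.
    if ($PSCmdlet.ShouldProcess($serial, $action)) {
        & certutil.exe -config $CAConfig -revoke $serial $Reason
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -revoke failed with exit code $LASTEXITCODE for serial $serial"
        }
    }
    # Return the normalized serial so the caller can record what was revoked.
    return $serial
}

# Dry run: shows the normalized serial "01a2b3" and the command, revokes nothing.
# Revoke-CACertificate -CAConfig 'cacomputer1\myentrootca' -SerialNumber '0x1A2B3' -Reason 6 -WhatIf
```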

To set attributes on pending certificate requests


certutil -setattributes [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] RequestID AttributeString

  • -setattributes
    Sets the attributes for the pending request.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • RequestID
    Specifies the request identified by the request identifier.
  • AttributeString
    Specifies the request attribute string to be set on the request identifier certificate.
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • RequestID must be in decimal format (or hexadecimal format with a leading 0x). The specified request must be in the pending state.

  • Use \n to separate multiple values in a string.

  • AttributeString supplies the attribute name and value pairs. Separate a name from its value with a colon, and separate multiple pairs with \n; each "\n" sequence is converted to a new-line character.

To set the extension in the certificate request


certutil -setextension [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] RequestID ExtensionName Flags {LongValue | DateValue | StringValue | @InFile}

  • -setextension
    Sets the extension for the pending request.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • RequestID
    Specifies the numeric request identifier of a pending request.
  • ExtensionName
    Specifies the ObjectID string of the extension.
  • Flags
    Specifies one of the following flags:
    Flags   Description
    ------  -----------------------------------
    0       Sets the extension as noncritical.
            Sets the extension as critical.
  • @InFile
    Specifies the extension value, in one of the formats shown in the syntax (LongValue, DateValue, StringValue, or @InFile). If the value starts with the @ symbol, the rest of the token is the name of a file containing binary data or an ASCII-text hexadecimal dump.
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • RequestID must be in decimal format or in hexadecimal format with a leading 0x.

  • If you have an existing request or certificate with the exact encoding of the extension that you want to add to a pending request, you can dump the request or certificate, along with the ASCII-text hexadecimal dump of each extension, to a file.


The following is a valid example for a noncritical extension:

certutil -setextension 123 0 Subcertification authority (CA)

The specified request must be in the pending state.

If you have an existing certificate, named MyCert.cer, with the exact encoding of the extension you want to add to a pending request, you can dump the request, along with the ASCII-text hexadecimal dump of each extension, by using the following command:

certutil -v mycert.cer

You can then copy the ASCII-text hexadecimal dump of the extension to a text file and name that file Example.txt.

To add the extension to the pending request with the numeric request identifier of 37, use the following command:

certutil -setextension 37 0 @example.txt

To issue the certificate, type:

certutil -resubmit 37

To retrieve the issued certificate, type:

certreq -retrieve 37 example.crt example.p7b
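The dump-to-file step of the procedure above, as an added example that is not part of the original page: a small Python helper that decodes a certutil-style ASCII-text hexadecimal dump back to raw bytes and checks that the result is exactly one well-formed DER element before the file is handed to -setextension as @InFileValue. The dump line layout (offset, hex bytes, ASCII column) and the sample Key Usage value are assumptions constructed here, not taken from the page.

```python
import re
# Constructed sample, not taken from the page: a certutil -v style ASCII-text
# hexadecimal dump of one Key Usage extension value (digitalSignature and
# keyEncipherment). The line layout (4-digit offset, hex bytes, ASCII column)
# is an assumption about certutil's dump format.
SAMPLE_DUMP = "0000  03 02 05 a0                                        ....\n"

# One dump line: offset, at least two spaces, then space-separated hex pairs.
_LINE = re.compile(r"^\s*([0-9a-fA-F]{4,8})\s{2,}((?:[0-9a-fA-F]{2}\s)*[0-9a-fA-F]{2})")

def parse_hexdump(text: str) -> bytes:
    """Decode a certutil-style hex dump back into the raw bytes it describes.
    Offsets must be contiguous: a gap means the dump was edited or truncated,
    and a damaged value should never reach -setextension."""
    out = bytearray()
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # headers, blank lines and decoded-text lines are skipped
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"non-contiguous offset on line: {line.strip()}")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    if not out:
        raise ValueError("no hex dump lines found")
    return bytes(out)

def der_tlv(data: bytes) -> tuple[int, int, int]:
    """Return (tag, content_length, header_length) of the DER element at data[0]."""
    if len(data) < 2:
        raise ValueError("too short for a DER element")
    tag, first = data[0], data[1]
    if first < 0x80:                       # short-form length
        return tag, first, 2
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    length = int.from_bytes(data[2:2 + n], "big")
    if length < 0x80 or data[2] == 0:      # DER requires the minimal encoding
        raise ValueError("non-minimal DER length encoding")
    return tag, length, 2 + n

def is_single_der_value(data: bytes) -> bool:
    """True when data is exactly one complete DER element, which is what a raw
    extension value handed to -setextension as @InFileValue must be."""
    try:
        _, length, hdr = der_tlv(data)
    except ValueError:
        return False
    return hdr + length == len(data)
```

Write the bytes that pass the check to the file you reference with @ (for example with open(path, "wb")); certutil also accepts the text dump itself, but the binary form leaves nothing to re-parse.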

To resubmit a pending certificate request


certutil -resubmit [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] RequestID

  • -resubmit
    Resubmits the pending request.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • RequestID
    Specifies the request identifier number.
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • RequestID must be in decimal format or hexadecimal format with a leading 0x.

To shut down the CA server


certutil -shutdown [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

  • -shutdown
    Shuts down the CA server.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To verify a key set


certutil -verifykeys [-user] [-gmt] [-seconds] [-silent] [-v] [-config CAMachineName\CAName] [KeyContainerName] [CACertFile]

  • -verifykeys
    Verifies the public and private keys for the specified CA.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -silent
    Uses a silent flag to acquire CryptContext.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • KeyContainerName
    Specifies the key container name of the key to verify.
  • CACertFile
    Specifies the CA signature certificate that contains the public key used to verify digital signatures.
  • -?
    Displays a list of certutil commands.
  • Used without parameters, certutil -verifykeys verifies each signing CA certificate against its private key.

  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • You can run this command against local CAs or keys only.

To back up the CA certificate and keys


certutil -backupkey [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory

  • -backupkey
    Backs up the Certificate Services certificate and private key.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -p Password
    Specifies a password.
  • BackupDirectory
    Specifies the backup directory.
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • The maximum length allowed for a PFX file password is 32 characters.

  • You can use the -f option to overwrite existing files in BackupDirectory.

To restore the CA certificate and keys from a backup directory or a PKCS #12 (.pfx) file


certutil -restorekey [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory\PFXFile

  • -restorekey
    Restores Certificate Services certificate and private key from the specified BackupDirectory or PKCS #12 PFXFile.
  • -f
    Overwrites existing files or keys.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
  • -p Password
    Specifies a password.
  • BackupDirectory
    Specifies the backup location of the PFX file.
  • PFXFile
    Specifies the PKCS #12 PFX file.
  • -?
    Displays a list of certutil commands.
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • The maximum length allowed for a PFX file password is 32 characters.

To add extensions to a certificate that will be issued by the CA


certutil -setreg [-user] [-gmt] [-seconds] [-v] policy\enablerequestextensionlist[{0 | 1}] ExtensionOID

  • -setreg
    Sets or edits registry information.
  • -user
    Uses the HKEY_CURRENT_USER keys or certificate store.
  • -gmt
    Displays time as Greenwich mean time.
  • -seconds
    Displays time with seconds and milliseconds.
  • -v
    Specifies verbose output.
  • policy\enablerequestextensionlist+1
    Sets the list of request extensions that the policy module enables.
  • ExtensionOID
    Specifies the object identifier of the extension.
  • 0
    Adds the extension to the list of request extensions that the policy module enables.
  • 1
    Removes the extension from the list of request extensions that the policy module enables.
  • -?
    Displays a list of certutil commands.


Formatting legend

Format: Meaning

Italic: Information that the user must supply

Bold: Elements that the user must type exactly as shown

Ellipsis (...): Parameter that can be repeated several times in a command line

Between brackets ([]): Optional items

Between braces ({}); choices separated by pipe (|). Example: {even|odd}: Set of choices from which the user must choose only one

Courier font: Code or program output

See Also


Command-line reference A-Z
Command shell overview
Manage Role-based Administration