What is Certutil? (from Technet)
Certutil
Certutil.exe is a command-line program that is installed as part of Certificate Services in the Windows Server 2003/2008 family.
You can also obtain Certutil.exe by downloading and installing the Windows Server 2003 Administration Tools Pack (http://go.microsoft.com/fwlink/?LinkID=8136).
You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.
You can use this tool from the command line; to list its other parameters, type:
certutil /?
Let's use certutil to configure a Certification Authority (CA).
Configuring a Certification Authority (CA) with Certutil tool.
You can use certutil to perform a number of CA configuration tasks.
To view the syntax for a specific task, click a task:
- To display CA property type information
- To display the configuration string for a CA
- To create or delete the standard set of virtual roots and file shares for the Certificate Services Web server
- To display CA information
- To determine whether a CA has been renewed
- To change the length of the validity period for certificates issued from a CA
- To force a CA to include expired certificates in future base and delta CRLs
- To configure a CA to issue certificates beyond the default two year limit
- To increase the session limit on the CA database
- To disable or restore the enforcement of the distinguished name length on the CA
To display CA property type information
Syntax
certutil -capropinfo [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]
Parameters
- -capropinfo
- Displays CA property type information.
- -gmt
- Displays time as Greenwich mean time.
- -seconds
- Displays time with seconds and milliseconds.
- -v
- Specifies verbose output.
- -config CAMachineName\CAName
- Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- -?
- Displays a list of certutil commands.
Remarks
- You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
- If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
To display the configuration string for a CA
Syntax
certutil -getconfig [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]
Parameters
- -getconfig
- Retrieves the default configuration string.
- -gmt
- Displays time as Greenwich mean time.
- -seconds
- Displays time with seconds and milliseconds.
- -v
- Specifies verbose output.
- -config CAMachineName\CAName
- Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- -?
- Displays a list of certutil commands.
Remarks
- You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
- If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
To create or delete the standard set of virtual roots and file shares for the Certificate Services Web server
Syntax
certutil -vroot [-gmt] [-seconds] [-v] [delete]
Parameters
- -vroot
- Creates the virtual roots for the Certificate Services Web server.
- -gmt
- Displays time as Greenwich mean time.
- -seconds
- Displays time with seconds and milliseconds.
- -v
- Specifies verbose output.
- delete
- Deletes the virtual roots for the Certificate Services Web server.
- -?
- Displays a list of certutil commands.
Remarks
- If Active Server Pages (ASP) are not enabled, this command enables ASP.
- If you installed the CA Web enrollment pages before installing IIS, the required virtual roots are not created. To create the virtual roots after installing IIS, at a command prompt, type:
certutil -vroot
This command does not install the Web enrollment pages. Instead, it creates the IIS virtual roots that point to the Web enrollment pages, CA certificate, certificate revocation lists (CRLs), and enrollment controls (that is, xenroll.dll and scrdenrl.dll).
To display CA information
Syntax
certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [InfoName]
Parameters
- -cainfo
- Displays CA information.
- -f
- Overwrites existing files or keys.
- -gmt
- Displays time as Greenwich mean time.
- -seconds
- Displays time with seconds and milliseconds.
- -split
- Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
- -v
- Specifies verbose output.
- -config CAMachineName\CAName
- Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- InfoName
- Specifies the CA information that you want to display. Use one of the values in the following table.
- file: Displays information about the file version.
- product: Displays the product version.
- exitcount: Displays the exit module count.
- exit [Index]: Displays the exit module description.
- policy: Displays the policy module description.
- name: Displays the CA name.
- sanitizedname: Displays the sanitized CA name.
- sharedfolder: Displays the shared folder.
- error1 ErrorCode: Displays the error code message in the local language. For ErrorCode, specify the error code that you want to retrieve.
- error2 ErrorCode: Displays the error code message and the error code in the local language. For ErrorCode, specify the error code that you want to retrieve.
- type: Displays the CA type.
- info: Displays the CA info.
- parent: Displays the parent CA.
- certcount: Displays the CA certificate count.
- xchgcount: Displays the CA Exchange certificate count.
- kracount: Displays the number of key recovery agent (KRA) certificates.
- kraused: Displays the number of KRA certificates that are being used.
- propidmax: Displays the maximum CA PropID.
- certstate [Index]: Displays the CA certificate status.
- certstatuscode [Index]: Displays the CA certificate verification status.
- crlstate [Index]: Displays a certificate revocation list (CRL).
- krastate [Index]: Displays a KRA certificate.
- crossstate+ [Index]: Forward cross-certification.
- crossstate- [Index]: Backward cross-certification.
- cert [Index]: Displays a CA certificate.
- certchain [Index]: Displays a CA certificate chain.
- certcrlchain [Index]: Displays a CA certificate chain with CRLs.
- xchg [Index]: Displays a CA exchange certificate.
- xchgchain [Index]: Displays a CA exchange certificate chain.
- xchgcrlchain [Index]: Displays a CA exchange certificate chain with CRLs.
- kra [Index]: Displays a KRA certificate.
- cross+ [Index]: Forward cross-certification.
- cross- [Index]: Backward cross-certification.
- crl [Index]: Displays a base CRL.
- deltacrl [Index]: Displays a delta CRL.
- crlstatus [Index]: Displays CRL publish status.
- deltacrlstatus [Index]: Displays delta CRL publish status.
- dns: Displays the DNS name.
- role: Displays role separation.
- ads: Displays Advanced Server.
- templates: Displays the templates.
- -?
- Displays a list of certutil commands.
Remarks
- You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
- If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
Examples
To display CA information, type:
certutil -cainfo
To display a CA certificate state disposition, type:
certutil -cainfo certstate
To display CRL information, type:
certutil -cainfo crlstate
To determine whether a CA has been renewed
Syntax
certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [certstate]
Parameters
- -cainfo
- Displays CA information.
- -f
- Overwrites existing files or keys.
- -gmt
- Displays time as Greenwich mean time.
- -seconds
- Displays time with seconds and milliseconds.
- -split
- Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
- -v
- Specifies verbose output.
- -config CAMachineName\CAName
- Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
- certstate
- Returns a LONG containing a certificate state disposition.
- -?
- Displays a list of certutil commands.
Remarks
- You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
- If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
- If the CA's index is greater than 0, the CA certificate has been renewed. The command output displays the index information.
- If one of the older CA certificates expires and is regenerated by using the existing key, CRLs are not published for that CA key. If the CA has never been renewed for a new key, this prevents CRL generation. Generating and publishing a new CRL does not solve this problem, but you can use the CRL to help confirm the condition. To force the generation and publication of a CRL, type:
certutil -crl
- The update for this condition is provided in Windows 2000 Service Pack 3.
Examples
To display a CA certificate state disposition, type:
certutil -cainfo certstate
To change the length of the validity period for certificates issued from a CA
Syntax
certutil -setreg [-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\CAName | \ca}]\ValidityPeriod {"days" | "weeks" | "months" | "years"}
certutil -setreg [-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\CAName | \ca}]\ValidityPeriodUnits "UnitValue"
Parameters
- -setreg
- Sets or edits the registry key value.
- -user
- Uses the HKEY_CURRENT_USER keys or certificate store.
- -gmt
- Displays time as Greenwich mean time.
- -seconds
- Displays time with seconds and milliseconds.
- -v
- Specifies verbose output.
- HKLM\system\currentcontrolset\services\certsvc\configuration\
- Specifies the path to the ValidityPeriod and ValidityPeriodUnits registry keys.
- CAName
- Specifies the name of the CA.
- ca
- Specifies the default CA on the local computer.
- \ValidityPeriod {"days" | "weeks" | "months" | "years"}
- Sets the period of time that you want the certificate to be valid. Specify days, weeks, months, or years. Wrap the time period in quotation marks.
- \ValidityPeriodUnits "UnitValue"
- Sets the numeric value for ValidityPeriod.
- -?
- Displays a list of certutil commands.
Remarks
- Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
- You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
Examples
You can set an enterprise qualified subordinate CA to have a different certificate validity period than the parent CA. On the CA computer that is issuing the subordinate CA certificate, type the following commands to set the validity period to three months:
certutil -setreg ca\ValidityPeriod "months"
certutil -setreg ca\ValidityPeriodUnits "3"
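The full procedure for the example above, as an added PowerShell script that is not part of the Technet page: it records the current validity settings, applies the two certutil -setreg commands, restarts Certificate Services (the step the Remarks require, since the CA reads these values only at start-up) and reads the values back from the registry. It assumes an elevated session on the CA, and that the Configuration key's "Active" value holds the name of the active CA; adjust that lookup if your CA is laid out differently.

```powershell
# Added example, not from the Technet page. Sets a CA's certificate validity
# period with certutil -setreg, restarts certsvc and verifies the result.
# Assumption: the active CA name is stored in the "Active" value under the
# CertSvc Configuration key, and the per-CA values live under a subkey of
# that name.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey     = Join-Path $configKey $caName

function Get-CaValidity {
    # Returns the current ValidityPeriod / ValidityPeriodUnits pair for the CA.
    $p = Get-ItemProperty -Path $caKey
    [pscustomobject]@{ Period = $p.ValidityPeriod; Units = [int]$p.ValidityPeriodUnits }
}

function Invoke-CertutilSetReg {
    # Runs one certutil -setreg and stops on a non-zero exit code so a failed
    # first write is never silently followed by the second.
    param([string] $ValueName, [string] $Value)
    certutil -setreg $ValueName "$Value" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg $ValueName failed with exit code $LASTEXITCODE"
    }
}

function Set-CaValidity {
    param(
        [ValidateSet('days', 'weeks', 'months', 'years')] [string] $Period,
        [ValidateRange(1, 1000)] [int] $Units
    )
    $before = Get-CaValidity
    Write-Host ("Before: {0} {1}" -f $before.Units, $before.Period)

    # The ca\ shorthand targets the active CA's registry key.
    Invoke-CertutilSetReg 'ca\ValidityPeriod'      $Period
    Invoke-CertutilSetReg 'ca\ValidityPeriodUnits' $Units

    # Required for the new values to take effect.
    Restart-Service -Name certsvc

    $after = Get-CaValidity
    Write-Host ("After:  {0} {1}" -f $after.Units, $after.Period)
    if ($after.Period -ne $Period -or $after.Units -ne $Units) {
        throw 'Registry values do not match the requested validity period'
    }
    return $after
}

# The page's example: issued certificates valid for three months.
Set-CaValidity -Period months -Units 3
```

A shorter validity period limits how long a leaked or misused key remains usable, which is why the read-back matters: a typo in the units string leaves the CA on its previous setting without any error from the restart. Note also that a CA never issues a certificate that outlives its own CA certificate, so the effective validity is the smaller of the two.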
To force a CA to include expired certificates in future base and delta CRLs
Syntax
certutil -setreg [-user] [-gmt] [-seconds] [-v] ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS
Parameters
- -setreg
- Sets or edits the registry key value.
- -user
- Uses the HKEY_CURRENT_USER keys or certificate store.
- -gmt
- Displays time as Greenwich mean time.
- -seconds
- Displays time with seconds and milliseconds.
- -v
- Specifies verbose output.
- ca
- Specifies the CA registry key.
- CRLFlags
- Specifies the registry value name.
- CRLF_PUBLISH_EXPIRED_CERT_CRLS
- Specifies the new numeric or string registry value.
- -?
- Displays a list of certutil commands.
Remarks
- You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
- With this command, you can verify the revocation status of a time-stamped certificate that has expired.
- If a numeric registry value starts with a plus sign (+) or a dash (-), the bits specified in the new value are set or cleared in the existing registry value.
- If a string registry value starts with a plus sign (+) or a dash (-) and the existing value is a REG_MULTI_SZ value, the string value is either added to or removed from the existing registry value.
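The plus-sign and dash semantics described in the Remarks, as an added PowerShell example that is not part of the Technet page: the bit operations certutil -setreg performs on a numeric value are reproduced in a small function so the effect on the existing CRLFlags value can be previewed, and the real command, restart and read-back are kept behind an -Apply switch. The numeric value 0x10000 for CRLF_PUBLISH_EXPIRED_CERT_CRLS is an assumption taken from the certsrv headers, and the starting value 0x2 is constructed for the preview; certutil -v -getreg ca\CRLFlags prints the symbolic flag names and is the authoritative check on a real CA.

```powershell
# Added example, not from the Technet page. Previews what "+flag" / "-flag"
# does to a numeric registry value, then optionally applies the page's
# command on the CA. Assumption: CRLF_PUBLISH_EXPIRED_CERT_CRLS = 0x10000.
param([switch] $Apply)

$CRLF_PUBLISH_EXPIRED_CERT_CRLS = 0x10000   # assumed value; verify with certutil -v -getreg

function Set-FlagBits {
    # Mirrors certutil -setreg on numeric values: "+mask" sets the bits in the
    # mask, "-mask" clears them, and a plain value replaces the whole DWORD.
    param([int] $Existing, [string] $Op, [int] $Mask)
    switch ($Op) {
        '+'     { return $Existing -bor $Mask }
        '-'     { return $Existing -band (-bnot $Mask) }
        default { return $Mask }
    }
}

function Test-FlagBit {
    # True when every bit of $Mask is set in $Value.
    param([int] $Value, [int] $Mask)
    return (($Value -band $Mask) -eq $Mask)
}

# Constructed starting value for the preview (only bit 0x2 set).
$current = 0x2
$added   = Set-FlagBits -Existing $current -Op '+' -Mask $CRLF_PUBLISH_EXPIRED_CERT_CRLS
$removed = Set-FlagBits -Existing $added   -Op '-' -Mask $CRLF_PUBLISH_EXPIRED_CERT_CRLS
'CRLFlags preview: 0x{0:x} -> +flag -> 0x{1:x} -> -flag -> 0x{2:x}' -f $current, $added, $removed
'Flag set after +: {0}; after -: {1}' -f (Test-FlagBit $added $CRLF_PUBLISH_EXPIRED_CERT_CRLS),
                                          (Test-FlagBit $removed $CRLF_PUBLISH_EXPIRED_CERT_CRLS)

if ($Apply) {
    # Only on the CA, in an elevated session. Uses the symbolic name so the
    # assumed numeric value above is never written to the registry.
    certutil -setreg ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    Restart-Service -Name certsvc
    certutil -v -getreg ca\CRLFlags   # prints the resulting flags by name
}
```

Using the "+" form rather than writing an absolute number is the safe choice for a bit-field value: it leaves every other CRLFlags bit the CA already depends on untouched, whereas an absolute write silently discards them.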
To configure a CA to issue certificates beyond the default two year limit
Syntax
certutil -setreg [-user] [-gmt] [-seconds] [-v] ca\ValidityPeriod "years"
certutil -setreg ca\ValidityPeriodUnits "2"
Parameters
- -setreg
- Sets or edits the registry key value.
- -user
- Uses the HKEY_CURRENT_USER keys or certificate store.
- -gmt
- Displays time as Greenwich mean time.
- -seconds
- Displays time with seconds and milliseconds.
- -v
- Specifies verbose output.
- ca\ValidityPeriod "years"
- Sets the validity length of the certificate to years.
- ca\ValidityPeriodUnits "2"
- Sets the "years" validity period value to two.
- -?
- Displays a list of certutil commands.
Remarks
- Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
- You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
To increase the session limit on the CA database
Syntax
certutil -setreg [-user] [-gmt] [-seconds] [-v] dbsessioncount 30
Parameters
- -setreg
- Sets or edits the registry key value.
- -user
- Uses the HKEY_CURRENT_USER keys or certificate store.
- -gmt
- Displays time as Greenwich mean time.
- -seconds
- Displays time with seconds and milliseconds.
- -v
- Specifies verbose output.
- dbsessioncount 30
- Specifies the new session limit.
- -?
- Displays a list of certutil commands.
Remarks
- Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
- You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
To disable or restore the enforcement of the distinguished name length on the CA
Syntax
certutil -setreg [-user] [-gmt] [-seconds] [-v] ca\ENFORCEX500NAMELENGTHS {0 | 1}
Parameters
- -setreg
- Sets or edits the specified registry value.
- -user
- Uses the HKEY_CURRENT_USER keys or certificate store.
- -gmt
- Displays time as Greenwich mean time.
- -seconds
- Displays time with seconds and milliseconds.
- -v
- Specifies verbose output.
- ca\ENFORCEX500NAMELENGTHS
- Specifies the path to the REG_DWORD\ENFORCEX500NAMELENGTHS registry value.
- {0 | 1}
- Specifies whether to disable (specify 0) or restore (specify 1) the default REG_DWORD\ENFORCEX500NAMELENGTHS registry value.
- -?
- Displays a list of certutil commands.
Remarks
- You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
- Use this command in situations where the subject name in the request is acceptable, but the CA rejects the request because of the distinguished name length check.
Examples
To disable the organizational unit length enforcement on the server, type:
certutil -setreg ca\enforceX500namelengths 0
To restore the default REG_DWORD\ENFORCEX500NAMELENGTHS registry value, type:
certutil -setreg ca\enforceX500namelengths 1
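A read-only check of the settings this page configures, as an added PowerShell example that is not part of the Technet page: it reads the active CA's ValidityPeriod, ValidityPeriodUnits, EnforceX500NameLengths and DBSessionCount values straight from the registry and flags the two states a reviewer would want to notice, a validity period beyond the default two years and name length enforcement switched off. It assumes an elevated session on the CA, that the Configuration key's "Active" value names the CA, and that the value names match the registry paths shown in the syntax lines above; a value that is absent is reported at its documented default.

```powershell
# Added example, not from the Technet page. Audits the CA registry values
# this page describes without changing anything. Assumptions: the active CA
# name is in the "Active" value under the Configuration key, and the value
# names below live under the subkey named after the CA.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaSetting {
    # Returns a named value from the CA key, or $Default when it is absent.
    param([string] $CaKey, [string] $Name, $Default)
    $item = Get-ItemProperty -Path $CaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Get-CaSettingsReport {
    $caName = (Get-ItemProperty -Path $configKey -Name Active).Active
    $caKey  = Join-Path $configKey $caName

    # Documented defaults: two years validity, name length enforcement on.
    $period = Get-CaSetting $caKey 'ValidityPeriod'         'years'
    $units  = [int](Get-CaSetting $caKey 'ValidityPeriodUnits' 2)
    $x500   = [int](Get-CaSetting $caKey 'EnforceX500NameLengths' 1)
    $db     = Get-CaSetting $caKey 'DBSessionCount' $null   # no entry means the built-in default

    # Approximate conversion to days; hashtable lookup is case-insensitive,
    # so "Years" and "years" both resolve.
    $daysPerUnit  = @{ days = 1; weeks = 7; months = 30; years = 365 }
    $validityDays = $units * $daysPerUnit[$period]

    [pscustomobject]@{
        CA                     = $caName
        ValidityPeriod         = "$units $period"
        ValidityBeyondTwoYears = ($validityDays -gt 730)   # past the page's default limit
        EnforceX500NameLengths = $x500
        NameLengthCheckOff     = ($x500 -eq 0)             # 0 = enforcement disabled
        DBSessionCount         = $db
    }
}

Get-CaSettingsReport | Format-List
```

Run this before and after any of the -setreg commands on this page. Name length enforcement is an input check on incoming requests, so a CA left at 0 after a one-off troubleshooting session is worth restoring with the "1" command above.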