What is the Certutil ?          from Technet

Certutil

Certutil.exe is a command-line program that is installed as part of Certificate Services in the Windows Server 2003/2008 family.

You can also obtain Certutil.exe by downloading and installing the Windows Server 2003 Administration Tools Pack (http://go.microsoft.com/fwlink/?LinkID=8136).

You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

you can use this tool on the command-line and for other parameters;

 

certutil /?

 

Let use cetutil for; configuring a Certification Authority (CA)

           

Configuring a Certification Authority (CA) with Certutil tool.

You can use certutil to perform a number of CA configuration tasks.
To view the syntax for a specific task, click a task:

• To display CA property type information
• To display the configuration string for a CA
• To create or delete the standard set of virtual roots and file shares for the Certificate Services Web server
• To display CA information
• To determine whether a CA has been renewed
• To change the length of the validity period for certificates issued from a CA
• To force a CA to include expired certificates in future base and delta CRLs
• To configure a CA to issue certificates beyond the default two year limit
• To increase the session limit on the CA database
• To disable or restore the enforcement of the distinguished name length on the CA

To display CA property type information

Syntax

certutil-capropinfo[-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

Parameters

-capropinfo

Displays CA property type information.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

-config CAMachineName \ CAName

processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-?

Displays a list of certutil commands.

Remarks

• You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
• If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To display the configuration string for a CA

Syntax

certutil-getconfig[-gmt] [-seconds] [-v] [-config CAMachineName\CAName]

Parameters

-getconfig

Retrieves the default configuration string.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

-config CAMachineName \ CAName

processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

-?

Displays a list of certutil commands.

Remarks

• You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
• If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To create or delete the standard set of virtual roots and file shares for the Certificate Services Web server

Syntax

certutil-vroot[-gmt] [-seconds] [-v] [delete]

Parameters

-vroot

Creates the virtual roots for the Certificate Services Web server.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

delete

Deletes the virtual roots for the Certificate Services Web server.

-?

Displays a list of certutil commands.

Remarks

• If active server pages (ASP) is not enabled, this command enables ASP.
• If you installed the CA Web enrollment pages before installing IIS, the required virtual roots are not created. To create the virtual roots after installing IIS, at a command prompt, type:
  
  "certutil -vroot"
  
  This command does not install the Web enrollment pages. Instead, it creates the IIS virtual roots that point to the Web enrollment pages, CA certificate, certificate revocation lists (CRLs), and enrollment controls (that is, xenroll.dll and scrdenrl.dll).

To display CA information

Syntax

certutil-cainfo[-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [InfoName]

Parameters

-cainfo

Displays CA information.

-f

Overwrites existing files or keys.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-split

Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v

Specifies verbose output.

-config CAMachineName \ CAName

processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

InfoName

Specifies the CA information that you want to display. Use one of the values in the following table.

Value	Description
file	Displays information about the file version.
product	Displays the product version.
exitcount	Displays the exit module count.
exit [Index]	Displays the exit module description.
policy	Displays the policy module description.
name	Displays the CA name.
sanitizedname	Displays the sanitized CA name.
sharedfolder	Displays the shared folder.
error1ErrorCode	Displays the error code message in the local language. For ErrorCode, specify the error code that you want to retrieve.
error2ErrorCode	Displays the error code message and the error code in the local language. For ErrorCode, specify the error code that you want to retrieve.
type	Displays the CA type.
info	Displays the CA info.
parent	Displays the parent CA.
certcount	Displays the CA certificate count.
xchgcount	Displays the CA Exchange certificate count.
kracount	Displays the number of key recovery agent (KRA) certificates.
kraused	Displays the number of KRA certificate that are being used.
propidmax	Displays maximum CA PropID.
certstate [Index]	Displays CA certificate status.
certstatuscode [Index]	Displays CA certificate verification status.
crlstate [Index]	Displays a certificate revocation list (CRL).
krastate [Index]	Displays a KRA certificate.
crossstate+ [Index]	Forward cross-certification.
crossstate- [Index]	Backward cross-certification.
cert [Index]	Displays a CA certificate.
certchain [Index]	Displays a CA certificate chain.
certcrlchain [Index]	Displays a CA certificate chain with CRLs.
xchg [Index]	Displays a CA exchange certificate.
xchgchain [Index]	Displays a CA exchange certificate chain.
xchgcrlchain [Index]	Displays a CA exchange certificate chain with CRLs.
kra [Index]	Displays a KRA certificate.
cross+ [Index]	Forward cross-certification.
cross- [Index]	Backwards cross-certification.
crl [Index]	Displays a base CRL.
deltacrl [Index]	Displays a delta CRL.
crlstatus [Index]	Displays CRL publish status.
deltacrlstatus [Index]	Displays delta CRL publish status.
dns	Displays the DNS name.
role	Displays role separation.
ads	Displays Advanced Server.
templates	Displays the templates.

-?

Displays a list of certutil commands.

Remarks

• You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
• If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

Examples

To display CA information, type:
certutil -cainfo
To display a CA certificate state disposition, type:
certutil -cainfo certstate
To display CRL information, type:
certutil -cainfo crlstate

To determine whether a CA has been renewed

Syntax

certutil-cainfo[-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [certstate]

Parameters

-cainfo

Displays CA information.

-f

Overwrites existing files or keys.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-split

Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v

Specifies verbose output.

-config CAMachineName \ CAName

processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

certstate

Returns a LONG containing a certificate state disposition.

-?

Displays a list of certutil commands.

Remarks

• You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
• If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
• If the CA's index is greater than 0, the CA certificate has been renewed. The command output displays the index information.
• If one of the older CA certificates expires and is regenerated by using the existing key, CRLs are not published for that CA key. If the CA has never been renewed for a new key, this prevents CRL generation. If you generate and publish a new CRL, you will not solve this problem, but you can use the CRL to help confirm the condition. To force the generation and publication a CRL, type:
  
  certutil -crl
• The update for this condition is provided in Windows 2000 Service Pack 3.

Examples

To display a CA certificate state disposition, type:
certutil -cainfo certstate

To change the length of the validity period for certificates issued from a CA

Syntax

certutil-setreg[-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\CAName | \ca}]\ValidityPeriod{"days" | "weeks" | "months" | "years"}
certutil-setreg[-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\CAName | \ca}]\ValidityPeriodUnits"UnitValue"

Parameters

-setreg

Sets or edits the registry key value.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

HKLM\system\currentcontrolset\services\certsvc\configuration\

Specifies the path to the ValidityPeriod and ValidityPeriodUnits registry keys.

CAName

Specifies the name of the CA.

ca

Specifies the default CA on the local computer.

\ValidityPeriod{ "days"| "weeks"| "months"| "years"}

Sets the period of time that you want the certificate to be valid. Specify days, weeks, months, or years. Wrap the time period in quotation marks.

\ValidityPeriodUnits " UnitValue "

Sets the numeric value for ValidityPeriod.

-?

Displays a list of certutil commands.

Caution

• Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Note

• You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.

Examples

You can set an enterprise qualified subordinate CA to have a different certificate validity period than the parent CA. On the CA computer that is issuing the subordinate CA certificate, type the following commands to set the validity period to three months:
certutil -setreg ca\ValidityPeriod "months"
certutil -setreg ca\ValidityPeriodUnits "3"

To force a CA to include expired certificates in future base and delta CRLs

Syntax

certutil-setreg[-user] [-gmt] [-seconds] [-v] ca\CRLFlags+CRLF_PUBLISH_EXPIRED_CERT_CRLS

Parameters

-setreg

Sets or edits the registry key value.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

ca

Specifies the CA registry key.

CRLFlags

Specifies the registry value name.

CRLF_PUBLISH_EXPIRED_CERT_CRLS

Specifies the new numeric or string registry value.

-?

Displays a list of certutil commands.

Remarks

• You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
• With this command, you can verify the revocation status of a time-stamped certificate that has expired.
• If a numeric registry value starts with a plus sign (+) or a dash (-), the bits specified in the new value are set or cleared in the existing registry value.
• If a string registry value starts with a plus sign (+) or a dash (-) and the existing value is a REG_MULTI_SZ value, the string value is either added to or removed from the existing registry value.

To configure a CA to issue certificates beyond the default two year limit

Syntax

certutil-setreg[-user] [-gmt] [-seconds] [-v] ca\ValidityPeriod"years"
certutil-setregca\ValidityPeriodUnits"2"

Parameters

-setreg

Sets or edits the registry key value.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

ca\ValidityPeriod "years"

Sets the validity length of the certificate to years.

ca\ValidityPeriodUnits "2"

Sets the "years" validity period value to two.

-?

Displays a list of certutil commands.

Caution

• Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Note

• You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.

To increase the session limit on the CA database

Syntax

certutil-setreg[-user] [-gmt] [-seconds] [-v] dbsessioncount 30

Parameters

-setreg

Sets or edits the registry key value.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

dbsessioncount 30

Specifies the new session limit.

-?

Displays a list of certutil commands.

Caution

• Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Remarks

• You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.

To disable or restore the enforcement of the distinguished name length on the CA

Syntax

certutil-setreg[-user] [-gmt] [-seconds] [-v] ca\ENFORCEX500NAMELENGTHS {0 | 1}

Parameters

-setreg

Sets or edits the specified registry value.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

ca \ ENFORCEX500NAMELENGTHS

Specifies the path to the REG_DWORD\ENFORCEX500NAMELENGTHS registry value.

{ 0| 1}

Specifies whether to disable (specify 0) or restore (specify 1) the default REG_DWORD\ENFORCEX500NAMELENGTHS registry value.

-?

Displays a list of certutil commands.

Remarks

• You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
• Use this command in situations where the existing subject is okay, but the request is rejected by the certificate server.
  
  Examples

To disable the organizational unit length enforcement on the server, type:
certutil -setreg ca\enforceX500namelengths 0
To restore the default REG_DWORD\ENFORCEX500NAMELENGTHS registry value, type:
certutil -setreg ca\enforceX500namelengths 1

How to publish CRL with UAG ?

With 2 easy :) steps:
Create a HTTP Portal on UAG.
and  publish your http://crl.yourdomain.com/CertEnroll/*  on UAG as an application.

Deploying a Forefront UAG DirectAccess Array in 10 Easy Steps!

Deploying a Forefront UAG DirectAccess Array in 10 Easy Steps!

This is not an exhaustive step-by-step walkthrough, but it should cover the key high-level tasks involved. More detail can be found in the Forefront UAG DirectAccess TechNet documentation or by looking at Tom’s excellent Test Lab Guides (TLGs).

These steps are based upon deploying Forefront UAG DirectAccess using an array topology combined with ISATAP to support IPv6 intranet connectivity and NAT64 to support IPv4 intranet resources. This is a likely scenario for deployments with a larger number of users, or specific high availability needs, and an existing IPv4 based intranet.

Please Note: This deployment scenario does not include NAP or Smartcard authentication.

Step 1: Configure Supporting Infrastructure

• Create ISATAP, NLS and IP-HTTPS DNS records
• Create DirectAccess client and server security groups
• Create DirectAccess certificate templates
• Create service account for UAG array management

Step 2: Configure Network Location Servers

• Create website and enrol/bind NLS certificate
• Repeat for additional NLS servers and potentially implement NLB

Step 3: Prepare and Install UAG Servers

• Install OS, activate, run Windows Update, join AD domain
• Configure network interfaces and amend bind order – see here
• Configure static routes – see here
• Enrol IP-HTTPS and IPsec certificates
• Install UAG + UAG Update 1 + UAG Update 2 + TMG SP1 + TMG SP1U1
• Repeat for additional UAG servers

Step 4: Configure UAG Array

• Configure first UAG server as the array manager
• Add additional UAG servers to the ‘Managed Server Computers’ computer set in TMG
• Join additional UAG servers to the array

Step 5: Configure UAG NLB

• Define internal NLB virtual IP address with unicast mode
• Define external NLB virtual IP addresses (at least two) with unicast mode
• Start NLB on each array member

Step 6: Configure UAG DirectAccess

• Enable NAT64/DNS64
• Define appropriate NRPT entries

Step 7: Configure DirectAccess Clients

• Enrol IPsec certificates
• Add clients to DirectAccess security group and reboot
• Install DCA client

Step 8: Configure Active Directory and DNS

• Add IPv6 prefixes and assign to AD sites
• Add DNS reverse lookup zones for IPv6 prefixes

Step 9: Test DirectAccess

• Test internal ISATAP
• Test external Teredo, 6to4 and IP-HTTPS

Step 10: Complete Post-Installation Tasks

• Define custom TMG rules for systems management (SCOM, SCCM, Cert Enrolment etc.)
• Apply UAG SCW hardening template using Group Policy
• Install and run UAG BPA

Hopefully this provides some structure to the recommended deployment process and should allow you to define a high-level checklist of the key tasks for an array deployment.

Microsoft PKI Certificate Authority (CA) Design Overview Before you configure a Public Key Infrastructure (PKI) and certification authority (CA) hierarchy, you should be aware of your organizations security policy and certificate practice statement (CPS). If your organization does not have such policy statements, you should consider creating them. When you do plan your CA hierarchy for your organization's PKI, you can use the following table to get an idea of the type of hierarchy and CAs to implement. Design Option Best for Pros Cons Enterprise Root CA on a Domain Controller online Not recommended. Lab environments only when PKI design is no a priority. Resources severely constrained (worst case scenario) None Configuration dependencies make domain controller maintenance and restore complex. CA is online and more susceptible to compromise. Enterprise Root CA online Small organizations with limited security needs. environments that don’t have high security needs and don’t want to manage an offline system, large companies with limited certificate needs like internal SSL online Easy to manage, uses templates, integrates with Active Directory Domain Services (ADDS) CA is online an more susceptible to compromise. Cannot revoke online CA if compromised More difficult than multi-tier CA hierarchies to expand Enterprise Root CA offline Not ideal for any environment When offline the CA is not exposed to network-based attacks. • Cannot be installed offline because it requires Active Directory • Enterprise Root CA would not be able to service requests when offline • Enterprise Root CA would have to be online sometimes and a member of the domain • Creation of an Enterprise Subordinate would be needed to utilize any of the benefits of having an Active Directory integrated CA • Enterprise Root CA would be online during subordinate CA renewal (in a multi-tier CA hierarchy) • In a single-tier hierarchy, the Enterprise Root CA would not be available when offline to issue certificates • Secure channel password would likely need to be reset in order to communicate with domain when it was brought online, if it was offline for more than 30 days. Standalone offline root CA Secure environment, multiple Issuing CAs Provides security and management of online CAs. Allows environments to have a single point to trust all CAs in the company. Helps control physical and logical control to CA Easy to forget about and allow CDP/AIA to expire and break PKI. Expensive – requires dedicated hardware that is infrequently used. More complex and requires greater skill level to integrate in an Active Directory Domain Services (AD DS) environment. Two-tier CA hierarchy Most environments that don’t have a need to create security boundaries in their CA architectures No unnecessary offline systems. Less CAs to manage and renew offline No ability to restrict subordinate CAs or administrators. Can/should also incur expense of an HSM Three-tier CA hierarchy Very large and expansive PKI environments with segmented CAs or separate groups that will manage CAs and need to be restricted Ability to restrict CAs from issuing certs that shouldn’t (DMZ CAs shouldn’t issue Smart cards, etc..). Allows greatest flexibility of PKI Middle tier often never utilized and is wasted. Extra machine/OS/HSM expense, one more system to remember to renew and maintain in an offline state.