certutil

Certutil.exe 是作为证书服务的一部分安装的命令行程序。 可以使用 certutil.exe 显示证书颁发机构（CA）配置信息、配置证书服务以及备份和还原 CA 组件。 该计划还会验证证书、密钥对和证书链。

如果在 certutil 没有其他参数的证书颁发机构上运行，则会显示当前的证书颁发机构配置。 如果在 certutil 没有其他参数的非证书颁发机构上运行，则命令默认为运行该 certutil -dump 命令。 并非所有版本的 certutil 都提供本文档介绍的所有参数和选项。 可以通过运行 certutil -? 或 certutil <parameter> -?查看 certutil 版本提供的选项。

Parameters

-dump

转储配置信息或文件。

certutil [options] [-dump]
certutil [options] [-dump] File

Options:

[-f] [-user] [-Silent] [-split] [-p Password] [-t Timeout]

-dumpPFX

转储 PFX 结构。

certutil [options] [-dumpPFX] File

Options:

[-f] [-Silent] [-split] [-p Password] [-csp Provider]

-asn

使用抽象语法表示法（ASN.1）语法分析和显示文件的内容。 文件类型包括 。CER， .DER 和 PKCS #7 格式化文件。

certutil [options] -asn File [type]

• [type]：数值CRYPT_STRING_* 解码类型

-decodehex

解码十六进制编码的文件。

certutil [options] -decodehex InFile OutFile [type]

• [type]：数值CRYPT_STRING_* 解码类型

Options:

[-f]

-encodehex

以十六进制形式对文件进行编码。

certutil [options] -encodehex InFile OutFile [type]

• [type]：numeric CRYPT_STRING_* 编码类型

Options:

[-f] [-nocr] [-nocrlf] [-UnicodeText]

-decode

解码 Base64 编码的文件。

certutil [options] -decode InFile OutFile

Options:

[-f]

-encode

将文件编码为 Base64。

certutil [options] -encode InFile OutFile

Options:

[-f] [-unicodetext]

-deny

拒绝挂起的请求。

certutil [options] -deny RequestId

Options:

[-config Machine\CAName]

-resubmit

重新提交挂起的请求。

certutil [options] -resubmit RequestId

Options:

[-config Machine\CAName]

-setattributes

设置挂起的证书请求的属性。

certutil [options] -setattributes RequestId AttributeString

Where:

• RequestId is the numeric Request ID for the pending request.
• AttributeString is the request attribute name and value pairs.

Options:

[-config Machine\CAName]

Remarks

• 名称和值必须以冒号分隔，而多个名称和值对必须以换行符分隔。 例如： CertificateTemplate:User\nEMail:User@Domain.com 序列 \n 转换为换行符的位置。

-setextension

为挂起的证书请求设置扩展。

certutil [options] -setextension RequestId ExtensionName Flags {Long | Date | String | @InFile}

Where:

• requestID is the numeric Request ID for the pending request.
• ExtensionName is the ObjectId string for the extension.
• Flags sets the priority of the extension. 0 建议在将扩展设置为关键时 1 禁用 2 扩展，同时同时禁用扩展，同时 3 同时禁用两者。

Options:

[-config Machine\CAName]

Remarks

• If the last parameter is numeric, it's taken as a Long.
• If the last parameter can be parsed as a date, it's taken as a Date.
• 如果最后一个参数以 开头， \@则令牌的其余部分将作为包含二进制数据的文件名或 ASCII 文本十六进制转储。
• 如果最后一个参数是任何其他参数，则将其视为字符串。

-revoke

吊销证书。

certutil [options] -revoke SerialNumber [Reason]

Where:

• SerialNumber is a comma-separated list of certificate serial numbers to revoke.
• Reason is the numeric or symbolic representation of the revocation reason, including:
  • 0. CRL_REASON_UNSPECIFIED - Unspecified (default)
  • 1. CRL_REASON_KEY_COMPROMISE - Key compromise
  • 2. CRL_REASON_CA_COMPROMISE - Certificate Authority compromise
  • 3. CRL_REASON_AFFILIATION_CHANGED - Affiliation changed
  • 4. CRL_REASON_SUPERSEDED - Superseded
  • 5. CRL_REASON_CESSATION_OF_OPERATION - Cessation of operation
  • 6. CRL_REASON_CERTIFICATE_HOLD - Certificate hold
  • 8. CRL_REASON_REMOVE_FROM_CRL - Remove from CRL
  • 9: CRL_REASON_PRIVILEGE_WITHDRAWN - Privilege withdrawn
  • 10: CRL_REASON_AA_COMPROMISE - AA compromise
  • -1. Unrevoke - Unrevokes

Options:

[-config Machine\CAName]

-isvalid

显示当前证书的处置。

certutil [options] -isvalid SerialNumber | CertHash

Options:

[-config Machine\CAName]

-getconfig

获取默认配置字符串。

certutil [options] -getconfig

Options:

[-idispatch] [-config Machine\CAName]

-getconfig2

通过 ICertGetConfig 获取默认配置字符串。

certutil [options] -getconfig2

Options:

[-idispatch]

-getconfig3

通过 ICertConfig 获取配置。

certutil [options] -getconfig3

Options:

[-idispatch]

-ping

尝试联系 Active Directory 证书服务请求接口。

certutil [options] -ping [MaxSecondsToWait | CAMachineList]

Where:

• CAMachineList is a comma-separated list of CA machine names. 对于单个计算机，请使用终止逗号。 此选项还显示每个 CA 计算机的站点成本。

Options:

[-config Machine\CAName] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

-pingadmin

尝试联系 Active Directory 证书服务管理界面。

certutil [options] -pingadmin

Options:

[-config Machine\CAName]

-CAInfo

显示有关证书颁发机构的信息。

certutil [options] -CAInfo [InfoName [Index | ErrorCode]]

Where:

• InfoName indicates the CA property to display, based on the following infoname argument syntax:
  • * - 显示所有属性
  • ads - Advanced Server
  • aia [Index] - AIA URLs
  • cdp [Index] - CDP URLs
  • cert [Index] - CA cert
  • certchain [Index] - CA cert chain
  • certcount - CA cert count
  • certcrlchain [Index] - CA cert chain with CRLs
  • certstate [Index] - CA cert
  • certstatuscode [Index] - CA cert verify status
  • certversion [Index] - CA cert version
  • CRL [Index] - Base CRL
  • crlstate [Index] - CRL
  • crlstatus [Index] - CRL Publish Status
  • cross- [Index] - Backward cross cert
  • cross+ [Index] - Forward cross cert
  • crossstate- [Index] - Backward cross cert
  • crossstate+ [Index] - Forward cross cert
  • deltacrl [Index] - Delta CRL
  • deltacrlstatus [Index] - Delta CRL Publish Status
  • dns - DNS Name
  • dsname - Sanitized CA short name (DS name)
  • error1 ErrorCode - Error message text
  • error2 ErrorCode - Error message text and error code
  • exit [Index] - Exit module description
  • exitcount - Exit module count
  • file - File version
  • info - CA info
  • kra [Index] - KRA cert
  • kracount - KRA cert count
  • krastate [Index] - KRA cert
  • kraused - KRA cert used count
  • localename - CA locale name
  • name - CA name
  • ocsp [Index] - OCSP URLs
  • parent - Parent CA
  • policy - Policy module description
  • product - Product version
  • propidmax - Maximum CA PropId
  • role - Role Separation
  • sanitizedname - Sanitized CA name
  • sharedfolder - Shared folder
  • subjecttemplateoids - Subject Template OIDs
  • templates - Templates
  • type - CA type
  • xchg [Index] - CA exchange cert
  • xchgchain [Index] - CA exchange cert chain
  • xchgcount - CA exchange cert count
  • xchgcrlchain [Index] - CA exchange cert chain with CRLs
• index is the optional zero-based property index.
• errorcode is the numeric error code.

Options:

[-f] [-split] [-config Machine\CAName]

-CAPropInfo

显示 CA 属性类型信息。

certutil [options] -CAInfo [InfoName [Index | ErrorCode]]

Options:

[-idispatch] [-v1] [-admin] [-config Machine\CAName]

-ca.cert

检索证书颁发机构的证书。

certutil [options] -ca.cert OutCACertFile [Index]

Where:

• OutCACertFile is the output file.
• Index is the CA certificate renewal index (defaults to most recent).

Options:

[-f] [-split] [-config Machine\CAName]

-ca.chain

检索证书颁发机构的证书链。

certutil [options] -ca.chain OutCACertChainFile [Index]

Where:

• OutCACertChainFile is the output file.
• Index is the CA certificate renewal index (defaults to most recent).

Options:

[-f] [-split] [-config Machine\CAName]

-GetCRL

获取证书吊销列表（CRL）。

certutil [options] -GetCRL OutFile [Index] [delta]

Where:

• Index is the CRL index or key index (defaults to CRL for most recent key).
• delta is the delta CRL (default is base CRL).

Options:

[-f] [-split] [-config Machine\CAName]

-CRL

发布新的证书吊销列表（CRL）或增量 CRL。

certutil [options] -CRL [dd:hh | republish] [delta]

Where:

• dd:hh is the new CRL validity period in days and hours.
• republish republishes the most recent CRLs.
• delta publishes the delta CRLs only (default is base and delta CRLs).

Options:

[-split] [-config Machine\CAName]

-shutdown

关闭 Active Directory 证书服务。

certutil [options] -shutdown

Options:

[-config Machine\CAName]

-installCert

安装证书颁发机构证书。

certutil [options] -installCert [CACertFile]

Options:

[-f] [-silent] [-config Machine\CAName]

-renewCert

续订证书颁发机构证书。

certutil [options] -renewCert [ReuseKeys] [Machine\ParentCAName]

Options:

[-f] [-silent] [-config Machine\CAName]

• 用于 -f 忽略未完成的续订请求并生成新请求。

-schema

转储证书的架构。

certutil [options] -schema [Ext | Attrib | CRL]

Where:

• 该命令默认为“请求”和“证书”表。
• Ext is the extension table.
• Attribute is the attribute table.
• CRL is the CRL table.

Options:

[-split] [-config Machine\CAName]

-view

转储证书视图。

certutil [options] -view [Queue | Log | LogFail | Revoked | Ext | Attrib | CRL] [csv]

Where:

• Queue dumps a specific request queue.
• Log dumps the issued or revoked certificates, plus any failed requests.
• LogFail dumps the failed requests.
• Revoked dumps the revoked certificates.
• Ext dumps the extension table.
• Attrib dumps the attribute table.
• CRL dumps the CRL table.
• csv provides the output using comma-separated values.

Options:

[-silent] [-split] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

Remarks

• To display the StatusCode column for all entries, type -out StatusCode
• 若要显示最后一个条目的所有列，请键入： -restrict RequestId==$
• To display the RequestId and Disposition for three requests, type: -restrict requestID>=37,requestID<40 -out requestID,disposition
• To display Row IDs Row IDs and CRL numbers for all Base CRLs, type: -restrict crlminbase=0 -out crlrowID,crlnumber crl
• 若要显示基本 CRL 数字 3，请键入： -v -restrict crlminbase=0,crlnumber=3 -out crlrawcrl crl
• 若要显示整个 CRL 表，请键入： CRL
• 用于 Date[+|-dd:hh] 日期限制。
• 用于 now+dd:hh 相对于当前时间的日期。
• 模板包含扩展密钥用法（EKU），它们是描述证书使用方式的对象标识符（OID）。 证书并不总是包括模板公用名或显示名称，但它们始终包含模板 EKU。 可以从 Active Directory 中提取特定证书模板的 EKU，然后基于该扩展限制视图。

-db

转储原始数据库。

certutil [options] -db

Options:

[-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

-deleterow

从服务器数据库中删除行。

certutil [options] -deleterow RowId | Date [Request | Cert | Ext | Attrib | CRL]

Where:

• Request deletes the failed and pending requests, based on submission date.
• Cert deletes the expired and revoked certificates, based on expiration date.
• Ext deletes the extension table.
• Attrib deletes the attribute table.
• CRL deletes the CRL table.

Options:

[-f] [-config Machine\CAName]

Examples

• 若要删除在 2001 年 1 月 22 日之前提交的失败和挂起的请求，请键入： 1/22/2001 request
• 若要删除在 2001 年 1 月 22 日到期的所有证书，请键入： 1/22/2001 cert
• 若要删除 RequestID 37 的证书行、属性和扩展，请键入： 37
• 若要删除在 2001 年 1 月 22 日到期的 CRL，请键入： 1/22/2001 crl

-backup

备份 Active Directory 证书服务。

certutil [options] -backup BackupDirectory [Incremental] [KeepLog]

Where:

• BackupDirectory is the directory to store the backed up data.
• Incremental performs an incremental backup only (default is full backup).
• KeepLog preserves the database log files (default is to truncate log files).

Options:

[-f] [-config Machine\CAName] [-p Password] [-ProtectTo SAMNameAndSIDList]

-backupDB

备份 Active Directory 证书服务数据库。

certutil [options] -backupdb BackupDirectory [Incremental] [KeepLog]

Where:

• BackupDirectory is the directory to store the backed up database files.
• Incremental performs an incremental backup only (default is full backup).
• KeepLog preserves the database log files (default is to truncate log files).

Options:

[-f] [-config Machine\CAName]

-backupkey

备份 Active Directory 证书服务证书和私钥。

certutil [options] -backupkey BackupDirectory

Where:

• BackupDirectory is the directory to store the backed up PFX file.

Options:

[-f] [-config Machine\CAName] [-p password] [-ProtectTo SAMNameAndSIDList] [-t Timeout]

-restore

还原 Active Directory 证书服务。

certutil [options] -restore BackupDirectory

Where:

• BackupDirectory is the directory containing the data to be restored.

Options:

[-f] [-config Machine\CAName] [-p password]

-restoredb

还原 Active Directory 证书服务数据库。

certutil [options] -restoredb BackupDirectory

Where:

• BackupDirectory is the directory containing the database files to be restored.

Options:

[-f] [-config Machine\CAName]

-restorekey

还原 Active Directory 证书服务证书和私钥。

certutil [options] -restorekey BackupDirectory | PFXFile

Where:

• BackupDirectory is the directory containing PFX file to be restored.
• PFXFile is the PFX file to be restored.

Options:

[-f] [-config Machine\CAName] [-p password]

-exportPFX

导出证书和私钥。 有关详细信息，请参阅 -store 本文中的参数。

certutil [options] -exportPFX [CertificateStoreName] CertId PFXFile [Modifiers]

Where:

• CertificateStoreName is the name of the certificate store.
• CertId is the certificate or CRL match token.
• PFXFile is the PFX file to be exported.
• Modifiers are the comma-separated list, which can include one or more of the following:
  • CryptoAlgorithm= specifies the cryptographic algorithm to use for encrypting the PFX file, such as TripleDES-Sha1 or Aes256-Sha256.
  • EncryptCert - Encrypts the private key associated with the certificate with a password.
  • ExportParameters -Exports the private key parameters in addition to the certificate and private key.
  • ExtendedProperties - Includes all extended properties associated with the certificate in the output file.
  • NoEncryptCert - Exports the private key without encrypting it.
  • NoChain - Doesn't import the certificate chain.
  • NoRoot - Doesn't import the root certificate.

-importPFX

导入证书和私钥。 有关详细信息，请参阅 -store 本文中的参数。

certutil [options] -importPFX [CertificateStoreName] PFXFile [Modifiers]

Where:

• CertificateStoreName is the name of the certificate store.
• PFXFile is the PFX file to be imported.
• Modifiers are the comma-separated list, which can include one or more of the following:
  • AT_KEYEXCHANGE - Changes the keyspec to key exchange.
  • AT_SIGNATURE - Changes the keyspec to signature.
  • ExportEncrypted - Exports the private key associated with the certificate with password encryption.
  • FriendlyName= - Specifies a friendly name for the imported certificate.
  • KeyDescription= - Specifies a description for the private key associated with the imported certificate.
  • KeyFriendlyName= - Specifies a friendly name for the private key associated with the imported certificate.
  • NoCert - Doesn't import the certificate.
  • NoChain - Doesn't import the certificate chain.
  • NoExport - Makes the private key non-exportable.
  • NoProtect - Doesn't password protect keys by using a password.
  • NoRoot - Doesn't import the root certificate.
  • Pkcs8 - Uses PKCS8 format for the private key in the PFX file.
  • Protect - Protects keys by using a password.
  • ProtectHigh - Specifies that a high-security password must be associated with the private key.
  • VSM - Stores the private key associated with the imported certificate in the Virtual Smart Card (VSC) container.

Options:

[-f] [-Enterprise] [-user] [-GroupPolicy] [-Silent] [-p Password] [-csp Provider]

Remarks

• 默认为个人计算机存储。

-dynamicfilelist

显示动态文件列表。

certutil [options] -dynamicfilelist

Options:

[-config Machine\CAName]

-databaselocations

显示数据库位置。

certutil [options] -databaselocations

Options:

[-config Machine\CAName]

-hashfile

通过文件生成并显示加密哈希。

certutil [options] -hashfile InFile [HashAlgorithm]

-store

转储证书存储。

certutil [options] -store [CertificateStoreName [CertId [OutputFile]]]

Where:

• CertificateStoreName is the certificate store name. For example:

  • My, CA (default), Root,
  • ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority (View Root Certificates)
  • ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Modify Root Certificates)
  • ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint (View CRLs)
  • ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Enterprise CA Certificates)
  • ldap: (AD computer object certificates)
  • -user ldap: (AD user object certificates)

• CertId is the certificate or CRL match token. 此 ID 可以是：

  • Serial number
  • SHA-1 certificate
  • CRL、CTL 或公钥哈希
  • 数字证书索引（0、1 等）
  • 数值 CRL 索引 （.0、.1 等）
  • 数字 CTL 索引 （..0, ..1 等）
  • Public key
  • 签名或扩展 ObjectId
  • 证书使用者公用名
  • E-mail address
  • UPN 或 DNS 名称
  • 密钥容器名称或 CSP 名称
  • 模板名称或 ObjectId
  • EKU 或应用程序策略 ObjectId
  • CRL 颁发者公用名。

其中许多标识符可能会导致多个匹配。

• OutputFile is the file used to save the matching certificates.

Options:

[-f] [-Enterprise] [-user] [-GroupPolicy] [-Silent] [-split] [-dc DCName]

• 此选项 -user 访问用户存储而不是计算机存储。
• 该 -enterprise 选项访问计算机企业存储。
• 该 -service 选项访问计算机服务存储。
• 该 -grouppolicy 选项访问计算机组策略存储。

For example:

• -enterprise NTAuth
• -enterprise Root 37
• -user My 26e0aaaf000000000004
• CA .11

-enumstore

枚举证书存储。

certutil [options] -enumstore [\\MachineName]

Where:

• MachineName is the remote machine name.

Options:

[-enterprise] [-user] [-grouppolicy]

-addstore

将证书添加到存储区。 有关详细信息，请参阅 -store 本文中的参数。

certutil [options] -addstore CertificateStoreName InFile

Where:

• CertificateStoreName is the certificate store name.
• InFile is the certificate or CRL file you want to add to the store.

Options:

[-f] [-Enterprise] [-user] [-GroupPolicy] [-dc DCName]

-delstore

从存储中删除证书。 有关详细信息，请参阅 -store 本文中的参数。

certutil [options] -delstore CertificateStoreName certID

Where:

• CertificateStoreName is the certificate store name.
• CertId is the certificate or CRL match token.

Options:

[-f] [-Enterprise] [-user] [-GroupPolicy] [-Silent] [-dc DCName]

-verifystore

验证存储中的证书。 有关详细信息，请参阅 -store 本文中的参数。

certutil [options] -verifystore CertificateStoreName [CertId]

Where:

• CertificateStoreName is the certificate store name.
• CertId is the certificate or CRL match token.

Options:

[-Enterprise] [-user] [-GroupPolicy] [-Silent] [-split] [-dc DCName] [-t Timeout]

-repairstore

修复密钥关联或更新证书属性或密钥安全描述符。 有关详细信息，请参阅 -store 本文中的参数。

certutil [options] -repairstore CertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor]

Where:

• CertificateStoreName is the certificate store name.

• CertIdList is the comma-separated list of certificate or CRL match tokens. 有关详细信息，请参阅 -store 本文中的 CertId 说明。

• PropertyInfFile is the INF file containing external properties, including:

  [Properties]
      19 = Empty ; Add archived property, OR:
      19 =       ; Remove archived property
  
      11 = {text}Friendly Name ; Add friendly name property
  
      127 = {hex} ; Add custom hexadecimal property
          _continue_ = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
          _continue_ = 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
  
      2 = {text} ; Add Key Provider Information property
        _continue_ = Container=Container Name&
        _continue_ = Provider=Microsoft Strong Cryptographic Provider&
        _continue_ = ProviderType=1&
        _continue_ = Flags=0&
        _continue_ = KeySpec=2
  
      9 = {text} ; Add Enhanced Key Usage property
        _continue_ = 1.3.6.1.5.5.7.3.2,
        _continue_ = 1.3.6.1.5.5.7.3.1,
  

Options:

[-f] [-Enterprise] [-user] [-GroupPolicy] [-Silent] [-split] [-csp Provider]

-viewstore

转储证书存储。 有关详细信息，请参阅 -store 本文中的参数。

certutil [options] -viewstore [CertificateStoreName [CertId [OutputFile]]]

Where:

• CertificateStoreName is the certificate store name. For example:

  • My, CA (default), Root,
  • ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority (View Root Certificates)
  • ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Modify Root Certificates)
  • ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint (View CRLs)
  • ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Enterprise CA Certificates)
  • ldap: (AD computer object certificates)
  • -user ldap: (AD user object certificates)

• CertId is the certificate or CRL match token. 这可以是：

  • Serial number
  • SHA-1 certificate
  • CRL、CTL 或公钥哈希
  • 数字证书索引（0、1 等）
  • 数值 CRL 索引 （.0、.1 等）
  • 数字 CTL 索引 （..0, ..1 等）
  • Public key
  • 签名或扩展 ObjectId
  • 证书使用者公用名
  • E-mail address
  • UPN 或 DNS 名称
  • 密钥容器名称或 CSP 名称
  • 模板名称或 ObjectId
  • EKU 或应用程序策略 ObjectId
  • CRL 颁发者公用名。

其中许多可能会导致多个匹配。

• OutputFile is the file used to save the matching certificates.

Options:

[-f] [-Enterprise] [-user] [-GroupPolicy] [-dc DCName]

• 此选项 -user 访问用户存储而不是计算机存储。
• 该 -enterprise 选项访问计算机企业存储。
• 该 -service 选项访问计算机服务存储。
• 该 -grouppolicy 选项访问计算机组策略存储。

For example:

• -enterprise NTAuth
• -enterprise Root 37
• -user My 26e0aaaf000000000004
• CA .11

-viewdelstore

从存储中删除证书。

certutil [options] -viewdelstore [CertificateStoreName [CertId [OutputFile]]]

Where:

• CertificateStoreName is the certificate store name. For example:

  • My, CA (default), Root,
  • ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority (View Root Certificates)
  • ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Modify Root Certificates)
  • ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint (View CRLs)
  • ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Enterprise CA Certificates)
  • ldap: (AD computer object certificates)
  • -user ldap: (AD user object certificates)

• CertId is the certificate or CRL match token. 这可以是：

  • Serial number
  • SHA-1 certificate
  • CRL、CTL 或公钥哈希
  • 数字证书索引（0、1 等）
  • 数值 CRL 索引 （.0、.1 等）
  • 数字 CTL 索引 （..0, ..1 等）
  • Public key
  • 签名或扩展 ObjectId
  • 证书使用者公用名
  • E-mail address
  • UPN 或 DNS 名称
  • 密钥容器名称或 CSP 名称
  • 模板名称或 ObjectId
  • EKU 或应用程序策略 ObjectId
  • CRL 颁发者公用名。

其中许多可能会导致多个匹配。

• OutputFile is the file used to save the matching certificates.

Options:

[-f] [-Enterprise] [-user] [-GroupPolicy] [-dc DCName]

• 此选项 -user 访问用户存储而不是计算机存储。
• 该 -enterprise 选项访问计算机企业存储。
• 该 -service 选项访问计算机服务存储。
• 该 -grouppolicy 选项访问计算机组策略存储。

For example:

• -enterprise NTAuth
• -enterprise Root 37
• -user My 26e0aaaf000000000004
• CA .11

-UI

调用 certutil 接口。

certutil [options] -UI File [import]

-TPMInfo

显示受信任的平台模块信息。

certutil [options] -TPMInfo

Options:

[-f] [-Silent] [-split]

-attest

指定应证明证书请求文件。

certutil [options] -attest RequestFile

Options:

[-user] [-Silent] [-split]

-getcert

从选择 UI 中选择证书。

certutil [options] [ObjectId | ERA | KRA [CommonName]]

Options:

[-Silent] [-split]

-ds

显示目录服务（DS）可分辨名称（DN）。

certutil [options] -ds [CommonName]

Options:

[-f] [-user] [-split] [-dc DCName]

-dsDel

删除 DS DN。

certutil [options] -dsDel [CommonName]

Options:

[-user] [-split] [-dc DCName]

-dsPublish

将证书或证书吊销列表（CRL）发布到 Active Directory。

certutil [options] -dspublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
certutil [options] -dspublish CRLfile [DSCDPContainer [DSCDPCN]]

Where:

• CertFile is the name of the certificate file to publish.
• NTAuthCA publishes the certificate to the DS Enterprise store.
• RootCA publishes the certificate to the DS Trusted Root store.
• SubCA publishes the CA certificate to the DS CA object.
• CrossCA publishes the cross-certificate to the DS CA object.
• KRA publishes the certificate to the DS Key Recovery Agent object.
• User publishes the certificate to the User DS object.
• Machine publishes the certificate to the Machine DS object.
• CRLfile is the name of the CRL file to publish.
• DSCDPContainer is the DS CDP container CN, usually the CA machine name.
• DSCDPCN is the DS CDP object CN based on the sanitized CA short name and key index.

Options:

[-f] [-user] [-dc DCName]

• 用于 -f 创建新的 DS 对象。

-dsCert

显示 DS 证书。

certutil [options] -dsCert [FullDSDN] | [CertId [OutFile]]

Options:

[-Enterprise] [-user] [-config Machine\CAName] [-dc DCName]

-dsCRL

显示 DS CRL。

certutil [options] -dsCRL [FullDSDN] | [CRLIndex [OutFile]]

Options:

[-idispatch] [-Enterprise] [-user] [-config Machine\CAName] [-dc DCName]

-dsDeltaCRL

显示 DS 增量 CRL。

certutil [options] -dsDeltaCRL [FullDSDN] | [CRLIndex [OutFile]]

Options:

[-Enterprise] [-user] [-config Machine\CAName] [-dc DCName]

-dsTemplate

显示 DS 模板属性。

certutil [options] -dsTemplate [Template]

Options:

[Silent] [-dc DCName]

-dsAddTemplate

添加 DS 模板。

certutil [options] -dsAddTemplate TemplateInfFile

Options:

[-dc DCName]

-ADTemplate

显示 Active Directory 模板。

certutil [options] -ADTemplate [Template]

Options:

[-f] [-user] [-ut] [-mt] [-dc DCName]

-Template

显示证书注册策略模板。

Options:

certutil [options] -Template [Template]

Options:

[-f] [-user] [-Silent] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

-TemplateCAs

显示证书模板的证书颁发机构（CA）。

certutil [options] -TemplateCAs Template

Options:

[-f] [-user] [-dc DCName]

-CATemplates

显示证书颁发机构的模板。

certutil [options] -CATemplates [Template]

Options:

[-f] [-user] [-ut] [-mt] [-config Machine\CAName] [-dc DCName]

-SetCATemplates

设置证书颁发机构可以颁发的证书模板。

certutil [options] -SetCATemplates [+ | -] TemplateList

Where:

• 该 + 符号将证书模板添加到 CA 的可用模板列表中。
• 该 - 签名从 CA 的可用模板列表中删除证书模板。

-SetCASites

管理站点名称，包括设置、验证和删除证书颁发机构站点名称。

certutil [options] -SetCASites [set] [SiteName]
certutil [options] -SetCASites verify [SiteName]
certutil [options] -SetCASites delete

Where:

• SiteName is allowed only when targeting a single Certificate Authority.

Options:

[-f] [-config Machine\CAName] [-dc DCName]

Remarks

• 该 -config 选项面向单个证书颁发机构（默认值为所有 CA）。
• The -f option can be used to override validation errors for the specified SiteName or to delete all CA site names.

-enrollmentServerURL

显示、添加或删除与 CA 关联的注册服务器 URL。

certutil [options] -enrollmentServerURL [URL AuthenticationType [Priority] [Modifiers]]
certutil [options] -enrollmentserverURL URL delete

Where:

• AuthenticationType specifies one of the following client authentication methods while adding a URL:
  • Kerberos - Use Kerberos SSL credentials.
  • UserName - Use a named account for SSL credentials.
  • ClientCertificate - Use X.509 Certificate SSL credentials.
  • Anonymous - Use anonymous SSL credentials.
• delete deletes the specified URL associated with the CA.
• Priority defaults to 1 if not specified when adding a URL.
• Modifiers is a comma-separated list, which includes one or more of the following:
  • AllowRenewalsOnly only renewal requests can be submitted to this CA via this URL.
  • AllowKeyBasedRenewal allows use of a certificate that has no associated account in the AD. This applies only with ClientCertificate and AllowRenewalsOnly mode.

Options:

[-config Machine\CAName] [-dc DCName]

-ADCA

显示 Active Directory 证书颁发机构。

certutil [options] -ADCA [CAName]

Options:

[-f] [-split] [-dc DCName]

-CA

显示注册策略证书颁发机构。

certutil [options] -CA [CAName | TemplateName]

Options:

[-f] [-user] [-Silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

-Policy

显示注册策略。

certutil [options] -Policy

Options:

[-f] [-user] [-Silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

-PolicyCache

显示或删除注册策略缓存条目。

certutil [options] -PolicyCache [delete]

Where:

• delete deletes the policy server cache entries.
• -f deletes all cache entries

Options:

[-f] [-user] [-policyserver URLorID]

-CredStore

显示、添加或删除凭据存储项。

certutil [options] -CredStore [URL]
certutil [options] -CredStore URL add
certutil [options] -CredStore URL delete

Where:

• URL is the target URL. 还可以用于 * 匹配所有条目或 https://machine* 匹配 URL 前缀。
• add adds a credential store entry. 使用此选项还需要使用 SSL 凭据。
• delete deletes credential store entries.
• -f overwrites a single entry or deletes multiple entries.

Options:

[-f] [-user] [-Silent] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

-InstallDefaultTemplates

安装默认证书模板。

certutil [options] -InstallDefaultTemplates

Options:

[-dc DCName]

-URL

验证证书或 CRL URL。

certutil [options] -URL InFile | URL

Options:

[-f] [-split]

-URLCache

显示或删除 URL 缓存条目。

certutil [options] -URLcache [URL | CRL | * [delete]]

Where:

• URL is the cached URL.
• CRL runs on all cached CRL URLs only.
• * 对所有缓存的 URL 执行作。
• delete deletes relevant URLs from the current user's local cache.
• -f forces fetching a specific URL and updating the cache.

Options:

[-f] [-split]

-pulse

脉冲自动注册事件或 NGC 任务。

certutil [options] -pulse [TaskName [SRKThumbprint]]

Where:

• TaskName is the task to trigger.
  • Pregen is the NGC Key pregen task.
  • AIKEnroll is the NGC AIK certificate enrollment task. （默认为自动注册事件）。
• SRKThumbprint is the thumbprint of the Storage Root Key
• Modifiers:
  • Pregen
  • PregenDelay
  • AIKEnroll
  • CryptoPolicy
  • NgcPregenKey
  • DIMSRoam

Options:

[-user]

-MachineInfo

显示有关 Active Directory 计算机对象的信息。

certutil [options] -MachineInfo DomainName\MachineName$

-DCInfo

显示有关域控制器的信息。 默认值显示未验证的 DC 证书。

certutil [options] -DCInfo [Domain] [Verify | DeleteBad | DeleteAll]

• Modifiers:

  • Verify
  • DeleteBad
  • DeleteAll

Options:

[-f] [-user] [-urlfetch] [-dc DCName] [-t Timeout]

-EntInfo

显示有关企业证书颁发机构的信息。

certutil [options] -EntInfo DomainName\MachineName$

Options:

[-f] [-user]

-TCAInfo

显示有关证书颁发机构的信息。

certutil [options] -TCAInfo [DomainDN | -]

Options:

[-f] [-Enterprise] [-user] [-urlfetch] [-dc DCName] [-t Timeout]

-SCInfo

显示有关智能卡的信息。

certutil [options] -scinfo [ReaderName [CRYPT_DELETEKEYSET]]

Where:

• CRYPT_DELETEKEYSET deletes all keys on the smart card.

Options:

[-Silent] [-split] [-urlfetch] [-t Timeout]

-SCRoots

管理智能卡根证书。

certutil [options] -SCRoots update [+][InputRootFile] [ReaderName]
certutil [options] -SCRoots save @OutputRootFile [ReaderName]
certutil [options] -SCRoots view [InputRootFile | ReaderName]
certutil [options] -SCRoots delete [ReaderName]

Options:

[-f] [-split] [-p Password]

-key

列出密钥容器中存储的密钥。

certutil [options] -key [KeyContainerName | -]

Where:

• KeyContainerName is the key container name for the key to verify. 此选项默认为计算机密钥。 若要切换到用户密钥，请使用 -user。
• 使用 - 符号是指使用默认密钥容器。

Options:

[-user] [-Silent] [-split] [-csp Provider] [-Location AlternateStorageLocation]

-delkey

删除命名的密钥容器。

certutil [options] -delkey KeyContainerName

Options:

[-user] [-Silent] [-split] [-csp Provider] [-Location AlternateStorageLocation]

-DeleteHelloContainer

删除 Windows Hello 容器，删除设备上存储的所有关联凭据，包括任何 WebAuthn 和 FIDO 凭据。

用户使用此选项完成后需要注销。

certutil [options] -DeleteHelloContainer

-verifykeys

验证公钥或私钥集。

certutil [options] -verifykeys [KeyContainerName CACertFile]

Where:

• KeyContainerName is the key container name for the key to verify. 此选项默认为计算机密钥。 若要切换到用户密钥，请使用 -user。
• CACertFile signs or encrypts certificate files.

Options:

[-f] [-user] [-Silent] [-config Machine\CAName]

Remarks

• 如果未指定任何参数，则会根据其私钥验证每个签名 CA 证书。
• 此作只能针对本地 CA 或本地密钥执行。

-verify

验证证书、证书吊销列表（CRL）或证书链。

certutil [options] -verify CertFile [ApplicationPolicyList | - [IssuancePolicyList]] [Modifiers]
certutil [options] -verify CertFile [CACertFile [CrossedCACertFile]]
certutil [options] -verify CRLFile CACertFile [IssuedCertFile]
certutil [options] -verify CRLFile CACertFile [DeltaCRLFile]

Where:

• CertFile is the name of the certificate to verify.
• ApplicationPolicyList is the optional comma-separated list of required Application Policy ObjectIds.
• IssuancePolicyList is the optional comma-separated list of required Issuance Policy ObjectIds.
• CACertFile is the optional issuing CA certificate to verify against.
• CrossedCACertFile is the optional certificate cross-certified by CertFile.
• CRLFile is the CRL file used to verify the CACertFile.
• IssuedCertFile is the optional issued certificate covered by the CRLfile.
• DeltaCRLFile is the optional delta CRL file.
• Modifiers:
  • 强 - 强签名验证
  • MSRoot - 必须链接到Microsoft根
  • MSTestRoot - 必须链接到Microsoft测试根
  • AppRoot - 必须链接到Microsoft应用程序根
  • EV - 强制实施扩展验证策略

Options:

[-f] [-Enterprise] [-user] [-Silent] [-split] [-urlfetch] [-t Timeout] [-sslpolicy ServerName]

Remarks

• Using ApplicationPolicyList restricts chain building to only chains valid for the specified Application Policies.
• Using IssuancePolicyList restricts chain building to only chains valid for the specified Issuance Policies.
• Using CACertFile verifies the fields in the file against CertFile or CRLfile.
• If CACertFile isn't specified, the full chain is built and verified against CertFile.
• If CACertFile and CrossedCACertFile are both specified, the fields in both files are verified against CertFile.
• Using IssuedCertFile verifies the fields in the file against CRLfile.
• Using DeltaCRLFile verifies the fields in the file against CertFile.

-verifyCTL

验证 AuthRoot 或不允许的证书 CTL。

certutil [options] -verifyCTL CTLobject [CertDir] [CertFile]

Where:

• CTLObject identifies the CTL to verify, including:

  • AuthRootWU reads the AuthRoot CAB and matching certificates from the URL cache. 用于 -f 改为从 Windows 更新下载。
  • DisallowedWU reads the Disallowed Certificates CAB and disallowed certificate store file from the URL cache. 用于 -f 改为从 Windows 更新下载。
    • PinRulesWU reads the PinRules CAB from the URL cache. 用于 -f 改为从 Windows 更新下载。
  • AuthRoot reads the registry-cached AuthRoot CTL. Use with -f and an untrusted CertFile to force the registry cached AuthRoot and Disallowed Certificate CTLs to update.
  • Disallowed reads the registry-cached Disallowed Certificates CTL. Use with -f and an untrusted CertFile to force the registry cached AuthRoot and Disallowed Certificate CTLs to update.
    • PinRules reads the registry cached PinRules CTL. Using -f has the same behavior as with PinRulesWU.
  • CTLFileName specifies the file or http path to the CTL or CAB file.

• CertDir specifies the folder containing certificates matching the CTL entries. Defaults to the same folder or website as the CTLobject. 使用 http 文件夹路径需要在末尾使用路径分隔符。 If you don't specify AuthRoot or Disallowed, multiple locations are searched for matching certificates, including local certificate stores, crypt32.dll resources and the local URL cache. 用于 -f 根据需要从 Windows 更新下载。

• CertFile specifies the certificate(s) to verify. 证书与 CTL 条目匹配，显示结果。 此选项禁止大多数默认输出。

Options:

[-f] [-user] [-split]

-syncWithWU

将证书与 Windows 更新同步。

certutil [options] -syncWithWU DestinationDir

Where:

• DestinationDir is the specified directory.
• f forces an overwrite.
• Unicode writes redirected output in Unicode.
• gmt displays times as GMT.
• seconds displays times with seconds and milliseconds.
• v is a verbose operation.
• PIN is the Smart Card PIN.
• WELL_KNOWN_SID_TYPE is a numeric SID:
  • 22 - 本地系统
  • 23 - 本地服务
  • 24 - 网络服务

Remarks

使用以下自动更新机制下载以下文件：

• authrootstl.cab contains the CTLs of non-Microsoft root certificates.
• disallowedcertstl.cab contains the CTLs of untrusted certificates.
• disallowedcert.sst contains the serialized certificate store, including the untrusted certificates.
• thumbprint.crt contains the non-Microsoft root certificates.

例如，certutil -syncWithWU \\server1\PKI\CTLs。

• 如果使用不存在的本地路径或文件夹作为目标文件夹，则会看到错误： The system can't find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)

• 如果使用不存在或不可用的网络位置作为目标文件夹，则会看到错误： The network name can't be found. 0x80070043 (WIN32: 67 ERROR_BAD_NET_NAME)

• 如果服务器无法通过 TCP 端口 80 连接到Microsoft自动更新服务器，则会收到以下错误： A connection with the server couldn't be established 0x80072efd (INet: 12029 ERROR_INTERNET_CANNOT_CONNECT)

• 如果服务器无法使用 DNS 名称 ctldl.windowsupdate.com访问Microsoft自动更新服务器，则会收到以下错误： The server name or address couldn't be resolved 0x80072ee7 (INet: 12007 ERROR_INTERNET_NAME_NOT_RESOLVED).

• 如果不使用该 -f 开关，并且目录中已存在任何 CTL 文件，则会收到文件存在错误： certutil: -syncWithWU command FAILED: 0x800700b7 (WIN32/HTTP: 183 ERROR_ALREADY_EXISTS) Certutil: Can't create a file when that file already exists.

• 如果受信任的根证书发生了更改，则会看到： Warning! Encountered the following no longer trusted roots: <folder path>\<thumbprint>.crt. Use "-f" option to force the delete of the above ".crt" files. Was "authrootstl.cab" updated? If yes, consider deferring the delete until all clients have been updated.

Options:

[-f] [-Unicode] [-gmt] [-seconds] [-v] [-privatekey] [-pin PIN] [-sid WELL_KNOWN_SID_TYPE]

-generateSSTFromWU

生成与 Windows 更新同步的存储文件。

certutil [options] -generateSSTFromWU SSTFile

Where:

• SSTFile is the .sst file to be generated that contains the Third Party Roots downloaded from Windows Update.

Options:

[-f] [-split]

-generatePinRulesCTL

生成包含固定规则列表的证书信任列表 （CTL） 文件。

certutil [options] -generatePinRulesCTL XMLFile CTLFile [SSTFile [QueryFilesPrefix]]

Where:

• XMLFile is the input XML file to be parsed.
• CTLFile is the output CTL file to be generated.
• SSTFile is the optional .sst file to be created that contains all of the certificates used for pinning.
• QueryFilesPrefix are optional Domains.csv and Keys.csv files to be created for database query.
  • The QueryFilesPrefix string is prepended to each created file.
  • The Domains.csv file contains rule name, domain rows.
  • The Keys.csv file contains rule name, key SHA256 thumbprint rows.

Options:

[-f]

-downloadOcsp

下载 OCSP 响应并写入目录。

certutil [options] -downloadOcsp CertificateDir OcspDir [ThreadCount] [Modifiers]

Where:

• CertificateDir is the directory of a certificate, store and PFX files.
• OcspDir is the directory to write OCSP responses.
• ThreadCount is the optional maximum number of threads for concurrent downloading. Default is 10.
• Modifiers are comma separated list of one or more of the following:
  • DownloadOnce - Downloads once and exits.
  • ReadOcsp - Reads from OcspDir instead of writing.

-generateHpkpHeader

使用指定文件或目录中的证书生成 HPKP 标头。

certutil [options] -generateHpkpHeader CertFileOrDir MaxAge [ReportUri] [Modifiers]

Where:

• CertFileOrDir is the file or directory of certificates, which is the source of pin-sha256.
• MaxAge is the max-age value in seconds.
• ReportUri is the optional report-uri.
• Modifiers are comma separated list of one or more of the following:
  • includeSubDomains - Appends the includeSubDomains.

-flushCache

刷新所选进程中的指定缓存，例如 lsass.exe。

certutil [options] -flushCache ProcessId CacheMask [Modifiers]

Where:

• ProcessId is the numeric ID of a process to flush. Set to 0 to flush all processes where flush is enabled.

• CacheMask is the bit mask of caches to be flushed either numeric or the following bits:

  • 0: ShowOnly
  • 0x01: CERT_WNF_FLUSH_CACHE_REVOCATION
  • 0x02: CERT_WNF_FLUSH_CACHE_OFFLINE_URL
  • 0x04: CERT_WNF_FLUSH_CACHE_MACHINE_CHAIN_ENGINE
  • 0x08: CERT_WNF_FLUSH_CACHE_USER_CHAIN_ENGINES
  • 0x10: CERT_WNF_FLUSH_CACHE_SERIAL_CHAIN_CERTS
  • 0x20: CERT_WNF_FLUSH_CACHE_SSL_TIME_CERTS
  • 0x40: CERT_WNF_FLUSH_CACHE_OCSP_STAPLING

• Modifiers are comma separated list of one or more of the following:

  • Show - Shows the caches being flushed. 必须显式终止 Certutil。

-addEccCurve

添加 ECC 曲线。

certutil [options] -addEccCurve [CurveClass:]CurveName CurveParameters [CurveOID] [CurveType]

Where:

• CurveClass is the ECC Curve Class type:

  • WEIERSTRASS (Default)
  • MONTGOMERY
  • TWISTED_EDWARDS

• CurveName is the ECC Curve name.

• CurveParameters are one of the following:

  • 包含 ASN 编码参数的证书文件名。
  • 包含 ASN 编码参数的文件。

• CurveOID is the ECC Curve OID and is one of the following:

  • 包含 ASN 编码的 OID 的证书文件名。
  • 显式 ECC 曲线 OID。

• CurveType is the Schannel ECC NamedCurve point (numeric).

Options:

[-f]

-deleteEccCurve

删除 ECC 曲线。

certutil [options] -deleteEccCurve CurveName | CurveOID

Where:

• CurveName is the ECC Curve name.
• CurveOID is the ECC Curve OID.

Options:

[-f]

-displayEccCurve

显示 ECC 曲线。

certutil [options] -displayEccCurve [CurveName | CurveOID]

Where:

• CurveName is the ECC Curve name.
• CurveOID is the ECC Curve OID.

Options:

[-f]

-csplist

列出此计算机上安装的用于加密作的加密服务提供商（CSP）。

certutil [options] -csplist [Algorithm]

Options:

[-user] [-Silent] [-csp Provider]

-csptest

测试此计算机上安装的 CSP。

certutil [options] -csptest [Algorithm]

Options:

[-user] [-Silent] [-csp Provider]

-CNGConfig

在此计算机上显示 CNG 加密配置。

certutil [options] -CNGConfig

Options:

[-Silent]

-sign

重新对证书吊销列表（CRL）或证书进行签名。

certutil [options] -sign InFileList | SerialNumber | CRL OutFileList [StartDate [+ | -dd:hh] + | -dd:hh] [+SerialNumberList | -SerialNumberList | -ObjectIdList | @ExtensionFile]
certutil [options] -sign InFileList | SerialNumber | CRL OutFileList [#HashAlgorithm] [+AlternateSignatureAlgorithm | -AlternateSignatureAlgorithm]
certutil [options] -sign InFileList OutFileList [Subject:CN=...] [Issuer:hex data]

Where:

• InFileList is the comma-separated list of certificate or CRL files to modify and re-sign.

• SerialNumber is the serial number of the certificate to create. 有效期和其他选项不存在。

• CRL creates an empty CRL. 有效期和其他选项不存在。

• OutFileList is the comma-separated list of modified certificate or CRL output files. 文件数必须与文件列表匹配。

• StartDate+dd:hh is the new validity period for the certificate or CRL files, including:

  • 可选日期加
  • 可选天数和小时有效期（如果使用多个字段），请使用 （+） 或 （-） 分隔符。 用于 now[+dd:hh] 从当前时间开始。 用于 now-dd:hh+dd:hh 从当前时间和固定有效期的固定偏移量开始。 用于 never 没有到期日期（仅适用于 CRL）。

• SerialNumberList is the comma-separated serial number list of the files to add or remove.

• ObjectIdList is the comma-separated extension ObjectId list of the files to remove.

• @ExtensionFile is the INF file that contains the extensions to update or remove. For example:

  [Extensions]
      2.5.29.31 = ; Remove CRL Distribution Points extension
      2.5.29.15 = {hex} ; Update Key Usage extension
      _continue_=03 02 01 86
  

• HashAlgorithm is the name of the hash algorithm. 这必须是符号前面的文本 # 。

• AlternateSignatureAlgorithm is the alternate signature algorithm specifier.

Options:

[-nullsign] [-f] [-user] [-Silent] [-Cert CertId] [-csp Provider]

Remarks

• 使用减号 （-） 可删除序列号和扩展。
• 使用加号 （+） 将序列号添加到 CRL。
• You can use a list to remove both serial numbers and ObjectIds from a CRL at the same time.
• Using the minus sign before AlternateSignatureAlgorithm allows you to use the legacy signature format.
• 使用加号，可以使用备用签名格式。
• If you don't specify AlternateSignatureAlgorithm, the signature format in the certificate or CRL is used.

-vroot

创建或删除 Web 虚拟根和文件共享。

certutil [options] -vroot [delete]

-vocsproot

为 OCSP Web 代理创建或删除 Web 虚拟根。

certutil [options] -vocsproot [delete]

-addEnrollmentServer

根据需要为指定的证书颁发机构添加注册服务器应用程序和应用程序池。 此命令不会安装二进制文件或包。

certutil [options] -addEnrollmentServer Kerberos | UserName | ClientCertificate [AllowRenewalsOnly] [AllowKeyBasedRenewal]

Where:

• addEnrollmentServer requires you to use an authentication method for the client connection to the Certificate Enrollment Server, including:

  • Kerberos uses Kerberos SSL credentials.
  • UserName uses named account for SSL credentials.
  • ClientCertificate uses X.509 Certificate SSL credentials.

• Modifiers:

  • AllowRenewalsOnly allows only renewal request submissions to the Certificate Authority through the URL.
  • AllowKeyBasedRenewal allows use of a certificate with no associated account in Active Directory. This applies when used with ClientCertificate and AllowRenewalsOnly mode.

Options:

[-config Machine\CAName]

-deleteEnrollmentServer

如有必要，删除指定的证书颁发机构的注册服务器应用程序和应用程序池。 此命令不会安装二进制文件或包。

certutil [options] -deleteEnrollmentServer Kerberos | UserName | ClientCertificate

Where:

• deleteEnrollmentServer requires you to use an authentication method for the client connection to the Certificate Enrollment Server, including:
  • Kerberos uses Kerberos SSL credentials.
  • UserName uses named account for SSL credentials.
  • ClientCertificate uses X.509 Certificate SSL credentials.

Options:

[-config Machine\CAName]

-addPolicyServer

如有必要，请添加策略服务器应用程序和应用程序池。 此命令不会安装二进制文件或包。

certutil [options] -addPolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]

Where:

• addPolicyServer requires you to use an authentication method for the client connection to the Certificate Policy Server, including:
  • Kerberos uses Kerberos SSL credentials.
  • UserName uses named account for SSL credentials.
  • ClientCertificate uses X.509 Certificate SSL credentials.
• KeyBasedRenewal allows use of policies returned to the client containing keybasedrenewal templates. This option applies only for UserName and ClientCertificate authentication.

-deletePolicyServer

如有必要，请删除策略服务器应用程序和应用程序池。 此命令不会删除二进制文件或包。

certutil [options] -deletePolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]

Where:

• deletePolicyServer requires you to use an authentication method for the client connection to the Certificate Policy Server, including:
  • Kerberos uses Kerberos SSL credentials.
  • UserName uses named account for SSL credentials.
  • ClientCertificate uses X.509 Certificate SSL credentials.
• KeyBasedRenewal allows use of a KeyBasedRenewal policy server.

-Class

显示 COM 注册表信息。

certutil [options] -Class [ClassId | ProgId | DllName | *]

Options:

[-f]

-7f

检查证书是否0x7f长度编码。

certutil [options] -7f CertFile

-oid

显示对象标识符或设置显示名称。

certutil [options] -oid ObjectId [DisplayName | delete [LanguageId [type]]]
certutil [options] -oid GroupId
certutil [options] -oid AlgId | AlgorithmName [GroupId]

Where:

• ObjectId is the ID to be displayed or to add to the display name.
• GroupId is the GroupID number (decimal) that ObjectIds enumerate.
• AlgId is the hexadecimal ID that objectID looks up.
• AlgorithmName is the algorithm name that objectID looks up.
• DisplayName displays the name to store in DS.
• Delete deletes the display name.
• LanguageId is the language ID value (defaults to current: 1033).
• Type is the type of DS object to create, including:
  • 1 - 模板（默认值）
  • 2 - 颁发策略
  • 3 - 应用程序策略
• -f 创建 DS 对象。

Options:

[-f]

-error

显示与错误代码关联的消息文本。

certutil [options] -error ErrorCode

-getsmtpinfo

获取简单邮件传输协议 （SMTP） 信息。

certutil [options] -getsmtpinfo

-setsmtpinfo

设置 SMTP 信息。

certutil [options] -setsmtpinfo LogonName

Options:

[-config Machine\CAName] [-p Password]

-getreg

显示注册表值。

certutil [options] -getreg [{ca | restore | policy | exit | template | enroll | chain | PolicyServers}\[ProgId\]] [RegistryValueName]

Where:

• ca uses a Certificate Authority's registry key.
• restore uses Certificate Authority's restore registry key.
• policy uses the policy module's registry key.
• exit uses the first exit module's registry key.
• template uses the template registry key (use -user for user templates).
• enroll uses the enrollment registry key (use -user for user context).
• chain uses the chain configuration registry key.
• PolicyServers uses the Policy Servers registry key.
• ProgId uses the policy or exit module's ProgID (registry subkey name).
• RegistryValueName uses the registry value name (use Name* to prefix match).
• value uses the new numeric, string, or date registry value or filename. 如果数值以 + 或新 -值开头，则会在现有注册表值中设置或清除新值中指定的位。

Options:

[-f] [-Enterprise] [-user] [-GroupPolicy] [-config Machine\CAName]

Remarks

• 如果字符串值以 + 或 / -; 开头，并且现有值是一个 REG_MULTI_SZ 值，则字符串将添加到现有注册表值或从现有注册表值中删除。 若要强制创建 REG_MULTI_SZ 值，请 \n 添加到字符串值的末尾。
• 如果值以 \@开头，则值的其余部分是包含二进制值的十六进制文本表示形式的文件的名称。
• 如果未引用有效的文件，则会将其分析为 [Date][+|-][dd:hh] 可选日期加上或减去可选天数和小时数。
• 如果同时指定了两者，请使用加号 （+） 或减号 （-） 分隔符。 用于 now+dd:hh 相对于当前时间的日期。
• 用作 i64 后缀来创建REG_QWORD值。
• 用于 chain\chaincacheresyncfiletime @now 有效刷新缓存的 CRL。
• Registry aliases:
  • Config
  • CA
  • 策略 - PolicyModules
  • 退出 - ExitModules
  • 还原 - RestoreInProgress
  • 模板 - Software\Microsoft\Cryptography\CertificateTemplateCache
  • 注册 - Software\Microsoft\Cryptography\AutoEnrollment （Software\Policies\Microsoft\Cryptography\AutoEnrollment）
  • MSCEP - 软件\Microsoft\Cryptography\MSCEP
  • 链 - Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
  • PolicyServers - Software\Microsoft\Cryptography\PolicyServers （Software\Policies\Microsoft\Cryptography\PolicyServers）
  • Crypt32 - System\CurrentControlSet\Services\crypt32
  • NGC - 系统\CurrentControlSet\Control\Cryptography\Ngc
  • 自动更新 - Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
  • 护照 - Software\Policies\Microsoft\PassportForWork
  • MDM - 软件\Microsoft\Policies\PassportForWork

-setreg

设置注册表值。

certutil [options] -setreg [{ca | restore | policy | exit | template | enroll | chain | PolicyServers}\[ProgId\]] RegistryValueName Value

Where:

• ca uses a Certificate Authority's registry key.
• restore uses Certificate Authority's restore registry key.
• policy uses the policy module's registry key.
• exit uses the first exit module's registry key.
• template uses the template registry key (use -user for user templates).
• enroll uses the enrollment registry key (use -user for user context).
• chain uses the chain configuration registry key.
• PolicyServers uses the Policy Servers registry key.
• ProgId uses the policy or exit module's ProgID (registry subkey name).
• RegistryValueName uses the registry value name (use Name* to prefix match).
• Value uses the new numeric, string, or date registry value or filename. 如果数值以 + 或新 -值开头，则会在现有注册表值中设置或清除新值中指定的位。

Options:

[-f] [-Enterprise] [-user] [-GroupPolicy] [-config Machine\CAName]

Remarks

• 如果字符串值以 + 或 / -; 开头，并且现有值是一个 REG_MULTI_SZ 值，则字符串将添加到现有注册表值或从现有注册表值中删除。 若要强制创建 REG_MULTI_SZ 值，请 \n 添加到字符串值的末尾。
• 如果值以 \@开头，则值的其余部分是包含二进制值的十六进制文本表示形式的文件的名称。
• 如果未引用有效的文件，则会将其分析为 [Date][+|-][dd:hh] 可选日期加上或减去可选天数和小时数。
• 如果同时指定了两者，请使用加号 （+） 或减号 （-） 分隔符。 用于 now+dd:hh 相对于当前时间的日期。
• 用作 i64 后缀来创建REG_QWORD值。
• 用于 chain\chaincacheresyncfiletime @now 有效刷新缓存的 CRL。

-delreg

删除注册表值。

certutil [options] -delreg [{ca | restore | policy | exit | template | enroll |chain | PolicyServers}\[ProgId\]][RegistryValueName]

Where:

• ca uses a Certificate Authority's registry key.
• restore uses Certificate Authority's restore registry key.
• policy uses the policy module's registry key.
• exit uses the first exit module's registry key.
• template uses the template registry key (use -user for user templates).
• enroll uses the enrollment registry key (use -user for user context).
• chain uses the chain configuration registry key.
• PolicyServers uses the Policy Servers registry key.
• ProgId uses the policy or exit module's ProgID (registry subkey name).
• RegistryValueName uses the registry value name (use Name* to prefix match).
• Value uses the new numeric, string or date registry value or filename. 如果数值以 + 或新 -值开头，则会在现有注册表值中设置或清除新值中指定的位。

Options:

[-f] [-Enterprise] [-user] [-GroupPolicy] [-config Machine\CAName]

Remarks

• 如果字符串值以 + 或 / -; 开头，并且现有值是一个 REG_MULTI_SZ 值，则字符串将添加到现有注册表值或从现有注册表值中删除。 若要强制创建 REG_MULTI_SZ 值，请 \n 添加到字符串值的末尾。
• 如果值以 \@开头，则值的其余部分是包含二进制值的十六进制文本表示形式的文件的名称。
• 如果未引用有效的文件，则会将其分析为 [Date][+|-][dd:hh] 可选日期加上或减去可选天数和小时数。
• 如果同时指定了两者，请使用加号 （+） 或减号 （-） 分隔符。 用于 now+dd:hh 相对于当前时间的日期。
• 用作 i64 后缀来创建REG_QWORD值。
• 用于 chain\chaincacheresyncfiletime @now 有效刷新缓存的 CRL。
• Registry aliases:
  • Config
  • CA
  • 策略 - PolicyModules
  • 退出 - ExitModules
  • 还原 - RestoreInProgress
  • 模板 - Software\Microsoft\Cryptography\CertificateTemplateCache
  • 注册 - Software\Microsoft\Cryptography\AutoEnrollment （Software\Policies\Microsoft\Cryptography\AutoEnrollment）
  • MSCEP - 软件\Microsoft\Cryptography\MSCEP
  • 链 - Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
  • PolicyServers - Software\Microsoft\Cryptography\PolicyServers （Software\Policies\Microsoft\Cryptography\PolicyServers）
  • Crypt32 - System\CurrentControlSet\Services\crypt32
  • NGC - 系统\CurrentControlSet\Control\Cryptography\Ngc
  • 自动更新 - Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
  • 护照 - Software\Policies\Microsoft\PassportForWork
  • MDM - 软件\Microsoft\Policies\PassportForWork

-importKMS

将用户密钥和证书导入服务器数据库中进行密钥存档。

certutil [options] -importKMS UserKeyAndCertFile [CertId]

Where:

• UserKeyAndCertFile is a data file with user private keys and certificates that are to be archived. 此文件可以是：
  • Exchange 密钥管理服务器 （KMS） 导出文件。
  • PFX 文件。
• CertId is a KMS export file decryption certificate match token. 有关详细信息，请参阅 -store 本文中的参数。
• -f 导入证书颁发机构未颁发的证书。

Options:

[-f] [-Silent] [-split] [-config Machine\CAName] [-p Password] [-symkeyalg SymmetricKeyAlgorithm[,KeyLength]]

-ImportCert

将证书文件导入数据库。

certutil [options] -ImportCert Certfile [ExistingRow]

Where:

• ExistingRow imports the certificate in place of a pending request for the same key.
• -f 导入证书颁发机构未颁发的证书。

Options:

[-f] [-config Machine\CAName]

Remarks

证书颁发机构可能还需要配置为通过运行 certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN支持外国证书。

-GetKey

检索存档的私钥恢复 Blob、生成恢复脚本或恢复存档的密钥。

certutil [options] -GetKey SearchToken [RecoveryBlobOutFile]
certutil [options] -GetKey SearchToken script OutputScriptFile
certutil [options] -GetKey SearchToken retrieve | recover OutputFileBaseName

Where:

• script generates a script to retrieve and recover keys (default behavior if multiple matching recovery candidates are found, or if the output file isn't specified).
• retrieve retrieves one or more Key Recovery Blobs (default behavior if exactly one matching recovery candidate is found, and if the output file is specified). 使用此选项截断任何扩展，并为每个密钥恢复 Blob 追加特定于证书的 .rec 字符串和扩展。 每个文件都包含证书链和关联的私钥，仍然加密为一个或多个密钥恢复代理证书。
• recover retrieves and recovers private keys in one step (requires Key Recovery Agent certificates and private keys). 使用此选项截断任何扩展并追加 .p12 扩展。 每个文件都包含恢复的证书链和关联的私钥，存储为 PFX 文件。
• SearchToken selects the keys and certificates to be recovered, including:
  • 证书公用名
  • 证书序列号
  • 证书 SHA-1 哈希（指纹）
  • 证书 KeyId SHA-1 哈希（使用者密钥标识符）
  • 请求者名称（域\用户）
  • UPN (user@domain)
• RecoveryBlobOutFile outputs a file with a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates.
• OutputScriptFile outputs a file with a batch script to retrieve and recover private keys.
• OutputFileBaseName outputs a file base name.

Options:

[-f] [-UnicodeText] [-Silent] [-config Machine\CAName] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider]

Remarks

• For retrieve, any extension is truncated and a certificate-specific string and the .rec extensions are appended for each key recovery blob. 每个文件都包含证书链和关联的私钥，仍然加密为一个或多个密钥恢复代理证书。
• For recover, any extension is truncated and the .p12 extension is appended. 包含已恢复的证书链和关联的私钥，存储为 PFX 文件。

-RecoverKey

恢复存档的私钥。

certutil [options] -RecoverKey RecoveryBlobInFile [PFXOutFile [RecipientIndex]]

Options:

[-f] [-user] [-Silent] [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider] [-t Timeout]

-mergePFX

合并 PFX 文件。

certutil [options] -MergePFX PFXInFileList PFXOutFile [Modifiers]

Where:

• PFXInFileList is a comma-separated list of PFX input files.
• PFXOutFile is the name of the PFX output file.
• Modifiers are comma separated lists of one or more of the following:
  • ExtendedProperties includes any extended properties.
  • NoEncryptCert specifies to not encrypt the certificates.
  • EncryptCert specifies to encrypt the certificates.

Options:

[-f] [-user] [-split] [-p password] [-ProtectTo SAMNameAndSIDList] [-csp Provider]

Remarks

• 命令行中指定的密码必须是逗号分隔的密码列表。
• 如果指定了多个密码，则最后一个密码用于输出文件。 如果只提供一个密码，或者最后一个密码是 *，系统会提示用户输入输出文件密码。

-add-chain

添加证书链。

certutil [options] -add-chain LogId certificate OutFile

Options:

[-f]

-add-pre-chain

添加预证书链。

certutil [options] -add-pre-chain LogId pre-certificate OutFile

Options:

[-f]

-get-sth

获取带符号的树头。

certutil [options] -get-sth [LogId]

Options:

[-f]

-get-sth-consistency

获取已签名的树头更改。

certutil [options] -get-sth-consistency LogId TreeSize1 TreeSize2

Options:

[-f]

-get-proof-by-hash

从时间戳服务器获取哈希证明。

certutil [options] -get-proof-by-hash LogId Hash [TreeSize]

Options:

[-f]

-get-entries

从事件日志中检索条目。

certutil [options] -get-entries LogId FirstIndex LastIndex

Options:

[-f]

-get-roots

从证书存储中检索根证书。

certutil [options] -get-roots LogId

Options:

[-f]

-get-entry-and-proof

检索事件日志条目及其加密证明。

certutil [options] -get-entry-and-proof LogId Index [TreeSize]

Options:

[-f]

-VerifyCT

根据证书透明度日志验证证书。

certutil [options] -VerifyCT Certificate SCT [precert]

Options:

[-f]

-?

显示参数列表。

certutil -?
certutil <name_of_parameter> -?
certutil -? -v

Where:

• -? 显示参数列表
• -<name_of_parameter> -？ 显示指定参数的帮助内容。
• -? -v 显示参数和选项的详细列表。

选项

本部分根据命令定义能够指定的所有选项。 每个参数都包含有关哪些选项有效使用的信息。

哈希算法：MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512。

Related links

有关如何使用此命令的更多示例，请参阅以下文章：

• Active Directory 证书服务 （AD CS）
• 用于管理证书的 Certutil 任务
• 在 Windows 中配置受信任的根和不允许的证书