If you want to view the configuration settings for the CA, which includes the type of information that is set by the CAPolicy.inf or afterward installation by running post configuration scripts, you can issue the following commands:
certutil -dump
certutil -getreg
certutil -getreg CA
If you want to maintain a revoked certificate in the CRL beyond the certificate’s expiration date, you can enable the publication of expired certificates to the CRL by running the following command at a command-line prompt and then restarting Certificate Services.
certutil -setreg ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS
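The CRLFlags value that certutil -setreg modifies is a bitmask stored under the CA's configuration key in the registry, so a quick way to confirm the change took effect (before restarting Certificate Services) is to read that DWORD and decode it. The following PowerShell function is an added example, not part of the original article; it assumes it is run on the CA host with local administrator rights, and it decodes only the two flag bits named in its table (the bit values come from certsrv.h).

```powershell
# Added example (not from the original article): read the active CA's CRLFlags,
# the same DWORD that "certutil -getreg ca\CRLFlags" prints, and report whether
# CRLF_PUBLISH_EXPIRED_CERT_CRLS is set. Run on the CA host as a local administrator.

# Flag bit values from certsrv.h; only the subset needed for this check.
$CrlFlagBits = [ordered]@{
    CRLF_DELETE_EXPIRED_CRLS       = 0x2
    CRLF_PUBLISH_EXPIRED_CERT_CRLS = 0x200
}

function Get-CaCrlFlags {
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # The "Active" value names the CA instance whose subkey holds CRLFlags.
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $flags  = (Get-ItemProperty -Path (Join-Path $cfg $caName) -Name CRLFlags).CRLFlags

    # Collect the names of the known flags whose bit is set.
    $set = foreach ($name in $CrlFlagBits.Keys) {
        if ($flags -band $CrlFlagBits[$name]) { $name }
    }

    [pscustomobject]@{
        CAName                = $caName
        CRLFlags              = '0x{0:X}' -f $flags
        PublishesExpiredCerts = [bool]($flags -band $CrlFlagBits.CRLF_PUBLISH_EXPIRED_CERT_CRLS)
        KnownFlagsSet         = @($set)
    }
}

Get-CaCrlFlags | Format-List
```

If PublishesExpiredCerts reports False after the -setreg command, the value was written to a different CA instance (check the Active value) or the command was run without sufficient rights; note that the running service only picks up the new value after Certificate Services is restarted.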
certutil -v -template
Variations of that command:
certutil -v -template > templatelist.txt
certutil -v -template clientauth > clientauthsettings.txt
If you want to copy a certificate revocation list and name it corprootca.crl to removable media (like a floppy drive of a:), then you can run the following command:
certutil -getcrl a:\corprootca.crl
If you want to dump a list of certificate templates and their settings to a text file (MyTemplates.txt), you can run the following command:
certutil -v -template > MyTemplates.txt
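The settings that certutil -v -template prints for a template come from the template object in the Configuration partition of AD DS, and the two properties most often asked about, Key Usage and Extended Key Usage, are stored there as the pKIKeyUsage and pKIExtendedKeyUsage attributes. The function below is an added example, not part of the original article: it reads those attributes for one template over ADSI and decodes the Key Usage bits, so the answer is a small object rather than a long text dump. It assumes a domain-joined machine with LDAP access to a domain controller; the template name argument is the template's CN (for example the clientauth template used above), not its display name.

```powershell
# Added example (not from the original article): read a certificate template's
# Key Usage and Extended Key Usage directly from the template object in AD DS.
# Assumes a domain-joined machine with LDAP access to a domain controller.

# X.509 KeyUsage bits as stored in the first byte of pKIKeyUsage (MSB first).
$KeyUsageBits = [ordered]@{
    digitalSignature = 0x80; nonRepudiation = 0x40; keyEncipherment = 0x20
    dataEncipherment = 0x10; keyAgreement   = 0x08; keyCertSign     = 0x04
    cRLSign          = 0x02; encipherOnly   = 0x01
}

function Get-CertTemplateUsage {
    param([Parameter(Mandatory)][string]$TemplateName)

    # Templates live under Public Key Services in the Configuration naming context.
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $tpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    # pKIKeyUsage is an octet string; decode the first byte into usage names.
    $kuBytes = $tpl.Properties['pKIKeyUsage'].Value
    $ku = if ($kuBytes) {
        @($KeyUsageBits.Keys | Where-Object { $kuBytes[0] -band $KeyUsageBits[$_] })
    } else { @() }
    # decipherOnly is the only bit carried in the second byte.
    if ($kuBytes -and $kuBytes.Count -gt 1 -and ($kuBytes[1] -band 0x80)) { $ku += 'decipherOnly' }

    [pscustomobject]@{
        Template         = $TemplateName
        DisplayName      = [string]$tpl.Properties['displayName'].Value
        KeyUsage         = $ku
        # pKIExtendedKeyUsage is a multi-valued list of EKU OIDs.
        ExtendedKeyUsage = @($tpl.Properties['pKIExtendedKeyUsage'] | ForEach-Object { [string]$_ })
    }
}

Get-CertTemplateUsage -TemplateName 'clientauth' | Format-List
```

The EKU values come back as OIDs (for example 1.3.6.1.5.5.7.3.2 for Client Authentication); if a template defines application policies instead, they are held in msPKI-Certificate-Application-Policy and can be read the same way.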
To view the contents of the AIA container in Active Directory Domain Services (AD DS) for a domain named contoso.com, run the following command:
certutil -viewstore "ldap:///CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate?base?objectclass=certificationAuthority"
To view the content of the client computer’s Intermediate Certification Authorities certificate store, type the following command at a command-line prompt.
certutil -enterprise -viewstore CA
To view the content of the NTAuth container in AD DS for a domain named Corp.contoso.com, you would type the following command on a single line and press ENTER:
certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"
To view the content of the client computer’s Trusted Root Certification Authorities Enterprise certificate store, type the following command at a command-line prompt.
certutil -enterprise -viewstore Root
When you are working with Certificate Enrollment Policy Web Services servers, the local computer keeps a cache of the enrollment policies it has retrieved. You may want to clear this cache when the resulting certificate policies are not what you expect. You can clear the certificate policy cache by running the following command:
certutil -f -policyserver * -policycache delete
To verify a certificate, retrieving the AIA and CRL distribution point URLs it references, or to open the URL retrieval tool for it, run one of the following commands:
certutil -verify -urlfetch <certificatename>
certutil -URL <certificatename>
For more information on these commands, see the end of the Step by Step Guide - Two Tier PKI Hierarchy Deployment.
This could become a Frequently Asked Questions (FAQ) about Certutil at some point. For now, we will just keep it here:
Certificate Revocation and Status Checking - A link to the whitepaper in the TechNet Library; the appendices have many examples
Basic CRL checking with certutil - A link to an entry in the PKI blog
Kurt L Hudson MSFT edited Revision 15. Comment: Added command variations as requested in the comments section
Kurt L Hudson MSFT edited Revision 14. Comment: Added an example about viewing certificate templates
Kurt L Hudson MSFT edited Revision 13. Comment: Updated based on feedback from Senior developer
Kurt L Hudson MSFT edited Revision 12. Comment: Added a Q & A section
Kurt L Hudson MSFT edited Revision 11. Comment: Added a new example
Kurt L Hudson edited Revision 9. Comment: Updated with a new good reference
Kurt L Hudson edited Revision 8. Comment: added more examples
Kurt L Hudson edited Revision 6. Comment: added anchor link
Kurt L Hudson edited Revision 5. Comment: Added command to clear policycache
Kurt L Hudson edited Revision 4. Comment: updated with certutil -getcert
Kurt L Hudson edited Original. Comment: Added more examples
Kurt L Hudson edited Revision 1. Comment: added an additional reference
Kurt L Hudson edited Revision 2. Comment: Added an example and did some reformatting
Kurt L Hudson edited Revision 3. Comment: Updated further to show additional commands
How exactly do you use "CertUtil -deleteEnrollmentServer"? I want to delete an invalid address.
-----------------------
Kurt Hudson's response
First, run certutil -deleteEnrollmentServer -? (notice that you have three authentication options: Kerberos | UserName | ClientCertificate)
certutil -deleteEnrollmentServer Kerberos
is one example. That should remove the CEP URL, if you are using Kerberos authentication. If using a different authentication method, then select the one that is appropriate.
Is there any way to find out the details of a certificate template? For example, I want to find the Key Usage or Extended Key Usage of a given template name.
Thanks!
------------------------------
Kurt Hudson's response:
I have added that example to the article along with another about dumping all the certificates to a text file. You must have the certificate template name that you want to dump. For example, if you wanted the settings for a certificate template with a name of CEPEncryption sent to a .txt file, then you would run:
certutil -v -template CEPEncryption > CEPEncryptionSettings.txt
notepad CEPEncryptionSettings.txt
Notepad would display the settings you want. If you just want the output on the screen, remove the > CEPEncryptionSettings.txt part of the command and it will output to the screen.