Applies to: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Certutil.exe is a command-line program that is installed as part of Active Directory Certificate Services (AD CS). You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. This article was created to show examples of certutil commands. Sections in this article include:

View CA Configuration

To view the configuration settings for the CA, including the settings applied from CAPolicy.inf during installation or set afterward by post-configuration scripts, run the following commands:

certutil -dump

certutil -getreg

certutil -getreg CA

Publish expired certificates in the CRL

If you want to keep a revoked certificate in the CRL beyond the certificate’s expiration date, you can enable the publication of expired certificates to the CRL by running the following command at a command-line prompt and then restarting Certificate Services.

certutil -setreg ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS
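As an added example (not part of the original article), the following PowerShell checks whether the CA already publishes expired certificates in its CRL, sets the flag only if it is missing, restarts the CA service, and verifies the change afterwards. It relies on certutil -getreg decoding the CRLFlags bitmask into flag names, so no bit value is hard-coded; run it elevated on the CA.

```powershell
# Added example: enable CRLF_PUBLISH_EXPIRED_CERT_CRLS only when it is not set yet,
# then verify the change after restarting the CA service. Run elevated on the CA.
$Flag = 'CRLF_PUBLISH_EXPIRED_CERT_CRLS'

function Test-CrlFlag {
    param([string]$Name)
    # certutil -getreg prints the CRLFlags DWORD followed by one decoded flag name
    # per set bit, so a text match on the name tells us whether the bit is set.
    $out = & certutil.exe -getreg ca\CRLFlags 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed:`n$out" }
    return [bool]($out -match [regex]::Escape($Name))
}

if (Test-CrlFlag -Name $Flag) {
    Write-Host "$Flag is already set; nothing to do."
} else {
    & certutil.exe -setreg ca\CRLFlags "+$Flag" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    # The CA reads CRLFlags at start-up, so the service must be restarted.
    Restart-Service -Name CertSvc
    # Re-read the value rather than assuming the change took effect.
    if (-not (Test-CrlFlag -Name $Flag)) { throw "$Flag did not persist after restart" }
    Write-Host "$Flag enabled; revoked certificates now stay in the CRL past their expiration date."
}
```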

Dump certificate templates and settings from the CA

certutil -v -template

Variations of that command

certutil -v -template > templatelist.txt

certutil -v -template clientauth > clientauthsettings.txt

Copy a CRL to a file

To copy the certificate revocation list to removable media (for example, a floppy drive at a:) as a file named corprootca.crl, run the following command:

certutil -getcrl a:\corprootca.crl

View Certificate Templates

If you want to dump a list of certificate templates and their settings to a text file (MyTemplates.txt), you can run the following command:

certutil -v -template > MyTemplates.txt

View AIA container

To view the contents of the AIA container in Active Directory Domain Services (AD DS) for a domain named contoso.com, run the following command:

certutil -viewstore "ldap:///CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com"

View Intermediate CA certificate store

To view the content of the client computer’s Intermediate Certification Authorities certificate store, type the following command at a command-line prompt.

certutil -enterprise -viewstore CA

View NTAuth Container

To view the content of the NTAuth container in AD DS for a domain named corp.contoso.com, type the following command on a single line and press ENTER:

certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"
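The AIA and NTAuth commands above both hard-code the DC= components of the domain. As an added example (not part of the original article), this PowerShell reads the forest's configuration naming context from RootDSE, builds both LDAP URLs from it, and lists the containers with certutil -store, which writes the certificates to the console instead of opening the -viewstore dialog; it assumes the machine is domain-joined.

```powershell
# Added example: build the AIA and NTAuth LDAP URLs from the forest's own
# configuration naming context instead of hand-editing DC= components.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext   # e.g. CN=Configuration,DC=contoso,DC=com
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

$containers = [ordered]@{
    AIA    = "ldap:///CN=AIA,$pkiBase"
    NTAuth = "ldap:///CN=NTAuthCertificates,$pkiBase"
}

foreach ($entry in $containers.GetEnumerator()) {
    Write-Host "==== $($entry.Key) container: $($entry.Value)"
    # -viewstore opens the certificate viewer UI; -store writes the same
    # certificates to the console so the list can be captured in a log.
    & certutil.exe -store $entry.Value 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil exited with $LASTEXITCODE while reading $($entry.Key)"
    }
}
```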

View Trusted Root CAs

To view the content of the client computer’s Trusted Root Certification Authorities Enterprise certificate store, type the following command at a command-line prompt.

certutil -enterprise -viewstore Root

Purge policy cache

When you work with Certificate Enrollment Policy Web Service servers, a cache of downloaded enrollment policies is kept on the local computer. You may want to clear it when the resulting certificate policies are not what you expect. To clear the certificate policy cache, run the following command:

certutil -f -policyserver * -policycache delete

Check the certificate revocation chain

certutil -verify -urlfetch <certificatename>

certutil -URL <certificatename>
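As an added example (not part of the original article), the following PowerShell runs certutil -verify -urlfetch over every .cer file in a folder and reports which chains fail, using the exit code as the verdict and the output text only for the human-readable reason. The folder path is an assumption.

```powershell
# Added example: batch-verify the chain and revocation status of .cer files with
# certutil -verify -urlfetch and surface the certificates that fail.
param([string]$CertFolder = '.\certs')   # assumed folder of .cer files to check

function Test-CertChain {
    param([string]$Path)
    $out = & certutil.exe -verify -urlfetch $Path 2>&1 | Out-String
    # certutil exits non-zero when chain building or revocation checking fails,
    # so the exit code is the verdict; the text is only used to explain why.
    $ok = ($LASTEXITCODE -eq 0)
    $reason = (($out -split "`r?`n") |
               Where-Object { $_ -match 'ERROR|revoked|revocation|offline' } |
               Select-Object -First 3) -join ' | '
    [pscustomobject]@{
        Certificate = Split-Path -Path $Path -Leaf
        ChainOk     = $ok
        Detail      = if ($ok) { 'chain and revocation status verified' } else { $reason }
    }
}

$results = Get-ChildItem -Path $CertFolder -Filter *.cer |
           ForEach-Object { Test-CertChain -Path $_.FullName }
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.ChainOk })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) certificate(s) failed verification; review the Detail column."
}
```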

For more information on these commands, see the end of the Step by Step Guide – Two Tier PKI Hierarchy Deployment.

Certutil Q & A

This could become a Frequently Asked Questions (FAQ) about Certutil at some point. For now, we will just keep it here:

When do you use 'certutil -addstore' versus 'certutil -importcert'?

  • Use Certutil -addstore to add a .cer file to any store. It adds a raw certificate to a certificate store. A .cer file does not contain the private key; a .pfx file usually does.
  • Use Certutil -importpfx to import a .pfx, usually into the personal store (My store). Certutil -importcert is meant to import a cert into a CA’s database. This is useful when using the CA to archive certs and keys that were not issued by the CA, or to be able to manage CRLs for a cert that was lost from the CA’s database for some reason.
  • Certutil -repairstore can be used to associate a certificate with the matching private key. This could be useful if someone deleted a certificate from the store and lost the CERT_KEY_PROV_INFO_PROP_ID property that points at the private key.
  • Certreq -accept installs an issued certificate when there is a pending certificate request in the Request store.
    • The command should be used if there is a pending request, because it picks up the CERT_KEY_PROV_INFO_PROP_ID property, friendly name, and other properties from the pending (also known as dummy) certificate, attaches them to the new certificate, and removes the pending (dummy) certificate.
    • The sequence of this flow follows this command order:
      • Certreq -new (creates a new request and dummy certificate)
      • Certreq -submit (or using some manual submission method via a Web page)
      • Certreq -retrieve (if there is a pending request that is later issued)
      • Certreq -accept (installs the certificate)
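As an added example (not part of the original article), the following PowerShell runs the certreq -new / -submit / -retrieve / -accept sequence described above end to end. The template name, subject and CA config string are assumed values; the request is created with a non-exportable machine key, so the script must run elevated.

```powershell
# Added example: the certreq -new / -submit / -retrieve / -accept sequence run
# end to end. Template, subject and CA config string are assumed values.
$Template = 'WebServer'                            # assumed template name
$Subject  = 'CN=web01.contoso.com'                 # assumed subject
$CaConfig = 'ca01.contoso.com\Contoso-IssuingCA'   # assumed "CAHostName\CAName"
$WorkDir  = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir 'request.inf'
$req = Join-Path $WorkDir 'request.req'
$cer = Join-Path $WorkDir 'issued.cer'

# Request parameters; a non-exportable machine key keeps the private key on this host.
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

function Invoke-CertReq {
    param([string[]]$CmdArgs)
    $out = & certreq.exe @CmdArgs 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certreq $($CmdArgs[0]) failed:`n$out" }
    return $out
}

# 1. -new creates the key pair, writes the PKCS#10 request and stores a pending
#    ("dummy") certificate that carries the CERT_KEY_PROV_INFO_PROP_ID reference.
Invoke-CertReq -CmdArgs @('-new', '-q', $inf, $req) | Out-Null

# 2. -submit sends the request; it reports a RequestId whether the CA issued it
#    immediately or left it pending for a CA manager, so do not fail on exit code here.
$submit = & certreq.exe -submit -q -config $CaConfig $req $cer 2>&1 | Out-String
if ($submit -notmatch 'RequestId:\s*(\d+)') { throw "certreq -submit gave no RequestId:`n$submit" }
$requestId = $Matches[1]

# 3. -retrieve fetches the issued certificate (fails if it is still pending).
Invoke-CertReq -CmdArgs @('-retrieve', '-q', '-config', $CaConfig, $requestId, $cer) | Out-Null

# 4. -accept matches the issued certificate to the key held by the dummy
#    certificate, installs it in the machine's Personal store, and removes the dummy.
Invoke-CertReq -CmdArgs @('-accept', '-q', '-machine', $cer) | Out-Null
Write-Host "Installed certificate for $Subject (RequestId $requestId)."
```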

Additional references for CertUtil Examples

Certificate Revocation and Status Checking – A link to the whitepaper in the TechNet Library; the appendixes have many examples

Basic CRL checking with certutil – A link to an entry in the PKI blog

Additional details about certificate status codes

CERT_TRUST_STATUS Structure – provides certificate status code meanings