secreci.com

Certutil.exe - Undocumented Switches

Published: Wed, 30 Oct 2013 22:02:25 GMT

Certutil is a really useful tool for administering various parts of a Microsoft CA, but not all the switches are documented – they don’t even show up when you do a ‘certutil -v -?’ to show the full help.

So far, I have found the following verbs and options – the verbs have documentation if you specify them on the command line, e.g. ‘certutil -setsmtpinfo -v -?’. I have only included the ‘hidden’ verbs and options below – you can find the standard options by checking the certutil help.

If you have any other verbs and options I’ve missed, please let me know in the comments and I’ll add them to this page. If you have any clever ways of using certutil, please let me know – I’m always looking for better ways of doing things!

Note: Microsoft may have hidden these options for a reason – use them with care, and at your own risk! Microsoft probably won’t provide support if you hit problems!

Verbs:

setsmtpinfo
Usage:
CertUtil [Options] -setsmtpinfo LogonName
Set SMTP info
[-config Machine\CAName] [-p Password]

getsmtpinfo
Usage:
CertUtil [Options] -getsmtpinfo
Get SMTP info
[-config Machine\CAName]

7f
Usage:
CertUtil [Options] -7f CertFile
Check certificate for 0x7f length encodings

Class
Usage:
CertUtil [Options] -Class [ClassId | ProgId | DllName | *]
Display COM registry information
[-f]

CNGConfig
Usage:
CertUtil [Options] -CNGConfig
Display CNG Configuration
[-silent]

csptest
Usage:
CertUtil [Options] -csptest [Algorithm]
Test CSPs installed on this machine
[-user] [-silent] [-csp Provider]

csplist
Usage:
CertUtil [Options] -csplist [Algorithm]
List CSPs installed on this machine
[-user] [-silent] [-csp Provider]

delkey
Usage:
CertUtil [Options] -delkey KeyContainerName
Delete named key container
[-user] [-silent] [-csp Provider]

key
Usage:
CertUtil [Options] -key [KeyContainerName | -]
List key containers
[-user] [-silent] [-csp Provider]

SCDump
Usage:
CertUtil [Options] -SCDump [ReaderName]
Dump smart card file information
[-f] [-silent] [-split] [-p Password]

URL
Usage:
CertUtil [Options] -URL InFile | URL
Verify Certificate or CRL URLs
[-f] [-split]

SetCASites
Usage:
CertUtil [Options] -SetCASites [SiteName]
Set Site Names for CAs
[-f] [-silent] [-config Machine\CAName] [-dc DCName]

SetCATemplates
Usage:
CertUtil [Options] -SetCATemplates [+ | -]TemplateList
Set templates for CA

dsAddTemplate
Usage:
CertUtil [Options] -dsAddTemplate TemplateInfFile
Add DS Templates
[-dc DCName]

dsTemplate
Usage:
CertUtil [Options] -dsTemplate [Template]
Display DS Template Attributes
[-silent] [-dc DCName]

dsDeltaCRL
Usage:
CertUtil [Options] -dsDeltaCRL [FullDSDN] | [CRLIndex [OutFile]]
Display DS Delta CRLs
[-enterprise] [-user] [-config Machine\CAName] [-dc DCName]

dsCRL
Usage:
CertUtil [Options] -dsCRL [FullDSDN] | [CRLIndex [OutFile]]
Display DS CRLs
[-enterprise] [-user] [-config Machine\CAName] [-dc DCName]

dsCert
Usage:
CertUtil [Options] -dsCert [FullDSDN] | [CertId [OutFile]]
Display DS Certificates
[-enterprise] [-user] [-config Machine\CAName] [-dc DCName]

dsDel
Usage:
CertUtil [Options] -dsDel CN
Delete DS DNs
[-split] [-dc DCName]

ds
Usage:
CertUtil [Options] -ds [CN]
Display DS DNs
[-f] [-split] [-dc DCName]

getcert
Usage:
CertUtil [Options] -getcert [ObjectId | ERA | KRA [CommonName]]
Select a certificate from a selection UI
[-silent] [-split]

enumstore
Usage:
CertUtil [Options] -enumstore [\\MachineName]
Enumerate certificate stores
MachineName — remote machine name.
[-enterprise] [-user] [-GroupPolicy]

exportPFX
Usage:
CertUtil [Options] -exportPFX [CertificateStoreName] CertId PFXFile [Modifiers]
Export certificate and private key
CertificateStoreName — Certificate store name. See -store.
CertId — Certificate or CRL match token. See -store.
PFXFile — exported PFX data output file
Modifiers — Comma separated list of one or more of the following:
NoChain — Do not export the certificate chain
NoRoot — Do not export the root certificate
Defaults to personal machine store.
[-f] [-enterprise] [-user] [-GroupPolicy] [-split] [-p Password] [-t Timeout]

CAPropInfo
Usage:
CertUtil [Options] -CAPropInfo
Display CA Property Type Information
[-config Machine\CAName]

getconfig3
Usage:
CertUtil [Options] -getconfig3
Get configuration via ICertConfig

getconfig2
Usage:
CertUtil [Options] -getconfig2
Get default configuration string via ICertGetConfig
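
To check which of the verbs listed above exist on a particular Windows build, and whether they are still missing from the full help, the following PowerShell loop requests the per-verb help described at the top of this page. It is an added example, not part of the original post, and it assumes an English-language certutil whose help output uses the 'CertUtil [Options] -verb' usage line and the '  -verb  --' full-help layout.

```powershell
# Added example (not from the original post).
# Verb names are copied from the list on this page.
$hiddenVerbs = @(
    'setsmtpinfo', 'getsmtpinfo', '7f', 'Class', 'CNGConfig', 'csptest',
    'csplist', 'delkey', 'key', 'SCDump', 'URL', 'SetCASites',
    'SetCATemplates', 'dsAddTemplate', 'dsTemplate', 'dsDeltaCRL', 'dsCRL',
    'dsCert', 'dsDel', 'ds', 'getcert', 'enumstore', 'exportPFX',
    'CAPropInfo', 'getconfig3', 'getconfig2'
)

# Full help text, captured once: 'certutil -v -?' as quoted in the post.
$fullHelp = (& certutil.exe -v '-?' 2>&1 | Out-String)

$report = foreach ($verb in $hiddenVerbs) {
    $escaped = [regex]::Escape($verb)

    # Ask for the help of this one verb: 'certutil -<verb> -v -?'.
    $verbHelp = (& certutil.exe "-$verb" -v '-?' 2>&1 | Out-String)

    [pscustomobject]@{
        Verb        = $verb
        # Assumption: a recognised verb echoes its own usage line.
        HasVerbHelp = $verbHelp -match "CertUtil \[Options\] -$escaped(\s|$)"
        # Assumption: the full help lists one verb per line as '  -verb  -- text'.
        InFullHelp  = $fullHelp -match "(?m)^\s*-$escaped\s"
        HelpLines   = ($verbHelp -split "`r?`n" | Where-Object { $_.Trim() }).Count
    }
}

# Verbs with HasVerbHelp = True and InFullHelp = False are hidden on this build.
$report | Sort-Object InFullHelp, Verb | Format-Table -AutoSize
```

Running it on several Windows versions and comparing the tables shows which verbs have since been documented or removed.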

Options:

(I can’t find any info about what these do – some experimentation will be required!)
-admin
-reverse
-oldpfx
-protect
-v1
-unicode
-nocrlf
-nocr
-idispatch

Originally published on my blog at www.planetmediocrity.com
