Certutil and Certreq

I have consolidated and updated two command line utilities recently:

Certreq

Certutil

I took all the older links that I could find and pointed them to the locations above, and then pointed to the examples that we already have. Feel free to give me feedback on these consolidated documents. Thanks!

Comments

  • Anonymous
    January 01, 2003
    Two new favorites for me, Kurt :) Are you on Twitter? Just want to give you credit when I tweet this out. Thanks, Mike

  • Anonymous
    January 01, 2003
    Speaking of certutil -exportpfx, I don't see that one on the certutil page. It is in help, though, and works as advertised. Be sure to use the NoChain modifier if all you want is the certificate + private key. By default you will get the entire chain.

  • Anonymous
    January 01, 2003
    But for sure you can provide a more detailed description for certutil switches.

  • Anonymous
    January 01, 2003
    I don't think you need more examples, because it makes it too hard to find something special. Moreover, I think it is necessary to split some sections into different articles.

  • Anonymous
    January 01, 2003
    Dear Kurt, Thank you very much for answering and sending me these useful links. I'll probably be sending you more feedback to improve the documents as I further work on this.

  • Anonymous
    January 01, 2003
    I think you did an outstanding job!

  • Anonymous
    January 01, 2003
    Dear Kurt, Recently I have been a frequent visitor to these pages. I currently manage an MS Certificate Server and I'm looking into ways to make the process of issuing certificates automated (rather than using the web interface) via tools like certreq and certutil. If you curate these two pages I'd like to point out some omissions that IMHO make these tools difficult to understand and use.

    1. There is no description of the process that one should follow to manually issue certificates: i.e. certreq -new (using the .inf file), -submit, -retrieve
    2. In the certreq page, after describing certreq -submit there are examples mentioned that are never shown
    3. In the certreq page, when describing the .inf files there is only mention of "some of the possible sections" that can be added to an .inf file, e.g. the section [RequestAttributes] which is used to set the most useful CertificateTemplate parameter is shown in the examples but never really explained. Is there any reference document for ALL .inf sections available anywhere?

    These are just some of the many shortcomings that these pages have in my opinion. So, may I kindly ask you if there is any additional (and complete) documentation on these tools available. In any case, thank you very much for all your efforts, Georgios

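
The certreq -new / -submit / -retrieve sequence named in the comment above, as an added example that is not part of the original post or the linked Microsoft pages. The CA config string, subject, template name and file names are placeholders, and the final -accept step goes one step beyond the three verbs the comment lists.

```powershell
# Added example; run from an elevated prompt because MachineKeySet = TRUE.
$caConfig = 'CA01.contoso.example\Contoso-Issuing-CA'   # placeholder: "host\CA name"
$work     = Join-Path $env:TEMP 'certreq-demo'          # placeholder working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Policy (.inf) file consumed by "certreq -new".
#    Exportable = FALSE keeps the private key from being exported later.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=web01.contoso.example"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path "$work\policy.inf" -Encoding ASCII

# 2. Generate the key pair locally and write the PKCS#10 request.
certreq -new "$work\policy.inf" "$work\request.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 3. Submit to the CA. When the template auto-issues, cert.cer is written here.
$submit = certreq -submit -config $caConfig "$work\request.req" "$work\cert.cer"
$submit
$requestId = if (($submit -join "`n") -match 'RequestId:\s*(\d+)') { $Matches[1] }

# 4. If the request was left pending for CA manager approval, fetch it later by ID.
if (-not (Test-Path "$work\cert.cer")) {
    if (-not $requestId) { throw 'No RequestId found in certreq -submit output' }
    certreq -retrieve -config $caConfig $requestId "$work\cert.cer"
}

# 5. Install the issued certificate and bind it to the key created in step 2.
if (Test-Path "$work\cert.cer") { certreq -accept "$work\cert.cer" }
```
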
  • Anonymous
    January 01, 2003
    Thank you, Vadims and Mike. I do participate in a team Twitter acct /addocteam. I am sure there's plenty of room for improvement on those articles, so I am glad to make improvements. One of the things I think would be helpful is to start linking out or even embedding more examples. Anyways, this is a start and more updates are already planned for this week.

  • Anonymous
    May 06, 2013
    This is gold! ...and is making my life much easier. Thanks very much Kurt.

  • Anonymous
    May 24, 2013
    Kurt, Thank you for taking the time to read my comments and even taking them to the developer. I finally begin to see a more clear picture. For now, I'll take any further practical questions to the Security Forum but I would also like to help improve the documentation. I'll try to provide some more comments as I work more with the tools. Regards, Georgios

  • Anonymous
    February 12, 2015
    Hello, I don't know whether this thread is active but I have a peculiar situation where I am trying to migrate the key from different HSMs too. After migrating the keys my new CA isn't able to find the key. Active Directory Certificate Services setup failed with the following error: Key does not exist 0x80009000d(-2146893811).

  • Anonymous
    June 04, 2015
    Hi all, Is there a way to override the Subject in a CSR when submitting it to a CA? I basically want to add an email address to the Subject if it doesn't already have it.
    For example, in the CSR the Subject is "CN=contoso.com". I want to change it to "E=webadmins@contoso.com,CN=contoso.com".

    We're trying to make sure every cert has an email with it so that we can use it to notify the owner before a cert expires.

    Thanks in advance.

  • Anonymous
    July 05, 2015
    Hi Guys,
    Sorry to bump into this thread with a different question...
    But would you know a way to use certutil to extract certs (starting) on a given date?
    Sample: I would like to extract all certs issued starting Jan 1, 2015.

    The command I issue below doesn't seem to work:
    certutil -view -restrict "NotBefore>=1/1/2015" -out "RequestID,NotBefore,NotAfter,CertificateTemplate" > file.txt

    Thanks in advance,
    Romell

  • Anonymous
    December 03, 2016
    I've been looking for a complete list of certutil commands as I'm back to a work role where I need a full reference. Right now my watermark is if the list includes "-SetCAtemplates". That command saved my bacon last night at about 8PM when one of my issuing CAs failed to pick up a new template. This is clearly a wonderful reference and I'll certainly be using it, but it does appear to be missing some stuff. You have my sincere appreciation for the effort of putting together what's already here. I'm sure it will be invaluable.

  • Anonymous
    December 06, 2016
    How do I get a list of certificates that have not been revoked (I don't want the revoked ones in the list) using the certutil command?