C windows syswow64 stnetflt nss certutil exe

WINDOWS

When it comes to managing digital certificates in Windows, certutil.exe stands out as a powerful command-line tool included in the Windows operating system. This utility plays a critical role in system administrators’ and security personnel’s toolkit, enabling management, validation, and troubleshooting of certificates and their associated files. In this article, we’ll explore the functionality, usage, and structure of certutil.exe, including its location on your system, command syntax, and practical applications.

Understanding certutil.exe

What is certutil.exe?

certutil.exe is a part of the Windows Certificate Services and it provides a variety of functionalities related to digital certificates. It is primarily used to manage Public Key Infrastructure (PKI) environments, allowing users to create, manage, and retrieve certificates along with other related tasks.

Location of certutil.exe

In a typical installation, certutil.exe is a binary Portable Executable (PE) file located in the system directory at:

%windir%\system32\certutil.exe

On 64-bit versions of Windows, you can find it in:

C:\Windows\System32\certutil.exe

It is important to note that on 32-bit versions, the executable can be found in:

C:\Windows\SysWOW64\certutil.exe

Core Functionalities of certutil.exe

certutil.exe comes with a wide array of features that allow for various certificate management tasks. Below are some of the key functionalities:

1. Certificate Retrieval and Validation

• Retrieve Certificates: Fetch certificates from a specified certificate store.

• Validate Certificates: Check the validity of a given certificate chain and provide error details if any issues exist.

2. Certificate Management

• Add/Remove Certificates: You can add or delete certificates from certificate stores.

• Export/Import Certificates: Transfer certificates in different formats (e.g., PFX, CER).

3. Certificate Authority (CA) Operations

• CA Management: Administer Certificate Authorities, view their status, and manage their configurations.

• Revocation List Management: Publish or check Certificate Revocation Lists (CRLs).

4. Base64 Encoding/Decoding

• Convert Certificates: Utilize certutil to encode or decode certificate files, which is useful for transmitting certificates over media that might not handle binary data well.

Command Syntax

The basic command format for using certutil.exe is:

certutil [-set| -get] [parameters]

Commonly Used Commands

Here’s a brief overview of some essential commands characteristic of certutil.exe:

• List Certificates:

• Export Certificate:

  certutil -exportpfx MyCertificate.pfx -p "your_password" -user
  

• Display Certificate Details:

  certutil -dump your_certificate.cer
  

• Check Certificate Chain:

  certutil -verify your_certificate.cer
  

Examples:

Example 1: Listing Certificates

To list all certificates in the Personal store:

Example 2: Exporting a Certificate

To export a certificate identified by its serial number into a PFX file:

certutil -exportpfx -p "your_password" "SerialNumber" output.pfx

Troubleshooting with certutil.exe

When working with certificates, you may encounter errors or issues that require troubleshooting. Here’s how certutil.exe can assist:

Common Errors and Their Solutions

• Invalid Certificate Error: Running certutil -verify may show an “Invalid” status. In this case, ensure that:

  • The certificate is expired.

  • The certificate chain is incomplete.

• Revoked Certificates: If a certificate is reported as revoked, use:

  certutil -urlfetch -verify your_certificate.cer
  

  This command checks against CRLs to determine the certificate’s status.

Conclusion

certutil.exe is an indispensable tool for Windows administrators and cybersecurity professionals who need to manage and validate certificates effectively. Understanding how to navigate its functions not only aids in maintaining digital security but also provides a robust solution for troubleshooting certificate-related issues.

Key Takeaways:

• Location: Found under %windir%\system32\certutil.exe.

• Functionality: Includes retrieval, management, and validation of digital certificates.

• Command Syntax: Offers a flexible command syntax for various operations.

• Troubleshooting: Provides significant assistance in diagnosing certificate issues.

By incorporating certutil.exe into your repertoire, you can better manage digital certificates, ensuring robust infrastructure security and compliance within your organization.

Suggested Articles

This repository was archived by the owner on Apr 29, 2021. It is now read-only.

Certutil.exe is a command-line program that is installed as part of Certificate Services in the Windows Server 2003 family.

You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

For more information about how to use Certutil.exe to perform specific tasks, see the following topics:
•Certutil tasks for encoding and decoding certificates
http://technet.microsoft.com/en-us/library/cc772656(v=ws.10).aspx

•Certutil tasks for configuring a Certification Authority (CA)
http://technet.microsoft.com/en-us/library/cc772627(v=ws.10).aspx

•Certutil tasks for managing a Certification Authority (CA)
http://technet.microsoft.com/en-us/library/cc772751(v=ws.10).aspx

•Certutil tasks for managing certificates
http://technet.microsoft.com/en-us/library/cc772898(v=ws.10).aspx

•Certutil tasks for managing CRLs
http://technet.microsoft.com/en-us/library/cc772629(v=ws.10).aspx

•Certutil tasks for key archival and recovery
http://technet.microsoft.com/en-us/library/cc738780(v=ws.10).aspx

•Certutil tasks for backing up and restoring certificates
http://technet.microsoft.com/en-us/library/cc755341(v=ws.10).aspx

•Certutil tasks for troubleshooting certificates
http://technet.microsoft.com/en-us/library/cc772619(v=ws.10).aspx

To display the certificates in the Local Machine certificate store

Syntax

certutil-store [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-v] [-dc DCName] CertificateStoreName [CertID [OutFile]]]

CertificateStoreName Specifies one of the following store names:

ca Specifies certificates in the Intermediate Certification Authorities store.
my Specifies certificates issued to the current user.
root Specifies certificates in the Trusted Root Certification Authorities store.

spc Specifies software publisher certificates.
UserCreatedStore Specifies the name of a user-created certificate store.

Eg.
C:\windows\system32>certutil -store
CA
================ Certificate 0 ================
Serial Number: 06376c00aa00648a11cfb8d4aa5c35f4
Issuer: CN=Root Agency
NotBefore: 29-05-1996 03:32
NotAfter: 01-01-2040 05:29
Subject: CN=Root Agency
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): fe e4 49 ee 0e 39 65 a5 24 6f 00 0e 87 fd e2 a0 65 fd 89 d4
No key provider information
Cannot find the certificate and private key for decryption.

================ Certificate 1 ================
Serial Number: 46fcebbab4d02f0f926098233f93078f
Issuer: OU=Class 3 Public Primary Certification Authority, O=VeriSign, Inc., C=U
S
NotBefore: 17-04-1997 05:30
NotAfter: 25-10-2016 05:29
Subject: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU
=VeriSign International Server CA – Class 3, OU=VeriSign, Inc., O=VeriSign Trust
Network
Non-root Certificate
Template:
Cert Hash(sha1): d5 59 a5 86 66 9b 08 f4 6a 30 a1 33 f8 a9 ed 3d 03 8e 2e a8
No key provider information
Cannot find the certificate and private key for decryption.
================ Certificate 2 ================
Serial Number: 198b11d13f9a8ffe69a0
Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c)
1997 Microsoft Corp.
NotBefore: 01-10-1997 12:30
NotAfter: 31-12-2002 12:30
Subject: CN=Microsoft Windows Hardware Compatibility, OU=Microsoft Corporation,
OU=Microsoft Windows Hardware Compatibility Intermediate CA, OU=Copyright (c) 19
97 Microsoft Corp.
Non-root Certificate
Template:
Cert Hash(sha1): 10 9f 1c ae d6 45 bb 78 b3 ea 2b 94 c0 69 7c 74 07 33 03 1c
No key provider information
Cannot find the certificate and private key for decryption.
================ CRL 0 ================
Issuer:
OU=VeriSign Commercial Software Publishers CA
O=VeriSign, Inc.
L=Internet
CRL Hash(sha1): a3 77 d1 b1 c0 53 88 33 03 52 11 f4 08 3d 00 fe cc 41 4d ab
CertUtil: -store command completed successfully.

usages
>certutil -?

Verbs:
-dump             — Dump configuration information or files
-asn              — Parse ASN.1 file

-decodehex        — Decode hexadecimal-encoded file
-decode           — Decode Base64-encoded file
-encode           — Encode file to Base64

-deny             — Deny pending request
-resubmit         — Resubmit pending request
-setattributes    — Set attributes for pending request
-setextension     — Set extension for pending request
-revoke           — Revoke Certificate
-isvalid          — Display current certificate disposition

-getconfig        — Get default configuration string
-ping             — Ping Active Directory Certificate Services Request interf
ace
-pingadmin        — Ping Active Directory Certificate Services Admin interfac
e
-CAInfo           — Display CA Information
-ca.cert          — Retrieve the CA’s certificate
-ca.chain         — Retrieve the CA’s certificate chain
-GetCRL           — Get CRL
-CRL              — Publish new CRLs [or delta CRLs only]
-shutdown         — Shutdown Active Directory Certificate Services

-installCert      — Install Certification Authority certificate
-renewCert        — Renew Certification Authority certificate

-schema           — Dump Certificate Schema
-view             — Dump Certificate View
-db               — Dump Raw Database
-deleterow        — Delete server database row

-backup           — Backup Active Directory Certificate Services
-backupDB         — Backup Active Directory Certificate Services database
-backupKey        — Backup Active Directory Certificate Services certificate
and private key
-restore          — Restore Active Directory Certificate Services
-restoreDB        — Restore Active Directory Certificate Services database
-restoreKey       — Restore Active Directory Certificate Services certificate
and private key
-importPFX        — Import certificate and private key
-dynamicfilelist  — Display dynamic file List
-databaselocations — Display database locations
-hashfile         — Generate and display cryptographic hash over a file

-store            — Dump certificate store
-addstore         — Add certificate to store
-delstore         — Delete certificate from store
-verifystore      — Verify certificate in store
-repairstore      — Repair key association or update certificate properties o
r key security descriptor
-viewstore        — Dump certificate store
-viewdelstore     — Delete certificate from store

-dsPublish        — Publish certificate or CRL to Active Directory

-ADTemplate       — Display AD templates
-Template         — Display Enrollment Policy templates
-TemplateCAs      — Display CAs for template
-CATemplates      — Display templates for CA
-enrollmentServerURL — Display, add or delete enrollment server URLs associat
ed with a CA
-ADCA             — Display AD CAs
-CA               — Display Enrollment Policy CAs
-Policy           — Display Enrollment Policy
-PolicyCache      — Display or delete Enrollment Policy Cache entries
-CredStore        — Display, add or delete Credential Store entries
-InstallDefaultTemplates — Install default certificate templates
-URLCache         — Display or delete URL cache entries
-pulse            — Pulse autoenrollment events
-MachineInfo      — Display Active Directory machine object information
-DCInfo           — Display domain controller information
-EntInfo          — Display enterprise information
-TCAInfo          — Display CA information
-SCInfo           — Display smart card information

-SCRoots          — Manage smart card root certificates

-verifykeys       — Verify public/private key set
-verify           — Verify certificate, CRL or chain
-sign             — Re-sign CRL or certificate

-vroot            — Create/delete web virtual roots and file shares
-vocsproot        — Create/delete web virtual roots for OCSP web proxy
-addEnrollmentServer — Add an Enrollment Server application
-deleteEnrollmentServer — Delete an Enrollment Server application
-oid              — Display ObjectId or set display name
-error            — Display error code message text
-getreg           — Display registry value
-setreg           — Set registry value
-delreg           — Delete registry value

-ImportKMS        — Import user keys and certificates into server database fo
r key archival
-ImportCert       — Import a certificate file into the database
-GetKey           — Retrieve archived private key recovery blob
-RecoverKey       — Recover archived private key
-MergePFX         — Merge PFX files
-ConvertEPF       — Convert PFX files to EPF file
-?                — Display this usage message
CertUtil -?              — Display a verb list (command list)
CertUtil -dump -?        — Display help text for the “dump” verb
CertUtil -v -?           — Display all help text for all verbs

Refferences
http://technet.microsoft.com/en-in/library/cc732443.aspx
http://ss64.com/nt/certutil.html
http://technet.microsoft.com/en-us/library/cc772898(v=ws.10).aspx