certutil

Certutil.exe is a command-line program, installed as part of Certificate Services. You can use certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

If certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. If certutil is run on a non-certification authority, the command defaults to running the certutil [-dump] command.

Important

Earlier versions of certutil may not provide all of the options that are described in this document. You can see all the options that a specific version of certutil provides by running certutil -? or certutil <parameter> -?.

Parameters

-dump

Dump configuration information or files.

certutil [options] [-dump]
certutil [options] [-dump] file
[-f] [-silent] [-split] [-p password] [-t timeout]

-asn

Parse an ASN.1 file.

certutil [options] -asn file [type]

[type]: numeric CRYPT_STRING_* decoding type

-decodehex

Decode a hexadecimal-encoded file.

certutil [options] -decodehex infile outfile [type]

[type]: numeric CRYPT_STRING_* encoding type

[-f]

-decode

Decode a Base64-encoded file.

certutil [options] -decode infile outfile
[-f]

-encode

Encode a file to Base64.

certutil [options] -encode infile outfile
[-f] [-unicodetext]

-deny

Deny a pending request.

certutil [options] -deny requestID
[-config Machine\CAName]

-resubmit

Resubmit a pending request.

certutil [options] -resubmit requestId
[-config Machine\CAName]

-setattributes

Set attributes for a pending certificate request.

certutil [options] -setattributes RequestID attributestring

Where:

  • requestID is the numeric Request ID for the pending request.

  • attributestring is the request attribute name and value pairs.

[-config Machine\CAName]

Remarks

  • Names and values must be colon separated, while multiple name, value pairs must be newline separated. For example: CertificateTemplate:User\nEMail:User@Domain.com where the \n sequence is converted to a newline separator.
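As an added example (not from the certutil documentation), a small Python parser and builder for the attributestring format described above: name and value separated by a colon, pairs separated by newlines, with the literal \n sequence converted to a newline. The duplicate-name check and the round-trip builder are this example's own additions.

```python
"""Parse and build the attributestring given to 'certutil -setattributes'.

Added example, not from the certutil documentation. Format (from the page):
'Name:Value' pairs separated by newlines, where the two-character sequence
'\\n' on the command line stands for a newline.
"""
from __future__ import annotations


def parse_attribute_string(attributestring: str) -> dict[str, str]:
    """Return {name: value} for e.g. 'CertificateTemplate:User\\nEMail:User@Domain.com'.

    Each entry is split at its first colon, so values may themselves contain
    colons. Extra checks that are this example's own: blank entries are
    skipped, an entry with no colon or an empty name is rejected, and a
    name given twice is rejected rather than letting the later pair win.
    """
    normalized = attributestring.replace("\\n", "\n")
    attributes: dict[str, str] = {}
    for raw in normalized.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        name, sep, value = entry.partition(":")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed attribute entry: {entry!r}")
        if name in attributes:
            raise ValueError(f"duplicate attribute name: {name}")
        attributes[name] = value.strip()
    return attributes


def build_attribute_string(attributes: dict[str, str]) -> str:
    """Inverse of parse_attribute_string: the single-line form typed on the
    command line, with a literal '\\n' between pairs."""
    for name, value in attributes.items():
        if not name or ":" in name or "\n" in name + value:
            raise ValueError(f"attribute {name!r} cannot be encoded")
    return "\\n".join(f"{name}:{value}" for name, value in attributes.items())


if __name__ == "__main__":
    # The page's own example, as a constructed input.
    sample = "CertificateTemplate:User\\nEMail:User@Domain.com"
    parsed = parse_attribute_string(sample)
    print(parsed)
    assert build_attribute_string(parsed) == sample
```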

-setextension

Set an extension for a pending certificate request.

certutil [options] -setextension requestID extensionname flags {long | date | string | \@infile}

Where:

  • requestID is the numeric Request ID for the pending request.

  • extensionname is the ObjectId string for the extension.

  • flags sets the priority of the extension. 0 is recommended, while 1 sets the extension to critical, 2 disables the extension, and 3 does both.

[-config Machine\CAName]

Remarks

  • If the last parameter is numeric, it's taken as a Long.

  • If the last parameter can be parsed as a date, it's taken as a Date.

  • If the last parameter starts with \@, the rest of the token is taken as the filename with binary data or an ASCII-text hex dump.

  • If the last parameter is anything else, it's taken as a String.

-revoke

Revoke a certificate.

certutil [options] -revoke serialnumber [reason]

Where:

  • serialnumber is a comma-separated list of certificate serial numbers to revoke.

  • reason is the numeric or symbolic representation of the revocation reason, including:

    • 0. CRL_REASON_UNSPECIFIED - Unspecified (default)

    • 1. CRL_REASON_KEY_COMPROMISE - Key compromise

    • 2. CRL_REASON_CA_COMPROMISE - Certificate Authority compromise

    • 3. CRL_REASON_AFFILIATION_CHANGED - Affiliation changed

    • 4. CRL_REASON_SUPERSEDED - Superseded

    • 5. CRL_REASON_CESSATION_OF_OPERATION - Cessation of operation

    • 6. CRL_REASON_CERTIFICATE_HOLD - Certificate hold

    • 8. CRL_REASON_REMOVE_FROM_CRL - Remove from CRL

    • -1. Unrevoke - Unrevoke

[-config Machine\CAName]

-isvalid

Display the disposition of the current certificate.

certutil [options] -isvalid serialnumber | certhash
[-config Machine\CAName]

-getconfig

Get the default configuration string.

certutil [options] -getconfig
[-config Machine\CAName]

-ping

Attempt to contact the Active Directory Certificate Services Request interface.

certutil [options] -ping [maxsecondstowait | camachinelist]

Where:

  • camachinelist is a comma-separated list of CA machine names. For a single machine, use a terminating comma. This option also displays the site cost for each CA machine.

[-config Machine\CAName]

-cainfo

Display information about the certification authority.

certutil [options] -cainfo [infoname [index | errorcode]]

Where:

  • infoname indicates the CA property to display, based on the following infoname argument syntax:

    • file - File version

    • product - Product version

    • exitcount - Exit module count

    • exit [index] - Exit module description

    • policy - Policy module description

    • name - CA name

    • sanitizedname - Sanitized CA name

    • dsname - Sanitized CA short name (DS name)

    • sharedfolder - Shared folder

    • error1 ErrorCode - Error message text

    • error2 ErrorCode - Error message text and error code

    • type - CA type

    • info - CA info

    • parent - Parent CA

    • certcount - CA cert count

    • xchgcount - CA exchange cert count

    • kracount - KRA cert count

    • kraused - KRA cert used count

    • propidmax - Maximum CA PropId

    • certstate [index] - CA cert

    • certversion [index] - CA cert version

    • certstatuscode [index] - CA cert verify status

    • crlstate [index] - CRL

    • krastate [index] - KRA cert

    • crossstate+ [index] - Forward cross cert

    • crossstate- [index] - Backward cross cert

    • cert [index] - CA cert

    • certchain [index] - CA cert chain

    • certcrlchain [index] - CA cert chain with CRLs

    • xchg [index] - CA exchange cert

    • xchgchain [index] - CA exchange cert chain

    • xchgcrlchain [index] - CA exchange cert chain with CRLs

    • kra [index] - KRA cert

    • cross+ [index] - Forward cross cert

    • cross- [index] - Backward cross cert

    • CRL [index] - Base CRL

    • deltacrl [index] - Delta CRL

    • crlstatus [index] - CRL publish status

    • deltacrlstatus [index] - Delta CRL publish status

    • dns - DNS name

    • role - Role separation

    • ads - Advanced Server

    • templates - Templates

    • ocsp [index] - OCSP URLs

    • aia [index] - AIA URLs

    • cdp [index] - CDP URLs

    • localename - CA locale name

    • subjecttemplateoids - Subject Template OIDs

    • * - Displays all properties

  • index is the optional zero-based property index.

  • errorcode is the numeric error code.

[-f] [-split] [-config Machine\CAName]

-ca.cert

Retrieve the certificate for the certification authority.

certutil [options] -ca.cert outcacertfile [index]

Where:

  • outcacertfile is the output file.

  • index is the CA certificate renewal index (defaults to most recent).

[-f] [-split] [-config Machine\CAName]

-ca.chain

Retrieve the certificate chain for the certification authority.

certutil [options] -ca.chain outcacertchainfile [index]

Where:

  • outcacertchainfile is the output file.

  • index is the CA certificate renewal index (defaults to most recent).

[-f] [-split] [-config Machine\CAName]

-getcrl

Gets a certificate revocation list (CRL).

certutil [options] -getcrl outfile [index] [delta]

Where:

  • index is the CRL index or key index (defaults to the CRL for the most recent key).

  • delta is the delta CRL (default is the base CRL).

[-f] [-split] [-config Machine\CAName]

-crl

Publish new certificate revocation lists (CRLs) or delta CRLs.

certutil [options] -crl [dd:hh | republish] [delta]

Where:

  • dd:hh is the new CRL validity period in days and hours.

  • republish republishes the most recent CRLs.

  • delta publishes the delta CRLs only (default is base and delta CRLs).

[-split] [-config Machine\CAName]

-shutdown

Shuts down Active Directory Certificate Services.

certutil [options] -shutdown
[-config Machine\CAName]

-installcert

Installs a certification authority certificate.

certutil [options] -installcert [cacertfile]
[-f] [-silent] [-config Machine\CAName]

-renewcert

Renews a certification authority certificate.

certutil [options] -renewcert [reusekeys] [Machine\ParentCAName]
[-f] [-silent] [-config Machine\CAName]

  • Use -f to ignore an outstanding renewal request and to generate a new request.

-schema

Dumps the schema for the certificate.

certutil [options] -schema [ext | attrib | cRL]

Where:

  • The command defaults to the Request and Certificate table.

  • ext is the extension table.

  • attribute is the attribute table.

  • crl is the CRL table.

[-split] [-config Machine\CAName]

-view

Dumps the certificate view.

certutil [options] -view [queue | log | logfail | revoked | ext | attrib | crl] [csv]

Where:

  • queue dumps a specific request queue.

  • log dumps the issued or revoked certificates, plus any failed requests.

  • logfail dumps the failed requests.

  • revoked dumps the revoked certificates.

  • ext dumps the extension table.

  • attribute dumps the attribute table.

  • crl dumps the CRL table.

  • csv provides the output using comma-separated values.

[-silent] [-split] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

Remarks

  • To display the StatusCode column for all entries, type: -out StatusCode

  • To display all columns for the last entry, type: -restrict RequestId==$

  • To display the RequestID and Disposition for three requests, type: -restrict requestID>37,requestID<40 -out requestID,disposition

  • To display Row IDs and CRL numbers for all Base CRLs, type: -restrict crlminbase=0 -out crlrowID,crlnumber crl

  • To display , type: -v -restrict crlminbase=0,crlnumber=3 -out crlrawcrl crl

  • To display the entire CRL table, type: CRL

  • Use Date[+|-dd:hh] for date restrictions.

  • Use now+dd:hh for a date relative to the current time.
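The -restrict and -out syntax above, as an added Python example that is not part of the original documentation: it evaluates a RestrictionList (the operators the page uses: ==, =, >, <, the $ last-entry token, Date[+|-dd:hh] and now+dd:hh values) and a ColumnList over constructed rows standing in for a few CA Request-table entries, so you can see which rows a given certutil -view -restrict ... -out ... would return before running it against a production CA. The column names, sample rows and the fixed SAMPLE_NOW clock are this example's assumptions, not certutil output.

```python
"""Evaluate certutil -view style -restrict / -out arguments offline.

Added example, not part of the certutil documentation. SAMPLE_ROWS is a
constructed stand-in for a few CA Request-table rows.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed sample rows (assumed column names, not certutil output).
SAMPLE_ROWS = [
    {"RequestID": 36, "Disposition": 20, "SubmittedWhen": datetime(2024, 1, 10, 9, 0)},
    {"RequestID": 37, "Disposition": 20, "SubmittedWhen": datetime(2024, 1, 11, 9, 0)},
    {"RequestID": 38, "Disposition": 31, "SubmittedWhen": datetime(2024, 1, 12, 9, 0)},
    {"RequestID": 39, "Disposition": 20, "SubmittedWhen": datetime(2024, 1, 12, 15, 0)},
    {"RequestID": 40, "Disposition": 21, "SubmittedWhen": datetime(2024, 1, 13, 9, 0)},
]
# Fixed "current time" so that now+dd:hh restrictions are reproducible.
SAMPLE_NOW = datetime(2024, 1, 13, 12, 0)

# column, operator, value (the operators the page's examples use)
_CLAUSE = re.compile(r"^\s*([A-Za-z]+)\s*(==|>|<|=)\s*(.+?)\s*$")
# "now+dd:hh" or "m/d/yyyy-dd:hh": a base date plus or minus days:hours
_RELATIVE = re.compile(r"^(now|[^+-]+)([+-])(\d+):(\d+)$", re.IGNORECASE)
_OPS = {
    "=": lambda a, b: a == b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def _lookup(row: dict, column: str):
    """Column names are matched case-insensitively (RequestId == requestID)."""
    for key, value in row.items():
        if key.lower() == column.lower():
            return value
    raise KeyError(f"unknown column: {column}")


def _parse_value(text: str, column: str, rows: list[dict], now: datetime):
    if text == "$":                      # '$' means the last entry's value
        return _lookup(rows[-1], column)
    match = _RELATIVE.match(text)
    if match:                            # Date[+|-dd:hh] or now+dd:hh
        base_text, sign, days, hours = match.groups()
        base = now if base_text.lower() == "now" else datetime.strptime(base_text, "%m/%d/%Y")
        delta = timedelta(days=int(days), hours=int(hours))
        return base + delta if sign == "+" else base - delta
    try:
        return int(text)
    except ValueError:
        return datetime.strptime(text, "%m/%d/%Y")   # plain m/d/yyyy date


def view(rows: list[dict], restrict: str = "", out: str = "", now: datetime | None = None) -> list[dict]:
    """Return the rows matching every clause in `restrict`, projected to the
    columns listed in `out` (all columns when `out` is empty)."""
    now = now or datetime.now()
    clauses = []
    for clause in restrict.split(","):
        if not clause.strip():
            continue
        match = _CLAUSE.match(clause)
        if not match:
            raise ValueError(f"bad restriction: {clause!r}")
        column, op, value_text = match.groups()
        clauses.append((column, _OPS[op], _parse_value(value_text, column, rows, now)))
    columns = [c.strip() for c in out.split(",") if c.strip()]
    result = []
    for row in rows:
        if all(op(_lookup(row, col), val) for col, op, val in clauses):
            result.append({c: _lookup(row, c) for c in columns} if columns else dict(row))
    return result


if __name__ == "__main__":
    # The page's example: three requests with their RequestID and Disposition.
    print(view(SAMPLE_ROWS, "requestID>37,requestID<40", "requestID,disposition"))
    print(view(SAMPLE_ROWS, "RequestId==$"))
    print(view(SAMPLE_ROWS, "SubmittedWhen>now-1:12", "RequestID", now=SAMPLE_NOW))
```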

-db

Dumps the raw database.

certutil [options] -db
[-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

-deleterow

Deletes a row from the server database.

certutil [options] -deleterow rowID | date [request | cert | ext | attrib | crl]

Where:

  • request deletes the failed and pending requests, based on submission date.

  • cert deletes the expired and revoked certificates, based on expiration date.

  • ext deletes the extension table.

  • attribute deletes the attribute table.

  • crl deletes the CRL table.

[-f] [-config Machine\CAName]

Examples

  • To delete failed and pending requests submitted by January 22, 2001, type: 1/22/2001 request

  • To delete all certificates that expired by January 22, 2001, type: 1/22/2001 cert

  • To delete the certificate row, attributes, and extensions for RequestID 37, type: 37

  • To delete CRLs that expired by January 22, 2001, type: 1/22/2001 crl

-backup

Backs up Active Directory Certificate Services.

certutil [options] -backup backupdirectory [incremental] [keeplog]

Where:

  • backupdirectory is the directory to store the backed up data.

  • incremental performs an incremental backup only (default is full backup).

  • keeplog preserves the database log files (default is to truncate log files).

[-f] [-config Machine\CAName] [-p Password]

-backupdb

Backs up the Active Directory Certificate Services database.

certutil [options] -backupdb backupdirectory [incremental] [keeplog]

Where:

  • backupdirectory is the directory to store the backed up database files.

  • incremental performs an incremental backup only (default is full backup).

  • keeplog preserves the database log files (default is to truncate log files).

[-f] [-config Machine\CAName]

-backupkey

Backs up the Active Directory Certificate Services certificate and private key.

certutil [options] -backupkey backupdirectory

Where:

  • backupdirectory is the directory to store the backed up PFX file.

[-f] [-config Machine\CAName] [-p password] [-t timeout]

-restore

Restores Active Directory Certificate Services.

certutil [options] -restore backupdirectory

Where:

  • backupdirectory is the directory containing the data to be restored.

[-f] [-config Machine\CAName] [-p password]

-restoredb

Restores the Active Directory Certificate Services database.

certutil [options] -restoredb backupdirectory

Where:

  • backupdirectory is the directory containing the database files to be restored.

[-f] [-config Machine\CAName]

-restorekey

Restores the Active Directory Certificate Services certificate and private key.

certutil [options] -restorekey backupdirectory | pfxfile

Where:

  • backupdirectory is the directory containing the PFX file to be restored.

[-f] [-config Machine\CAName] [-p password]

-importpfx

Import the certificate and private key. For more info, see the -store parameter in this article.

certutil [options] -importpfx [certificatestorename] pfxfile [modifiers]

Where:

  • certificatestorename is the name of the certificate store.

  • modifiers is a comma-separated list, which can include one or more of the following:

    1. AT_SIGNATURE - Changes the keyspec to signature

    2. AT_KEYEXCHANGE - Changes the keyspec to key exchange

    3. NoExport - Makes the private key non-exportable

    4. NoCert - Doesn't import the certificate

    5. NoChain - Doesn't import the certificate chain

    6. NoRoot - Doesn't import the root certificate

    7. Protect - Protects keys by using a password

    8. NoProtect - Doesn't password protect keys

[-f] [-user] [-p password] [-csp provider]

Remarks

  • Defaults to the personal machine store.

-dynamicfilelist

Displays a dynamic file list.

certutil [options] -dynamicfilelist
[-config Machine\CAName]

-databaselocations

Displays database locations.

certutil [options] -databaselocations
[-config Machine\CAName]

-hashfile

Generates and displays a cryptographic hash over a file.

certutil [options] -hashfile infile [hashalgorithm]

-store

Dumps the certificate store.

certutil [options] -store [certificatestorename [certID [outputfile]]]

Where:

  • certificatestorename is the certificate store name. For example:

    • My, CA (default), Root,

    • ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority (View Root Certificates)

    • ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Modify Root Certificates)

    • ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint (View CRLs)

    • ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Enterprise CA Certificates)

    • ldap: (AD computer object certificates)

    • -user ldap: (AD user object certificates)

  • certID is the certificate or CRL match token. This can be a serial number, a SHA-1 certificate, CRL, CTL or public key hash, a numeric cert index (0, 1, and so on), a numeric CRL index (.0, .1, and so on), a numeric CTL index (..0, ..1, and so on), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail address, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or Application Policies ObjectId, or a CRL issuer Common Name. Many of these may result in multiple matches.

  • outputfile is the file used to save the matching certificates.

[-f] [-user] [-enterprise] [-service] [-grouppolicy] [-silent] [-split] [-dc DCName]

Options

  • The -user option accesses a user store instead of a machine store.

  • The -enterprise option accesses a machine enterprise store.

  • The -service option accesses a machine service store.

  • The -grouppolicy option accesses a machine group policy store.

For example:

  • -enterprise NTAuth

  • -enterprise Root 37

  • -user My 26e0aaaf000000000004

  • CA .11

-addstore

Adds a certificate to the store. For more info, see the -store parameter in this article.

certutil [options] -addstore certificatestorename infile

Where:

  • certificatestorename is the certificate store name.

  • infile is the certificate or CRL file you want to add to the store.

[-f] [-user] [-enterprise] [-grouppolicy] [-dc DCName]

-delstore

Deletes a certificate from the store. For more info, see the -store parameter in this article.

certutil [options] -delstore certificatestorename certID

Where:

  • certificatestorename is the certificate store name.

  • certID is the certificate or CRL match token.

[-enterprise] [-user] [-grouppolicy] [-dc DCName]

-verifystore

Verifies a certificate in the store. For more info, see the -store parameter in this article.

certutil [options] -verifystore certificatestorename [certID]

Where:

  • certificatestorename is the certificate store name.

  • certID is the certificate or CRL match token.

[-enterprise] [-user] [-grouppolicy] [-silent] [-split] [-dc DCName] [-t timeout]

-repairstore

Repairs a key association or updates certificate properties or the key security descriptor. For more info, see the -store parameter in this article.

certutil [options] -repairstore certificatestorename certIDlist [propertyinffile | SDDLsecuritydescriptor]

Where:

  • certificatestorename is the certificate store name.

  • certIDlist is the comma-separated list of certificate or CRL match tokens. For more info, see the -store certID description in this article.

  • propertyinffile is the INF file containing external properties, including:

    [Properties]
        19 = Empty ; Add archived property, OR:
        19 =       ; Remove archived property
    
        11 = {text}Friendly Name ; Add friendly name property
    
        127 = {hex} ; Add custom hexadecimal property
            _continue_ = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
            _continue_ = 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
    
        2 = {text} ; Add Key Provider Information property
          _continue_ = Container=Container Name&
          _continue_ = Provider=Microsoft Strong Cryptographic Provider&
          _continue_ = ProviderType=1&
          _continue_ = Flags=0&
          _continue_ = KeySpec=2
    
        9 = {text} ; Add Enhanced Key Usage property
          _continue_ = 1.3.6.1.5.5.7.3.2,
          _continue_ = 1.3.6.1.5.5.7.3.1,
    
[-f] [-enterprise] [-user] [-grouppolicy] [-silent] [-split] [-csp provider]
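As an added Python example (not from the documentation or from Windows), a parser for the [Properties] INF syntax shown above, plus helpers that split property 2 (Key Provider Information) and property 9 (Enhanced Key Usage) into their parts, so a file can be reviewed before it is handed to certutil -repairstore. The sample INF is constructed from the page's sample with one line per property; the ';'-comment handling and the treatment of an untagged value as text are this example's assumptions.

```python
"""Parse the [Properties] INF file accepted by 'certutil -repairstore'.

Added example, not from the certutil documentation or from Windows. Syntax
(from the page): '<propid> = [{text}|{hex}]value', '_continue_ = ...' lines
extending the preceding property, 'Empty' to add a property with no data,
a bare '=' to remove it, and ';' comments.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample following the page's sample. Property IDs as in
# wincrypt.h: 2 = CERT_KEY_PROV_INFO_PROP_ID, 9 = CERT_ENHKEY_USAGE_PROP_ID,
# 11 = CERT_FRIENDLY_NAME_PROP_ID, 19 = CERT_ARCHIVED_PROP_ID, 127 = custom.
SAMPLE_INF = """\
[Properties]
    19 = Empty ; Add archived property
    11 = {text}Friendly Name ; Add friendly name property
    127 = {hex} ; Add custom hexadecimal property
        _continue_ = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
        _continue_ = 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
    2 = {text} ; Add Key Provider Information property
      _continue_ = Container=Container Name&
      _continue_ = Provider=Microsoft Strong Cryptographic Provider&
      _continue_ = ProviderType=1&
      _continue_ = Flags=0&
      _continue_ = KeySpec=2
    9 = {text} ; Add Enhanced Key Usage property
      _continue_ = 1.3.6.1.5.5.7.3.2,
      _continue_ = 1.3.6.1.5.5.7.3.1,
"""


@dataclass
class Property:
    prop_id: int
    kind: str          # "remove", "empty", "text" or "hex"
    text: str = ""     # accumulated value for kind == "text"
    data: bytes = b""  # accumulated bytes for kind == "hex"


def parse_properties_inf(content: str) -> dict[int, Property]:
    """Return {prop_id: Property} for the [Properties] section of an INF."""
    props: dict[int, Property] = {}
    in_section = False
    current: Property | None = None
    for lineno, raw in enumerate(content.splitlines(), 1):
        # Assumption: ';' starts a comment; the page's values never contain it.
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):               # section header
            in_section = line.lower() == "[properties]"
            current = None
            continue
        if not in_section:
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        if key.lower() == "_continue_":        # extends the preceding property
            if current is None or current.kind not in ("text", "hex"):
                raise ValueError(f"line {lineno}: _continue_ without a text/hex property")
            if current.kind == "hex":
                current.data += bytes.fromhex(value)
            else:
                current.text += value
            continue
        prop_id = int(key)
        if value == "":
            current = Property(prop_id, "remove")
        elif value.lower() == "empty":
            current = Property(prop_id, "empty")
        elif value.startswith("{hex}"):
            current = Property(prop_id, "hex", data=bytes.fromhex(value[5:]))
        elif value.startswith("{text}"):
            current = Property(prop_id, "text", text=value[6:])
        else:                                  # assumption: untagged value is text
            current = Property(prop_id, "text", text=value)
        props[prop_id] = current
    return props


def key_provider_info(props: dict[int, Property]) -> dict[str, str]:
    """Split property 2 ('Container=...&Provider=...&KeySpec=2') into fields."""
    prop = props.get(2)
    if prop is None or prop.kind != "text":
        return {}
    return {k: v for k, _, v in (item.partition("=") for item in prop.text.split("&") if item)}


def enhanced_key_usage(props: dict[int, Property]) -> list[str]:
    """Return the EKU OIDs in property 9 (comma separated, trailing comma allowed)."""
    prop = props.get(9)
    if prop is None or prop.kind != "text":
        return []
    return [oid for oid in prop.text.split(",") if oid]


if __name__ == "__main__":
    parsed = parse_properties_inf(SAMPLE_INF)
    for prop_id, prop in parsed.items():
        print(prop_id, prop.kind, prop.text or prop.data.hex())
    print(key_provider_info(parsed), enhanced_key_usage(parsed))
```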

-viewstore

Dumps the certificate store. For more info, see the -store parameter in this article.

certutil [options] -viewstore [certificatestorename [certID [outputfile]]]

Where:

  • certificatestorename is the certificate store name.

  • certID is the certificate or CRL match token.

  • outputfile is the file used to save the matching certificates.

[-f] [-user] [-enterprise] [-service] [-grouppolicy] [-dc DCName]

Options

  • The -user option accesses a user store instead of a machine store.

  • The -enterprise option accesses a machine enterprise store.

  • The -service option accesses a machine service store.

  • The -grouppolicy option accesses a machine group policy store.

For example:

  • -enterprise NTAuth

  • -enterprise Root 37

  • -user My 26e0aaaf000000000004

  • CA .11

-viewdelstore

Deletes a certificate from the store.

certutil [options] -viewdelstore [certificatestorename [certID [outputfile]]]

Where:

  • certificatestorename is the certificate store name.

  • certID is the certificate or CRL match token.

  • outputfile is the file used to save the matching certificates.

[-f] [-user] [-enterprise] [-service] [-grouppolicy] [-dc DCName]

Options

  • The -user option accesses a user store instead of a machine store.

  • The -enterprise option accesses a machine enterprise store.

  • The -service option accesses a machine service store.

  • The -grouppolicy option accesses a machine group policy store.

For example:

  • -enterprise NTAuth

  • -enterprise Root 37

  • -user My 26e0aaaf000000000004

  • CA .11

-dspublish

Publishes a certificate or certificate revocation list (CRL) to Active Directory.

certutil [options] -dspublish certfile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
certutil [options] -dspublish CRLfile [DSCDPContainer [DSCDPCN]]

Where:

  • certfile is the name of the certificate file to publish.

  • NTAuthCA publishes the certificate to the DS Enterprise store.

  • RootCA publishes the certificate to the DS Trusted Root store.

  • SubCA publishes the CA certificate to the DS CA object.

  • CrossCA publishes the cross-certificate to the DS CA object.

  • KRA publishes the certificate to the DS Key Recovery Agent object.

  • User publishes the certificate to the User DS object.

  • Machine publishes the certificate to the Machine DS object.

  • CRLfile is the name of the CRL file to publish.

  • DSCDPContainer is the DS CDP container CN, usually the CA machine name.

  • DSCDPCN is the DS CDP object CN, usually based on the sanitized CA short name and key index.

  • Use -f to create a new DS object.

[-f] [-user] [-dc DCName]

-adtemplate

Displays Active Directory templates.

certutil [options] -adtemplate [template]
[-f] [-user] [-ut] [-mt] [-dc DCName]

-template

Displays the certificate templates.

certutil [options] -template [template]
[-f] [-user] [-silent] [-policyserver URLorID] [-anonymous] [-kerberos] [-clientcertificate clientcertID] [-username username] [-p password]

-templatecas

Displays the certification authorities (CAs) for a certificate template.

certutil [options] -templatecas template
[-f] [-user] [-dc DCName]

-catemplates

Displays templates for the Certificate Authority.

certutil [options] -catemplates [template]
[-f] [-user] [-ut] [-mt] [-config Machine\CAName] [-dc DCName]

-setcasites

Manages site names, including setting, verifying, and deleting Certificate Authority site names.

certutil [options] -setcasites [set] [sitename]
certutil [options] -setcasites verify [sitename]
certutil [options] -setcasites delete

Where:

  • sitename is allowed only when targeting a single Certificate Authority.

[-f] [-config Machine\CAName] [-dc DCName]

Remarks

  • The -config option targets a single Certificate Authority (default is all CAs).

  • The -f option can be used to override validation errors for the specified sitename or to delete all CA sitenames.

Note

For more information about configuring CAs for Active Directory Domain Services (AD DS) site awareness, see AD DS Site Awareness for AD CS and PKI clients.

-enrollmentserverURL

Displays, adds, or deletes enrollment server URLs associated with a CA.

certutil [options] -enrollmentServerURL [URL authenticationtype [priority] [modifiers]]
certutil [options] -enrollmentserverURL URL delete

Where:

  • authenticationtype specifies one of the following client authentication methods, while adding a URL:

    1. kerberos - Use Kerberos SSL credentials.

    2. username - Use a named account for SSL credentials.

    3. clientcertificate - Use X.509 certificate SSL credentials.

    4. anonymous - Use anonymous SSL credentials.

  • delete deletes the specified URL associated with the CA.

  • priority defaults to 1 if not specified when adding a URL.

  • modifiers is a comma-separated list, which includes one or more of the following:

    1. allowrenewalsonly - Only renewal requests can be submitted to this CA via this URL.

    2. allowkeybasedrenewal - Allows use of a certificate that has no associated account in AD. This applies only with clientcertificate and allowrenewalsonly mode.

[-config Machine\CAName] [-dc DCName]

-adca

Displays Active Directory Certificate Authorities.

certutil [options] -adca [CAName]
[-f] [-split] [-dc DCName]

-ca

Displays enrollment policy Certificate Authorities.

certutil [options] -CA [CAName | templatename]
[-f] [-user] [-silent] [-split] [-policyserver URLorID] [-anonymous] [-kerberos] [-clientcertificate clientcertID] [-username username] [-p password]

-policy

Displays the enrollment policy.

certutil [options] -policy
[-f] [-user] [-silent] [-split] [-policyserver URLorID] [-anonymous] [-kerberos] [-clientcertificate clientcertID] [-username username] [-p password]

-policycache

Displays or deletes enrollment policy cache entries.

certutil [options] -policycache [delete]

Where:

  • delete deletes the policy server cache entries.

  • -f deletes all cache entries.

[-f] [-user] [-policyserver URLorID]

-credstore

Displays, adds, or deletes Credential Store entries.

certutil [options] -credstore [URL]
certutil [options] -credstore URL add
certutil [options] -credstore URL delete

Where:

  • URL is the target URL. You can also use * to match all entries or https://machine* to match a URL prefix.

  • add adds a credential store entry. Using this option also requires the use of SSL credentials.

  • delete deletes credential store entries.

  • -f overwrites a single entry or deletes multiple entries.

[-f] [-user] [-silent] [-anonymous] [-kerberos] [-clientcertificate clientcertID] [-username username] [-p password]

-installdefaulttemplates

Installs default certificate templates.

certutil [options] -installdefaulttemplates
[-dc DCName]

-URLcache

Displays or deletes URL cache entries.

certutil [options] -URLcache [URL | CRL | * [delete]]

Where:

  • URL is the cached URL.

  • CRL operates on all cached CRL URLs only.

  • * operates on all cached URLs.

  • delete deletes the relevant URLs from the current user's local cache.

  • -f forces fetching a specific URL and updating the cache.

[-f] [-split]

-pulse

Pulses auto enrollment events.

certutil [options] -pulse
[-user]

-machineinfo

Displays information about the Active Directory machine object.

certutil [options] -machineinfo domainname\machinename$

-DCInfo

Displays information about the domain controller. The default displays DC certificates without verification.

certutil [options] -DCInfo [domain] [verify | deletebad | deleteall]
[-f] [-user] [-urlfetch] [-dc DCName] [-t timeout]

Tip

The ability to specify an Active Directory Domain Services (AD DS) domain [Domain] and to specify a domain controller (-dc) was added in Windows Server 2012. To successfully run the command, you must use an account that is a member of Domain Admins or Enterprise Admins. The behavior modifications of this command are as follows:

  1. 1. 如果未指定域并且未指定特定的域控制器,则此选项将返回要从默认域控制器处理的域控制器的列表。1. If a domain is not specified and a specific domain controller is not specified, this option returns a list of domain controllers to process from the default domain controller.
  2. 2. 如果未指定域,但指定了域控制器,则会生成指定域控制器上的证书报表。2. If a domain is not specified, but a domain controller is specified, a report of the certificates on the specified domain controller is generated.
  3. 3. 如果指定了域,但未指定域控制器,则会在列表中的每个域控制器的证书上生成域控制器的列表。3. If a domain is specified, but a domain controller is not specified, a list of domain controllers is generated along with reports on the certificates for each domain controller in the list.
  4. 4. 如果指定了域和域控制器,则会从目标域控制器生成域控制器的列表。4. If the domain and domain controller are specified, a list of domain controllers is generated from the targeted domain controller. 还会生成列表中每个域控制器的证书报表。A report of the certificates for each domain controller in the list is also generated.

例如,假设有一个名为 CPANDL 的域,其中包含名为 CPANDL-DC1 的域控制器。For example, assume there is a domain named CPANDL with a domain controller named CPANDL-DC1. 可以运行以下命令,从 CPANDL-DC1 检索域控制器及其证书的列表:certutil -dc cpandl-dc1 -DCInfo cpandlYou can run the following command to a retrieve a list of domain controllers and their certificates that from CPANDL-DC1: certutil -dc cpandl-dc1 -DCInfo cpandl

-entinfo

Displays information about an enterprise Certificate Authority.

certutil [options] -entinfo domainname\machinename$
[-f] [-user]

-tcainfo

Displays information about the Certificate Authority.

certutil [options] -tcainfo [domainDN | -]
[-f] [-enterprise] [-user] [-urlfetch] [-dc DCName] [-t timeout]

-scinfo

Displays information about the smart card.

certutil [options] -scinfo [readername [CRYPT_DELETEKEYSET]]

Where:

  • CRYPT_DELETEKEYSET deletes all keys on the smart card.

[-silent] [-split] [-urlfetch] [-t timeout]

-scroots

Manages smart card root certificates.

certutil [options] -scroots update [+][inputrootfile] [readername]
certutil [options] -scroots save @in\outputrootfile [readername]
certutil [options] -scroots view [inputrootfile | readername]
certutil [options] -scroots delete [readername]
[-f] [-split] [-p Password]

-verifykeys

Verifies a public or private key set.

certutil [options] -verifykeys [keycontainername cacertfile]

Where:

  • keycontainername is the key container name for the key to verify. This option defaults to machine keys. To switch to user keys, use -user.

  • cacertfile is the signing or encryption certificate file.

[-f] [-user] [-silent] [-config Machine\CAName]

Remarks

  • If no arguments are specified, each signing CA certificate is verified against its private key.

  • This operation can only be performed against a local CA or local keys.

-verify

Verifies a certificate, certificate revocation list (CRL), or certificate chain.

certutil [options] -verify certfile [applicationpolicylist | - [issuancepolicylist]]
certutil [options] -verify certfile [cacertfile [crossedcacertfile]]
certutil [options] -verify CRLfile cacertfile [issuedcertfile]
certutil [options] -verify CRLfile cacertfile [deltaCRLfile]

Where:

  • certfile is the name of the certificate to verify.

  • applicationpolicylist is the optional comma-separated list of required Application Policy ObjectIds.

  • issuancepolicylist is the optional comma-separated list of required Issuance Policy ObjectIds.

  • cacertfile is the optional issuing CA certificate to verify against.

  • crossedcacertfile is the optional certificate cross-certified by certfile.

  • CRLfile is the CRL file used to verify the cacertfile.

  • issuedcertfile is the optional issued certificate covered by the CRLfile.

  • deltaCRLfile is the optional delta CRL file.

[-f] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t timeout]

Remarks

  • Using applicationpolicylist restricts chain building to only chains valid for the specified Application Policies.

  • Using issuancepolicylist restricts chain building to only chains valid for the specified Issuance Policies.

  • Using cacertfile verifies the fields in the file against certfile or CRLfile.

  • Using issuedcertfile verifies the fields in the file against CRLfile.

  • Using deltaCRLfile verifies the fields in the file against certfile.

  • If cacertfile isn't specified, the full chain is built and verified against certfile.

  • If cacertfile and crossedcacertfile are both specified, the fields in both files are verified against certfile.

-verifyCTL

Verifies the AuthRoot or Disallowed Certificates CTL.

certutil [options] -verifyCTL CTLobject [certdir] [certfile]

Where:

  • CTLobject identifies the CTL to verify, including:

    • AuthRootWU - Reads the AuthRoot CAB and matching certificates from the URL cache. Use -f to download from Windows Update instead.

    • DisallowedWU - Reads the Disallowed Certificates CAB and disallowed certificate store file from the URL cache. Use -f to download from Windows Update instead.

    • AuthRoot - Reads the registry-cached AuthRoot CTL. Use with -f and an untrusted certfile to force the registry-cached AuthRoot and Disallowed Certificates CTLs to update.

    • Disallowed - Reads the registry-cached Disallowed Certificates CTL. Use with -f and an untrusted certfile to force the registry-cached AuthRoot and Disallowed Certificates CTLs to update.

    • CTLfilename specifies the file or http path to the CTL or CAB file.

  • certdir specifies the folder containing certificates matching the CTL entries. Defaults to the same folder or website as the CTLobject. Using an http folder path requires a path separator at the end. If you don't specify AuthRoot or Disallowed, multiple locations will be searched for matching certificates, including local certificate stores, crypt32.dll resources and the local URL cache. Use -f to download from Windows Update, as needed.

  • certfile specifies the certificate(s) to verify. Certificates are matched against CTL entries, displaying the results. This option suppresses most of the default output.

[-f] [-user] [-split]

-sign

Re-signs a certificate revocation list (CRL) or certificate.

certutil [options] -sign infilelist | serialnumber | CRL outfilelist [startdate+dd:hh] [+serialnumberlist | -serialnumberlist | -objectIDlist | @extensionfile]
certutil [options] -sign infilelist | serialnumber | CRL outfilelist [#hashalgorithm] [+alternatesignaturealgorithm | -alternatesignaturealgorithm]

Where:

  • infilelist is the comma-separated list of certificate or CRL files to modify and re-sign.

  • serialnumber is the serial number of the certificate to create. The validity period and other options can't be present.

  • CRL creates an empty CRL. The validity period and other options can't be present.

  • outfilelist is the comma-separated list of modified certificate or CRL output files. The number of files must match infilelist.

  • startdate+dd:hh is the new validity period for the certificate or CRL files, including:

    • optional date plus

    • optional days and hours validity period

    If both are specified, you must use a plus sign (+) separator. Use now[+dd:hh] to start at the current time. Use never to have no expiration date (for CRLs only).

  • serialnumberlist is the comma-separated serial number list of the files to add or remove.

  • objectIDlist is the comma-separated extension ObjectId list of the files to remove.

  • @extensionfile is the INF file that contains the extensions to update or remove. For example:

    [Extensions]
        2.5.29.31 = ; Remove CRL Distribution Points extension
        2.5.29.15 = {hex} ; Update Key Usage extension
        _continue_=03 02 01 86

  • hashalgorithm is the name of the hash algorithm. This must only be the text preceded by the # sign.

  • alternatesignaturealgorithm is the alternate signature algorithm specifier.

[-nullsign] [-f] [-silent] [-cert certID]

Remarks

  • Using the minus sign (-) removes serial numbers and extensions.

  • Using the plus sign (+) adds serial numbers to a CRL.

  • You can use a list to remove both serial numbers and ObjectIDs from a CRL at the same time.

  • Using the minus sign before alternatesignaturealgorithm allows you to use the legacy signature format. Using the plus sign allows you to use the alternate signature format. If you don't specify alternatesignaturealgorithm, the signature format in the certificate or CRL is used.

-vroot

Creates or deletes web virtual roots and file shares.

certutil [options] -vroot [delete]

-vocsproot

Creates or deletes web virtual roots for an OCSP web proxy.

certutil [options] -vocsproot [delete]

-addenrollmentserver

Adds an Enrollment Server application and application pool if necessary, for the specified Certificate Authority. This command does not install binaries or packages.

certutil [options] -addenrollmentserver kerberos | username | clientcertificate [allowrenewalsonly] [allowkeybasedrenewal]

Where:

  • addenrollmentserver requires you to use an authentication method for the client connection to the Certificate Enrollment Server, including:

    • kerberos uses Kerberos SSL credentials.

    • username uses a named account for SSL credentials.

    • clientcertificate uses X.509 Certificate SSL credentials.

  • allowrenewalsonly allows only renewal request submissions to the Certificate Authority through the URL.

  • allowkeybasedrenewal allows use of a certificate with no associated account in Active Directory. This applies when used with clientcertificate and allowrenewalsonly mode.

[-config Machine\CAName]

-deleteenrollmentserver

Deletes an Enrollment Server application and application pool if necessary, for the specified Certificate Authority. This command does not install binaries or packages.

certutil [options] -deleteenrollmentserver kerberos | username | clientcertificate

Where:

  • deleteenrollmentserver requires you to use an authentication method for the client connection to the Certificate Enrollment Server, including:

    • kerberos uses Kerberos SSL credentials.

    • username uses a named account for SSL credentials.

    • clientcertificate uses X.509 Certificate SSL credentials.

[-config Machine\CAName]

-addpolicyserver

Adds a Policy Server application and application pool, if necessary. This command does not install binaries or packages.

certutil [options] -addpolicyserver kerberos | username | clientcertificate [keybasedrenewal]

Where:

  • addpolicyserver requires you to use an authentication method for the client connection to the Certificate Policy Server, including:

    • kerberos uses Kerberos SSL credentials.

    • username uses a named account for SSL credentials.

    • clientcertificate uses X.509 Certificate SSL credentials.

  • keybasedrenewal allows use of policies returned to the client containing keybasedrenewal templates. This option applies only for username and clientcertificate authentication.

-deletepolicyserver

Deletes a Policy Server application and application pool, if necessary. This command does not remove binaries or packages.

certutil [options] -deletePolicyServer kerberos | username | clientcertificate [keybasedrenewal]

Where:

  • deletepolicyserver requires you to use an authentication method for the client connection to the Certificate Policy Server, including:

    • kerberos uses Kerberos SSL credentials.

    • username uses a named account for SSL credentials.

    • clientcertificate uses X.509 Certificate SSL credentials.

  • keybasedrenewal allows use of a KeyBasedRenewal policy server.

-oid

Displays the object identifier or sets a display name.

certutil [options] -oid objectID [displayname | delete [languageID [type]]]
certutil [options] -oid groupID
certutil [options] -oid algID | algorithmname [groupID]

Where:

  • objectID displays or adds the display name.

  • groupID is the groupID number (decimal) that objectIDs enumerate.

  • algID is the hexadecimal ID that objectID looks up.

  • algorithmname is the algorithm name that objectID looks up.

  • displayname displays the name to store in DS.

  • delete deletes the display name.

  • languageID is the language ID value (defaults to current: 1033).

  • type is the type of DS object to create, including:

    • 1 - Template (default)

    • 2 - Issuance Policy

    • 3 - Application Policy

  • -f creates a DS object.

-error

Displays the message text associated with an error code.

certutil [options] -error errorcode

-getreg

Displays a registry value.

certutil [options] -getreg [{ca | restore | policy | exit | template | enroll | chain | policyservers}\[progID\]][registryvaluename]

Where:

  • ca uses a Certificate Authority's registry key.

  • restore uses a Certificate Authority's restore registry key.

  • policy uses the policy module's registry key.

  • exit uses the first exit module's registry key.

  • template uses the template registry key (use -user for user templates).

  • enroll uses the enrollment registry key (use -user for user context).

  • chain uses the chain configuration registry key.

  • policyservers uses the Policy Servers registry key.

  • progID uses the policy or exit module's ProgID (registry subkey name).

  • registryvaluename uses the registry value name (use Name* to prefix match).

  • value uses the new numeric, string or date registry value or filename. If a numeric value starts with + or -, the bits specified in the new value are set or cleared in the existing registry value.

[-f] [-user] [-grouppolicy] [-config Machine\CAName]

Remarks

  • If a string value starts with + or -, and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add \n to the end of the string value.

  • If the value starts with @, the rest of the value is the name of the file containing the hexadecimal text representation of a binary value. If it doesn't refer to a valid file, it's instead parsed as [Date][+|-][dd:hh] - an optional date plus or minus optional days and hours. If both are specified, use a plus sign (+) or minus sign (-) separator. Use now+dd:hh for a date relative to the current time.

  • Use chain\chaincacheresyncfiletime @now to effectively flush cached CRLs.

-setreg

Sets a registry value.

certutil [options] -setreg [{ca | restore | policy | exit | template | enroll | chain | policyservers}\[progID\]]registryvaluename value

Where:

  • ca uses a Certificate Authority's registry key.

  • restore uses a Certificate Authority's restore registry key.

  • policy uses the policy module's registry key.

  • exit uses the first exit module's registry key.

  • template uses the template registry key (use -user for user templates).

  • enroll uses the enrollment registry key (use -user for user context).

  • chain uses the chain configuration registry key.

  • policyservers uses the Policy Servers registry key.

  • progID uses the policy or exit module's ProgID (registry subkey name).

  • registryvaluename uses the registry value name (use Name* to prefix match).

  • value uses the new numeric, string or date registry value or filename. If a numeric value starts with + or -, the bits specified in the new value are set or cleared in the existing registry value.

[-f] [-user] [-grouppolicy] [-config Machine\CAName]

Remarks

  • If a string value starts with + or -, and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add \n to the end of the string value.

  • If the value starts with @, the rest of the value is the name of the file containing the hexadecimal text representation of a binary value. If it doesn't refer to a valid file, it's instead parsed as [Date][+|-][dd:hh] - an optional date plus or minus optional days and hours. If both are specified, use a plus sign (+) or minus sign (-) separator. Use now+dd:hh for a date relative to the current time.

  • Use chain\chaincacheresyncfiletime @now to effectively flush cached CRLs.
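The +/- bit rules, the REG_MULTI_SZ add/remove rules and the [Date][+|-][dd:hh] form (the same form -sign's startdate+dd:hh uses) are easy to get wrong on a CA, so here is an added Python model of them; it is not certutil's or Microsoft's code and never touches the registry, it only computes what a given -setreg argument would store so you can check a command's effect before running it. DEMO_SYMBOLS, DEMO_NOW and the YYYY-MM-DD absolute-date format are this example's assumptions, as is the precedence numeric > string > date, which the page does not state.

```python
"""Model of the value rules documented for certutil -setreg (and the shared
[Date][+|-][dd:hh] form used by -sign's startdate+dd:hh).

Added example, not certutil's own code: it computes what a -setreg argument
would store and never writes to the registry.
"""
import os
import re
from datetime import datetime, timedelta

# Constructed placeholder flag names and bit values for the demo only. certutil
# resolves real symbolic names (e.g. KRAF_ENABLEFOREIGN) from its own tables;
# these numbers are NOT the real ones.
DEMO_SYMBOLS = {"DEMO_FLAG_A": 0x1, "DEMO_FLAG_B": 0x20}

# Fixed "current time" so relative dates are reproducible (constructed value).
DEMO_NOW = datetime(2024, 1, 1, 12, 0, 0)

# [Date][+|-][dd:hh]: optional absolute date or "now", optional signed days:hours.
# Assumption: absolute dates are written YYYY-MM-DD (certutil uses the locale format).
_DATE_RE = re.compile(
    r"^(?P<date>now|\d{4}-\d{2}-\d{2})?(?:(?P<sign>[+-])(?P<dd>\d+):(?P<hh>\d+))?$"
)


def parse_date_expr(expr, now=None):
    """Return the datetime for a [Date][+|-][dd:hh] expression, or None if
    `expr` is not one. "now+dd:hh" is relative to `now` (default: wall clock)."""
    now = now or datetime.now()
    m = _DATE_RE.match(expr)
    if not m or (m.group("date") is None and m.group("sign") is None):
        return None
    if m.group("date") in (None, "now"):
        base = now
    else:
        base = datetime.strptime(m.group("date"), "%Y-%m-%d")
    if m.group("sign"):
        delta = timedelta(days=int(m.group("dd")), hours=int(m.group("hh")))
        base = base + delta if m.group("sign") == "+" else base - delta
    return base


def _parse_number(token, symbols):
    """Decimal or 0x-hex literal, or a symbolic flag name looked up in `symbols`."""
    if token in symbols:
        return symbols[token]
    try:
        return int(token, 0)
    except ValueError:
        return None


def apply_setreg_value(existing, new, symbols=None, now=None):
    """Return what `certutil -setreg <key> <new>` would store when the value
    currently holds `existing` (int, str, list for REG_MULTI_SZ, or bytes).
    Rule order (numeric, then date, then string) is this model's assumption."""
    symbols = symbols or {}

    # "@file": hex text file holding a binary value; if it is not a valid file,
    # the remainder is parsed as a date expression instead (e.g. "@now").
    if new.startswith("@"):
        rest = new[1:]
        if os.path.isfile(rest):
            with open(rest, encoding="utf-8") as fh:
                return bytes.fromhex("".join(fh.read().split()))
        when = parse_date_expr(rest, now)
        if when is None:
            raise ValueError(f"{new!r} is neither a readable hex file nor a date")
        return when

    # "+N" / "-N": set or clear those bits in the existing numeric value.
    if new[:1] in ("+", "-") and len(new) > 1:
        bits = _parse_number(new[1:], symbols)
        if bits is not None:
            base = existing if isinstance(existing, int) else 0
            return base | bits if new[0] == "+" else base & ~bits

    # Plain number: replace the value.
    number = _parse_number(new, symbols)
    if number is not None:
        return number

    # Date expression such as "now+1:12" or "2024-01-01-0:12".
    when = parse_date_expr(new, now)
    if when is not None:
        return when

    # String rules: a trailing literal "\n" forces REG_MULTI_SZ; "+s" / "-s"
    # adds an element to or removes it from a REG_MULTI_SZ list.
    force_multi = new.endswith("\\n")
    if force_multi:
        new = new[:-2]
    if new[:1] in ("+", "-") and (isinstance(existing, list) or force_multi):
        current = list(existing) if isinstance(existing, list) else []
        elem = new[1:]
        if new[0] == "+":
            return current if elem in current else current + [elem]
        return [e for e in current if e != elem]
    return [new] if force_multi else new


if __name__ == "__main__":
    # The page's own idioms, applied to constructed current values.
    print(apply_setreg_value(0x4, "+DEMO_FLAG_B", DEMO_SYMBOLS))  # 36
    print(apply_setreg_value(["a", "b"], "-a"))                   # ['b']
    print(apply_setreg_value(123, "@now", now=DEMO_NOW))          # 2024-01-01 12:00:00
    print(apply_setreg_value(0, "now+1:12", now=DEMO_NOW))        # 2024-01-03 00:00:00
```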

-delreg-delreg

删除注册表值。Deletes a registry value.

certutil [options] -delreg [{ca | restore | policy | exit | template | enroll |chain | policyservers}\[progID\]][registryvaluename]

其中:Where:

  • ca使用证书颁发机构的注册表项。ca uses a Certificate Authority's registry key.

  • restore使用证书颁发机构的还原注册表项。restore uses Certificate Authority's restore registry key.

  • 策略使用策略模块的注册表项。policy uses the policy module's registry key.

  • exit使用第一个退出模块的注册表项。exit uses the first exit module's registry key.

  • 模板使用模板注册表项( -user 用于用户模板)。template uses the template registry key (use -user for user templates).

  • 注册使用注册注册表项( -user 用于用户上下文)。enroll uses the enrollment registry key (use -user for user context).

  • 使用链配置注册表项。chain uses the chain configuration registry key.

  • policyservers使用策略服务器注册表项。policyservers uses the Policy Servers registry key.

  • progID使用策略或退出模块的 progID (注册表子项名称)。progID uses the policy or exit module's ProgID (registry subkey name).

  • registryvaluename使用注册表值名称(用于 Name* 前缀匹配)。registryvaluename uses the registry value name (use Name* to prefix match).

  • 使用新的数字、字符串或日期注册表值或文件名。value uses the new numeric, string or date registry value or filename. 如果数字值以或开头 + ,则在 - 现有注册表值中设置或清除在新值中指定的位。If a numeric value starts with + or -, the bits specified in the new value are set or cleared in the existing registry value.

[-f] [-user] [-grouppolicy] [-config Machine\CAName]

备注Remarks

  • 如果字符串值以或开头 + - ,并且现有值为 REG_MULTI_SZ 值,则会将该字符串添加到现有注册表值或从中删除。If a string value starts with + or -, and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. 若要强制创建 REG_MULTI_SZ 值,请将添加 \n 到字符串值的末尾。To force creation of a REG_MULTI_SZ value, add \n to the end of the string value.

  • 如果值以开头 \@ ,则值的剩余部分是包含二进制值的十六进制文本表示形式的文件的名称。If the value starts with \@, the rest of the value is the name of the file containing the hexadecimal text representation of a binary value. 如果未引用有效的文件,则将其分析为 [Date][+|-][dd:hh] -可选的日期加上或减去可选的日期和小时。If it doesn't refer to a valid file, it's instead parsed as [Date][+|-][dd:hh] - an optional date plus or minus optional days and hours. 如果同时指定两者,则使用加号(+)或减号(-)分隔符。If both are specified, use a plus sign (+) or minus sign (-) separator. 用于 now+dd:hh 相对于当前时间的日期。Use now+dd:hh for a date relative to the current time.

  • 使用 chain\chaincacheresyncfiletime \@now 有效刷新缓存的 crl。Use chain\chaincacheresyncfiletime \@now to effectively flush cached CRLs.

-importKMS-importKMS

将用户密钥和证书导入到服务器数据库以进行密钥存档。Imports user keys and certificates into the server database for key archival.

certutil [options] -importKMS userkeyandcertfile [certID]

其中:Where:

  • userkeyandcertfile是一个数据文件,其中包含要存档的用户私钥和证书。userkeyandcertfile is a data file with user private keys and certificates that are to be archived. 此文件可以是:This file can be:

    • Exchange 密钥管理服务器(KMS)导出文件。An Exchange Key Management Server (KMS) export file.

    • PFX 文件。A PFX file.

  • 证书 id 是 KMS 导出文件解密证书匹配令牌。certID is a KMS export file decryption certificate match token. 有关详细信息,请参阅 -store 本文中的参数。For more info, see the -store parameter in this article.

  • -f导入证书颁发机构未颁发的证书。-f imports certificates not issued by the Certificate Authority.

[-f] [-silent] [-split] [-config Machine\CAName] [-p password] [-symkeyalg symmetrickeyalgorithm[,keylength]]

-importcert-importcert

将证书文件导入到数据库中。Imports a certificate file into the database.

certutil [options] -importcert certfile [existingrow]

其中:Where:

  • existingrow导入证书,以代替对同一密钥的挂起的请求。existingrow imports the certificate in place of a pending request for the same key.

  • -f导入证书颁发机构未颁发的证书。-f imports certificates not issued by the Certificate Authority.

[-f] [-config Machine\CAName]

备注Remarks

证书颁发机构可能还需要配置为支持外部证书。The Certificate Authority may also need to be configured to support foreign certificates. 为此,请键入 import - certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGNTo do this, type import - certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN.

-getkey-getkey

检索存档的私钥恢复 blob、生成恢复脚本或恢复已存档的密钥。Retrieves an archived private key recovery blob, generates a recovery script, or recovers archived keys.

certutil [options] -getkey searchtoken [recoverybloboutfile]
certutil [options] -getkey searchtoken script outputscriptfile
certutil [options] -getkey searchtoken retrieve | recover outputfilebasename

其中:Where:

  • 脚本生成用于检索和恢复密钥的脚本(如果找到多个匹配的恢复候选项,则为默认行为; 如果未指定输出文件,则为默认行为)。script generates a script to retrieve and recover keys (default behavior if multiple matching recovery candidates are found, or if the output file is not specified).

  • 检索检索一个或多个密钥恢复 blob (如果仅找到一个匹配的恢复候选项,则检索默认行为; 如果指定了输出文件)。retrieve retrieves one or more Key Recovery Blobs (default behavior if exactly one matching recovery candidate is found, and if the output file is specified). 使用此选项会截断任何扩展,并为每个密钥恢复 blob 追加特定于证书的字符串和 rec 扩展名。Using this option truncates any extension and appends the certificate-specific string and the .rec extension for each key recovery blob. 每个文件都包含一个证书链和一个关联的私钥,仍加密为一个或多个密钥恢复代理证书。Each file contains a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates.

  • recover在一步中检索和恢复私钥(需要密钥恢复代理证书和私钥)。recover retrieves and recovers private keys in one step (requires Key Recovery Agent certificates and private keys). 使用此选项会截断任何扩展,并追加 p12 扩展名。Using this option truncates any extension and appends the .p12 extension. 每个文件都包含已恢复的证书链和关联的私钥,作为 PFX 文件存储。Each file contains the recovered certificate chains and associated private keys, stored as a PFX file.

  • searchtoken选择要恢复的密钥和证书,包括:searchtoken selects the keys and certificates to be recovered, including:

      1. 证书公用名Certificate Common Name
      1. 证书序列号Certificate Serial Number
      1. 证书 SHA-1 哈希(指纹)Certificate SHA-1 hash (thumbprint)
      1. 证书 KeyId SHA-1 哈希(使用者密钥标识符)Certificate KeyId SHA-1 hash (Subject Key Identifier)
      1. 申请人姓名(域 \ 用户)Requester Name (domain\user)
      1. UPN (用户 @ 域)UPN (user@domain)
  • recoverybloboutfile输出带有证书链和私钥的文件,仍加密为一个或多个密钥恢复代理证书。recoverybloboutfile outputs a file with a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates.

  • outputscriptfile输出带有批处理脚本的文件以检索和恢复私钥。outputscriptfile outputs a file with a batch script to retrieve and recover private keys.

  • outputfilebasename输出文件基名称。outputfilebasename outputs a file base name.

[-f] [-unicodetext] [-silent] [-config Machine\CAName] [-p password] [-protectto SAMnameandSIDlist] [-csp provider]

-recoverkey-recoverkey

恢复存档的私钥。Recover an archived private key.

certutil [options] -recoverkey recoveryblobinfile [PFXoutfile [recipientindex]]
[-f] [-user] [-silent] [-split] [-p password] [-protectto SAMnameandSIDlist] [-csp provider] [-t timeout]

-mergePFX-mergePFX

合并 PFX 文件。Merges PFX files.

certutil [options] -mergePFX PFXinfilelist PFXoutfile [extendedproperties]

其中:Where:

  • PFXinfilelist是以逗号分隔的 PFX 输入文件列表。PFXinfilelist is a comma-separated list of PFX input files.

  • PFXoutfile是 PFX 输出文件的名称。PFXoutfile is the name of the PFX output file.

  • extendedproperties包含任何扩展属性。extendedproperties includes any extended properties.

[-f] [-user] [-split] [-p password] [-protectto SAMnameAndSIDlist] [-csp provider]

备注Remarks

  • 在命令行中指定的密码必须是以逗号分隔的密码列表。The password specified on the command line must be a comma-separated password list.

  • 如果指定了多个密码,则将最后一个密码用于输出文件。If more than one password is specified, the last password is used for the output file. 如果只提供了一个密码或最后一个密码为 * ,则系统将提示用户输入输出文件密码。If only one password is provided or if the last password is *, the user will be prompted for the output file password.

-convertEPF-convertEPF

将 PFX 文件转换为 EPF 文件。Converts a PFX file into an EPF file.

certutil [options] -convertEPF PFXinfilelist PFXoutfile [cast | cast-] [V3CAcertID][,salt]

其中:Where:

  • PFXinfilelist是以逗号分隔的 PFX 输入文件列表。PFXinfilelist is a comma-separated list of PFX input files.

  • PFXoutfile是 PFX 输出文件的名称。PFXoutfile is the name of the PFX output file.

  • EPF是 EPF 输出文件的名称。EPF is the name of the EPF output file.

  • cast使用强制转换64加密。cast uses CAST 64 encryption.

  • cast- 使用强制转换64加密(export)cast- uses CAST 64 encryption (export)

  • V3CAcertID是 V3 CA 证书匹配令牌。V3CAcertID is the V3 CA certificate match token. 有关详细信息,请参阅 -store 本文中的参数。For more info, see the -store parameter in this article.

  • salt是 EPF 的输出文件 salt 字符串。salt is the EPF output file salt string.

[-f] [-silent] [-split] [-dc DCName] [-p password] [-csp provider]

备注Remarks

  • 在命令行中指定的密码必须是以逗号分隔的密码列表。The password specified on the command line must be a comma-separated password list.

  • 如果指定了多个密码,则将最后一个密码用于输出文件。If more than one password is specified, the last password is used for the output file. 如果只提供了一个密码或最后一个密码为 * ,则系统将提示用户输入输出文件密码。If only one password is provided or if the last password is *, the user will be prompted for the output file password.

-?

Displays the list of parameters.

certutil -?
certutil <name_of_parameter> -?
certutil -? -v

Where:

  • -? displays the full list of parameters.

  • -<name_of_parameter> -? displays help content for the specified parameter.

  • -? -v displays the full list of parameters and options.

Options

This section defines all of the options you're able to specify, based on the command. Each parameter includes information about which options are valid for use.

Option    Description
-nullsign    Use the hash of the data as a signature.
-f    Force overwrite.
-enterprise    Use the local machine enterprise registry certificate store.
-user    Use the HKEY_CURRENT_USER keys or certificate store.
-GroupPolicy    Use the group policy certificate store.
-ut    Display user templates.
-mt    Display machine templates.
-Unicode    Write redirected output in Unicode.
-UnicodeText    Write the output file in Unicode.
-gmt    Display times using GMT.
-seconds    Display times using seconds and milliseconds.
-silent    Use the silent flag to acquire the crypt context.
-split    Split embedded ASN.1 elements and save them to files.
-v    Provide more detailed (verbose) information.
-privatekey    Display password and private key data.
-pin PIN    Smart card PIN.
-urlfetch    Retrieve and verify AIA certificates and CDP CRLs.
-config Machine\CAName    Certification authority and computer name string.
-policyserver URLorID    Policy server URL or ID. For a selection UI, use -policyserver. For all policy servers, use -policyserver *.
-anonymous    Use anonymous SSL credentials.
-kerberos    Use Kerberos SSL credentials.
-clientcertificate clientcertID    Use X.509 certificate SSL credentials. For a selection UI, use -clientcertificate.
-username username    Use the named account for SSL credentials. For a selection UI, use -username.
-cert certID    Signing certificate.
-dc DCName    Target a specific domain controller.
-restrict restrictionlist    Comma-separated restriction list. Each restriction consists of a column name, a relational operator and a constant integer, string or date. One column name may be preceded by a plus or minus sign to indicate the sort order. For example: requestID = 47, +requestername >= a, requestername, or -requestername > DOMAIN, Disposition = 21
-out columnlist    Comma-separated column list.
-p password    Password.
-protectto SAMnameandSIDlist    Comma-separated SAM name/SID list.
-csp provider    Provider.
-t timeout    URL fetch timeout in milliseconds.
-symkeyalg symmetrickeyalgorithm[,keylength]    Name of the symmetric key algorithm with an optional key length. For example: AES,128 or 3DES
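As an added example that is not part of the certutil documentation, the PowerShell lines below combine the -config, -restrict and -out options from the table above with the -view verb to pull a narrow slice of a CA database, the kind of query a PKI operator runs when auditing issuance. The CA config string 'CASERVER\Contoso-CA' is a placeholder, and the column names (RequestID, RequesterName, Disposition, NotAfter, CertificateTemplate, SerialNumber) are standard CA database columns; the Disposition values used are 20 (issued) and 21 (revoked, the value the table's own example uses).

```powershell
# Added example (not from the certutil documentation): CA database queries built
# from the -config, -restrict and -out options in the table above.
# 'CASERVER\Contoso-CA' is a placeholder; substitute the real Machine\CAName string.
$caConfig = 'CASERVER\Contoso-CA'

# Revoked certificates (Disposition = 21), most recent request first.
# The leading '-' on RequestID is the sort-order prefix described in the table,
# so '-RequestID>0' both selects all rows and sorts them descending.
certutil -config $caConfig -view `
    -restrict 'Disposition=21,-RequestID>0' `
    -out 'RequestID,RequesterName,SerialNumber,NotAfter,CertificateTemplate'

# Issued certificates (Disposition = 20) that expire before a given date, useful for
# spotting renewals that are due. Dates in a restriction are plain date constants;
# -gmt from the table makes the displayed times unambiguous across time zones.
$cutoff = (Get-Date).AddDays(30).ToString('MM/dd/yyyy')
certutil -gmt -config $caConfig -view `
    -restrict "Disposition=20,NotAfter<=$cutoff" `
    -out 'RequestID,RequesterName,NotAfter,CertificateTemplate'
```

Running these queries requires read access to the CA database (for example, the Manage CA or Issue and Manage Certificates permission on the CA); restricting with -restrict and projecting with -out keeps the output small enough to review or pipe into Out-File for a recurring audit.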

Additional References

For some more examples about how to use this command, see