certutil

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

When certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. When certutil is run on a machine that is not a certification authority, the command defaults to running the certutil -dump verb.

Warning

Earlier versions of certutil may not provide all of the options that are described in this document. You can see all the options that a specific version of certutil provides by running the commands shown in the Syntax notations section.

The major sections in this document are:

Verbs

The following table describes the verbs that can be used with the certutil command.

Verb                      Description
-dump                     Dump configuration information or files
-asn                      Parse ASN.1 file
-decodehex                Decode hexadecimal-encoded file
-decode                   Decode a Base64-encoded file
-encode                   Encode a file to Base64
-deny                     Deny a pending certificate request
-resubmit                 Resubmit a pending certificate request
-setattributes            Set attributes for a pending certificate request
-setextension             Set an extension for a pending certificate request
-revoke                   Revoke a certificate
-isvalid                  Display the disposition of the current certificate
-getconfig                Get the default configuration string
-ping                     Attempt to contact the Active Directory Certificate Services Request interface
-pingadmin                Attempt to contact the Active Directory Certificate Services Admin interface
-CAInfo                   Display information about the certification authority
-ca.cert                  Retrieve the certificate for the certification authority
-ca.chain                 Retrieve the certificate chain for the certification authority
-GetCRL                   Get a certificate revocation list (CRL)
-CRL                      Publish new certificate revocation lists (CRLs) [or only delta CRLs]
-shutdown                 Shut down Active Directory Certificate Services
-installCert              Install a certification authority certificate
-renewCert                Renew a certification authority certificate
-schema                   Dump the schema for the certificate
-view                     Dump the certificate view
-db                       Dump the raw database
-deleterow                Delete a row from the server database
-backup                   Back up Active Directory Certificate Services
-backupDB                 Back up the Active Directory Certificate Services database
-backupKey                Back up the Active Directory Certificate Services certificate and private key
-restore                  Restore Active Directory Certificate Services
-restoreDB                Restore the Active Directory Certificate Services database
-restoreKey               Restore the Active Directory Certificate Services certificate and private key
-importPFX                Import certificate and private key
-dynamicfilelist          Display a dynamic file list
-databaselocations        Display database locations
-hashfile                 Generate and display a cryptographic hash over a file
-store                    Dump the certificate store
-addstore                 Add a certificate to the store
-delstore                 Delete a certificate from the store
-verifystore              Verify a certificate in the store
-repairstore              Repair a key association or update certificate properties or the key security descriptor
-viewstore                Dump the certificate store
-viewdelstore             Delete a certificate from the store
-dsPublish                Publish a certificate or certificate revocation list (CRL) to Active Directory
-ADTemplate               Display AD templates
-Template                 Display certificate templates
-TemplateCAs              Display the certification authorities (CAs) for a certificate template
-CATemplates              Display templates for CA
-SetCASites               Manage Site Names for CAs
-enrollmentServerURL      Display, add or delete enrollment server URLs associated with a CA
-ADCA                     Display AD CAs
-CA                       Display Enrollment Policy CAs
-Policy                   Display Enrollment Policy
-PolicyCache              Display or delete Enrollment Policy Cache entries
-CredStore                Display, add or delete Credential Store entries
-InstallDefaultTemplates  Install default certificate templates
-URLCache                 Display or delete URL cache entries
-pulse                    Pulse auto enrollment events
-MachineInfo              Display information about the Active Directory machine object
-DCInfo                   Display information about the domain controller
-EntInfo                  Display information about an enterprise CA
-TCAInfo                  Display information about the CA
-SCInfo                   Display information about the smart card
-SCRoots                  Manage smart card root certificates
-verifykeys               Verify a public or private key set
-verify                   Verify a certificate, certificate revocation list (CRL), or certificate chain
-verifyCTL                Verify AuthRoot or Disallowed Certificates CTL
-sign                     Re-sign a certificate revocation list (CRL) or certificate
-vroot                    Create or delete web virtual roots and file shares
-vocsproot                Create or delete web virtual roots for an OCSP web proxy
-addEnrollmentServer      Add an Enrollment Server application
-deleteEnrollmentServer   Delete an Enrollment Server application
-addPolicyServer          Add a Policy Server application
-deletePolicyServer       Delete a Policy Server application
-oid                      Display the object identifier or set a display name
-error                    Display the message text associated with an error code
-getreg                   Display a registry value
-setreg                   Set a registry value
-delreg                   Delete a registry value
-ImportKMS                Import user keys and certificates into the server database for key archival
-ImportCert               Import a certificate file into the database
-GetKey                   Retrieve an archived private key recovery blob
-RecoverKey               Recover an archived private key
-MergePFX                 Merge PFX files
-ConvertEPF               Convert a PFX file into an EPF file
-?                        Displays the list of verbs
-<verb> -?                Displays help for the verb specified.
-? -v                     Displays a full list of verbs and

Syntax notations

  • For basic command line syntax, run certutil -?
  • For the syntax on using certutil with a specific verb, run certutil <verb> -?
  • To send all of the certutil syntax into a text file, run the following commands:
    • certutil -v -? > certutilhelp.txt
    • notepad certutilhelp.txt

The following table describes the notation used to indicate command-line syntax.

Notation                         Description
Text without brackets or braces  Items you must type as shown
<Text inside angle brackets>     Placeholder for which you must supply a value
[Text inside square brackets]    Optional items
{Text inside braces}             Set of required items; choose one
Vertical bar (|)                 Separator for mutually exclusive items; choose one
Ellipsis (...)                   Items that can be repeated

-dump

CertUtil [Options] -dump

CertUtil [Options] -dump File

Dump configuration information or files

[-f] [-silent] [-split] [-p Password] [-t Timeout]

-asn

CertUtil [Options] -asn File [type]

Parse ASN.1 file

type: numeric CRYPT_STRING_* decoding type

-decodehex

CertUtil [Options] -decodehex InFile OutFile [type]

Decode hexadecimal-encoded file

type: numeric CRYPT_STRING_* encoding type

[-f]

-decode

CertUtil [Options] -decode InFile OutFile

Decode Base64-encoded file

[-f]

-encode

CertUtil [Options] -encode InFile OutFile

Encode file to Base64

[-f] [-UnicodeText]

-deny

CertUtil [Options] -deny RequestId

Deny pending request

[-config Machine\CAName]

-resubmit

CertUtil [Options] -resubmit RequestId

Resubmit pending request

[-config Machine\CAName]

-setattributes

CertUtil [Options] -setattributes RequestId AttributeString

Set attributes for pending request

RequestId -- numeric Request Id of pending request

AttributeString -- Request Attribute name and value pairs

  • Names and values are colon separated.
  • Multiple name, value pairs are newline separated.
  • Example: "CertificateTemplate:User\nEMail:User@Domain.com"
  • Each "\n" sequence is converted to a newline separator.

[-config Machine\CAName]

-setextension

CertUtil [Options] -setextension RequestId ExtensionName Flags {Long | Date | String | @InFile}

Set extension for pending request

RequestId -- numeric Request Id of a pending request

ExtensionName -- ObjectId string of the extension

Flags -- 0 is recommended. 1 makes the extension critical, 2 disables it, 3 does both.

If the last parameter is numeric, it is taken as a Long.

If it can be parsed as a date, it is taken as a Date.

If it starts with '@', the rest of the token is the filename containing binary data or an ascii-text hex dump.

Anything else is taken as a String.

[-config Machine\CAName]

-revoke

CertUtil [Options] -revoke SerialNumber [Reason]

Revoke Certificate

SerialNumber: Comma separated list of certificate serial numbers to revoke

Reason: numeric or symbolic revocation reason

  • 0: CRL_REASON_UNSPECIFIED: Unspecified (default)
  • 1: CRL_REASON_KEY_COMPROMISE: Key Compromise
  • 2: CRL_REASON_CA_COMPROMISE: CA Compromise
  • 3: CRL_REASON_AFFILIATION_CHANGED: Affiliation Changed
  • 4: CRL_REASON_SUPERSEDED: Superseded
  • 5: CRL_REASON_CESSATION_OF_OPERATION: Cessation of Operation
  • 6: CRL_REASON_CERTIFICATE_HOLD: Certificate Hold
  • 8: CRL_REASON_REMOVE_FROM_CRL: Remove From CRL
  • -1: Unrevoke: Unrevoke

[-config Machine\CAName]

-isvalid

CertUtil [Options] -isvalid SerialNumber | CertHash

Display current certificate disposition

[-config Machine\CAName]

-getconfig

CertUtil [Options] -getconfig

Get default configuration string

[-config Machine\CAName]

-ping

CertUtil [Options] -ping [MaxSecondsToWait | CAMachineList]

Ping Active Directory Certificate Services Request interface

CAMachineList -- Comma-separated CA machine name list

  • For a single machine, use a terminating comma
  • Displays the site cost for each CA machine

[-config Machine\CAName]

-CAInfo

CertUtil [Options] -CAInfo [InfoName [Index | ErrorCode]]

Display CA Information

InfoName -- indicates the CA property to display (see below). Use "*" for all properties.

Index -- optional zero-based property index

ErrorCode -- numeric error code

[-f] [-split] [-config Machine\CAName]

InfoName argument syntax:

  • file: File version
  • product: Product version
  • exitcount: Exit module count
  • exit [Index]: Exit module description
  • policy: Policy module description
  • name: CA name
  • sanitizedname: Sanitized CA name
  • dsname: Sanitized CA short name (DS name)
  • sharedfolder: Shared folder
  • error1 ErrorCode: Error message text
  • error2 ErrorCode: Error message text and error code
  • type: CA type
  • info: CA info
  • parent: Parent CA
  • certcount: CA cert count
  • xchgcount: CA exchange cert count
  • kracount: KRA cert count
  • kraused: KRA cert used count
  • propidmax: Maximum CA PropId
  • certstate [Index]: CA cert
  • certversion [Index]: CA cert version
  • certstatuscode [Index]: CA cert verify status
  • crlstate [Index]: CRL
  • krastate [Index]: KRA cert
  • crossstate+ [Index]: Forward cross cert
  • crossstate- [Index]: Backward cross cert
  • cert [Index]: CA cert
  • certchain [Index]: CA cert chain
  • certcrlchain [Index]: CA cert chain with CRLs
  • xchg [Index]: CA exchange cert
  • xchgchain [Index]: CA exchange cert chain
  • xchgcrlchain [Index]: CA exchange cert chain with CRLs
  • kra [Index]: KRA cert
  • cross+ [Index]: Forward cross cert
  • cross- [Index]: Backward cross cert
  • CRL [Index]: Base CRL
  • deltacrl [Index]: Delta CRL
  • crlstatus [Index]: CRL Publish Status
  • deltacrlstatus [Index]: Delta CRL Publish Status
  • dns: DNS Name
  • role: Role Separation
  • ads: Advanced Server
  • templates: Templates
  • ocsp [Index]: OCSP URLs
  • aia [Index]: AIA URLs
  • cdp [Index]: CDP URLs
  • localename: CA locale name
  • subjecttemplateoids: Subject Template OIDs

-ca.cert

CertUtil [Options] -ca.cert OutCACertFile [Index]

Retrieve the CA's certificate

OutCACertFile: output file

Index: CA certificate renewal index (defaults to most recent)

[-f] [-split] [-config Machine\CAName]

-ca.chain

CertUtil [Options] -ca.chain OutCACertChainFile [Index]

Retrieve the CA's certificate chain

OutCACertChainFile: output file

Index: CA certificate renewal index (defaults to most recent)

[-f] [-split] [-config Machine\CAName]

-GetCRL

CertUtil [Options] -GetCRL OutFile [Index] [delta]

Get CRL

Index: CRL index or key index (defaults to CRL for newest key)

delta: delta CRL (default is base CRL)

[-f] [-split] [-config Machine\CAName]

-CRL

CertUtil [Options] -CRL [dd:hh | republish] [delta]

Publish new CRLs [or delta CRLs only]

dd:hh -- new CRL validity period in days and hours

republish -- republish most recent CRLs

delta -- delta CRLs only (default is base and delta CRLs)

[-split] [-config Machine\CAName]

-shutdown

CertUtil [Options] -shutdown

Shut down Active Directory Certificate Services

[-config Machine\CAName]

-installCert

CertUtil [Options] -installCert [CACertFile]

Install Certification Authority certificate

[-f] [-silent] [-config Machine\CAName]

-renewCert

CertUtil [Options] -renewCert [ReuseKeys] [Machine\ParentCAName]

Renew Certification Authority certificate

Use -f to ignore an outstanding renewal request, and generate a new request.

[-f] [-silent] [-config Machine\CAName]

-schema

CertUtil [Options] -schema [Ext | Attrib | CRL]

Dump Certificate Schema

Defaults to Request and Certificate table

Ext: Extension table

Attrib: Attribute table

CRL: CRL table

[-split] [-config Machine\CAName]

-view

CertUtil [Options] -view [Queue | Log | LogFail | Revoked | Ext | Attrib | CRL] [csv]

Dump Certificate View

Queue: Request queue

Log: Issued or revoked certificates, plus failed requests

LogFail: Failed requests

Revoked: Revoked certificates

Ext: Extension table

Attrib: Attribute table

CRL: CRL table

csv: Output as Comma Separated Values

To display the StatusCode column for all entries: -out StatusCode

To display all columns for the last entry: -restrict "RequestId==$"

To display RequestId and Disposition for three requests: -restrict "RequestId>=37,RequestId<40" -out "RequestId,Disposition"

To display Row Ids and CRL Numbers for all Base CRLs: -restrict "CRLMinBase=0" -out "CRLRowId,CRLNumber" CRL

To display Base CRL Number 3: -v -restrict "CRLMinBase=0,CRLNumber=3" -out "CRLRawCRL" CRL

To display the entire CRL table: CRL

Use "Date[+|-dd:hh]" for date restrictions

Use "now+dd:hh" for a date relative to the current time

[-silent] [-split] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

-db

CertUtil [Options] -db

Dump Raw Database

[-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

-deleterow

CertUtil [Options] -deleterow RowId | Date [Request | Cert | Ext | Attrib | CRL]

Delete server database row

Request: Failed and pending requests (submission date)

Cert: Expired and revoked certificates (expiration date)

Ext: Extension table

Attrib: Attribute table

CRL: CRL table (expiration date)

To delete failed and pending requests submitted by January 22, 2001: 1/22/2001 Request

To delete all certificates that expired by January 22, 2001: 1/22/2001 Cert

To delete the certificate row, attributes and extensions for RequestId 37: 37

To delete CRLs that expired by January 22, 2001: 1/22/2001 CRL

[-f] [-config Machine\CAName]
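The pending-request verbs (-setattributes, -resubmit, -deny), -revoke, -CRL and -isvalid above all act on rows that -view can find for you. The following is an added PowerShell example, not part of the certutil documentation, that wires them together: it turns the csv output of -view into objects (dropping certutil's localized header row so the column names you asked for are used), lists the request queue, approves or denies a pending request, and revokes every unexpired certificate issued to one requester before publishing a fresh CRL. The CA config string, the template name and the requester are placeholders; the Disposition codes 20 (issued) and the use of "now+dd:hh" follow the CA database and the -view syntax described above.

```powershell
# Added example (not from the certutil documentation): drive -view, -setattributes,
# -resubmit, -deny, -revoke, -CRL and -isvalid from PowerShell.
# Assumptions: run as a CA administrator/certificate manager against an AD CS CA;
# "ca01.corp.example\Corp-Issuing-CA", "WebServer" and "CORP\alice" are placeholders.

$ErrorActionPreference = 'Stop'
$Config = 'ca01.corp.example\Corp-Issuing-CA'   # placeholder: certutil -getconfig shows yours

function Invoke-CaView {
    # Run certutil -view with a restriction and column list and return objects.
    # certutil prints a header row with localized display names ("Issued Request ID"),
    # so that row is dropped and the requested column names are applied instead.
    param(
        [ValidateSet('Queue','Log','LogFail','Revoked')] [string]$Table = 'Log',
        [string]$Restrict = '',
        [Parameter(Mandatory)] [string[]]$Columns
    )
    $cuArgs = @('-config', $Config)
    if ($Restrict) { $cuArgs += @('-restrict', $Restrict) }
    $cuArgs += @('-out', ($Columns -join ','), '-view', $Table, 'csv')
    $raw = & certutil.exe @cuArgs
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed: $($raw -join "`n")" }
    $raw |
        Where-Object { $_ -like '"*' } |   # keep quoted csv rows, drop status text
        Select-Object -Skip 1 |            # drop the localized header row
        ConvertFrom-Csv -Header $Columns
}

function Get-PendingRequests {
    Invoke-CaView -Table Queue -Columns RequestId,RequesterName,CertificateTemplate,SubmittedWhen
}

function Approve-PendingRequest {
    # Optionally pin the template first. -setattributes takes "Name:Value" pairs separated
    # by a literal \n sequence; inside PowerShell double quotes "\n" stays literal, which is
    # exactly what certutil expects ("`n" would pass a real newline instead).
    param([Parameter(Mandatory)] [int]$RequestId, [string]$Template)
    if ($Template) {
        & certutil.exe -config $Config -setattributes $RequestId "CertificateTemplate:$Template" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "-setattributes failed for request $RequestId" }
    }
    & certutil.exe -config $Config -resubmit $RequestId | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "-resubmit failed for request $RequestId" }
}

function Deny-PendingRequest {
    param([Parameter(Mandatory)] [int]$RequestId)
    & certutil.exe -config $Config -deny $RequestId | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "-deny failed for request $RequestId" }
}

function Get-IssuedCertificates {
    # Unexpired issued certificates (Disposition 20) for one requester account.
    param([Parameter(Mandatory)] [string]$Requester)
    Invoke-CaView -Table Log `
        -Restrict "Disposition=20,RequesterName=$Requester,NotAfter>now+0:00" `
        -Columns RequestId,RequesterName,CertificateTemplate,SerialNumber,NotAfter
}

function Revoke-IssuedCertificates {
    # Revoke with reason 1 (Key Compromise), publish base + delta CRLs, then confirm
    # the new disposition of each serial with -isvalid.
    param([Parameter(Mandatory)] [string]$Requester)
    $certs = @(Get-IssuedCertificates -Requester $Requester)
    foreach ($c in $certs) {
        & certutil.exe -config $Config -revoke $c.SerialNumber 1 | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "-revoke failed for serial $($c.SerialNumber)" }
    }
    if ($certs.Count -gt 0) {
        & certutil.exe -config $Config -CRL | Out-Null
        if ($LASTEXITCODE -ne 0) { throw '-CRL publish failed' }
        foreach ($c in $certs) { & certutil.exe -config $Config -isvalid $c.SerialNumber }
    }
    $certs
}

# Usage with the placeholder values:
Get-PendingRequests | Format-Table -AutoSize
# Approve-PendingRequest -RequestId 42 -Template WebServer
# Deny-PendingRequest -RequestId 43
# Revoke-IssuedCertificates -Requester 'CORP\alice' | Format-Table -AutoSize
```

Two caveats worth keeping in mind: only a Certificate Hold (reason 6) can later be undone with -revoke ... -1, so a Key Compromise revocation is final; and the -CRL call matters, because relying parties see the revocation only once a CRL containing it is published and fetched.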

-backup

CertUtil [Options] -backup BackupDirectory [Incremental] [KeepLog]

Back up Active Directory Certificate Services

BackupDirectory: directory to store backed up data

Incremental: perform incremental backup only (default is full backup)

KeepLog: preserve database log files (default is to truncate log files)

[-f] [-config Machine\CAName] [-p Password]

-backupDB

CertUtil [Options] -backupDB BackupDirectory [Incremental] [KeepLog]

Back up Active Directory Certificate Services database

BackupDirectory: directory to store backed up database files

Incremental: perform incremental backup only (default is full backup)

KeepLog: preserve database log files (default is to truncate log files)

[-f] [-config Machine\CAName]

-backupKey

CertUtil [Options] -backupKey BackupDirectory

Back up Active Directory Certificate Services certificate and private key

BackupDirectory: directory to store backed up PFX file

[-f] [-config Machine\CAName] [-p Password] [-t Timeout]

-restore

CertUtil [Options] -restore BackupDirectory

Restore Active Directory Certificate Services

BackupDirectory: directory containing data to be restored

[-f] [-config Machine\CAName] [-p Password]

-restoreDB

CertUtil [Options] -restoreDB BackupDirectory

Restore Active Directory Certificate Services database

BackupDirectory: directory containing database files to be restored

[-f] [-config Machine\CAName]

-restoreKey

CertUtil [Options] -restoreKey BackupDirectory | PFXFile

Restore Active Directory Certificate Services certificate and private key

BackupDirectory: directory containing PFX file to be restored

PFXFile: PFX file to be restored

[-f] [-config Machine\CAName] [-p Password]
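A full -backup writes both the database and, as a password-protected PFX, the CA certificate with its private key, so the output directory is as sensitive as the CA itself. The following added PowerShell example (not from the certutil documentation) restricts the directory's ACL before certutil writes into it, runs the backup with KeepLog, and records a SHA-256 manifest of what was written so a later -restore can be checked against it. The config string, the path and the group name "Administrators" are placeholders.

```powershell
# Added example (not from the certutil documentation): full CA backup with
# certutil -backup into a locked-down directory plus an integrity manifest.
# Assumptions: run elevated on the CA; config string and target path are placeholders.

$ErrorActionPreference = 'Stop'
$Config = 'ca01.corp.example\Corp-Issuing-CA'   # placeholder
$Root   = 'D:\CABackup'                          # placeholder

function Backup-CertificateAuthority {
    param(
        [Parameter(Mandatory)] [string]$Config,
        [Parameter(Mandatory)] [string]$Target,
        [Parameter(Mandatory)] [securestring]$Password,
        [switch]$KeepLog
    )
    New-Item -ItemType Directory -Path $Target | Out-Null

    # Drop inherited ACEs and grant only SYSTEM and Administrators before any data lands.
    & icacls.exe $Target /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Target" }

    # certutil takes the PFX password on the command line (-p), so it is visible to
    # process command-line auditing on this host; prefer a one-off password here.
    $plain  = [System.Net.NetworkCredential]::new('', $Password).Password
    $cuArgs = @('-config', $Config, '-p', $plain, '-backup', $Target)
    if ($KeepLog) { $cuArgs += 'KeepLog' }   # keep database log files (default truncates)
    & certutil.exe @cuArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -backup failed' }

    # Manifest: one row per file written (the PFX under $Target holds the CA key).
    Get-ChildItem -Path $Target -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            File   = $_.FullName
            Bytes  = $_.Length
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$target = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
$pw     = Read-Host -Prompt 'PFX password for the CA key backup' -AsSecureString
Backup-CertificateAuthority -Config $Config -Target $target -Password $pw -KeepLog |
    Tee-Object -Variable manifest |
    Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
```

Restoring reverses the flow: -restore (or -restoreDB and -restoreKey separately) takes the same directory and the same -p password, and comparing Get-FileHash output against manifest.csv before the restore catches a backup that was altered or truncated in storage.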

-importPFX

CertUtil [Options] -importPFX [CertificateStoreName] PFXFile [Modifiers]

Import certificate and private key

CertificateStoreName: Certificate store name. See -store.

PFXFile: PFX file to be imported

Modifiers: Comma separated list of one or more of the following:

  • AT_SIGNATURE: Change the KeySpec to Signature
  • AT_KEYEXCHANGE: Change the KeySpec to Key Exchange
  • NoExport: Make the private key non-exportable
  • NoCert: Do not import the certificate
  • NoChain: Do not import the certificate chain
  • NoRoot: Do not import the root certificate
  • Protect: Protect keys with password
  • NoProtect: Do not password protect keys

Defaults to personal machine store.

[-f] [-user] [-p Password] [-csp Provider]

-dynamicfilelist

CertUtil [Options] -dynamicfilelist

Display dynamic file list

[-config Machine\CAName]

-databaselocations

CertUtil [Options] -databaselocations

Display database locations

[-config Machine\CAName]

-hashfile

CertUtil [Options] -hashfile InFile [HashAlgorithm]

Generate and display cryptographic hash over a file
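-encode and -decode above transcode any file, not only certificates, and -hashfile gives you a way to check that the round trip was lossless. The following added PowerShell example (not from the certutil documentation) encodes a constructed binary file, decodes it again, and compares certutil's SHA-256 digest of both copies with the .NET implementation; it also shows the one parsing detail a script needs, namely that older certutil builds print the digest with spaces between bytes while newer ones print it contiguously. The file names and the sample payload are constructed for the example.

```powershell
# Added example (not from the certutil documentation): round-trip a file through
# certutil -encode / -decode and confirm integrity with certutil -hashfile.
# Assumptions: Windows with certutil.exe on PATH and a writable $env:TEMP.

$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP ('certutil-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null

$plain   = Join-Path $work 'payload.bin'
$encoded = Join-Path $work 'payload.b64'
$decoded = Join-Path $work 'payload.restored.bin'

# Constructed input: 4 KiB of deterministic pseudo-random bytes (not a certificate).
$rng   = [System.Random]::new(1234)
$bytes = [byte[]]::new(4096)
$rng.NextBytes($bytes)
[System.IO.File]::WriteAllBytes($plain, $bytes)

function Get-CertutilHash {
    # Return the digest that "certutil -hashfile" prints, normalized to lowercase hex.
    param([Parameter(Mandatory)] [string]$Path, [string]$Algorithm = 'SHA256')
    $out = & certutil.exe -hashfile $Path $Algorithm
    if ($LASTEXITCODE -ne 0) { throw "certutil -hashfile failed: $($out -join "`n")" }
    # The digest is the only line made of hex digits (and, on older builds, spaces);
    # the "SHA256 hash of ..." header and the "CertUtil: ..." trailer never match.
    $line = $out | Where-Object { $_ -match '^[0-9a-fA-F]{2}[0-9a-fA-F ]*$' } | Select-Object -First 1
    if (-not $line) { throw "no digest line in certutil output for $Path" }
    return ($line -replace ' ', '').ToLowerInvariant()
}

# -encode always wraps the Base64 in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----
# lines, whatever the input is; -decode strips them. -f overwrites an existing output file.
& certutil.exe -f -encode $plain $encoded | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -encode failed' }
& certutil.exe -f -decode $encoded $decoded | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -decode failed' }

$before = Get-CertutilHash -Path $plain
$after  = Get-CertutilHash -Path $decoded
$dotnet = (Get-FileHash -Path $decoded -Algorithm SHA256).Hash.ToLowerInvariant()

[pscustomobject]@{
    Original     = $before
    RoundTripped = $after
    DotNetCheck  = $dotnet
    Intact       = ($before -eq $after -and $after -eq $dotnet)
    HeaderLine   = (Get-Content -Path $encoded -TotalCount 1)
}

Remove-Item -Recurse -Force $work
```

Because -encode and -decode accept arbitrary files, they are a common way to move payloads onto or off a host without any extra tooling; the BEGIN/END CERTIFICATE wrapper around non-certificate data and the certutil command line itself (-encode, -decode with non-certificate paths) are the artifacts a detection would key on.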

-store

CertUtil [Options] -store [CertificateStoreName [CertId [OutputFile]]]

Dump certificate store

CertificateStoreName: Certificate store name. Examples:

  • "My", "CA" (default), "Root",
  • "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority" (View Root Certificates)
  • "ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority" (Modify Root Certificates)
  • "ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint" (View CRLs)
  • "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority" (Enterprise CA Certificates)
  • ldap: (AD computer object certificates)
  • -user ldap: (AD user object certificates)

CertId: Certificate or CRL match token. This can be a serial number, an SHA-1 certificate, CRL, CTL or public key hash, a numeric cert index (0, 1, and so on), a numeric CRL index (.0, .1, and so on), a numeric CTL index (..0, ..1, and so on), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail address, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or Application Policies ObjectId, or a CRL issuer Common Name. Many of these may result in multiple matches.

OutputFile: file to save matching cert

Use -user to access a user store instead of a machine store.

Use -enterprise to access a machine enterprise store.

Use -service to access a machine service store.

Use -GroupPolicy to access a machine group policy store.

Examples:

  • -enterprise NTAuth
  • -enterprise Root 37
  • -user My 26e0aaaf000000000004
  • CA .11

[-f] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName]

-addstore

CertUtil [Options] -addstore CertificateStoreName InFile

Add certificate to store

CertificateStoreName: Certificate store name. See -store.

InFile: Certificate or CRL file to add to store.

[-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

-delstore

CertUtil [Options] -delstore CertificateStoreName CertId

Delete certificate from store

CertificateStoreName: Certificate store name. See -store.

CertId: Certificate or CRL match token. See -store.

[-enterprise] [-user] [-GroupPolicy] [-dc DCName]

-verifystore

CertUtil [Options] -verifystore CertificateStoreName [CertId]

Verify certificate in store

CertificateStoreName: Certificate store name. See -store.

CertId: Certificate or CRL match token. See -store.

[-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-dc DCName] [-t Timeout]

-repairstore-repairstore

CertUtil [Options]-repairstore CertificateStoreName CertIdList [PropertyInfFile |SDDLSecurityDescriptor]CertUtil [Options] -repairstore CertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor]

修复密钥关联或更新证书属性或密钥安全描述符Repair key association or update certificate properties or key security descriptor

CertificateStoreName:证书存储区名称。CertificateStoreName: Certificate store name. 请参阅-storeSee -store.

CertIdList:以逗号分隔的证书或 CRL 匹配令牌列表。CertIdList: comma separated list of Certificate or CRL match tokens. 请参阅-store证书 id description。See -store CertId description.

PropertyInfFile-包含外部属性的 INF 文件:PropertyInfFile -- INF file containing external properties:

[Properties]
     19 = Empty ; Add archived property, OR:
     19 =       ; Remove archived property

     11 = "{text}Friendly Name" ; Add friendly name property

     127 = "{hex}" ; Add custom hexadecimal property
         _continue_ = "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
         _continue_ = "10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f"

     2 = "{text}" ; Add Key Provider Information property
       _continue_ = "Container=Container Name&"
       _continue_ = "Provider=Microsoft Strong Cryptographic Provider&"
       _continue_ = "ProviderType=1&"
       _continue_ = "Flags=0&"
       _continue_ = "KeySpec=2"

     9 = "{text}" ; Add Enhanced Key Usage property
       _continue_ = "1.3.6.1.5.5.7.3.2,"
       _continue_ = "1.3.6.1.5.5.7.3.1,"

[-f][-enterprise][-user][-Microsoft-windows-grouppolicy][-无声][-split][-csp 提供程序][-f] [-enterprise] [-user] [-GroupPolicy] [-silent] [-split] [-csp Provider]
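The following PowerShell wrapper is an added example, not part of the original page or of certutil itself: it generates a PropertyInfFile in the [Properties] format shown above and applies it with -repairstore to a single machine-store certificate selected by its SHA-1 thumbprint (a valid CertId). The function name, the store name, the thumbprint, the friendly name and the EKU list in the sample call are constructed values.

```powershell
# Added example: build a PropertyInfFile for certutil -repairstore and apply it to
# one certificate in the LocalMachine store. Writing to the machine store needs an
# elevated session. All names and values here are constructed placeholders.

function Set-CertStoreProperties {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # SHA-1 hash, used as the CertId
        [string]   $StoreName = 'My',                   # CertificateStoreName, see -store
        [string]   $FriendlyName,                       # property 11
        [string[]] $EkuOids,                            # property 9, one OID per _continue_ line
        [switch]   $Archived                            # property 19 (hides the cert from the UI)
    )

    # Resolve the certificate first so a mistyped thumbprint fails here rather than
    # letting certutil match nothing (or something else) in the store.
    $Thumbprint = $Thumbprint.ToUpperInvariant()
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in LocalMachine\$StoreName"
    }

    # Assemble the INF exactly as documented: a [Properties] section whose keys are
    # the numeric property ids, with multi-line values carried by _continue_ entries.
    $lines = @('[Properties]')
    if ($Archived)     { $lines += '19 = Empty ; Add archived property' }
    if ($FriendlyName) { $lines += "11 = `"{text}$FriendlyName`" ; Add friendly name property" }
    if ($EkuOids) {
        $lines += '9 = "{text}" ; Add Enhanced Key Usage property'
        foreach ($oid in $EkuOids) { $lines += "  _continue_ = `"$oid,`"" }
    }

    # The INF is written as ASCII; keep the friendly name to ASCII characters.
    $inf = Join-Path $env:TEMP ("certprops-{0}.inf" -f [guid]::NewGuid())
    Set-Content -Path $inf -Value $lines -Encoding ASCII
    try {
        # With an INF as the third argument -repairstore only updates the listed
        # properties; the certificate's key association is left untouched.
        & certutil.exe -repairstore $StoreName $Thumbprint $inf | Out-Host
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -repairstore failed with exit code $LASTEXITCODE"
        }
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

# Constructed sample call: label a server certificate and set its EKU property to
# Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2),
# the two OIDs used in the INF sample above.
Set-CertStoreProperties -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' `
    -FriendlyName 'Web front end (constructed example)' `
    -EkuOids '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'
```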

Return to Menu

-viewstore

CertUtil [Options] -viewstore [CertificateStoreName [CertId [OutputFile]]]

Dump certificate store

CertificateStoreName: Certificate store name. Examples:

  • "My", "CA" (default), "Root",
  • "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority" (View Root Certificates)
  • "ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority" (Modify Root Certificates)
  • "ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint" (View CRLs)
  • "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority" (Enterprise CA Certificates)
  • ldap: (AD machine object certificates)
  • -user ldap: (AD user object certificates)

CertId: Certificate or CRL match token. This can be a serial number, an SHA-1 certificate, CRL, CTL or public key hash, a numeric cert index (0, 1, and so on), a numeric CRL index (.0, .1, and so on), a numeric CTL index (..0, ..1, and so on), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail address, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or Application Policies ObjectId, or a CRL issuer Common Name. Many of these may result in multiple matches.

OutputFile: file to save matching cert

Use -user to access a user store instead of a machine store.

Use -enterprise to access a machine enterprise store.

Use -service to access a machine service store.

Use -grouppolicy to access a machine group policy store.

Examples:

  1. -enterprise NTAuth
  2. -enterprise Root 37
  3. -user My 26e0aaaf000000000004
  4. CA .11

[-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

Return to Menu

-viewdelstore

CertUtil [Options] -viewdelstore [CertificateStoreName [CertId [OutputFile]]]

Delete certificate from store

CertificateStoreName: Certificate store name. Examples:

  • "My", "CA" (default), "Root",
  • "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority" (View Root Certificates)
  • "ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority" (Modify Root Certificates)
  • "ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint" (View CRLs)
  • "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority" (Enterprise CA Certificates)
  • ldap: (AD machine object certificates)
  • -user ldap: (AD user object certificates)

CertId: Certificate or CRL match token. This can be a serial number, an SHA-1 certificate, CRL, CTL or public key hash, a numeric cert index (0, 1, and so on), a numeric CRL index (.0, .1, and so on), a numeric CTL index (..0, ..1, and so on), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail address, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or Application Policies ObjectId, or a CRL issuer Common Name. Many of these may result in multiple matches.

OutputFile: file to save matching cert

Use -user to access a user store instead of a machine store.

Use -enterprise to access a machine enterprise store.

Use -service to access a machine service store.

Use -grouppolicy to access a machine group policy store.

Examples:

  1. -enterprise NTAuth
  2. -enterprise Root 37
  3. -user My 26e0aaaf000000000004
  4. CA .11

[-f] [-enterprise] [-user] [-GroupPolicy] [-dc DCName]

Return to Menu

-dsPublish

CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]

CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]]

Publish certificate or CRL to Active Directory

CertFile: certificate file to publish

NTAuthCA: Publish cert to DS Enterprise store

RootCA: Publish cert to DS Trusted Root store

SubCA: Publish CA cert to DS CA object

CrossCA: Publish cross cert to DS CA object

KRA: Publish cert to DS Key Recovery Agent object

User: Publish cert to User DS object

Machine: Publish cert to Machine DS object

CRLFile: CRL file to publish

DSCDPContainer: DS CDP container CN, usually the CA machine name

DSCDPCN: DS CDP object CN, usually based on the sanitized CA short name and key index

Use -f to create DS object.

[-f] [-user] [-dc DCName]

Return to Menu

-ADTemplate

CertUtil [Options] -ADTemplate [Template]

Display AD templates

[-f] [-user] [-ut] [-mt] [-dc DCName]

-Template

CertUtil [Options] -Template [Template]

Display Enrollment Policy templates

[-f] [-user] [-silent] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

Return to Menu

-TemplateCAs

CertUtil [Options] -TemplateCAs Template

Display CAs for template

[-f] [-user] [-dc DCName]

Return to Menu

-CATemplates

CertUtil [Options] -CATemplates [Template]

Display templates for CA

[-f] [-user] [-ut] [-mt] [-config Machine\CAName] [-dc DCName]

Return to Menu

-SetCASites

CertUtil [Options] -SetCASites [set] [SiteName]

CertUtil [Options] -SetCASites verify [SiteName]

CertUtil [Options] -SetCASites delete

Set, Verify or Delete CA site names

  • Use the -config option to target a single CA (Default is all CAs)
  • SiteName is allowed only when targeting a single CA
  • Use -f to override validation errors for the specified SiteName
  • Use -f to delete all CA site names

[-f] [-config Machine\CAName] [-dc DCName]

Note

For more information on configuring CAs for Active Directory Domain Services (AD DS) site awareness, see AD DS Site Awareness for AD CS and PKI clients.

Return to Menu

-enrollmentServerURL

CertUtil [Options] -enrollmentServerURL [URL AuthenticationType [Priority] [Modifiers]]

CertUtil [Options] -enrollmentServerURL URL delete

Display, add or delete enrollment server URLs associated with a CA

AuthenticationType: Specify one of the following client authentication methods while adding a URL

  1. Kerberos: Use Kerberos SSL credentials
  2. UserName: Use named account for SSL credentials
  3. ClientCertificate: Use X.509 Certificate SSL credentials
  4. Anonymous: Use anonymous SSL credentials

delete: deletes the specified URL associated with the CA

Priority: defaults to '1' if not specified when adding a URL

Modifiers -- Comma separated list of one or more of the following:

  1. AllowRenewalsOnly: Only renewal requests can be submitted to this CA via this URL
  2. AllowKeyBasedRenewal: Allows use of a certificate that has no associated account in the AD. This applies only with ClientCertificate and AllowRenewalsOnly mode

[-config Machine\CAName] [-dc DCName]

Return to Menu

-ADCA

CertUtil [Options] -ADCA [CAName]

Display AD CAs

[-f] [-split] [-dc DCName]

Return to Menu

-CA

CertUtil [Options] -CA [CAName | TemplateName]

Display Enrollment Policy CAs

[-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

Return to Menu

-Policy

Display Enrollment Policy

[-f] [-user] [-silent] [-split] [-PolicyServer URLOrId] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

Return to Menu

-PolicyCache

CertUtil [Options] -PolicyCache [delete]

Display or delete Enrollment Policy Cache entries

delete: delete Policy Server cache entries

-f: use -f to delete all cache entries

[-f] [-user] [-PolicyServer URLOrId]

Return to Menu

-CredStore

CertUtil [Options] -CredStore [URL]

CertUtil [Options] -CredStore URL add

CertUtil [Options] -CredStore URL delete

Display, add or delete Credential Store entries

URL: target URL. Use * to match all entries. Use https://machine* to match a URL prefix.

add: add a Credential Store entry. SSL credentials must also be specified.

delete: delete Credential Store entries

-f: use -f to overwrite an entry or to delete multiple entries.

[-f] [-user] [-silent] [-Anonymous] [-Kerberos] [-ClientCertificate ClientCertId] [-UserName UserName] [-p Password]

Return to Menu

-InstallDefaultTemplates

CertUtil [Options] -InstallDefaultTemplates

Install default certificate templates

[-dc DCName]

Return to Menu

-URLCache

CertUtil [Options] -URLCache [URL | CRL | * [delete]]

Display or delete URL cache entries

URL: cached URL

CRL: operate on all cached CRL URLs only

*: operate on all cached URLs

delete: delete relevant URLs from the current user's local cache

Use -f to force fetching a specific URL and updating the cache.

[-f] [-split]

Return to Menu

-pulse

CertUtil [Options] -pulse

Pulse autoenrollment events

[-user]

Return to Menu

-MachineInfo

CertUtil [Options] -MachineInfo DomainName\MachineName$

Display Active Directory computer object information

Return to Menu

-DCInfo

CertUtil [Options] -DCInfo [Domain] [Verify | DeleteBad | DeleteAll]

Display domain controller information

Default is to display DC certs without verification

[-f] [-user] [-urlfetch] [-dc DCName] [-t Timeout]

Tip

The ability to specify an Active Directory Domain Services (AD DS) domain [Domain] and to specify a domain controller (-dc) was added in Windows Server 2012. To successfully run the command, you must use an account that is a member of Domain Admins or Enterprise Admins. The behavior modifications of this command are as follows:

  1. If a domain is not specified and a specific domain controller is not specified, this option returns a list of domain controllers to process from the default domain controller.
  2. If a domain is not specified, but a domain controller is specified, a report of the certificates on the specified domain controller is generated.
  3. If a domain is specified, but a domain controller is not specified, a list of domain controllers is generated along with reports on the certificates for each domain controller in the list.
  4. If the domain and domain controller are specified, a list of domain controllers is generated from the targeted domain controller. A report of the certificates for each domain controller in the list is also generated.

For example, assume there is a domain named CPANDL with a domain controller named CPANDL-DC1. You could run the following command to retrieve a list of domain controllers and their certificates from CPANDL-DC1: certutil -dc cpandl-dc1 -dcinfo cpandl

Return to Menu

-EntInfo

CertUtil [Options] -EntInfo DomainName\MachineName$

[-f] [-user]

Return to Menu

-TCAInfo

CertUtil [Options] -TCAInfo [DomainDN | -]

Display CA information

[-f] [-enterprise] [-user] [-urlfetch] [-dc DCName] [-t Timeout]

Return to Menu

-SCInfo

CertUtil [Options] -SCInfo [ReaderName [CRYPT_DELETEKEYSET]]

Display smart card information

CRYPT_DELETEKEYSET: Delete all keys on the smart card

[-silent] [-split] [-urlfetch] [-t Timeout]

Return to Menu

-SCRoots

CertUtil [Options] -SCRoots update [+][InputRootFile] [ReaderName]

CertUtil [Options] -SCRoots save @OutputRootFile [ReaderName]

CertUtil [Options] -SCRoots view [InputRootFile | ReaderName]

CertUtil [Options] -SCRoots delete [ReaderName]

Manage smart card root certificates

[-f] [-split] [-p Password]

Return to Menu

-verifykeys

CertUtil [Options] -verifykeys [KeyContainerName CACertFile]

Verify public/private key set

KeyContainerName: key container name of the key to verify. Defaults to machine keys. Use -user for user keys.

CACertFile: signing or encryption certificate file

If no arguments are specified, each signing CA cert is verified against its private key.

This operation can only be performed against a local CA or local keys.

[-f] [-user] [-silent] [-config Machine\CAName]

Return to Menu

-verify

CertUtil [Options] -verify CertFile [ApplicationPolicyList | - [IssuancePolicyList]]

CertUtil [Options] -verify CertFile [CACertFile [CrossedCACertFile]]

CertUtil [Options] -verify CRLFile CACertFile [IssuedCertFile]

CertUtil [Options] -verify CRLFile CACertFile [DeltaCRLFile]

Verify certificate, CRL or chain

CertFile: Certificate to verify

ApplicationPolicyList: optional comma separated list of required Application Policy ObjectIds

IssuancePolicyList: optional comma separated list of required Issuance Policy ObjectIds

CACertFile: optional issuing CA certificate to verify against

CrossedCACertFile: optional certificate cross-certified by CertFile

CRLFile: CRL to verify

IssuedCertFile: optional issued certificate covered by CRLFile

DeltaCRLFile: optional delta CRL

If ApplicationPolicyList is specified, chain building is restricted to chains valid for the specified Application Policies.

If IssuancePolicyList is specified, chain building is restricted to chains valid for the specified Issuance Policies.

If CACertFile is specified, fields in CACertFile are verified against CertFile or CRLFile.

If CACertFile is not specified, CertFile is used to build and verify a full chain.

If CACertFile and CrossedCACertFile are both specified, fields in CACertFile and CrossedCACertFile are verified against CertFile.

If IssuedCertFile is specified, fields in IssuedCertFile are verified against CRLFile.

If DeltaCRLFile is specified, fields in DeltaCRLFile are verified against CRLFile.

[-f] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t Timeout]
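As an added example (not code from the original page), the PowerShell below wraps the first two -verify syntax forms and the CRL form so that a batch of certificate files can be checked with -urlfetch and the results collected as objects; the function names, the folder and file names in the sample call are constructed, and certutil.exe is assumed to be on PATH.

```powershell
# Added example: run certutil -verify over files and return structured results.
# Each object records the exit code and the full certutil output; the text is kept
# because the chain status details (revocation, policy, name constraints) are
# only reported there. All paths below are constructed placeholders.

function Test-CertificateChain {
    param(
        [Parameter(Mandatory)] [string] $CertFile,   # CertFile: certificate to verify
        [string]   $CACertFile,                      # optional issuing CA cert (second syntax form)
        [string[]] $ApplicationPolicy,               # optional Application Policy OIDs (first form)
        [switch]   $UserContext                      # -user: evaluate against the user stores
    )

    # -urlfetch makes certutil fetch AIA certificates and CDP CRLs while building
    # the chain, so a stale or unreachable CRL distribution point shows up here
    # instead of at first use on a server.
    $certutilArgs = @('-verify', '-urlfetch')
    if ($UserContext) { $certutilArgs += '-user' }
    $certutilArgs += $CertFile

    # The two forms are mutually exclusive: a CA file restricts the check to the
    # CA/cert field comparison, while a policy list restricts chain building.
    if ($CACertFile) {
        $certutilArgs += $CACertFile
    }
    elseif ($ApplicationPolicy) {
        $certutilArgs += ($ApplicationPolicy -join ',')
    }

    $output = & certutil.exe @certutilArgs 2>&1 | ForEach-Object { "$_" }
    [pscustomobject]@{
        File     = $CertFile
        Passed   = ($LASTEXITCODE -eq 0)
        ExitCode = $LASTEXITCODE
        Output   = ($output -join "`n")
    }
}

function Test-CrlAgainstCA {
    param(
        [Parameter(Mandatory)] [string] $CrlFile,     # CRLFile: CRL to verify
        [Parameter(Mandatory)] [string] $CACertFile,  # CA that is expected to have signed it
        [string] $IssuedCertFile                      # optional cert that CRLFile should cover
    )

    # Third syntax form: the CRL's issuer and signature are checked against the
    # CA certificate, and optionally an issued certificate against the CRL.
    $certutilArgs = @('-verify', $CrlFile, $CACertFile)
    if ($IssuedCertFile) { $certutilArgs += $IssuedCertFile }

    $output = & certutil.exe @certutilArgs 2>&1 | ForEach-Object { "$_" }
    [pscustomobject]@{
        File     = $CrlFile
        Passed   = ($LASTEXITCODE -eq 0)
        ExitCode = $LASTEXITCODE
        Output   = ($output -join "`n")
    }
}

# Constructed sample run: verify every .cer exported from a server against the
# issuing CA certificate, then confirm the published CRL is signed by that CA.
$auditDir = 'C:\pki-audit'                       # placeholder folder
$caFile   = Join-Path $auditDir 'issuing-ca.cer'  # placeholder CA certificate

$results = Get-ChildItem -Path (Join-Path $auditDir '*.cer') |
    Where-Object { $_.FullName -ne $caFile } |
    ForEach-Object { Test-CertificateChain -CertFile $_.FullName -CACertFile $caFile }
$results += Test-CrlAgainstCA -CrlFile (Join-Path $auditDir 'issuing-ca.crl') -CACertFile $caFile

$results | Select-Object File, Passed, ExitCode | Format-Table -AutoSize
# Failed items keep their certutil text in .Output for follow-up:
$results | Where-Object { -not $_.Passed } | ForEach-Object { $_.Output }
```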

返回菜单Return to Menu

-verifyCTL-verifyCTL

CertUtil [Options]-verifyCTL CTLObject [CertDir] [CertFile]CertUtil [Options] -verifyCTL CTLObject [CertDir] [CertFile]

验证 AuthRoot 或不允许的证书 CTLVerify AuthRoot or Disallowed Certificates CTL

CTLObject:标识要验证的 CTL:CTLObject: Identifies the CTL to verify:

  • AuthRootWU:从 URL 缓存读取 AuthRoot CAB 和匹配的证书。AuthRootWU: read AuthRoot CAB and matching certificates from the URL cache. 改为使用-f 从 Windows 更新下载。Use -f to download from Windows Update instead.
  • DisallowedWU:读取不允许的证书 CAB,并从 URL 缓存禁用证书存储区文件。DisallowedWU: read Disallowed Certificates CAB and disallowed certificate store file from the URL cache. 改为使用-f 从 Windows 更新下载。Use -f to download from Windows Update instead.
  • AuthRoot:读取注册表缓存的 AuthRoot CTL。AuthRoot: read registry cached AuthRoot CTL. 使用 with-f 和不受信任的 CertFile 来强制更新注册表缓存的 AuthRoot 和不允许的证书 Ctl。Use with -f and a CertFile that is not already trusted to force updating the registry cached AuthRoot and Disallowed Certificate CTLs.
  • 不允许:读取注册表缓存不允许的证书 CTL。Disallowed: read registry cached Disallowed Certificates CTL. -f 与 AuthRoot 的行为相同。-f has the same behavior as with AuthRoot.
  • CTLFileName: file 或 http: CTL 或 CAB 的路径CTLFileName: file or http: path to CTL or CAB

CertDir:包含与 CTL 条目匹配的证书的文件夹。CertDir: folder containing certificates matching CTL entries. Http:文件夹路径必须以路径分隔符结尾。An http: folder path must end with a path separator. 如果未使用 AuthRoot 指定文件夹,则将在多个位置中搜索匹配的证书:本地证书存储、crypt32.dll 资源和本地 URL 缓存。If a folder is not specified with AuthRoot or Disallowed, multiple locations will be searched for matching certificates: local certificate stores, crypt32.dll resources and the local URL cache. 必要时,请使用-f 从 Windows 更新下载。Use -f to download from Windows Update when necessary. 否则,默认为与 CTLObject 相同的文件夹或网站。Otherwise defaults to the same folder or web site as the CTLObject.

CertFile:包含要验证的证书的文件。CertFile: file containing certificate(s) to verify. 证书将与 CTL 条目匹配,并显示匹配结果。Certificates will be matched against CTL entries, and match results displayed. 禁止显示大多数默认输出。Suppresses most of the default output.

[-f][-user][-split][-f] [-user] [-split]

返回菜单Return to Menu

-sign-sign

CertUtil [Options]-sign InFileList |SerialNumber |CRL OutFileList [开始日期 + dd: hh] [+ SerialNumberList |-SerialNumberList |-ObjectIdList | @ExtensionFile]CertUtil [Options] -sign InFileList|SerialNumber|CRL OutFileList [StartDate+dd:hh] [+SerialNumberList | -SerialNumberList | -ObjectIdList | @ExtensionFile]

CertUtil [Options]-sign InFileList |SerialNumber |CRL OutFileList [#HashAlgorithm] [+ 内容: alternatesignaturealgorithm |-内容: alternatesignaturealgorithm]CertUtil [Options] -sign InFileList|SerialNumber|CRL OutFileList [#HashAlgorithm] [+AlternateSignatureAlgorithm | -AlternateSignatureAlgorithm]

重新签署 CRL 或证书Re-sign CRL or certificate

InFileList:逗号分隔的证书或 CRL 文件列表,用于修改和重新签名InFileList: comma separated list of Certificate or CRL files to modify and re-sign

SerialNumber:要创建的证书的序列号。SerialNumber: Serial number of certificate to create. 有效期和其他选项不得存在。Validity period and other options must not be present.

CRL:创建空 CRL。CRL: Create an empty CRL. 有效期和其他选项不得存在。Validity period and other options must not be present.

OutFileList:以逗号分隔的已修改证书或 CRL 输出文件的列表。OutFileList: comma separated list of modified Certificate or CRL output files. 文件数量必须与 InFileList 匹配。The number of files must match InFileList.

开始日期 + dd: hh:新的有效期:可选的日期加上;可选日期和小时有效期;如果同时指定两者,则使用加号(+)分隔符。StartDate+dd:hh: new validity period: optional date plus; optional days and hours validity period; If both are specified, use a plus sign (+) separator. 使用 "now [+ dd: hh]" 从当前时间开始。Use "now[+dd:hh]" to start at the current time. 使用 "从不" 无到期日期(仅适用于 Crl)。Use "never" to have no expiration date (for CRLs only).

SerialNumberList:要添加或删除的以逗号分隔的序列号列表SerialNumberList: comma separated serial number list to add or remove

ObjectIdList:要删除的以逗号分隔的扩展 ObjectId 列表ObjectIdList: comma separated extension ObjectId list to remove

@ExtensionFile: INF 文件包含要更新或删除的扩展:@ExtensionFile: INF file containing extensions to update or remove:

[Extensions]
     2.5.29.31 = ; Remove CRL Distribution Points extension
     2.5.29.15 = "{hex}" ; Update Key Usage extension
     _continue_="03 02 01 86"

HashAlgorithm:哈希算法的名称,前面加上一个 # 号HashAlgorithm: Name of the hash algorithm preceded by a # sign

内容: alternatesignaturealgorithm:备用签名算法说明符AlternateSignatureAlgorithm: alternate Signature algorithm specifier

减号将导致序列号和扩展被删除。A minus sign causes serial numbers and extensions to be removed. 加号将导致序列号添加到 CRL。A plus sign causes serial numbers to be added to a CRL. 从 CRL 中删除项时,列表可能同时包含序列号和 ObjectIds。When removing items from a CRL, the list may contain both serial numbers and ObjectIds. 内容: alternatesignaturealgorithm 之前的减号导致使用旧签名格式。A minus sign before AlternateSignatureAlgorithm causes the legacy signature format to be used. 内容: alternatesignaturealgorithm 之前的加号会导致使用 alternature 签名格式。A plus sign before AlternateSignatureAlgorithm causes the alternature signature format to be used. 如果未指定内容: alternatesignaturealgorithm,则使用证书或 CRL 中的签名格式。If AlternateSignatureAlgorithm is not specified then the signature format in the certificate or CRL is used.

[-nullsign][-f][-无声][-Cert 证书 id][-nullsign] [-f] [-silent] [-Cert CertId]

返回菜单Return to Menu

-vroot-vroot

CertUtil [Options]-vroot [delete]CertUtil [Options] -vroot [delete]

创建/删除 web 虚拟根和文件共享Create/delete web virtual roots and file shares

返回菜单Return to Menu

-vocsproot-vocsproot

CertUtil [Options]-vocsproot [delete]CertUtil [Options] -vocsproot [delete]

为 OCSP web 代理创建/删除 web 虚拟根Create/delete web virtual roots for OCSP web proxy

返回菜单Return to Menu

-addEnrollmentServer-addEnrollmentServer

CertUtil [Options]-addEnrollmentServer Kerberos |用户名 |ClientCertificate [AllowRenewalsOnly] [AllowKeyBasedRenewal]CertUtil [Options] -addEnrollmentServer Kerberos | UserName | ClientCertificate [AllowRenewalsOnly] [AllowKeyBasedRenewal]

添加注册服务器应用程序Add an Enrollment Server application

为指定的 CA 添加注册服务器应用程序和应用程序池(如有必要)。Add an Enrollment Server application and application pool if necessary, for the specified CA. 此命令不安装二进制文件或包。This command does not install binaries or packages. 与客户端连接到证书注册服务器的下列身份验证方法之一。One of the following authentication methods with which the client connects to a Certificate Enrollment Server.

  • Kerberos:使用 Kerberos SSL 凭据Kerberos: Use Kerberos SSL credentials
  • 用户名:使用命名帐户作为 SSL 凭据UserName: Use named account for SSL credentials
  • ClientCertificate:使用 x.509 证书 SSL 凭据ClientCertificate: Use X.509 Certificate SSL credentials
  • AllowRenewalsOnly:只能通过此 URL 将续订请求提交到此 CAAllowRenewalsOnly: Only renewal requests can be submitted to this CA via this URL
  • AllowKeyBasedRenewal--允许使用在 AD 中没有关联帐户的证书。AllowKeyBasedRenewal -- Allows use of a certificate that has no associated account in the AD. 这仅适用于 ClientCertificate 和 AllowRenewalsOnly 模式。This applies only with ClientCertificate and AllowRenewalsOnly mode.

[-config Machine\CAName][-config Machine\CAName]

返回菜单Return to Menu

-deleteEnrollmentServer

CertUtil [Options] -deleteEnrollmentServer Kerberos | UserName | ClientCertificate

Delete an Enrollment Server application

Delete an Enrollment Server application and, if necessary, its application pool for the specified CA. This command does not remove binaries or packages. The argument is the authentication method with which the client connects to the Certificate Enrollment Server:

  1. Kerberos: Use Kerberos SSL credentials
  2. UserName: Use named account for SSL credentials
  3. ClientCertificate: Use X.509 certificate SSL credentials

[-config Machine\CAName]

-addPolicyServer

CertUtil [Options] -addPolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]

Add a Policy Server application

Add a Policy Server application and, if necessary, an application pool. This command does not install binaries or packages. The first argument is the authentication method with which the client connects to the Certificate Policy Server:

  • Kerberos: Use Kerberos SSL credentials
  • UserName: Use named account for SSL credentials
  • ClientCertificate: Use X.509 certificate SSL credentials
  • KeyBasedRenewal: Only policies that contain KeyBasedRenewal templates are returned to the client. This flag applies only for UserName and ClientCertificate authentication.

-deletePolicyServer

CertUtil [Options] -deletePolicyServer Kerberos | UserName | ClientCertificate [KeyBasedRenewal]

Delete a Policy Server application

Delete a Policy Server application and, if necessary, its application pool. This command does not remove binaries or packages. The first argument is the authentication method with which the client connects to the Certificate Policy Server:

  1. Kerberos: Use Kerberos SSL credentials
  2. UserName: Use named account for SSL credentials
  3. ClientCertificate: Use X.509 certificate SSL credentials
  4. KeyBasedRenewal: KeyBasedRenewal policy server

-oid

CertUtil [Options] -oid ObjectId [DisplayName | delete [LanguageId [Type]]]

CertUtil [Options] -oid GroupId

CertUtil [Options] -oid AlgId | AlgorithmName [GroupId]

Display ObjectId or set display name

  • ObjectId -- ObjectId to display or to add a display name for
  • GroupId -- decimal GroupId number for ObjectIds to enumerate
  • AlgId -- hexadecimal AlgId for ObjectId to look up
  • AlgorithmName -- Algorithm Name for ObjectId to look up
  • DisplayName -- Display Name to store in DS
  • delete -- delete display name
  • LanguageId -- Language Id (defaults to current: 1033)
  • Type -- DS object type to create: 1 for Template (default), 2 for Issuance Policy, 3 for Application Policy
  • Use -f to create the DS object.

[-f]

-error

CertUtil [Options] -error ErrorCode

Display error code message text

-getreg

CertUtil [Options] -getreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}[ProgId]] [RegistryValueName]

Display registry value

  • ca: Use CA's registry key
  • restore: Use CA's restore registry key
  • policy: Use policy module's registry key
  • exit: Use first exit module's registry key
  • template: Use template registry key (use -user for user templates)
  • enroll: Use enrollment registry key (use -user for user context)
  • chain: Use chain configuration registry key
  • PolicyServers: Use Policy Servers registry key
  • ProgId: Use policy or exit module's ProgId (registry subkey name)
  • RegistryValueName: registry value name (use "Name*" to prefix match)

Value: new numeric, string or date registry value or filename. If a numeric value starts with "+" or "-", the bits specified in the new value are set or cleared in the existing registry value.

If a string value starts with "+" or "-", and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add a "\n" to the end of the string value.

If the value starts with "@", the rest of the value is the name of a file containing the hexadecimal text representation of a binary value. If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh] -- an optional date plus or minus optional days and hours. If both are specified, use a plus sign (+) or minus sign (-) separator. Use "now+dd:hh" for a date relative to the current time.

Use "chain\ChainCacheResyncFiletime @now" to effectively flush cached CRLs.

[-f] [-user] [-GroupPolicy] [-config Machine\CAName]

-setreg

CertUtil [Options] -setreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}[ProgId]] RegistryValueName Value

Set registry value

  • ca: Use CA's registry key
  • restore: Use CA's restore registry key
  • policy: Use policy module's registry key
  • exit: Use first exit module's registry key
  • template: Use template registry key (use -user for user templates)
  • enroll: Use enrollment registry key (use -user for user context)
  • chain: Use chain configuration registry key
  • PolicyServers: Use Policy Servers registry key
  • ProgId: Use policy or exit module's ProgId (registry subkey name)
  • RegistryValueName: registry value name (use "Name*" to prefix match)

Value: new numeric, string or date registry value or filename. If a numeric value starts with "+" or "-", the bits specified in the new value are set or cleared in the existing registry value.

If a string value starts with "+" or "-", and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add a "\n" to the end of the string value.

If the value starts with "@", the rest of the value is the name of a file containing the hexadecimal text representation of a binary value. If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh] -- an optional date plus or minus optional days and hours. If both are specified, use a plus sign (+) or minus sign (-) separator. Use "now+dd:hh" for a date relative to the current time.

Use "chain\ChainCacheResyncFiletime @now" to effectively flush cached CRLs.

[-f] [-user] [-GroupPolicy] [-config Machine\CAName]

-delreg

CertUtil [Options] -delreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}[ProgId]] [RegistryValueName]

Delete registry value

  • ca: Use CA's registry key
  • restore: Use CA's restore registry key
  • policy: Use policy module's registry key
  • exit: Use first exit module's registry key
  • template: Use template registry key (use -user for user templates)
  • enroll: Use enrollment registry key (use -user for user context)
  • chain: Use chain configuration registry key
  • PolicyServers: Use Policy Servers registry key
  • ProgId: Use policy or exit module's ProgId (registry subkey name)
  • RegistryValueName: registry value name (use "Name*" to prefix match)

Value: new numeric, string or date registry value or filename. If a numeric value starts with "+" or "-", the bits specified in the new value are set or cleared in the existing registry value.

If a string value starts with "+" or "-", and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add a "\n" to the end of the string value.

If the value starts with "@", the rest of the value is the name of a file containing the hexadecimal text representation of a binary value. If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh] -- an optional date plus or minus optional days and hours. If both are specified, use a plus sign (+) or minus sign (-) separator. Use "now+dd:hh" for a date relative to the current time.

Use "chain\ChainCacheResyncFiletime @now" to effectively flush cached CRLs.

[-f] [-user] [-GroupPolicy] [-config Machine\CAName]
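As an added example of the -getreg and -setreg value syntax described above (this is not from the certutil documentation), the following PowerShell reads a CA flag value with the "Name*" prefix match, sets and later clears one bit with the "+FLAG" and "-FLAG" forms, and flushes the CRL cache with an "@" date value. The CA config string is a constructed placeholder, and Get-CertutilValue is a helper defined here, not a certutil verb; the only registry values used are ca\KRAFlags and chain\ChainCacheResyncFiletime from this page.

```powershell
# Added example, not part of the certutil documentation.
# Assumes it runs as a CA administrator on (or with access to) an enterprise CA.
$caConfig = 'CA01.corp.example\Corp-Issuing-CA'   # constructed placeholder for -config Machine\CAName

function Get-CertutilValue {
    # Helper (not a certutil verb): run "certutil -getreg <Key>" and return its output lines.
    param(
        [Parameter(Mandatory)][string]$Key,
        [string]$Config = $caConfig
    )
    $lines = & certutil.exe -config $Config -getreg $Key
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg $Key failed with exit code $LASTEXITCODE" }
    return $lines
}

# 1. Read the current values. "ca\KRA*" is the "Name*" prefix-match form and lists
#    every value under the CA key whose name starts with KRA.
Get-CertutilValue -Key 'ca\KRA*'

# 2. "+FLAG" sets only that bit in the existing DWORD; every other bit is left as it was.
#    KRAF_ENABLEFOREIGN is the bit -ImportCert / -ImportKMS need before the CA will
#    accept certificates it did not issue (see -ImportCert above).
& certutil.exe -config $caConfig -setreg 'ca\KRAFlags' '+KRAF_ENABLEFOREIGN'
if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed' }

# Verify the bit is now reported (assumption: -getreg prints the symbolic flag names
# beneath the numeric value, so the name appears in the output when the bit is set).
$after = Get-CertutilValue -Key 'ca\KRAFlags'
if (@($after -match 'KRAF_ENABLEFOREIGN').Count -eq 0) { throw 'KRAF_ENABLEFOREIGN is not set' }

# CA registry settings are read when Certificate Services starts, so the change is
# not live until the service is restarted.
Restart-Service -Name CertSvc

# ... run the foreign import (certutil -ImportCert <file>) here ...

# 3. "-FLAG" clears the bit again. Turning foreign import back off once the import is
#    done keeps the CA from silently accepting certificates it did not issue later on.
& certutil.exe -config $caConfig -setreg 'ca\KRAFlags' '-KRAF_ENABLEFOREIGN'
if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed' }
Restart-Service -Name CertSvc

# 4. A value beginning with "@" that is not an existing file is parsed as a date, and
#    "@now" is the current time. It is quoted because an unquoted @now would be read as
#    PowerShell splatting. Writing it to ChainCacheResyncFiletime makes the chain engine
#    discard cached CRLs, so revocation checks re-fetch fresh ones; no -config is needed
#    because the chain key is local machine configuration, not a CA setting.
& certutil.exe -setreg 'chain\ChainCacheResyncFiletime' '@now'
```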

-ImportKMS

CertUtil [Options] -ImportKMS UserKeyAndCertFile [CertId]

Import user keys and certificates into the server database for key archival

UserKeyAndCertFile -- Data file containing the user private keys and certificates to be archived. This can be any of the following:

  • Exchange Key Management Server (KMS) export file
  • PFX file

CertId: KMS export file decryption certificate match token. See -store.

Use -f to import certificates not issued by the CA.

[-f] [-silent] [-split] [-config Machine\CAName] [-p Password] [-symkeyalg SymmetricKeyAlgorithm[,KeyLength]]

-ImportCert

CertUtil [Options] -ImportCert Certfile [ExistingRow]

Import a certificate file into the database

Use ExistingRow to import the certificate in place of a pending request for the same key.

Use -f to import certificates not issued by the CA.

The CA may also need to be configured to support foreign certificate import: certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN

[-f] [-config Machine\CAName]

-GetKey

CertUtil [Options] -GetKey SearchToken [RecoveryBlobOutFile]

CertUtil [Options] -GetKey SearchToken script OutputScriptFile

CertUtil [Options] -GetKey SearchToken retrieve | recover OutputFileBaseName

Retrieve an archived private key recovery blob, generate a recovery script, or recover archived keys

script: generate a script to retrieve and recover keys (default behavior if multiple matching recovery candidates are found, or if the output file is not specified).

retrieve: retrieve one or more Key Recovery Blobs (default behavior if exactly one matching recovery candidate is found and the output file is specified).

recover: retrieve and recover private keys in one step (requires Key Recovery Agent certificates and private keys).

SearchToken: Used to select the keys and certificates to be recovered.

Can be any of the following:

  1. Certificate Common Name
  2. Certificate Serial Number
  3. Certificate SHA-1 hash (thumbprint)
  4. Certificate KeyId SHA-1 hash (Subject Key Identifier)
  5. Requester Name (domain\user)
  6. UPN (user@domain)

RecoveryBlobOutFile: output file containing a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates.

OutputScriptFile: output file containing a batch script to retrieve and recover private keys.

OutputFileBaseName: output file base name. For retrieve, any extension is truncated and a certificate-specific string and the .rec extension are appended for each key recovery blob. Each file contains a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates. For recover, any extension is truncated and the .p12 extension is appended. The file contains the recovered certificate chains and associated private keys, stored as a PFX file.

[-f] [-UnicodeText] [-silent] [-config Machine\CAName] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider]

-RecoverKey

CertUtil [Options] -RecoverKey RecoveryBlobInFile [PFXOutFile [RecipientIndex]]

Recover archived private key

[-f] [-user] [-silent] [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider] [-t Timeout]
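As an added example of the two-step -GetKey retrieve / -RecoverKey sequence described above (this is not from the certutil documentation), the following PowerShell, run under a Key Recovery Agent's account, retrieves the still-encrypted recovery blobs for one requester and then decrypts each into a PFX bound to that user's account with -ProtectTo. The CA name, requester, directory and the two function names are constructed for this example; the assumption that -ProtectTo removes the need for a -p password is marked in the code.

```powershell
# Added example, not part of the certutil documentation.
# Runs under the Key Recovery Agent's account, whose KRA certificate and private key
# are in that user's certificate store. All names below are constructed placeholders.
$caConfig  = 'CA01.corp.example\Corp-Issuing-CA'   # -config Machine\CAName
$requester = 'CORP\jdoe'                           # SearchToken form 5: Requester Name (domain\user)
$workDir   = Join-Path $env:TEMP 'keyrecovery'
New-Item -ItemType Directory -Force -Path $workDir | Out-Null

function Get-RecoveryBlobs {
    # Step 1 (-GetKey ... retrieve): pull the Key Recovery Blob(s) matching a SearchToken.
    # Each blob holds a certificate chain plus a private key still encrypted to the KRA
    # certificate(s), so nothing written to $BaseName's directory is usable without the KRA key.
    param([string]$SearchToken, [string]$BaseName)
    & certutil.exe -config $caConfig -GetKey $SearchToken retrieve $BaseName
    if ($LASTEXITCODE -ne 0) { throw "certutil -GetKey retrieve failed with exit code $LASTEXITCODE" }
    # OutputFileBaseName gets a certificate-specific string and ".rec" appended per blob.
    $dir  = Split-Path -Parent $BaseName
    $leaf = Split-Path -Leaf $BaseName
    return Get-ChildItem -Path $dir -Filter ($leaf + '*.rec')
}

function Restore-PrivateKey {
    # Step 2 (-RecoverKey): decrypt one blob with the KRA private key into a PFX (.p12).
    # -ProtectTo binds the PFX to the recipient's account rather than to a shared password
    # (assumption: certutil then needs no -p Password; add -p if it prompts on your build).
    param([System.IO.FileInfo]$Blob, [string]$ProtectTo)
    $pfx = [System.IO.Path]::ChangeExtension($Blob.FullName, '.p12')
    & certutil.exe -ProtectTo $ProtectTo -RecoverKey $Blob.FullName $pfx
    if ($LASTEXITCODE -ne 0) { throw "certutil -RecoverKey failed for $($Blob.Name)" }
    # The recovered key now lives in the PFX; the KRA-encrypted blob is no longer needed,
    # so remove it rather than leave a second copy of the key material on disk.
    Remove-Item -Path $Blob.FullName
    return $pfx
}

$base = Join-Path $workDir 'jdoe'
$pfxFiles = Get-RecoveryBlobs -SearchToken $requester -BaseName $base |
    ForEach-Object { Restore-PrivateKey -Blob $_ -ProtectTo $requester }

# Record who recovered what and when; deliver the .p12 files to the user over a protected channel.
$pfxFiles | ForEach-Object { "$(Get-Date -Format o) $env:USERNAME recovered $_ for $requester" } |
    Add-Content -Path (Join-Path $workDir 'recovery.log')
```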

-MergePFX

CertUtil [Options] -MergePFX PFXInFileList PFXOutFile [ExtendedProperties]

PFXInFileList: Comma separated PFX input file list

PFXOutFile: PFX output file

ExtendedProperties: Include extended properties

The password specified on the command line is a comma separated password list. If more than one password is specified, the last password is used for the output file. If only one password is provided, or if the last password is "*", the user is prompted for the output file password.

[-f] [-user] [-split] [-p Password] [-ProtectTo SAMNameAndSIDList] [-csp Provider]

-ConvertEPF

CertUtil [Options] -ConvertEPF PFXInFileList EPFOutFile [cast | cast-] [V3CACertId][,Salt]

Convert PFX files to an EPF file

PFXInFileList: Comma separated PFX input file list

EPFOutFile: EPF output file

cast: Use CAST 64 encryption

cast-: Use CAST 64 encryption (export)

V3CACertId: V3 CA Certificate match token. See the -store CertId description.

Salt: EPF output file salt string

The password specified on the command line is a comma separated password list. If more than one password is specified, the last password is used for the output file. If only one password is provided, or if the last password is "*", the user is prompted for the output file password.

[-f] [-silent] [-split] [-dc DCName] [-p Password] [-csp Provider]

Options

This section defines the options that you can specify with the command.

-nullsign -- Use hash of data as signature
-f -- Force overwrite
-enterprise -- Use local machine Enterprise registry certificate store
-user -- Use HKEY_CURRENT_USER keys or certificate store
-GroupPolicy -- Use Group Policy certificate store
-ut -- Display user templates
-mt -- Display machine templates
-Unicode -- Write redirected output in Unicode
-UnicodeText -- Write output file in Unicode
-gmt -- Display times as GMT
-seconds -- Display times with seconds and milliseconds
-silent -- Use silent flag to acquire crypt context
-split -- Split embedded ASN.1 elements, and save to files
-v -- Verbose operation
-privatekey -- Display password and private key data
-pin PIN -- Smart Card PIN
-urlfetch -- Retrieve and verify AIA Certs and CDP CRLs
-config Machine\CAName -- CA and computer name string
-PolicyServer URLOrId -- Policy Server URL or Id. For selection U/I, use -PolicyServer. For all Policy Servers, use -PolicyServer *
-Anonymous -- Use anonymous SSL credentials
-Kerberos -- Use Kerberos SSL credentials
-ClientCertificate ClientCertId -- Use X.509 certificate SSL credentials. For selection U/I, use -clientCertificate.
-UserName UserName -- Use named account for SSL credentials. For selection U/I, use -UserName.
-Cert CertId -- Signing certificate
-dc DCName -- Target a specific Domain Controller
-restrict RestrictionList -- Comma separated Restriction List. Each restriction consists of a column name, a relational operator and a constant integer, string or date. One column name may be preceded by a plus or minus sign to indicate the sort order. Examples:
  "RequestId = 47"
  "+RequesterName >= a, RequesterName < b"
  "-RequesterName > DOMAIN, Disposition = 21"
-out ColumnList -- Comma separated Column List
-p Password -- Password
-ProtectTo SAMNameAndSIDList -- Comma separated SAM Name/SID List
-csp Provider -- Provider
-t Timeout -- URL fetch timeout in milliseconds
-symkeyalg SymmetricKeyAlgorithm[,KeyLength] -- Name of Symmetric Key Algorithm with optional key length, for example: AES,128 or 3DES

Additional certutil examples

For some examples of how to use this command, see:

  1. Certutil Examples for Managing Active Directory Certificate Services (AD CS) from the Command Line
  2. Certutil tasks for managing certificates
  3. Binary Request Export Using the CertUtil.exe Command-Line Tool Walkthrough
  4. Root CA certificate renewal
  5. Certutil