certutil

Certutil.exe is a command-line program, installed as part of Certificate Services. You can use certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

If certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. If certutil is run on a non-certification authority, the command defaults to running the certutil [-dump] command.

Important

Earlier versions of certutil may not provide all of the options that are described in this document. You can see all the options that a specific version of certutil provides by running certutil -? or certutil <parameter> -?.

Parameters

-dump

Dump configuration information or files.

certutil [options] [-dump]
certutil [options] [-dump] file
[-f] [-silent] [-split] [-p password] [-t timeout]

-asn

Parse the ASN.1 file.

certutil [options] -asn file [type]

[type]: numeric CRYPT_STRING_* decoding type

-decodehex

Decode a hexadecimal-encoded file.

certutil [options] -decodehex infile outfile [type]

[type]: numeric CRYPT_STRING_* encoding type

[-f]

-decode

Decode a Base64-encoded file.

certutil [options] -decode infile outfile
[-f]

-encode

Encode a file to Base64.

certutil [options] -encode infile outfile
[-f] [-unicodetext]

-deny

Deny a pending request.

certutil [options] -deny requestID
[-config Machine\CAName]

-resubmit

Resubmit a pending request.

certutil [options] -resubmit requestId
[-config Machine\CAName]

-setattributes

Set attributes for a pending certificate request.

certutil [options] -setattributes RequestID attributestring

Where:

  • requestID is the numeric Request ID for the pending request.

  • attributestring is the request attribute name and value pairs.

[-config Machine\CAName]

Remarks

  • Names and values must be colon separated, while multiple name, value pairs must be newline separated. For example: CertificateTemplate:User\nEMail:User@Domain.com where the \n sequence is converted to a newline separator.

-setextension

Set an extension for a pending certificate request.

certutil [options] -setextension requestID extensionname flags {long | date | string | @infile}

Where:

  • requestID is the numeric Request ID for the pending request.

  • extensionname is the ObjectId string for the extension.

  • flags sets the priority of the extension. 0 is recommended, while 1 sets the extension to critical, 2 disables the extension, and 3 does both.

[-config Machine\CAName]

Remarks

  • If the last parameter is numeric, it's taken as a Long.

  • If the last parameter can be parsed as a date, it's taken as a Date.

  • If the last parameter starts with @, the rest of the token is taken as the filename with binary data or an ASCII-text hex dump.

  • If the last parameter is anything else, it's taken as a String.

-revoke

Revoke a certificate.

certutil [options] -revoke serialnumber [reason]

Where:

  • serialnumber is a comma-separated list of certificate serial numbers to revoke.

  • reason is the numeric or symbolic representation of the revocation reason, including:

    • 0. CRL_REASON_UNSPECIFIED - Unspecified (default)

    • 1. CRL_REASON_KEY_COMPROMISE - Key compromise

    • 2. CRL_REASON_CA_COMPROMISE - Certificate Authority compromise

    • 3. CRL_REASON_AFFILIATION_CHANGED - Affiliation changed

    • 4. CRL_REASON_SUPERSEDED - Superseded

    • 5. CRL_REASON_CESSATION_OF_OPERATION - Cessation of operation

    • 6. CRL_REASON_CERTIFICATE_HOLD - Certificate hold

    • 8. CRL_REASON_REMOVE_FROM_CRL - Remove from CRL

    • -1. Unrevoke - Unrevoke

[-config Machine\CAName]

-isvalid

Display the disposition of the current certificate.

certutil [options] -isvalid serialnumber | certhash
[-config Machine\CAName]

-getconfig

Get the default configuration string.

certutil [options] -getconfig
[-config Machine\CAName]

-ping

Attempt to contact the Active Directory Certificate Services Request interface.

certutil [options] -ping [maxsecondstowait | camachinelist]

Where:

  • camachinelist is a comma-separated list of CA machine names. For a single machine, use a terminating comma. This option also displays the site cost for each CA machine.

[-config Machine\CAName]

-cainfo

Display information about the certification authority.

certutil [options] -cainfo [infoname [index | errorcode]]

Where:

  • infoname indicates the CA property to display, based on the following infoname argument syntax:

    • file - File version

    • product - Product version

    • exitcount - Exit module count

    • exit [index] - Exit module description

    • policy - Policy module description

    • name - CA name

    • sanitizedname - Sanitized CA name

    • dsname - Sanitized CA short name (DS name)

    • sharedfolder - Shared folder

    • error1 ErrorCode - Error message text

    • error2 ErrorCode - Error message text and error code

    • type - CA type

    • info - CA info

    • parent - Parent CA

    • certcount - CA cert count

    • xchgcount - CA exchange cert count

    • kracount - KRA cert count

    • kraused - KRA cert used count

    • propidmax - Maximum CA PropId

    • certstate [index] - CA cert

    • certversion [index] - CA cert version

    • certstatuscode [index] - CA cert verify status

    • crlstate [index] - CRL

    • krastate [index] - KRA cert

    • crossstate+ [index] - Forward cross cert

    • crossstate- [index] - Backward cross cert

    • cert [index] - CA cert

    • certchain [index] - CA cert chain

    • certcrlchain [index] - CA cert chain with CRLs

    • xchg [index] - CA exchange cert

    • xchgchain [index] - CA exchange cert chain

    • xchgcrlchain [index] - CA exchange cert chain with CRLs

    • kra [index] - KRA cert

    • cross+ [index] - Forward cross cert

    • cross- [index] - Backward cross cert

    • CRL [index] - Base CRL

    • deltacrl [index] - Delta CRL

    • crlstatus [index] - CRL Publish Status

    • deltacrlstatus [index] - Delta CRL Publish Status

    • dns - DNS Name

    • role - Role Separation

    • ads - Advanced Server

    • templates - Templates

    • csp [index] - OCSP URLs

    • aia [index] - AIA URLs

    • cdp [index] - CDP URLs

    • localename - CA locale name

    • subjecttemplateoids - Subject Template OIDs

    • * - Displays all properties

  • index is the optional zero-based property index.

  • errorcode is the numeric error code.

[-f] [-split] [-config Machine\CAName]

-ca.cert

Retrieve the certificate for the certification authority.

certutil [options] -ca.cert outcacertfile [index]

Where:

  • outcacertfile is the output file.

  • index is the CA certificate renewal index (defaults to most recent).

[-f] [-split] [-config Machine\CAName]

-ca.chain

Retrieve the certificate chain for the certification authority.

certutil [options] -ca.chain outcacertchainfile [index]

Where:

  • outcacertchainfile is the output file.

  • index is the CA certificate renewal index (defaults to most recent).

[-f] [-split] [-config Machine\CAName]

-getcrl

Gets a certificate revocation list (CRL).

certutil [options] -getcrl outfile [index] [delta]

Where:

  • index is the CRL index or key index (defaults to CRL for most recent key).

  • delta is the delta CRL (default is base CRL).

[-f] [-split] [-config Machine\CAName]

-crl

Publish new certificate revocation lists (CRLs) or delta CRLs.

certutil [options] -crl [dd:hh | republish] [delta]

Where:

  • dd:hh is the new CRL validity period in days and hours.

  • republish republishes the most recent CRLs.

  • delta publishes the delta CRLs only (default is base and delta CRLs).

[-split] [-config Machine\CAName]
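An added example, not part of the original page, of the key-compromise response these parameters support: revoke by serial number with a reason code, publish fresh CRLs, then confirm the disposition with -isvalid and by dumping the CRL fetched with -getcrl. $CaConfig, $Serial and the temporary file path are placeholder assumptions.

```powershell
# Added example (not part of the original page). Revoke a certificate whose
# private key is known to be compromised, publish fresh CRLs, and confirm the
# CA now reports it as revoked. $CaConfig and $Serial are placeholders.
$CaConfig = 'CA01.corp.example\Corp-Issuing-CA'   # placeholder Machine\CAName
$Serial   = '1a2b3c4d000000000012'                # placeholder serial number (hex)

function Invoke-CaCertUtil {
    # Run certutil against the target CA; fail loudly on a non-zero exit code.
    param([string[]]$Arguments)
    $output = & certutil.exe -config $CaConfig @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }
    return $output
}

# Reason 1 = CRL_REASON_KEY_COMPROMISE; the symbolic name is accepted as well.
Invoke-CaCertUtil -Arguments @('-revoke', $Serial, '1') | Out-Null

# Publish a new base CRL and delta CRL now, rather than waiting for the
# scheduled publication, so relying parties see the revocation immediately.
Invoke-CaCertUtil -Arguments @('-crl') | Out-Null

# Ask the CA for the disposition of the serial number (-isvalid also accepts
# a certificate hash).
Invoke-CaCertUtil -Arguments @('-isvalid', $Serial)

# Independent check: fetch the freshly published base CRL, dump it, and look
# for the serial number among its revoked entries (-f overwrites an old copy).
$crlFile = Join-Path $env:TEMP 'latest-base.crl'
Invoke-CaCertUtil -Arguments @('-f', '-getcrl', $crlFile) | Out-Null
$crlDump = & certutil.exe -dump $crlFile
if ($crlDump | Select-String -Pattern $Serial -SimpleMatch) {
    "Serial $Serial is listed in the published base CRL"
} else {
    Write-Warning "Serial $Serial not found in $crlFile; check CRL publication"
}
```

The account running this needs Certificate Manager rights on the CA; the CRL check is the step to keep even when everything else reports success, because a revocation that never reaches a published CRL protects nobody.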

-shutdown

Shuts down the Active Directory Certificate Services.

certutil [options] -shutdown
[-config Machine\CAName]

-installcert

Installs a certification authority certificate.

certutil [options] -installcert [cacertfile]
[-f] [-silent] [-config Machine\CAName]

-renewcert

Renews a certification authority certificate.

certutil [options] -renewcert [reusekeys] [Machine\ParentCAName]
[-f] [-silent] [-config Machine\CAName]

  • Use -f to ignore an outstanding renewal request, and to generate a new request.

-schema

Dumps the schema for the certificate.

certutil [options] -schema [ext | attrib | cRL]

Where:

  • The command defaults to the Request and Certificate table.

  • ext is the extension table.

  • attribute is the attribute table.

  • crl is the CRL table.

[-split] [-config Machine\CAName]

-view

Dumps the certificate view.

certutil [options] -view [queue | log | logfail | revoked | ext | attrib | crl] [csv]

Where:

  • queue dumps a specific request queue.

  • log dumps the issued or revoked certificates, plus any failed requests.

  • logfail dumps the failed requests.

  • revoked dumps the revoked certificates.

  • ext dumps the extension table.

  • attribute dumps the attribute table.

  • crl dumps the CRL table.

  • csv provides the output using comma-separated values.

[-silent] [-split] [-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

Remarks

  • To display the StatusCode column for all entries, type: -out StatusCode

  • To display all columns for the last entry, type: -restrict RequestId==$

  • To display the RequestID and Disposition for three requests, type: -restrict requestID>37,requestID<40 -out requestID,disposition

  • To display Row IDs and CRL numbers for all Base CRLs, type: -restrict crlminbase=0 -out crlrowID,crlnumber crl

  • To display base CRL number 3, type: -v -restrict crlminbase=0,crlnumber=3 -out crlrawcrl crl

  • To display the entire CRL table, type: CRL

  • Use Date[+|-dd:hh] for date restrictions.

  • Use now+dd:hh for a date relative to the current time.
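An added example, not from the original page, that runs the -view query described above from PowerShell with -restrict, -out and csv output, and parses the rows into objects for an issuance audit. The CA config string is a placeholder; the Disposition value 20 (issued) and the now-dd:hh relative date (the Date[+|-dd:hh] form above applied to now) are assumptions not stated on this page.

```powershell
# Added example (not part of the original page). Audit certificates the CA
# issued in the last N days with -view, using the -restrict and -out options
# and csv output, then parse the rows in PowerShell. $CaConfig is a placeholder.
$CaConfig = 'CA01.corp.example\Corp-Issuing-CA'   # placeholder Machine\CAName

function Get-RecentlyIssuedCerts {
    param(
        [string]$Config,
        [int]$Days = 7
    )
    # Disposition 20 is the CA database value for an issued certificate (not on
    # this page). NotBefore>now-dd:hh applies the Date[+|-dd:hh] form to "now".
    $restrict = 'Disposition=20,NotBefore>now-{0}:00' -f $Days
    $columns  = 'RequestID,RequesterName,CommonName,CertificateTemplate,NotBefore,NotAfter,SerialNumber'

    $raw = & certutil.exe -config $Config -view -restrict $restrict -out $columns csv 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -view failed (exit $LASTEXITCODE): $($raw -join "`n")"
    }

    # certutil prints a header row of localized display names, then the rows,
    # then a trailing "CertUtil: -view command completed successfully." line.
    # Drop the status line and replace the header with the column identifiers
    # we asked for, so property names are stable regardless of locale.
    $rows = $raw | Where-Object { $_ -and ($_ -notmatch '^CertUtil:') }
    return $rows | Select-Object -Skip 1 | ConvertFrom-Csv -Header ($columns -split ',')
}

$issued = Get-RecentlyIssuedCerts -Config $CaConfig -Days 7

# Summary by template and requester: a spike for one requester, or a template
# nobody should be enrolling from, is what an auditor looks for first.
$issued |
    Group-Object CertificateTemplate, RequesterName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Full detail for review or export (for example, pipe $issued to Export-Csv).
$issued | Format-Table RequestID, RequesterName, CommonName, SerialNumber, NotAfter -AutoSize
```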

-db

Dumps the raw database.

certutil [options] -db
[-config Machine\CAName] [-restrict RestrictionList] [-out ColumnList]

-deleterow

Deletes a row from the server database.

certutil [options] -deleterow rowID | date [request | cert | ext | attrib | crl]

Where:

  • request deletes the failed and pending requests, based on submission date.

  • cert deletes the expired and revoked certificates, based on expiration date.

  • ext deletes the extension table.

  • attribute deletes the attribute table.

  • crl deletes the CRL table.

[-f] [-config Machine\CAName]

Examples

  • To delete failed and pending requests submitted by January 22, 2001, type: 1/22/2001 request

  • To delete all certificates that expired by January 22, 2001, type: 1/22/2001 cert

  • To delete the certificate row, attributes, and extensions for RequestID 37, type: 37

  • To delete CRLs that expired by January 22, 2001, type: 1/22/2001 crl

-backup

Backs up the Active Directory Certificate Services.

certutil [options] -backup backupdirectory [incremental] [keeplog]

Where:

  • backupdirectory is the directory to store the backed up data.

  • incremental performs an incremental backup only (default is full backup).

  • keeplog preserves the database log files (default is to truncate log files).

[-f] [-config Machine\CAName] [-p Password]

-backupdb

Backs up the Active Directory Certificate Services database.

certutil [options] -backupdb backupdirectory [incremental] [keeplog]

Where:

  • backupdirectory is the directory to store the backed up database files.

  • incremental performs an incremental backup only (default is full backup).

  • keeplog preserves the database log files (default is to truncate log files).

[-f] [-config Machine\CAName]

-backupkey

Backs up the Active Directory Certificate Services certificate and private key.

certutil [options] -backupkey backupdirectory

Where:

  • backupdirectory is the directory to store the backed up PFX file.

[-f] [-config Machine\CAName] [-p password] [-t timeout]

-restore

Restores the Active Directory Certificate Services.

certutil [options] -restore backupdirectory

Where:

  • backupdirectory is the directory containing the data to be restored.

[-f] [-config Machine\CAName] [-p password]

-restoredb

Restores the Active Directory Certificate Services database.

certutil [options] -restoredb backupdirectory

Where:

  • backupdirectory is the directory containing the database files to be restored.

[-f] [-config Machine\CAName]

-restorekey

Restores the Active Directory Certificate Services certificate and private key.

certutil [options] -restorekey backupdirectory | pfxfile

Where:

  • backupdirectory is the directory containing the PFX file to be restored.

[-f] [-config Machine\CAName] [-p password]

-importpfx

Import the certificate and private key. For more info, see the -store parameter in this article.

certutil [options] -importpfx [certificatestorename] pfxfile [modifiers]

Where:

  • certificatestorename is the name of the certificate store.

  • modifiers are the comma-separated list, which can include one or more of the following:

    1. AT_SIGNATURE - Changes the keyspec to signature

    2. AT_KEYEXCHANGE - Changes the keyspec to key exchange

    3. NoExport - Makes the private key non-exportable

    4. NoCert - Doesn't import the certificate

    5. NoChain - Doesn't import the certificate chain

    6. NoRoot - Doesn't import the root certificate

    7. Protect - Protects keys by using a password

    8. NoProtect - Doesn't protect keys with a password

[-f] [-user] [-p password] [-csp provider]

Remarks

  • Defaults to the personal machine store.

-dynamicfilelist

Displays a dynamic file list.

certutil [options] -dynamicfilelist
[-config Machine\CAName]

-databaselocations

Displays database locations.

certutil [options] -databaselocations
[-config Machine\CAName]

-hashfile

Generates and displays a cryptographic hash over a file.

certutil [options] -hashfile infile [hashalgorithm]

-store

Dumps the certificate store.

certutil [options] -store [certificatestorename [certID [outputfile]]]

Where:

  • certificatestorename is the certificate store name. For example:

    • My, CA (default), Root,

    • ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?one?objectClass=certificationAuthority (View Root Certificates)

    • ldap:///CN=CAName,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Modify Root Certificates)

    • ldap:///CN=CAName,CN=MachineName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint (View CRLs)

    • ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=cpandl,DC=com?cACertificate?base?objectClass=certificationAuthority (Enterprise CA Certificates)

    • ldap: (AD computer object certificates)

    • -user ldap: (AD user object certificates)

  • certID is the certificate or CRL match token. This can be a serial number, a SHA-1 certificate, CRL, CTL or public key hash, a numeric cert index (0, 1, and so on), a numeric CRL index (.0, .1, and so on), a numeric CTL index (..0, ..1, and so on), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail address, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or Application Policies ObjectId, or a CRL issuer Common Name. Many of these may result in multiple matches.

  • outputfile is the file used to save the matching certificates.

[-f] [-user] [-enterprise] [-service] [-grouppolicy] [-silent] [-split] [-dc DCName]

Options

  • The -user option accesses a user store instead of a machine store.

  • The -enterprise option accesses a machine enterprise store.

  • The -service option accesses a machine service store.

  • The -grouppolicy option accesses a machine group policy store.

For example:

  • -enterprise NTAuth

  • -enterprise Root 37

  • -user My 26e0aaaf000000000004

  • CA .11

-addstore

Adds a certificate to the store. For more info, see the -store parameter in this article.

certutil [options] -addstore certificatestorename infile

Where:

  • certificatestorename is the certificate store name.

  • infile is the certificate or CRL file you want to add to the store.

[-f] [-user] [-enterprise] [-grouppolicy] [-dc DCName]

-delstore

Deletes a certificate from the store. For more info, see the -store parameter in this article.

certutil [options] -delstore certificatestorename certID

Where:

  • certificatestorename is the certificate store name.

  • certID is the certificate or CRL match token.

[-enterprise] [-user] [-grouppolicy] [-dc DCName]

-verifystore

Verifies a certificate in the store. For more info, see the -store parameter in this article.

certutil [options] -verifystore certificatestorename [certID]

Where:

  • certificatestorename is the certificate store name.

  • certID is the certificate or CRL match token.

[-enterprise] [-user] [-grouppolicy] [-silent] [-split] [-dc DCName] [-t timeout]

-repairstore

Repairs a key association, or updates certificate properties or the key security descriptor. For more info, see the -store parameter in this article.

certutil [options] -repairstore certificatestorename certIDlist [propertyinffile | SDDLsecuritydescriptor]

Where:

  • certificatestorename is the certificate store name.

  • certIDlist is the comma-separated list of certificate or CRL match tokens. For more info, see the -store certID description in this article.

  • propertyinffile is the INF file containing external properties, including:

    [Properties]
        19 = Empty ; Add archived property, OR:
        19 =       ; Remove archived property
    
        11 = {text}Friendly Name ; Add friendly name property
    
        127 = {hex} ; Add custom hexadecimal property
            _continue_ = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
            _continue_ = 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
    
        2 = {text} ; Add Key Provider Information property
          _continue_ = Container=Container Name&
          _continue_ = Provider=Microsoft Strong Cryptographic Provider&
          _continue_ = ProviderType=1&
          _continue_ = Flags=0&
          _continue_ = KeySpec=2
    
        9 = {text} ; Add Enhanced Key Usage property
          _continue_ = 1.3.6.1.5.5.7.3.2,
          _continue_ = 1.3.6.1.5.5.7.3.1,
    
[-f] [-enterprise] [-user] [-grouppolicy] [-silent] [-split] [-csp provider]

-viewstore

Dumps the certificate store. For more info, see the -store parameter in this article.

certutil [options] -viewstore [certificatestorename [certID [outputfile]]]

Where:

  • certificatestorename is the certificate store name.

  • certID is the certificate or CRL match token.

  • outputfile is the file used to save the matching certificates.

[-f] [-user] [-enterprise] [-service] [-grouppolicy] [-dc DCName]

Options

  • The -user option accesses a user store instead of a machine store.

  • The -enterprise option accesses a machine enterprise store.

  • The -service option accesses a machine service store.

  • The -grouppolicy option accesses a machine group policy store.

For example:

  • -enterprise NTAuth

  • -enterprise Root 37

  • -user My 26e0aaaf000000000004

  • CA .11

-viewdelstore

Deletes a certificate from the store.

certutil [options] -viewdelstore [certificatestorename [certID [outputfile]]]

Where:

  • certificatestorename is the certificate store name.

  • certID is the certificate or CRL match token.

  • outputfile is the file used to save the matching certificates.

[-f] [-user] [-enterprise] [-service] [-grouppolicy] [-dc DCName]

Options

  • The -user option accesses a user store instead of a machine store.

  • The -enterprise option accesses a machine enterprise store.

  • The -service option accesses a machine service store.

  • The -grouppolicy option accesses a machine group policy store.

For example:

  • -enterprise NTAuth

  • -enterprise Root 37

  • -user My 26e0aaaf000000000004

  • CA .11

-dspublish

Publishes a certificate or certificate revocation list (CRL) to Active Directory.

certutil [options] -dspublish certfile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
certutil [options] -dspublish CRLfile [DSCDPContainer [DSCDPCN]]

Where:

  • certfile is the name of the certificate file to publish.

  • NTAuthCA publishes the certificate to the DS Enterprise store.

  • RootCA publishes the certificate to the DS Trusted Root store.

  • SubCA publishes the CA certificate to the DS CA object.

  • CrossCA publishes the cross-certificate to the DS CA object.

  • KRA publishes the certificate to the DS Key Recovery Agent object.

  • User publishes the certificate to the User DS object.

  • Machine publishes the certificate to the Machine DS object.

  • CRLfile is the name of the CRL file to publish.

  • DSCDPContainer is the DS CDP container CN, usually the CA machine name.

  • DSCDPCN is the DS CDP object CN, usually based on the sanitized CA short name and key index.

  • Use -f to create a new DS object.

[-f] [-user] [-dc DCName]

-adtemplate

Displays Active Directory templates.

certutil [options] -adtemplate [template]
[-f] [-user] [-ut] [-mt] [-dc DCName]

-template

Displays the certificate templates.

certutil [options] -template [template]
[-f] [-user] [-silent] [-policyserver URLorID] [-anonymous] [-kerberos] [-clientcertificate clientcertID] [-username username] [-p password]

-templatecas

Displays the certification authorities (CAs) for a certificate template.

certutil [options] -templatecas template
[-f] [-user] [-dc DCName]

-catemplates

Displays templates for the Certificate Authority.

certutil [options] -catemplates [template]
[-f] [-user] [-ut] [-mt] [-config Machine\CAName] [-dc DCName]

-setcasites

Manages site names, including setting, verifying, and deleting Certificate Authority site names.

certutil [options] -setcasites [set] [sitename]
certutil [options] -setcasites verify [sitename]
certutil [options] -setcasites delete

Where:

  • sitename is allowed only when targeting a single Certificate Authority.

[-f] [-config Machine\CAName] [-dc DCName]

Remarks

  • The -config option targets a single Certificate Authority (default is all CAs).

  • The -f option can be used to override validation errors for the specified sitename or to delete all CA sitenames.

Note

For more information about configuring CAs for Active Directory Domain Services (AD DS) site awareness, see AD DS Site Awareness for AD CS and PKI clients.

-enrollmentserverURL

Displays, adds, or deletes enrollment server URLs associated with a CA.

certutil [options] -enrollmentServerURL [URL authenticationtype [priority] [modifiers]]
certutil [options] -enrollmentserverURL URL delete

Where:

  • authenticationtype specifies one of the following client authentication methods, while adding a URL:

    1. kerberos - Use Kerberos SSL credentials.

    2. username - Use a named account for SSL credentials.

    3. clientcertificate - Use X.509 certificate SSL credentials.

    4. anonymous - Use anonymous SSL credentials.

  • delete deletes the specified URL associated with the CA.

  • priority defaults to 1 if not specified when adding a URL.

  • modifiers is a comma-separated list, which includes one or more of the following:

    1. allowrenewalsonly - Only renewal requests can be submitted to this CA via this URL.

    2. allowkeybasedrenewal - Allows use of a certificate that has no associated account in AD. This applies only with the clientcertificate and allowrenewalsonly modes.

[-config Machine\CAName] [-dc DCName]

-adca

Displays Active Directory Certificate Authorities.

certutil [options] -adca [CAName]
[-f] [-split] [-dc DCName]

-ca

Displays enrollment policy Certificate Authorities.

certutil [options] -CA [CAName | templatename]
[-f] [-user] [-silent] [-split] [-policyserver URLorID] [-anonymous] [-kerberos] [-clientcertificate clientcertID] [-username username] [-p password]

-policy

Displays the enrollment policy.

[-f] [-user] [-silent] [-split] [-policyserver URLorID] [-anonymous] [-kerberos] [-clientcertificate clientcertID] [-username username] [-p password]

-policycache

Displays or deletes enrollment policy cache entries.

certutil [options] -policycache [delete]

Where:

  • delete deletes the policy server cache entries.

  • -f deletes all cache entries.

[-f] [-user] [-policyserver URLorID]

-credstore

Displays, adds, or deletes Credential Store entries.

certutil [options] -credstore [URL]
certutil [options] -credstore URL add
certutil [options] -credstore URL delete

Where:

  • URL is the target URL. You can also use * to match all entries, or https://machine* to match a URL prefix.

  • add adds a credential store entry. Using this option also requires the use of SSL credentials.

  • delete deletes credential store entries.

  • -f overwrites a single entry or deletes multiple entries.

[-f] [-user] [-silent] [-anonymous] [-kerberos] [-clientcertificate clientcertID] [-username username] [-p password]

-installdefaulttemplates

Installs default certificate templates.

certutil [options] -installdefaulttemplates
[-dc DCName]

-URLcache

Displays or deletes URL cache entries.

certutil [options] -URLcache [URL | CRL | * [delete]]

Where:

  • URL is the cached URL.

  • CRL operates on all cached CRL URLs only.

  • * operates on all cached URLs.

  • delete deletes the relevant URLs from the current user's local cache.

  • -f forces fetching a specific URL and updating the cache.

[-f] [-split]

-pulse

Pulses auto-enrollment events.

certutil [options] -pulse
[-user]

-machineinfo

Displays information about the Active Directory machine object.

certutil [options] -machineinfo domainname\machinename$

-DCInfo

Displays information about the domain controller. By default, DC certificates are displayed without verification.

certutil [options] -DCInfo [domain] [verify | deletebad | deleteall]
[-f] [-user] [-urlfetch] [-dc DCName] [-t timeout]

Tip

The ability to specify an Active Directory Domain Services (AD DS) domain [domain] and to specify a domain controller (-dc) was added in Windows Server 2012. To successfully run the command, you must use an account that is a member of Domain Admins or Enterprise Admins. The behavior of this command is modified as follows:

  1. If neither a domain nor a specific domain controller is specified, this option returns a list of domain controllers to process from the default domain controller.
  2. If a domain is not specified, but a domain controller is specified, a report of the certificates on the specified domain controller is generated.
  3. If a domain is specified, but a domain controller is not specified, a list of domain controllers is generated along with reports on the certificates for each domain controller in the list.
  4. If both the domain and the domain controller are specified, a list of domain controllers is generated from the targeted domain controller. A report of the certificates for each domain controller in the list is also generated.

For example, assume there is a domain named CPANDL with a domain controller named CPANDL-DC1. You can run the following command to retrieve a list of domain controllers and their certificates from CPANDL-DC1: certutil -dc cpandl-dc1 -DCInfo cpandl

-entinfo

Displays information about an enterprise Certificate Authority.

certutil [options] -entinfo domainname\machinename$
[-f] [-user]

-tcainfo

Displays information about the Certificate Authority.

certutil [options] -tcainfo [domainDN | -]
[-f] [-enterprise] [-user] [-urlfetch] [-dc DCName] [-t timeout]

-scinfo

Displays information about the smart card.

certutil [options] -scinfo [readername [CRYPT_DELETEKEYSET]]

Where:

  • CRYPT_DELETEKEYSET deletes all keys on the smart card.

[-silent] [-split] [-urlfetch] [-t timeout]

-scroots

Manages smart card root certificates.

certutil [options] -scroots update [+][inputrootfile] [readername]
certutil [options] -scroots save @in\outputrootfile [readername]
certutil [options] -scroots view [inputrootfile | readername]
certutil [options] -scroots delete [readername]
[-f] [-split] [-p Password]

-verifykeys

Verifies a public or private key set.

certutil [options] -verifykeys [keycontainername cacertfile]

Where:

  • keycontainername is the key container name for the key to verify. This option defaults to machine keys. To switch to user keys, use -user.

  • cacertfile is the signing or encryption certificate file.

[-f] [-user] [-silent] [-config Machine\CAName]

Remarks

  • If no arguments are specified, each signing CA certificate is verified against its private key.

  • This operation can only be performed against a local CA or local keys.

-verify

Verifies a certificate, certificate revocation list (CRL), or certificate chain.

certutil [options] -verify certfile [applicationpolicylist | - [issuancepolicylist]]
certutil [options] -verify certfile [cacertfile [crossedcacertfile]]
certutil [options] -verify CRLfile cacertfile [issuedcertfile]
certutil [options] -verify CRLfile cacertfile [deltaCRLfile]

Where:

  • certfile is the name of the certificate to verify.

  • applicationpolicylist is the optional comma-separated list of required Application Policy ObjectIds.

  • issuancepolicylist is the optional comma-separated list of required Issuance Policy ObjectIds.

  • cacertfile is the optional issuing CA certificate to verify against.

  • crossedcacertfile is the optional certificate cross-certified by certfile.

  • CRLfile is the CRL file used to verify the cacertfile.

  • issuedcertfile is the optional issued certificate covered by the CRLfile.

  • deltaCRLfile is the optional delta CRL file.

[-f] [-enterprise] [-user] [-silent] [-split] [-urlfetch] [-t timeout]

Remarks

  • Using applicationpolicylist restricts chain building to only chains valid for the specified Application Policies.

  • Using issuancepolicylist restricts chain building to only chains valid for the specified Issuance Policies.

  • Using cacertfile verifies the fields in the file against certfile or CRLfile.

  • Using issuedcertfile verifies the fields in the file against CRLfile.

  • Using deltaCRLfile verifies the fields in the file against certfile.

  • If cacertfile isn't specified, the full chain is built and verified against certfile.

  • If cacertfile and crossedcacertfile are both specified, the fields in both files are verified against certfile.

-verifyCTL

Verifies the AuthRoot or Disallowed Certificates CTL.

certutil [options] -verifyCTL CTLobject [certdir] [certfile]

Where:

  • CTLobject identifies the CTL to verify, including:

    • AuthRootWU - Reads the AuthRoot CAB and matching certificates from the URL cache. Use -f to download from Windows Update instead.

    • DisallowedWU - Reads the Disallowed Certificates CAB and disallowed certificate store file from the URL cache. Use -f to download from Windows Update instead.

    • AuthRoot - Reads the registry-cached AuthRoot CTL. Use with -f and an untrusted certfile to force the registry-cached AuthRoot and Disallowed Certificates CTLs to update.

    • Disallowed - Reads the registry-cached Disallowed Certificates CTL. Use with -f and an untrusted certfile to force the registry-cached AuthRoot and Disallowed Certificates CTLs to update.

  • CTLfilename specifies the file or HTTP path to the CTL or CAB file.

  • certdir specifies the folder containing certificates matching the CTL entries. Defaults to the same folder or website as the CTLobject. Using an HTTP folder path requires a path separator at the end. If you don't specify AuthRoot or Disallowed, multiple locations are searched for matching certificates, including local certificate stores, crypt32.dll resources, and the local URL cache. Use -f to download from Windows Update, as needed.

  • certfile specifies the certificate(s) to verify. Certificates are matched against CTL entries, and the results are displayed. This option suppresses most of the default output.

[-f] [-user] [-split]

-sign

Re-signs a certificate revocation list (CRL) or certificate.

certutil [options] -sign infilelist | serialnumber | CRL outfilelist [startdate+dd:hh] [+serialnumberlist | -serialnumberlist | -objectIDlist | @extensionfile]
certutil [options] -sign infilelist | serialnumber | CRL outfilelist [#hashalgorithm] [+alternatesignaturealgorithm | -alternatesignaturealgorithm]

Where:

  • infilelist is the comma-separated list of certificate or CRL files to modify and re-sign.

  • serialnumber is the serial number of the certificate to create. The validity period and other options can't be present.

  • CRL creates an empty CRL. The validity period and other options can't be present.

  • outfilelist is the comma-separated list of modified certificate or CRL output files. The number of files must match infilelist.

  • startdate+dd:hh is the new validity period for the certificate or CRL files, including:

    • an optional date, plus

    • an optional days-and-hours validity period.

    If both are specified, you must use a plus sign (+) separator. Use now[+dd:hh] to start at the current time. Use never to have no expiration date (for CRLs only).

  • serialnumberlist is the comma-separated serial number list of the files to add or remove.

  • objectIDlist is the comma-separated extension ObjectId list of the files to remove.

  • @extensionfile is the INF file that contains the extensions to update or remove. For example:

    [Extensions]
        2.5.29.31 = ; Remove CRL Distribution Points extension
        2.5.29.15 = {hex} ; Update Key Usage extension
        _continue_=03 02 01 86

  • hashalgorithm is the name of the hash algorithm. This must be only the text, preceded by the # sign.

  • alternatesignaturealgorithm is the alternate signature algorithm specifier.

[-nullsign] [-f] [-silent] [-cert certID]

Remarks

  • Using the minus sign (-) removes serial numbers and extensions.

  • Using the plus sign (+) adds serial numbers to a CRL.

  • You can use a list to remove both serial numbers and ObjectIDs from a CRL at the same time.

  • Using the minus sign before alternatesignaturealgorithm allows you to use the legacy signature format. Using the plus sign allows you to use the alternate signature format. If you don't specify alternatesignaturealgorithm, the signature format in the certificate or CRL is used.

-vroot

Creates or deletes web virtual roots and file shares.

certutil [options] -vroot [delete]

-vocsproot

Creates or deletes web virtual roots for an OCSP web proxy.

certutil [options] -vocsproot [delete]

-addenrollmentserver

Adds an Enrollment Server application and application pool, if necessary, for the specified Certificate Authority. This command does not install binaries or packages.

certutil [options] -addenrollmentserver kerberos | username | clientcertificate [allowrenewalsonly] [allowkeybasedrenewal]

Where:

  • addenrollmentserver requires you to use an authentication method for the client connection to the Certificate Enrollment Server, including:

    • kerberos uses Kerberos SSL credentials.

    • username uses a named account for SSL credentials.

    • clientcertificate uses X.509 certificate SSL credentials.

  • allowrenewalsonly allows only renewal request submissions to the Certificate Authority through the URL.

  • allowkeybasedrenewal allows use of a certificate with no associated account in Active Directory. This applies when used with the clientcertificate and allowrenewalsonly modes.

[-config Machine\CAName]

-deleteenrollmentserver

Deletes an Enrollment Server application and application pool, if necessary, for the specified Certificate Authority. This command does not install binaries or packages.

certutil [options] -deleteenrollmentserver kerberos | username | clientcertificate

Where:

  • deleteenrollmentserver requires you to use an authentication method for the client connection to the Certificate Enrollment Server, including:

    • kerberos uses Kerberos SSL credentials.

    • username uses a named account for SSL credentials.

    • clientcertificate uses X.509 certificate SSL credentials.

[-config Machine\CAName]

-addpolicyserver

Adds a Policy Server application and application pool, if necessary. This command does not install binaries or packages.

certutil [options] -addpolicyserver kerberos | username | clientcertificate [keybasedrenewal]

Where:

  • addpolicyserver requires you to use an authentication method for the client connection to the Certificate Policy Server, including:

    • kerberos uses Kerberos SSL credentials.

    • username uses a named account for SSL credentials.

    • clientcertificate uses X.509 certificate SSL credentials.

  • keybasedrenewal allows use of policies returned to the client containing keybasedrenewal templates. This option applies only for username and clientcertificate authentication.

-deletepolicyserver

Deletes a Policy Server application and application pool, if necessary. This command does not remove binaries or packages.

certutil [options] -deletePolicyServer kerberos | username | clientcertificate [keybasedrenewal]

Where:

  • deletepolicyserver requires you to use an authentication method for the client connection to the Certificate Policy Server, including:

    • kerberos uses Kerberos SSL credentials.

    • username uses a named account for SSL credentials.

    • clientcertificate uses X.509 certificate SSL credentials.

  • keybasedrenewal allows use of a KeyBasedRenewal policy server.

-oid

Displays the object identifier or sets a display name.

certutil [options] -oid objectID [displayname | delete [languageID [type]]]
certutil [options] -oid groupID
certutil [options] -oid agID | algorithmname [groupID]

Where:

  • objectID displays or adds the display name.

  • groupID is the decimal groupID number of the objectIDs to enumerate.

  • algID is the hexadecimal ID that objectID looks up.

  • algorithmname is the algorithm name that objectID looks up.

  • displayname is the display name to store in DS.

  • delete deletes the display name.

  • LanguageId is the language ID value (defaults to the current one: 1033).

  • Type is the type of DS object to create, including:

    • 1 - Template (default)

    • 2 - Issuance Policy

    • 3 - Application Policy

  • -f creates a DS object.

-error

Displays the message text associated with an error code.

certutil [options] -error errorcode

-getreg

Displays a registry value.

certutil [options] -getreg [{ca | restore | policy | exit | template | enroll |chain | policyservers}\[progID\]][registryvaluename]

Where:

  • ca uses the Certificate Authority's registry key.

  • restore uses the Certificate Authority's restore registry key.

  • policy uses the policy module's registry key.

  • exit uses the first exit module's registry key.

  • template uses the template registry key (use -user for user templates).

  • enroll uses the enrollment registry key (use -user for the user context).

  • chain uses the chain configuration registry key.

  • policyservers uses the Policy Servers registry key.

  • progID uses the policy or exit module's ProgID (registry subkey name).

  • registryvaluename uses the registry value name (use Name* to prefix-match).

  • value is the new numeric, string, or date registry value or filename. If a numeric value starts with + or -, the bits specified in the new value are set or cleared in the existing registry value.

[-f] [-user] [-grouppolicy] [-config Machine\CAName]

Remarks

  • If a string value starts with + or -, and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add \n to the end of the string value.

  • If the value starts with @, the rest of the value is the name of the file containing the hexadecimal text representation of a binary value. If it doesn't refer to a valid file, it's instead parsed as [Date][+|-][dd:hh], an optional date plus or minus an optional number of days and hours. If both are specified, use a plus sign (+) or minus sign (-) separator. Use now+dd:hh for a date relative to the current time.

  • Use chain\chaincacheresyncfiletime @now to effectively flush cached CRLs.

-setreg

Sets a registry value.

certutil [options] -setreg [{ca | restore | policy | exit | template | enroll |chain | policyservers}\[progID\]]registryvaluename value

Where:

  • ca uses the Certificate Authority's registry key.

  • restore uses the Certificate Authority's restore registry key.

  • policy uses the policy module's registry key.

  • exit uses the first exit module's registry key.

  • template uses the template registry key (use -user for user templates).

  • enroll uses the enrollment registry key (use -user for the user context).

  • chain uses the chain configuration registry key.

  • policyservers uses the Policy Servers registry key.

  • progID uses the policy or exit module's ProgID (registry subkey name).

  • registryvaluename uses the registry value name (use Name* to prefix-match).

  • value is the new numeric, string, or date registry value or filename. If a numeric value starts with + or -, the bits specified in the new value are set or cleared in the existing registry value.

[-f] [-user] [-grouppolicy] [-config Machine\CAName]

Remarks

  • If a string value starts with + or -, and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add \n to the end of the string value.

  • If the value starts with @, the rest of the value is the name of the file containing the hexadecimal text representation of a binary value. If it doesn't refer to a valid file, it's instead parsed as [Date][+|-][dd:hh], an optional date plus or minus an optional number of days and hours. If both are specified, use a plus sign (+) or minus sign (-) separator. Use now+dd:hh for a date relative to the current time.

  • Use chain\chaincacheresyncfiletime @now to effectively flush cached CRLs.
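The value rules in the remarks above, applied in an added Python model (example code, not certutil's own implementation and not from this page): it computes the registry value that results from a -setreg command, covering the +/- bit rules for numeric values, the REG_MULTI_SZ add/remove and trailing \n rules, the @file form, and the [Date][+|-][dd:hh] form. It assumes absolute dates are written as ISO yyyy-mm-dd, since the page does not state which date formats certutil itself accepts.

```python
"""Added model of the value rules documented for certutil -setreg.

Example code, not certutil's own implementation: it applies the documented
rules to an existing value so that the outcome of a command such as
    certutil -setreg ca\\KRAFlags +KRAF_ENABLEFOREIGN     (set bits)
or
    certutil -setreg chain\\chaincacheresyncfiletime @now   (date value)
can be reasoned about before it is run against a live CA.
Assumption: absolute dates are ISO yyyy-mm-dd; the page does not state which
date formats certutil itself accepts.
"""
from __future__ import annotations

import os
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Union

RegValue = Union[int, str, bytes, datetime, List[str]]

# Constructed fixed "current time" so relative dates are reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# [Date][+|-][dd:hh]: optional absolute date or 'now', optional signed offset.
_DATE_RE = re.compile(
    r"^(?P<date>now|\d{4}-\d{2}-\d{2})?"
    r"(?:(?P<sign>[+-])(?P<dd>\d+):(?P<hh>\d+))?$"
)


def parse_date_value(text: str, now: Optional[datetime] = None) -> Optional[datetime]:
    """Parse [Date][+|-][dd:hh]; 'now+dd:hh' is relative to the current time.

    Returns None when the text is not in that form, so the caller can fall
    back to treating it as a number or an ordinary string.
    """
    m = _DATE_RE.match(text.strip())
    if not m or (m.group("date") is None and m.group("sign") is None):
        return None
    base = now if now is not None else datetime.now(timezone.utc)
    if m.group("date") and m.group("date") != "now":
        try:
            base = datetime.strptime(m.group("date"), "%Y-%m-%d").replace(tzinfo=timezone.utc)
        except ValueError:
            return None
    if m.group("sign"):
        delta = timedelta(days=int(m.group("dd")), hours=int(m.group("hh")))
        base = base + delta if m.group("sign") == "+" else base - delta
    return base


def _as_int(text: str) -> Optional[int]:
    """Accept decimal or 0x-prefixed hex, as typed on the command line."""
    for base in (0, 10):
        try:
            return int(text, base)
        except ValueError:
            continue
    return None


def apply_setreg_value(existing: Optional[RegValue], new: str,
                       now: Optional[datetime] = None) -> RegValue:
    """Return the registry value that results from `-setreg ... <new>`."""
    # @file: hex text of a binary value; if there is no such file, the rest of
    # the value is parsed as a date instead.
    if new.startswith("@"):
        path = new[1:]
        if os.path.isfile(path):
            with open(path, encoding="ascii") as fh:
                return bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", fh.read()))
        new = path

    when = parse_date_value(new, now)
    if when is not None:
        return when

    # Numeric: a leading + sets, a leading - clears, the given bits in the
    # existing value; without a sign the value is simply replaced.
    signed = new[:1] in ("+", "-")
    number = _as_int(new[1:] if signed else new)
    if number is not None and (not signed or existing is None or isinstance(existing, int)):
        if not signed:
            return number
        base = existing if isinstance(existing, int) else 0
        return base | number if new[0] == "+" else base & ~number

    # String: on an existing REG_MULTI_SZ, +/- adds or removes one entry;
    # a trailing \n forces a REG_MULTI_SZ even for a single string.
    force_multi = new.endswith("\\n")
    if force_multi:
        new = new[:-2]
    if signed and isinstance(existing, list):
        item = new[1:]
        if new[0] == "+":
            return existing if item in existing else existing + [item]
        return [s for s in existing if s != item]
    return [new] if force_multi else new
```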

-delreg

Deletes a registry value.

certutil [options] -delreg [{ca | restore | policy | exit | template | enroll |chain | policyservers}\[progID\]][registryvaluename]

Where:

  • ca uses the Certificate Authority's registry key.

  • restore uses the Certificate Authority's restore registry key.

  • policy uses the policy module's registry key.

  • exit uses the first exit module's registry key.

  • template uses the template registry key (use -user for user templates).

  • enroll uses the enrollment registry key (use -user for the user context).

  • chain uses the chain configuration registry key.

  • policyservers uses the Policy Servers registry key.

  • progID uses the policy or exit module's ProgID (registry subkey name).

  • registryvaluename uses the registry value name (use Name* to prefix-match).

  • value is the new numeric, string, or date registry value or filename. If a numeric value starts with + or -, the bits specified in the new value are set or cleared in the existing registry value.

[-f] [-user] [-grouppolicy] [-config Machine\CAName]

Remarks

  • If a string value starts with + or -, and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add \n to the end of the string value.

  • If the value starts with @, the rest of the value is the name of the file containing the hexadecimal text representation of a binary value. If it doesn't refer to a valid file, it's instead parsed as [Date][+|-][dd:hh], an optional date plus or minus an optional number of days and hours. If both are specified, use a plus sign (+) or minus sign (-) separator. Use now+dd:hh for a date relative to the current time.

  • Use chain\chaincacheresyncfiletime @now to effectively flush cached CRLs.

-importKMS

Imports user keys and certificates into the server database for key archival.

certutil [options] -importKMS userkeyandcertfile [certID]

Where:

  • userkeyandcertfile is a data file with user private keys and certificates that are to be archived. This file can be:

    • An Exchange Key Management Server (KMS) export file.

    • A PFX file.

  • certID is a KMS export file decryption certificate match token. For more info, see the -store parameter in this article.

  • -f imports certificates not issued by the Certificate Authority.

[-f] [-silent] [-split] [-config Machine\CAName] [-p password] [-symkeyalg symmetrickeyalgorithm[,keylength]]

-importcert

Imports a certificate file into the database.

certutil [options] -importcert certfile [existingrow]

Where:

  • existingrow imports the certificate in place of a pending request for the same key.

  • -f imports certificates not issued by the Certificate Authority.

[-f] [-config Machine\CAName]

Remarks

The Certificate Authority may also need to be configured to support foreign certificates. To do this, type certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN.

-getkey

Retrieves an archived private key recovery blob, generates a recovery script, or recovers archived keys.

certutil [options] -getkey searchtoken [recoverybloboutfile]
certutil [options] -getkey searchtoken script outputscriptfile
certutil [options] -getkey searchtoken retrieve | recover outputfilebasename

Where:

  • script generates a script to retrieve and recover keys (the default behavior if multiple matching recovery candidates are found, or if the output file is not specified).

  • retrieve retrieves one or more Key Recovery Blobs (the default behavior if exactly one matching recovery candidate is found and the output file is specified). Using this option truncates any extension and appends the certificate-specific string and the .rec extension for each key recovery blob. Each file contains a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates.

  • recover retrieves and recovers private keys in one step (requires Key Recovery Agent certificates and private keys). Using this option truncates any extension and appends the .p12 extension. Each file contains the recovered certificate chains and associated private keys, stored as a PFX file.

  • searchtoken selects the keys and certificates to be recovered, including:

      1. Certificate Common Name
      2. Certificate Serial Number
      3. Certificate SHA-1 hash (thumbprint)
      4. Certificate KeyId SHA-1 hash (Subject Key Identifier)
      5. Requester Name (domain\user)
      6. UPN (user@domain)

  • recoverybloboutfile outputs a file with a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates.

  • outputscriptfile outputs a file with a batch script to retrieve and recover private keys.

  • outputfilebasename outputs a file base name.

[-f] [-unicodetext] [-silent] [-config Machine\CAName] [-p password] [-protectto SAMnameandSIDlist] [-csp provider]

-recoverkey

Recovers an archived private key.

certutil [options] -recoverkey recoveryblobinfile [PFXoutfile [recipientindex]]
[-f] [-user] [-silent] [-split] [-p password] [-protectto SAMnameandSIDlist] [-csp provider] [-t timeout]

-mergePFX

Merges PFX files.

certutil [options] -mergePFX PFXinfilelist PFXoutfile [extendedproperties]

Where:

  • PFXinfilelist is a comma-separated list of PFX input files.

  • PFXoutfile is the name of the PFX output file.

  • extendedproperties includes any extended properties.

[-f] [-user] [-split] [-p password] [-protectto SAMnameAndSIDlist] [-csp provider]

Remarks

  • The password specified on the command line must be a comma-separated password list.

  • If more than one password is specified, the last password is used for the output file. If only one password is provided, or if the last password is *, the user is prompted for the output file password.

-convertEPF

Converts a PFX file into an EPF file.

certutil [options] -convertEPF PFXinfilelist PFXoutfile [cast | cast-] [V3CAcertID][,salt]

其中:Where:

  • PFXinfilelist是 PFX 輸入檔的逗號分隔清單。PFXinfilelist is a comma-separated list of PFX input files.

  • PFXoutfile是 PFX 輸出檔案的名稱。PFXoutfile is the name of the PFX output file.

  • EPF是 EPF 輸出檔的名稱。EPF is the name of the EPF output file.

  • cast會使用 cast 64 加密。cast uses CAST 64 encryption.

  • cast- 使用 cast 64 加密(export)cast- uses CAST 64 encryption (export)

  • V3CAcertID是 V3 CA 憑證對應 token。V3CAcertID is the V3 CA certificate match token. 如需詳細資訊,請參閱本文 -store 中的參數。For more info, see the -store parameter in this article.

  • salt是 EPF 輸出檔 salt 字串。salt is the EPF output file salt string.

[-f] [-silent] [-split] [-dc DCName] [-p password] [-csp provider]

Remarks

  • The password specified on the command line must be a comma-separated password list.

  • If more than one password is specified, the last password is used for the output file. If only one password is provided, or if the last password is *, the user is prompted for the output file password.

-?

Displays the list of parameters.

certutil -?
certutil <name_of_parameter> -?
certutil -? -v

Where:

  • -? displays the full list of parameters.

  • -<name_of_parameter> -? displays help content for the specified parameter.

  • -? -v displays a full list of parameters and options.

Options

This section defines all of the options you can specify, based on the command. Each parameter includes information about which options are valid for use with it.

Options and their descriptions:

  • -nullsign: Use the hash of the data as a signature.

  • -f: Force overwrite.

  • -enterprise: Use the local machine enterprise registry certificate store.

  • -user: Use the HKEY_CURRENT_USER keys or certificate store.

  • -GroupPolicy: Use the group policy certificate store.

  • -ut: Display user templates.

  • -mt: Display machine templates.

  • -Unicode: Write redirected output in Unicode.

  • -UnicodeText: Write output file in Unicode.

  • -gmt: Display times using GMT.

  • -seconds: Display times using seconds and milliseconds.

  • -silent: Use the silent flag to acquire the crypt context.

  • -split: Split embedded ASN.1 elements and save them to files.

  • -v: Provide more detailed (verbose) information.

  • -privatekey: Display password and private key data.

  • -pin PIN: Smart card PIN.

  • -urlfetch: Retrieve and verify AIA certificates and CDP CRLs.

  • -config Machine\CAName: Certificate Authority and computer name string.

  • -policyserver URLorID: Policy Server URL or ID. For selection U/I, use -policyserver. For all Policy Servers, use -policyserver *.

  • -anonymous: Use anonymous SSL credentials.

  • -kerberos: Use Kerberos SSL credentials.

  • -clientcertificate clientcertID: Use X.509 certificate SSL credentials. For selection U/I, use -clientcertificate.

  • -username username: Use the named account for SSL credentials. For selection U/I, use -username.

  • -cert certID: Signing certificate.

  • -dc DCName: Target a specific Domain Controller.

  • -restrict restrictionlist: Comma-separated restriction list. Each restriction consists of a column name, a relational operator and a constant integer, string or date. One column name may be preceded by a plus or minus sign to indicate the sort order. For example: requestID = 47, +requestername >= a, requestername, or -requestername > DOMAIN, Disposition = 21.

  • -out columnlist: Comma-separated column list.

  • -p password: Password.

  • -protectto SAMnameandSIDlist: Comma-separated SAM name/SID list.

  • -csp provider: Provider.

  • -t timeout: URL fetch timeout in milliseconds.

  • -symkeyalg symmetrickeyalgorithm[,keylength]: Name of the symmetric key algorithm with optional key length. For example: AES,128 or 3DES.

Additional References

For some more examples about how to use this command, see