Check the certutil.exe file in the Windows folder
certutil
Certutil.exe is a command-line program, installed as part of Certificate Services. You can use certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

If certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. If certutil is run on a non-certification authority, the command defaults to running the

Important
Earlier versions of certutil may not provide all of the options that are described in this document. You can see all the options that a specific version of certutil provides by running

Parameters

-dump: Dump configuration information or files.
-asn: Parse and display the contents of a file using Abstract Syntax Notation (ASN.1) syntax. File types include .CER, .DER and PKCS #7 formatted files.
-decodehex: Decode a hexadecimal-encoded file.
-decode: Decode a Base64-encoded file.
-encode: Encode a file to Base64.
-deny: Deny a pending request.
-resubmit: Resubmit a pending request.
-setattributes: Set attributes for a pending certificate request.
-setextension: Set an extension for a pending certificate request.
-revoke: Revoke a certificate.
-isvalid: Display the disposition of the current certificate.
-getconfig: Get the default configuration string.
-ping: Attempt to contact the Active Directory Certificate Services Request interface.
-cainfo: Display information about the certification authority.
-ca.cert: Retrieve the certificate for the certification authority.
-ca.chain: Retrieve the certificate chain for the certification authority.
-getcrl: Gets a certificate revocation list (CRL).
-crl: Publish new certificate revocation lists (CRLs) or delta CRLs.
-shutdown: Shuts down the Active Directory Certificate Services.
-installcert: Installs a certification authority certificate.
-renewcert: Renews a certification authority certificate.
-schema: Dumps the schema for the certificate.
-view: Dumps the certificate view.
-db: Dumps the raw database.
-deleterow: Deletes a row from the server database.
-backup: Backs up the Active Directory Certificate Services.
-backupdb: Backs up the Active Directory Certificate Services database.
-backupkey: Backs up the Active Directory Certificate Services certificate and private key.
-restore: Restores the Active Directory Certificate Services.
-restoredb: Restores the Active Directory Certificate Services database.
-restorekey: Restores the Active Directory Certificate Services certificate and private key.
-importpfx: Import the certificate and private key. For more info, see the
-dynamicfilelist: Displays a dynamic file list.
-databaselocations: Displays database locations.
-hashfile: Generates and displays a cryptographic hash over a file.
-store: Dumps the certificate store.
-addstore: Adds a certificate to the store. For more info, see the
-delstore: Deletes a certificate from the store. For more info, see the
-verifystore: Verifies a certificate in the store. For more info, see the
-repairstore: Repairs a key association or updates certificate properties or the key security descriptor. For more info, see the
-viewstore: Dumps the certificates store. For more info, see the
-viewdelstore: Deletes a certificate from the store.
-dspublish: Publishes a certificate or certificate revocation list (CRL) to Active Directory.
-adtemplate: Displays Active Directory templates.
-template: Displays the certificate templates.
-templatecas: Displays the certification authorities (CAs) for a certificate template.
-catemplates: Displays templates for the Certificate Authority.
-setcasites: Manages site names, including setting, verifying, and deleting Certificate Authority site names.
-enrollmentserverURL: Displays, adds, or deletes enrollment server URLs associated with a CA.
-adca: Displays Active Directory Certificate Authorities.
-ca: Displays enrollment policy Certificate Authorities.
-policy: Displays the enrollment policy.
-policycache: Displays or deletes enrollment policy cache entries.
-credstore: Displays, adds, or deletes Credential Store entries.
-installdefaulttemplates: Installs default certificate templates.
-URLcache: Displays or deletes URL cache entries.
-pulse: Pulses auto enrollment events.
-machineinfo: Displays information about the Active Directory machine object.
-DCInfo: Displays information about the domain controller. The default displays DC certificates without verification.

Tip: The ability to specify an Active Directory Domain Services (AD DS) domain [Domain] and to specify a domain controller (-dc) was added in Windows Server 2012. To successfully run the command, you must use an account that is a member of Domain Admins or Enterprise Admins. The behavior modifications of this command are as follows:

For example, assume there is a domain named CPANDL with a domain controller named CPANDL-DC1. You can run the following command to retrieve a list of domain controllers and their certificates from CPANDL-DC1:

-entinfo: Displays information about an enterprise Certificate Authority.
-tcainfo: Displays information about the Certificate Authority.
-scinfo: Displays information about the smart card.
-scroots: Manages smart card root certificates.
-verifykeys: Verifies a public or private key set.
-verify: Verifies a certificate, certificate revocation list (CRL), or certificate chain.
-verifyCTL: Verifies the AuthRoot or Disallowed Certificates CTL.
-sign: Re-signs a certificate revocation list (CRL) or certificate.
-vroot: Creates or deletes web virtual roots and file shares.
-vocsproot: Creates or deletes web virtual roots for an OCSP web proxy.
-addenrollmentserver: Add an Enrollment Server application and application pool if necessary, for the specified Certificate Authority. This command does not install binaries or packages.
-deleteenrollmentserver: Deletes an Enrollment Server application and application pool if necessary, for the specified Certificate Authority. This command does not install binaries or packages.
-addpolicyserver: Add a Policy Server application and application pool, if necessary. This command does not install binaries or packages.
-deletepolicyserver: Deletes a Policy Server application and application pool, if necessary. This command does not remove binaries or packages.
-oid: Displays the object identifier or sets a display name.
-error: Displays the message text associated with an error code.
-getreg: Displays a registry value.
-setreg: Sets a registry value.
-delreg: Deletes a registry value.
-importKMS: Imports user keys and certificates into the server database for key archival.
-importcert: Imports a certificate file into the database.
Remarks: The Certificate Authority may also need to be configured to support foreign certificates. To do this, type
-getkey: Retrieves an archived private key recovery blob, generates a recovery script, or recovers archived keys.
-recoverkey: Recover an archived private key.
-mergePFX: Merges PFX files.
-convertEPF: Converts a PFX file into an EPF file.
-?: Displays the list of parameters.
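
An added example, not taken from the original page: a PowerShell wrapper around the -hashfile verb listed above that hashes certutil.exe in the Windows system directory and cross-checks the digest against Get-FileHash. The helper name Get-CertutilHash is hypothetical; the algorithm argument and the space-separated digest layout printed by some older certutil versions are assumptions based on the tool's known behaviour, not on this page.

```powershell
# Added example; Get-CertutilHash is a hypothetical helper, not part of certutil.
# Call certutil by full path so a look-alike earlier in PATH is never used.
$certutil = Join-Path $env:SystemRoot 'System32\certutil.exe'

function Get-CertutilHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('SHA1', 'SHA256', 'SHA384', 'SHA512')]
        [string] $Algorithm = 'SHA256'
    )
    $resolved = (Resolve-Path -LiteralPath $Path).ProviderPath
    $output = & $certutil -hashfile $resolved $Algorithm
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -hashfile failed with exit code $LASTEXITCODE"
    }

    # Expected digest length in hex characters for each algorithm.
    $hexLengths = @{ SHA1 = 40; SHA256 = 64; SHA384 = 96; SHA512 = 128 }
    $pattern = '^[0-9a-fA-F]{' + $hexLengths[$Algorithm] + '}$'

    foreach ($line in $output) {
        # Some older versions print the digest as space-separated byte pairs,
        # and the banner lines are localized, so match on shape, not position.
        $candidate = $line -replace '\s', ''
        if ($candidate -match $pattern) {
            return $candidate.ToUpperInvariant()
        }
    }
    throw 'No digest line found in certutil output'
}

# Hash certutil.exe itself and compare with an independent implementation.
$fromCertutil = Get-CertutilHash -Path $certutil
$fromCmdlet   = (Get-FileHash -LiteralPath $certutil -Algorithm SHA256).Hash

if ($fromCertutil -eq $fromCmdlet) {
    "Match: $fromCertutil"
} else {
    Write-Warning "Mismatch: certutil=$fromCertutil Get-FileHash=$fromCmdlet"
}
```

To use the digest as an integrity check, compare it with a value recorded from a known-good system of the same Windows build rather than with a second hash taken on the same machine.
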
Options
This section defines all of the options you're able to specify, based on the command. Each parameter includes information about which options are valid for use.

Additional References
For some more examples about how to use this command, see