Certutil and Certreq

I have consolidated and updated two command line utilities recently:



I took all the older links that I could find and pointed them to the locations above and then pointed out to the examples that we have already. Feel free to give me feedback on these consolidated documents. Thanks!


Comments (20)

  1. Yes, you and all the users of these articles deserve some updates and more examples. I will work on it. In the meantime, please, check out:

    Appendix 3: Certreq.exe Syntax (technet.microsoft.com/…/cc736326.aspx)


    social.technet.microsoft.com/…/3063.certutil-examples-for-managing-active-directory-certificate-services-ad-cs-from-the-command-line.aspx at the end of that article.

    Thanks for your feedback!

  2. Mike Kline says:

    Two new favorites for me Kurt 🙂

    Are you on twitter?  Just want to give you credit when I tweet this out.



  3. Anonymous says:

    Speaking of certutil -exportpfx, I don't see that one on the certutil page. It is in help, though, and works as advertised. Be sure to use the NoChain modifier if all you want is the certificate + private key. By default you will get the entire chain.

  4. Vadims Podans says:

    But for sure you can provide a more detailed description for certutil switches.

  5. Vadims Podans says:

    I don't think you need more examples, because it makes too hard to find something special. Moreover, I think it is necessary to split some sections to different articles.

  6. Dear Kurt,

    Thank you very much for answering and sending me these useful links. I'll probably be sending you more feedback to improve the documents as I further work on this.

  7. – In the section Certreq -submit.

    The command description is

    CertReq [-Submit] [Options] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]

    There is no exact and specific description on what are CertFileOut CertChainFileOut FullResponseFileOut

    Some more info is supplied in the help text from certreq -submit -?

    You get (among other things):

    RequestFileOut          – Base64-encoded output file name

    PKCS10FileOut           – Base64-encoded PKCS10 output file name

    CertFileOut             – Base64-encoded X-509 file name

    CertChainFileOut        – Base64-encoded PKCS7 file name

    FullResponseFileOut     – Base64-encoded Full Response file name

    PolicyFileIn            – INF file containing a textual representation

                              of extensions used to qualify a request

    But it's still confusing:

    RequestFileOut, PKCS10FileOut,  – what are they and how you specify them in the command line?

    CertFileOut, CertChainFileOut, FullResponseFileOut

    PolicyFileIn – what is this? you're supposed to provide an .inf policy file with certreq -new. Why use one with certreq -submit ? In any case what is the syntax?

    The first (and only) example in the section

    certreq –submit certRequest.req certnew.cer certnew.pfx

    implies that CertFileOut is the .cer file (logical) and CertChainFileOut is the .pfx file. In tests, the produced .pfx file cannot be used as usual (to install the secret key etc.). Instead you get the following message:

    "Invalid Public Key Security Object File

    This file is invalid for use as the following: Personal Information Exchange."

    I apologize if I have missed any basic stuff but still, these documents only provide a partial and confusing picture of certreq, while I still believe that it can prove to be a useful tool.

    I'll be glad to provide more info to help improve things if you're interested.

    Many thanks,


  8. Dear Kurt,

    Thanks for providing the "curated" version of the documentation. Still, let’s work to make the underlying documents better. Here are some comments:

    Revisiting the utilities, the process which they imply and the documentation (even the command line help!), and summing up information from a number of different web pages here are some more comments:

    First of all, to summarize, the documents found online on certreq:

    A. The article on Certreq:

    B. The article on the Certreq.exe Syntax (mostly covering the .inf file syntax) – Appendix 3:


    C. An additional article on How to Request a Certificate With a Custom Subject Alternative Name (SAN):


    This last one is the only that covers the process of manually issuing certificates from the command line, specifically:

    1. certreq.exe -new <RequestPolicy.inf><CertificateRequest.req>

    2. certreq -submit -config "<ServerNameCAName>" "<CertificateRequest.req>" "<CertificateResponse.cer>"

    3. [only if approval is required] certreq –retrieve -config "<ServerNameCAName>" <RequestID> "<CertificateResponse.cer>"

    4. certreq –accept -config "<ServerNameCAName>" "<CertificateResponse.cer>"

    Coming specifically to Document A (your link above).

    – In the section Verbs.

    Hyperlinks to more specific description, e.g. Certreq -submit take you to a page that says "This content has been moved to Certreq (technet.microsoft.com/…/cc725793.aspx)."

    [continued below]

  9. Sure, I found a few other examples: technet.microsoft.com/…/ff625722.aspx, which has a section titled using CertReq that explains more. Also, the Two Tier PKI Hierarchy Test Lab Guide has some steps that illustrate the use of Certreq technet.microsoft.com/…/hh831348.aspx. It is lacking a couple of certutil command line equivalents that I intend to add:

    certutil -resubmit 2

    cerutil -installcert A:APP1.corp.contoso.com_corp-APP1-CA.crt

    start-service certsvc

    The above commands assume: The certificate request ID was 2, the removable media drive is A: and that the certificate that the subordinate CA is actually named APP1.corp.contoso.com_corp-APP1-CA.crt

  10. Vadims Podans says:

    I think you made outstanding job!

  11. Georgios, I will endeavor to improve the documentation. I agree that more examples and explanations could be added.

    If you are trying to actually accomplish a particular task, your best option is to post the task and details on the Security Forum (http://aka.ms/adcsforum) and then to use the Email blog author link to send me an alert on the question. We can them work with both the experts on the Forum as well as the internal experts to resolve your issues.

    As for the hyperlink issues: That is a software redirection issue with the publishing platform. I have already started to taking steps to resolve this problem, but it will take a couple of publishing iterations. For this one, I removed the links. In the future, they will return, but some workarounds are needed in the background.

    As for the certreq -submit question: A simple example of certreq usage from my Test Lab Guide is:

    certreq -submit A:APP1.corp.contoso.com_IssuingCA-APP1.req

    That is the submission of a request from a subordinate CA for a CA signing certificate.

    The Certreq -submit example you mentioned in the document, I did not create, and I could not interpret without the help of the senior developer in charge of the utility and code. Here is a recap of the example:

    certreq -submit certRequest.req certnew.cer certnew.pfx

    So, we already know that the first part is a submission of a request to a CA. Then, what are the certnew.cer and certnew.pfx parts of the example command do?

    The response from the senior developer is as follows:


    • certnew.cer will contain the new certificate

    • certnew.pfx will contain an empty Pkcs7, with a bag of certs attached. The bag will contain the new cert and the full chain of CA certificates, including the root CA cert. (The .pfx extension doesn’t tell certreq to do anything differently).

    • If an additional filename were to be specified on the command line, it would contain the CMC Full

    Response: a non-empty Pkcs7 with CMC content and the same bag of certs attached, and the CMC content will be signed by the CA. The CMC content contains some additional data regarding the request: request processing result, RequestId, issued cert hash, etc.

    All of the output files will be base64 encoded (in ansi text format).

    Add in the -binary option to write binary data instead (DER encoded ASN.1).

    To obtain a PFX, use certreq -accept to install the certificate, and certutil -ExportPFX to export the cert and key into a PFX file (aka Pkcs12). This assumes that certreq -new was used on the same machine to create the request in the first place.


    Another warning he added, that I must endeavor to fix is:

    This certreq doc also has a link to support.microsoft.com/…/931351

    This link describes using certutil -setreg policyEditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2, which is a recipe for elevation of privilege [attack] and should not be used in any real deployment.

    Instead, the INF file syntax for certreq -new should be used:

    [Extensions] = "{text}dns=dns.name&dns=dns.name&…"

  12. Dear Kurt,

    Recently I have been a frequent visitor to these pages. I currently manage an MS Certificate Server and I'm looking into ways to make the process of issuing certificates automated (rather than using the web interface) via tools like certreq and certutil.

    If you curate these two pages I'd like to point some omissions that IMHO make these tools difficult to understand and use.

    1. There is no description of the process that one should follow to manually issue certificates: i.e. certreq -new (using the .inf file), -submit, -retrieve

    2. In the certreq page, after describing certreq -submit there are examples mentioned that are never shown

    3. In the certreq page, when describing the .inf files there is only mention of "some of the possible sections" that can be added to an .inf file, e.g. the section [RequestAttributes] which is used to set the most useful CertificateTemplate parameter is shown in the examples but never really explained. Is there any reference document for ALL .inf sections available anywhere?

    These are just some of the many shortcoming that these pages have in my opinion. So, may I kindly ask you if there is any additional (and complete) documentation on these tools available.

    In any case, thank you very much for all your efforts,


  13. Thank you, Vadims and Mike. I do participate in a team Twitter acct /addocteam. I am sure there's plenty of room for improvement on those articles, so I am glad to make improvements. One of the things I think would be helpful is to start linking out or even embedding more examples. Anyways, this is a start and more updates are already planned for this week.

  14. Glen Grady says:

    This is gold! …and is making my life much easier. Thanks very much Kurt.

  15. Kurt,

    Thank you for taking the time to read my comments and even taking them to the developer. I  finally begin to see a more clear picture. For now, I'll take any further practical questions to the Security Forum but I would also like to help improve the documentation. I'll try to provide some more comments as I work more with the tools.



  16. Ram Karthik says:

    Hello, I dont know whether this thread is active but I have a pecular situation where I am trying to migrate the key from different HSMs too. after migrating the Keys my new CA isnt able to find the key. Active Directory Certificate Services setup failed
    with the following error: Key does not exist 0x80009000d(-2146893811).

  17. Jeff C. says:

    Hi all, Is there a way to override the Subject in a CSR when submitting it to a CA? I basically want to add an email address to the Subject if it doesn’t already have it.

    For example, in the CSR the Subject is "CN=contoso.com". I want to change it to "E=webadmins@contoso.com,CN=contoso.com".

    We’re trying to make sure every cert has an email with it so that we can use it to notify the owner before a cert expires.

    Thanks in advance.

  18. r0m3ll says:

    Hi Guys,
    Sorry to bump into this thread with a different question…
    But would you know a way to use certutil to extract certs (starting) on a given date?
    Sample: I would like to extract all certs issued starting Jan 1, 2015.

    The command I issue below doesn’t seem to work:
    certutil -view -restrict "NotBefore>=1/1/2015" -out "RequestID,NotBefore,NotAfter,CertificateTemplate" > file.txt

    Thanks in advance,

  19. Les M. says:

    I’ve been looking for a complete list of certutil commands as I’m back to work role where I need a full reference. Right now my watermark is if the list includes “-SetCAtemplates”. That command saved my bacon last night at about 8PM when one of my issuing CA’s failed to pick up a new template.

    This is clearly a wonderful reference and I’ll certainly be using it, but it does appear to be missing some stuff.

    You have my sincere appreciation for the effort of putting together what’s already here. I’m sure it will be invaluable.

  20. Josh says:

    how do I get a list of certificates that have not been revoked (I don’t want the revoked ones in the list) using the certuil command?

Skip to main content