certutil -getcrl [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] OutFile [Index] [delta]

-getcrl

Retrieves the certificate revocation list (CRL).

-f

Overwrites existing files or keys.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-split

Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v

Specifies verbose output.

-config CAMachineName\CAName

processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

OutFile

Specifies the file to which you want to send the output.

Index

Specifies the index identifier number.

delta

Retrieves a delta CRL.

-?

Displays a list of certutil commands.

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. If you do not have the appropriate authority, use -cainfo to retrieve CRLs.
  
• You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
  
• If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
  

To retrieve the most recently published base CRL, MyMostRecentCRL.crl, type:

certutil -getcrl MyMostRecentCRL.crl

To retrieve the third CRL, MyThirdCRL.crl type:

certutil -getcrl MyThirdCRL.crl 3

To retrieve the most recently published delta CRL, MyMostRecentDelta.crl, type:

certutil -getcrl MyMostRecentDelta.crl delta

To retrieve the fifth delta CRL, MyFifthDelta.crl, type:

certutil -getcrl MyFifthDelta.crl 5 delta

certutil -crl [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [DD:HH] [delta]

-crl

Publishes a new certificate revocation list (CRL).

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-split

Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.

-v

Specifies verbose output.

-config CAMachineName\CAName

processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).

DD:HH

Specifies the length of the CRL life in days and hours.

delta

Publishes a delta CRL only.

-?

Displays a list of certutil commands.

• You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
  
• If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
  
• The CRL is written to the file specified by OutFileResult, or, if you use a minus sign (-), it is written to the default Web location.
  
• The expiration date is set to be one day and one hour from the time of publication to facilitate a daily publishing schedule.
  

certutil -dsPublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] [{CertFile | CRL}] [{ntauthca | rootca | subca | crossca | kra | user | machine}]

-dsPublish

Publishes a new certificate to the CA object in Active Directory.

-f

Overwrites existing files or keys.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

-dc DCName

Targets a specific domain controller.

CertFile

Specifies the certificate that you want to use.

CRL

Specifies the certificate revocation list that you want to use.

ntauthca

Specifies that the certificate is to be published to the NTAuth store.

rootca

Specifies that the certificate is to be published to the root CA store.

subca

Specifies that the certificate is to be published to the subordinate CA store.

crossca

Specifies that the certificate is to be published to the cross-certified CA store.

kra

Specifies that the certificate is to be published to the key recovery agent store.

user

Specifies that the certificate is to be published to the user store.

machine

Specifies that the certificate is to be published to the computer store.

-?

Displays a list of certutil commands.

• If a CA issues certificates for smart card logon, you need to publish the certificate to NTAuth.
  

certutil -dspublish [-f] [-user] [-gmt] [-seconds] [-v] [-dc DCName] NewCert ntauthca

-dspublish

Publishes a new certificate or certificate revocation list (CRL) to the CA object in Active Directory.

-f

Overwrites existing files or keys.

-user

Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt

Displays time as Greenwich mean time.

-seconds

Displays time with seconds and milliseconds.

-v

Specifies verbose output.

-dc DCName

Targets a specific domain controller.

NewCert

Specifies the certificate that you want to publish.

ntauthca

Specifies that the certificate is to be published to the NTAuth store.

-?

Displays a list of certutil commands.

• You must have Enterprise Administrator access to use this command.
  

Formatting legend