CERTUTIL -addstore -enterprise -f -v root "Certificate.cer"
CERTUTIL -addstore -f CA "Certificate.cer"
CERTUTIL -addstore -enterprise -f -v TrustedPublisher "Certificate.cer"
Notes
View CA Configuration
If you want to view the configuration settings for the CA, including the settings applied by CAPolicy.inf or by post-installation configuration scripts, you can issue the following commands:
certutil -dump
certutil -getreg
certutil -getreg CA
Publish expired certificates in the CRL
If you want to maintain a revoked certificate in the CRL beyond the certificate’s expiration date, you can enable the publication of expired certificates to the CRL by running the following command at a command-line prompt and then restarting Certificate Services.
certutil -setreg ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS
Dump certificate templates and settings from the CA
certutil -v -template
Variations of that command
certutil -v -template > templatelist.txt
certutil -v -template clientauth > clientauthsettings.txt
Copy a CRL to a file
If you want to copy a certificate revocation list to removable media (such as a floppy drive at a:) and name it corprootca.crl, you can run the following command:
certutil -getcrl a:\corprootca.crl
View Certificate Templates
If you want to dump a list of certificate templates and their settings to a text file (MyTemplates.txt), you can run the following command:
certutil -v -template > MyTemplates.txt
View AIA container
To view the contents of the AIA container in Active Directory Domain Services (AD DS) for a domain named contoso.com, run the following command:
certutil -viewstore "ldap:///CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate?base?objectclass=certificationAuthority"
View Intermediate CA certificate store
To view the content of the client computer’s Intermediate Certification Authorities certificate store, type the following command at a command-line prompt.
certutil -enterprise -viewstore CA
View NTAuth Container
To view the content of the NTAuth container in AD DS for a domain named Corp.contoso.com, you would type the following command on a single line and press ENTER:
certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"
View Trusted Root CAs
To view the content of the client computer’s Trusted Root Certification Authorities Enterprise certificate store, type the following command at a command-line prompt.
certutil -enterprise -viewstore Root
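The Root, CA and TrustedPublisher stores are the ones the -addstore commands at the top of this page write to, so they are worth checking against a known-good baseline. The following PowerShell is an added example, not part of the original page: it reads the logical LocalMachine stores through the Cert: drive and reports every certificate whose thumbprint is not in an allow-list. The function name Get-StoreDrift and the $Baseline contents are hypothetical; the thumbprints are constructed placeholders to be replaced with values from a trusted reference machine.

```powershell
# Added example: report certificates in the machine trust stores that are
# not on an approved list. Run from an elevated PowerShell prompt.
$Stores = 'Root', 'CA', 'TrustedPublisher'

# Hypothetical allow-list keyed by store name.
# The thumbprints below are constructed placeholders, not real certificates.
$Baseline = @{
    Root             = @('0000000000000000000000000000000000000001')
    CA               = @('0000000000000000000000000000000000000002')
    TrustedPublisher = @()
}

function Get-StoreDrift {
    param(
        [Parameter(Mandatory)] [string[]]  $StoreName,
        [Parameter(Mandatory)] [hashtable] $Allowed
    )
    $now = Get-Date
    foreach ($name in $StoreName) {
        # Logical store view: what the machine actually trusts for this purpose.
        foreach ($cert in Get-ChildItem -Path "Cert:\LocalMachine\$name") {
            # -notcontains is case-insensitive; a missing or empty list flags everything.
            if ($Allowed[$name] -notcontains $cert.Thumbprint) {
                [pscustomobject]@{
                    Store      = $name
                    Thumbprint = $cert.Thumbprint
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    SelfSigned = ($cert.Subject -eq $cert.Issuer)
                    Expired    = ($cert.NotAfter -lt $now)
                }
            }
        }
    }
}

# Entries listed here are present on the machine but absent from the baseline.
Get-StoreDrift -StoreName $Stores -Allowed $Baseline |
    Sort-Object Store, NotAfter |
    Format-Table Store, Thumbprint, Subject, NotAfter, SelfSigned, Expired -AutoSize
```

With the placeholder baseline every installed certificate is reported; once real thumbprints are filled in, any remaining row is a certificate that was added outside the baseline.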
Purge policy cache
When you are working with Certificate Enrollment Policy Web Services servers, policies are cached on the local computer. You may want to clear this cache when the resulting certificate policies are not what you expect. You can clear the certificate policy cache by running the following command:
certutil -f -policyserver * -policycache delete
Check the certificate revocation chain
certutil -verify -urlfetch
certutil -URL