Tag Archives: certutil

Verify CRL and OCSP of a certificate

One way to verify the revocation status of a certificate is to use the certutil command. Export the certificate from the store in DER format and save it to, e.g., C:\Temp\Cert.der. Open a command prompt and type:

certutil -url C:\Temp\Cert.der

The URL …

Posted in Certificate Services

CA Flags

Disable CRL check on startup:

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

Posted in Certificate Services

Publish a CRL created with OpenSSL into Active Directory

A CRL signed with OpenSSL does not have the attribute “Published CRL Locations”, which tells where the revocation lists are or should be published. Without this attribute there is no way for certutil to know where to save …

Posted in Active Directory, PKI

Recover an archived certificate from a Microsoft CA

Prerequisites: Your KRA certificate must be installed in the certificate store on your machine.

Find the serial number of the certificate you want to recover.

certutil -getkey [serial number] [outfile]
Ex. certutil -getkey 45137316467 d:key.file

certutil -recoverkey [infile] [outfile_pfx]
Ex. certutil …

Posted in PKI