http://technet.microsoft.com/en-us/library/cc755341.aspx
Certification authorities should be backed up regularly and restored when necessary to provide their services. You
can use certutil to perform these tasks.
To back up a CA database
To restore the CA certificate and keys from a backup directory or a PKCS #12 (.pfx) file
To dump the CA database schema, for example, column names, types, and max sizes
Parameters
-backup
Backs up Certificate Services.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
-p Password
Specifies a password.
BackupDirectory
Specifies the backup directory.
incremental
Implements an incremental backup instead of a full backup.
keeplog
Preserves database log files.
-?
Displays a list of certutil commands.
Remarks
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using
the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.
If you do not specify keeplog, certutil -backup combines the database log files into a single log file that
Examples
To back up keys and certificates for a CA named EnterpriseCA, type:
To back up a CA database
Syntax
certutil -backupdb [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] BackupDirectory [[incremental] [keeplog]]
Parameters
-backupdb
Backs up the Certificate Services database.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
BackupDirectory
Specifies the backup directory.
incremental
Implements an incremental backup instead of a full backup.
keeplog
Preserves database log files.
-?
Displays a list of certutil commands.
Remarks
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using
the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
You can run this command locally or remotely. The server and the CA must be running. Typically,
administrators use this command to perform infrequent full backups followed by frequent incremental
backups. Each backup must be made into a separate directory tree. Starting with the most recent full
backup, all backups are required to correctly restore the database.
If you do not specify keeplog, certutil -backup combines the database log files into a single log file that
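The full-then-incremental schedule described in the remarks above, as an added PowerShell example that is not part of the TechNet page. It writes every backup into its own directory tree, passes the positional arguments in the order the syntax line gives (BackupDirectory, then incremental, then keeplog), and records a hash manifest next to each tree so a later restore can verify the set before the CA is taken offline. The CA configuration string "CA01\Contoso Issuing CA" and the root D:\CABackup are placeholders; swapping -backupdb for -backup (with -p Password) would apply the same layout to the combined database-plus-key backup documented earlier.

```powershell
# Added example, not from the TechNet page: full backup followed by incremental
# backups, each in a separate directory tree as the certutil -backupdb remarks require.
# Assumptions: "CA01\Contoso Issuing CA" and D:\CABackup are placeholders.
$CAConfig   = 'CA01\Contoso Issuing CA'
$BackupRoot = 'D:\CABackup'

function Invoke-CADatabaseBackup {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('full', 'incremental')]
        [string]$Mode
    )
    # One timestamped directory per run: every backup lives in its own tree and
    # the names make the restore order (full first, then incrementals) obvious.
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMdd-HHmmss')
    $dir   = Join-Path $BackupRoot "$stamp-$Mode"
    New-Item -ItemType Directory -Path $dir | Out-Null

    # Positional order from the syntax line: BackupDirectory [incremental] [keeplog]
    $certutilArgs = @('-backupdb', '-gmt', '-seconds', '-config', $CAConfig, $dir)
    if ($Mode -eq 'incremental') { $certutilArgs += 'incremental' }
    $certutilArgs += 'keeplog'   # keep the individual log files rather than a merged one

    & certutil.exe @certutilArgs
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -backupdb ($Mode) failed with exit code $LASTEXITCODE"
    }

    # Hash manifest stored beside (not inside) the backup tree, so the restore
    # runbook can confirm the files are intact and unmodified.
    Get-ChildItem -Path $dir -Recurse -File |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Bytes  = $_.Length
                SHA256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            }
        } |
        Export-Csv -NoTypeInformation -Path (Join-Path $BackupRoot "$stamp-$Mode.manifest.csv")
    return $dir
}

# Typical schedule: one full backup, then incrementals until the next full one.
Invoke-CADatabaseBackup -Mode full
Invoke-CADatabaseBackup -Mode incremental
```

Run each call from a scheduled task on the CA host; because certutil reports failure through its exit code, the throw turns a failed backup into a visible task failure rather than a silent gap in the chain.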
Parameters
-backupkey
Backs up the Certificate Services certificate and private key.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
-p Password
Specifies a password.
BackupDirectory
Specifies the backup directory.
-?
Displays a list of certutil commands.
Remarks
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using
the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.
Parameters
-restore
Restores the CA database, certificates, and keys from the specified BackupDirectory.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
-p Password
Specifies a password.
BackupDirectory
Specifies the backup directory from which you want to restore the CA database, certificates, and keys.
-?
Displays a list of certutil commands.
Remarks
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using
the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.
Parameters
-restoredb
Restores CA database from the specified BackupDirectory.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
BackupDirectory
Specifies the backup directory from which you want to restore the CA database.
-?
Displays a list of certutil commands.
Remarks
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using
the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
The server and the CA must not be running. You can run this command locally or remotely.
To restore a full backup and incremental backups, you must restore the full backup first, and then restore
all subsequent incremental backups in any order. To overwrite the existing server database files with the
full restore, use -f. Do not start the server until all backups are restored.
When you start the CA server, you initiate database recovery. If you successfully start the CA server (that
is, as recorded in the application event log), this indicates restore and recovery were completed
successfully. If the server fails to start after you run -restore, you receive an error code. For more
information if -restore fails, you can also view the RESTOREINPROGRESS registry key.
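The restore sequence from the remarks above (service stopped, full backup restored with -f, every later incremental restored, service started only at the end, then recovery checked), as an added PowerShell example that is not part of the TechNet page. It assumes the directory naming from a full/incremental backup schedule (<timestamp>-full and <timestamp>-incremental under D:\CABackup), the placeholder CA "CA01\Contoso Issuing CA", the service name CertSvc, and that the RESTOREINPROGRESS value the remarks mention lives under the CA's CertSvc Configuration registry key; that last location and the event log provider name are assumptions to verify on your own CA.

```powershell
# Added example, not from the TechNet page: restore a CA database from a full
# backup plus all later incrementals, then check that recovery completed.
# Assumptions: placeholder CA name/config string, backup directory naming
# <timestamp>-full / <timestamp>-incremental, service name CertSvc.
$CAConfig   = 'CA01\Contoso Issuing CA'
$CAName     = 'Contoso Issuing CA'
$BackupRoot = 'D:\CABackup'

function Restore-CADatabase {
    param([Parameter(Mandatory)][string]$FullBackupDir)

    # 1. The server and the CA must not be running during the restore.
    Stop-Service -Name CertSvc -ErrorAction Stop
    (Get-Service -Name CertSvc).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(1))

    # 2. Full backup first; -f overwrites the existing database files.
    & certutil.exe -restoredb -f -config $CAConfig $FullBackupDir
    if ($LASTEXITCODE -ne 0) { throw "Full restore failed with exit code $LASTEXITCODE" }

    # 3. Every incremental taken after that full backup. The remarks allow any
    #    order; chronological order is used here so the log reads naturally.
    $fullStamp = (Split-Path -Leaf $FullBackupDir) -replace '-full$'
    Get-ChildItem -Path $BackupRoot -Directory -Filter '*-incremental' |
        Where-Object { ($_.Name -replace '-incremental$') -gt $fullStamp } |
        Sort-Object Name |
        ForEach-Object {
            & certutil.exe -restoredb -config $CAConfig $_.FullName
            if ($LASTEXITCODE -ne 0) {
                throw "Incremental restore of $($_.Name) failed with exit code $LASTEXITCODE"
            }
        }

    # 4. Do not start the server until all backups are restored; starting it
    #    initiates database recovery.
    Start-Service -Name CertSvc -ErrorAction Stop
    (Get-Service -Name CertSvc).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
}

function Test-CARestoreCompleted {
    # Assumed location of the RESTOREINPROGRESS value the remarks refer to.
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
    $flag = (Get-ItemProperty -Path $key -Name RestoreInProgress -ErrorAction SilentlyContinue).RestoreInProgress
    $svcRunning = (Get-Service -Name CertSvc).Status -eq 'Running'

    # Recovery success is recorded in the Application event log; show the
    # recent CA events so the operator can confirm (assumed provider name).
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificationAuthority'
        StartTime    = (Get-Date).AddMinutes(-10)
    } | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

    # Restore is complete only if the service is up and no restore is flagged as in progress.
    return ($svcRunning -and -not $flag)
}

Restore-CADatabase -FullBackupDir (Join-Path $BackupRoot '20240107-020000-full')
Test-CARestoreCompleted
```

The string comparison on the directory names works because the timestamps use a fixed yyyyMMdd-HHmmss layout; if your backup directories are named differently, replace that filter with whatever identifies the incrementals taken after the chosen full backup.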
To restore the CA certificate and keys from a backup directory or a PKCS #12 (.pfx) file
Syntax
certutil -restorekey [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory | PFXFile
Parameters
-restorekey
Restores the Certificate Services certificate and private key from the specified BackupDirectory or PKCS #12 PFXFile.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
-p Password
Specifies a password.
BackupDirectory
Specifies the backup location of the PKCS #12 PFX file.
PFXFile
Specifies the PKCS #12 PFX file.
-?
Displays a list of certutil commands.
Remarks
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using
the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
With a PKCS #12 (.pfx) file, 32 characters is the maximum length allowed for a password.
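The -backupkey and -restorekey operations from the two sections above, as an added PowerShell example that is not part of the TechNet page. It enforces the 32-character PKCS #12 password limit before certutil is called, prompts for the password instead of embedding it in a script, records a SHA-256 of the exported file, and refuses a file-based restore whose hash no longer matches. Assumptions: the CA configuration string and E:\CAKeys are placeholders, certutil -backupkey is assumed to write a <CAName>.p12 file into the backup directory, the 16-character minimum is an assumed local policy, and stopping CertSvc around -restorekey is a precaution the page does not itself state.

```powershell
# Added example, not from the TechNet page: CA certificate and key backup and
# restore with a length-checked PKCS #12 password and a recorded file hash.
# Assumptions: placeholder CA config string and path; output file name
# <CAName>.p12 is assumed; 16-character minimum is an assumed local policy.
$CAConfig = 'CA01\Contoso Issuing CA'
$KeyDir   = Join-Path 'E:\CAKeys' ((Get-Date).ToUniversalTime().ToString('yyyyMMdd'))

function Read-PfxPassword {
    # Prompt so the password is never written into a script, and check the
    # length here: certutil allows at most 32 characters for a PKCS #12 password.
    $secure = Read-Host -Prompt 'PKCS #12 password' -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    if ($plain.Length -gt 32) { throw 'certutil accepts at most 32 characters for a PKCS #12 password.' }
    if ($plain.Length -lt 16) { throw 'Assumed local policy: use at least 16 characters for a CA key backup.' }
    return $plain
}

function Backup-CAKey {
    $pw = Read-PfxPassword
    New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null
    # The -p value is visible to anyone who can read process command lines on
    # this host while certutil runs, so run this locally from an admin session.
    & certutil.exe -backupkey -config $CAConfig -p $pw $KeyDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupkey failed with exit code $LASTEXITCODE" }

    # Record the hash of the exported file so a later restore can confirm it is
    # the file that was backed up.
    $pfx = Get-ChildItem -Path $KeyDir -Filter '*.p12' | Select-Object -First 1
    if (-not $pfx) { throw "No .p12 file found in $KeyDir (check the assumed output file name)" }
    $hash = (Get-FileHash -Algorithm SHA256 -Path $pfx.FullName).Hash
    Set-Content -Path "$($pfx.FullName).sha256" -Value "$hash  $($pfx.Name)"
    return $pfx.FullName
}

function Restore-CAKey {
    param([Parameter(Mandatory)][string]$PfxOrDirectory)
    # -restorekey accepts either the backup directory or the PKCS #12 file;
    # when a file is given, verify its recorded hash before touching the CA.
    if (Test-Path -Path $PfxOrDirectory -PathType Leaf) {
        $expected = (Get-Content -Path "$PfxOrDirectory.sha256").Split(' ')[0]
        $actual   = (Get-FileHash -Algorithm SHA256 -Path $PfxOrDirectory).Hash
        if ($expected -ne $actual) { throw 'PKCS #12 file hash does not match the recorded value; refusing to restore.' }
    }
    $pw = Read-PfxPassword
    # Precaution (assumed, not stated on the page): stop the CA while replacing its key.
    Stop-Service -Name CertSvc -ErrorAction Stop
    & certutil.exe -restorekey -f -config $CAConfig -p $pw $PfxOrDirectory   # -f overwrites the existing key
    if ($LASTEXITCODE -ne 0) { throw "certutil -restorekey failed with exit code $LASTEXITCODE" }
    Start-Service -Name CertSvc -ErrorAction Stop
}
```

Keep the .sha256 record somewhere other than the key backup volume as well; it is the only thing in this flow that tells a restore from a copied file that the copy is the original.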
To dump the CA database schema, for example, column names, types, and max sizes
Syntax
certutil -schema [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [{ext | attib | crl}]
Parameters
-schema
Dumps the CA database schema.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
ext
Displays the schema for Ext table.
attib
Displays the schema for Attib table.
crl
Displays the schema for the certificate revocation list (CRL).
-?
Displays a list of certutil commands.
Remarks
If you use -config - instead of -config CAComputerName\CAName, the operation is processed using
the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
Examples
To view the CA database schema, type:
certutil -schema
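A use of certutil -schema that the example above only hints at, added here as PowerShell that is not part of the TechNet page: dump the default schema and the ext, attib and crl variants to files with each backup, then compare the new dump with the previous one so any difference in column layout is seen before a restore is attempted. D:\CABackup\schema is a placeholder path, and "attib" is spelled as the page spells the keyword.

```powershell
# Added example, not from the TechNet page: dump every certutil -schema variant
# to files and compare with the previous dump. Assumption: placeholder path.
$SchemaRoot = 'D:\CABackup\schema'

function Export-CASchema {
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMdd-HHmmss')
    $dir   = Join-Path $SchemaRoot $stamp
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    foreach ($table in @('', 'ext', 'attib', 'crl')) {
        $name = if ($table) { $table } else { 'default' }
        $certutilArgs = @('-schema')
        if ($table) { $certutilArgs += $table }   # only add the optional table keyword when set
        $out = & certutil.exe @certutilArgs 2>&1
        # certutil signals failure through its exit code; keep its text for diagnosis.
        if ($LASTEXITCODE -ne 0) { throw "certutil -schema $table failed: $out" }
        $out | Set-Content -Path (Join-Path $dir "$name.txt")
    }
    return $dir
}

function Compare-CASchema {
    param(
        [Parameter(Mandatory)][string]$NewDir,
        [Parameter(Mandatory)][string]$BaselineDir
    )
    # Returns one line per schema file that differs from (or is missing in) the baseline.
    $changes = @()
    foreach ($file in Get-ChildItem -Path $NewDir -Filter '*.txt') {
        $baseline = Join-Path $BaselineDir $file.Name
        if (-not (Test-Path -Path $baseline)) { $changes += "$($file.Name): no baseline"; continue }
        $diff = Compare-Object -ReferenceObject (Get-Content -Path $baseline) -DifferenceObject (Get-Content -Path $file.FullName)
        if ($diff) { $changes += "$($file.Name): $($diff.Count) differing line(s)" }
    }
    return $changes
}

$new  = Export-CASchema
$prev = Get-ChildItem -Path $SchemaRoot -Directory | Sort-Object Name | Select-Object -Last 2 | Select-Object -First 1
if ($prev -and $prev.FullName -ne $new) {
    Compare-CASchema -NewDir $new -BaselineDir $prev.FullName
}
```

An empty result from Compare-CASchema means the layout matches the previous dump; any reported difference is worth reading before relying on an older backup set.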
Formatting legend
Format                                          Meaning
Italic                                          Information that the user must supply
Bold                                            Elements that the user must type exactly as shown
Ellipsis (…)                                    Parameter that can be repeated several times in a command line
Between brackets ([])                           Optional items
Between braces ({}); choices separated by       Set of choices from which the user must choose only one
pipe (|); example: {even|odd}
Courier font                                    Code or program output