CryptoAPI Tools are tools to perform common certificate management tasks.
| Tool | Remarks |
|---|---|
| MakeCert | Creates a test X.509 certificate. |
| Cert2SPC | Creates a test Software Publisher Certificate (SPC). |
| CertMgr | Manages certificates, CTLs, and certificate revocation lists (CRLs). |
All user input to these tools is case insensitive. Separate options now exist for the key pair name and the private key file.
Additional Tools
Certutil.exe is a command-line tool that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. For more information about Certutil, see the Certutil topic on Microsoft TechNet.
There are many instances where you need to move a server to new hardware. What you will carry from the old server to the new one will vary; you need to plan according to the server role in order to create your own checklist. Recently I had to move my own TMG Server to new hardware (in this case a new VM) and I decided to install it all over again and just import the rules. In a scenario with TMG, besides the core configuration (XML backup) you also need to consider the certificates that are in use. As I only have a couple of certificates, it was no big deal: I just opened the MMC and exported those certs. However, there are scenarios where you have a large number of certificates, and exporting them one by one can get quite tedious.
But you can use certutil to automate that. The first step in this procedure is to identify the certificate's thumbprint (or serial number, depending on the approach in use). To do that you can use the PowerShell commands below:
```powershell
PS C:\Users\Administrator> cd cert:
PS cert:\> dir

Location   : CurrentUser
StoreNames : {SmartCardRoot, UserDS, AuthRoot, CA...}

Location   : LocalMachine
StoreNames : {SmartCardRoot, AuthRoot, CA, Trust...}

PS cert:\> cd LocalMachine
PS cert:\LocalMachine> dir

Name : SmartCardRoot
Name : AuthRoot
Name : CA
Name : Trust
Name : Disallowed
Name : My
Name : Root
Name : TrustedPeople
Name : TrustedDevices
Name : Remote Desktop
Name : TrustedPublisher
Name : REQUEST

PS cert:\LocalMachine> dir My

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
C571112B20BE45D10AD185FAA6A022ADB08F1693  CN=TMGFW
089D8C1FD45893D7BF76F3788D3B1ED7E0974100  CN=mail.contoso.com, OU=Security, O=Contoso, L=Dallas, S=Texas
```
Alternatively, you can use the CertUtil command to list all the certificates in your local machine store:
```
C:\Users\Administrator>certutil -store my
my

Certificate 0
Serial Number: 67137d4819445f8947dfe5975c2dcda4
Issuer: CN=TMGFW
 NotBefore: 1/8/2010 6:19 PM
 NotAfter: 1/8/2015 6:19 PM
Subject: CN=TMGFW
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): c5 71 11 2b 20 be 45 d1 0a d1 85 fa a6 a0 22 ad b0 8f 16 93
  Key Container = cb450661-cef0-423d-8c8d-f35770442ef9
  Unique container name: 1c5d966ed267ef52208611a02c81673c_5d23994c-569c-4045-8627-97f7be02ff89
  Provider = (null)
Private key is NOT exportable
Encryption test passed

Certificate 1
Serial Number: 610df5bb000000000002
Issuer: CN=Contoso CA, DC=contoso, DC=com
 NotBefore: 1/29/2010 4:21 PM
 NotAfter: 1/29/2012 4:31 PM
Subject: CN=mail.contoso.com, OU=Security, O=Contoso, L=Dallas, S=Texas
Non-root Certificate
Template:
Cert Hash(sha1): 08 9d 8c 1f d4 58 93 d7 bf 76 f3 78 8d 3b 1e d7 e0 97 41 00
  Key Container = a5195f11b98a20b15d90c79844b9eeb8_b616de3c-8c7e-4aa6-bb33-aae84203823f
  Unique container name: 45ec83860a1e2a33a77a819ede5c1d80_5d23994c-569c-4045-8627-97f7be02ff89
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -store command completed successfully.
```
Write down the certificate's serial number and, assuming that the key is exportable (note that the first certificate above reports "Private key is NOT exportable"), run the command below:
```cmd
certutil -exportPFX -p 'Password' my 610df5bb000000000002 contoso.pfx
```
See the article Manual Key Archival for more information about the CertUtil tool's -ExportPFX parameter.
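To avoid repeating the two steps above for every certificate, here is an added PowerShell script (not from the original article) that walks LocalMachine\My through the Cert: drive, skips certificates whose private key is not marked exportable (like the TMGFW certificate in the output above, which would make certutil fail), and runs certutil -exportPFX by serial number for the rest, one .pfx per certificate. The output folder, the interactive password prompt and the Test-KeyExportable helper are assumptions of this example.

```powershell
# Added example (not from the original article): bulk-export every certificate
# in LocalMachine\My whose private key is exportable, using certutil -exportPFX
# with the serial number as the CertId, one .pfx per certificate (named by thumbprint).
param(
    [string]$OutDir = 'C:\CertBackup',   # assumed destination folder
    [string]$Store  = 'My'               # LocalMachine store name used in the article
)

# Prompt for the PFX password instead of hard-coding it. certutil still receives it
# in clear text on its command line, where other local users can see it in process
# listings, so run this interactively and move the .pfx files off the box promptly.
$secure = Read-Host -AsSecureString 'PFX password'
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# $true when the private key is marked exportable. Certificates such as the
# self-signed TMGFW one above ("Private key is NOT exportable") would make
# certutil fail, so they are filtered out up front. CSP and CNG keys expose
# the flag differently; non-RSA keys are treated as not exportable here.
function Test-KeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch { return $false }           # key not accessible from this context
    if ($null -eq $rsa) { return $false }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return [bool]$rsa.CspKeyContainerInfo.Exportable            # legacy CSP key
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {            # CNG key
        $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
        return ([int]($rsa.Key.ExportPolicy -band $allow)) -ne 0
    }
    return $false
}

$report = foreach ($cert in Get-ChildItem "Cert:\LocalMachine\$Store") {
    $result = 'skipped: private key not exportable'
    if (Test-KeyExportable $cert) {
        $pfx = Join-Path $OutDir "$($cert.Thumbprint).pfx"
        & certutil.exe -exportPFX -p $plain $Store $cert.SerialNumber $pfx | Out-Null
        $result = if ($LASTEXITCODE -eq 0) { "exported: $pfx" } else { "certutil failed: exit code $LASTEXITCODE" }
    }
    [pscustomobject]@{ Subject = $cert.Subject; Serial = $cert.SerialNumber; Result = $result }
}
$report | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the source server; the report shows which certificates were written and which were skipped so nothing silently goes missing in the move.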