
Exploring the hidden switches of Certutil and Certreq

Over the past 20 years, certutil.exe and certreq.exe have been two of the most dependable Windows tools. They have proved essential for handling cryptographic keys and certificates, especially on servers where security is critical, and even their basic use exposes a large number of helpful functions.

Beneath the surface, though, lies a set of advanced capabilities and numerous switches aimed at server administrators, giving fine-grained control over certificate requests and issued certificates. This post takes a deeper look at these little-known features and explores the hidden switches.

Certutil.exe

Certutil, which stands for Certificate Utility, is a versatile command-line utility that enables a range of certificate-related activities in the Windows environment. It provides features to manage certificate stores, inspect certificates, and convert certificates between different formats. Essentially, it can be compared to a Swiss army knife for certificate management.

To visit the official documentation, follow the link: Certutil documentation

Exploring Certutil

Certutil.exe can be used to back up and restore CA components, display configuration information for certification authorities (CAs), and set up Certificate Services. Additionally, the program verifies certificate chains, key pairs, and certificates.

When certutil is run on a certification authority without further parameters, it displays the CA's configuration. Run with no parameters on a machine that is not a CA, it performs certutil -dump by default.

[Screenshot: certutil parameter switches]

Certutil offers various useful switches. You can see the options that your version of certutil provides by running certutil -? or certutil <parameter> -?.

Add the -v switch for verbose output: certutil -v -?

You might wonder what difference the -v switch could possibly make, so here is a side-by-side comparison of the output of certutil -? and certutil -v -?.

[Screenshot: certutil -? (left) compared with certutil -v -? (right)]

The left side contains the output of the command "certutil -?" and the right side contains the output of "certutil -v -?".

Exploring hidden switches of Certutil

Hidden switches of Certutil can be seen with the help of the -uSAGE parameter. The screenshots below show the differences between the "certutil -uSAGE" command (on the left side) and the "certutil -?" command (on the right side). The differences are clear.

[Screenshots: hidden switches of certutil, certutil -uSAGE (left) vs certutil -? (right)]

These hidden switches include:

  • -encodehex: Encode file in hexadecimal
  • -exportPFX: Export certificate and private key
  • -getconfig2: Get the default configuration string via ICertGetConfig
  • -getconfig3: Get configuration via ICertConfig
  • -SetCATemplates: Set templates for CA
  • -ds: Display DS DNs
  • -dsCert: Display DS Certificates
  • -dsCRL: Display DS CRLs
  • -dsDeltaCRL: Display DS Delta CRLs
  • -dsTemplate: Display DS Template Attributes
  • -dsAddTemplate: Add DS Templates

Several of these switches are genuinely useful for everyday tasks and troubleshooting. The -ds switch shows how the Active Directory PKI containers appear, and the -dsTemplate switch lists a specific certificate template.

Adding -v before -dsTemplate prints the template in full and expands its enrollment and private key flags. The -csplist and -csptest switches list and test the computer's Key Storage Providers and legacy Cryptographic Service Providers; they are very useful for listing the cryptographic algorithms each provider exposes and for debugging HSMs or smart cards.

Certreq.exe

Certreq, short for Certificate Request, is another command-line tool integral to managing certificates in Windows environments. Its primary purpose is to generate certificate requests and submit them to a certification authority (CA).

To visit the official documentation, follow the link: Certreq documentation

Exploring Certreq

The certreq command can be used to request certificates from a certification authority (CA), to retrieve a response to a previous request from a CA, to create a new request from an .inf file, to accept and install a response to a request, to construct a cross-certification or qualified subordination request from an existing CA certificate or request, and to sign a cross-certification or qualified subordination request.

Certreq command parameters

[Screenshot: certreq command parameters]

"certreq -submit" and "certreq -retrieve" are the most used switches: they submit a certificate request and retrieve the issued certificate from the certification authority via the command line.

Exploring hidden switches of Certreq

As with certutil, the hidden switches of certreq can be seen with the help of the -uSAGE parameter. The screenshots below show the differences between the "certreq -uSAGE" command (on the left side) and the "certreq -?" command (on the right side). The differences are clear.

[Screenshots: hidden switches of certreq, certreq -uSAGE (left) vs certreq -? (right)]

The hidden switches of certreq are:

  • -ImportPFX: Import certificate and private key
  • -Autoenroll: Start Auto-Enroll U/I
  • -EnrollX: Enroll multiple certificates in one go
  • -Request: Create a custom request
  • -EOBO: Start Enroll On Behalf Of wizard

Among the hidden switches, two are the most interesting to look at: -ImportPFX in certreq and -exportPFX in certutil. certutil.exe also has a public -importPFX switch, which looks quite different from the certreq one but can produce a similar outcome.

[Screenshot: output of certreq -ImportPFX run with the -? switch]
[Screenshot: output of certutil -importPFX run with the -? switch]
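Rather than comparing the -? and -uSAGE screenshots by eye, the following PowerShell script (an added example, not part of the original post or of either tool) runs certutil.exe and certreq.exe with both switches, pulls the switch names out of the help text with a regular expression, and prints the ones that only the -uSAGE listing shows. It assumes both executables are on PATH and that help lines follow the "  -verb  -- description" layout; that layout is a heuristic of the example, and lines that do not match are ignored.

```powershell
# Added example (not from the original post or from Microsoft): enumerate the
# switches that "<tool> -uSAGE" lists but "<tool> -?" does not, for both
# certutil.exe and certreq.exe. Assumes both are on PATH. The help-line layout
# assumed below ("  -verb  -- description") is a heuristic; other lines are skipped.
function Get-HelpSwitches {
    param(
        [Parameter(Mandatory)] [string] $Tool,
        [Parameter(Mandatory)] [string] $HelpArg
    )
    $table = @{}
    # Both tools print help to stdout; stderr is merged in case of warnings.
    & $Tool $HelpArg 2>&1 | ForEach-Object {
        $line = "$_"
        # e.g. "  -dsTemplate       -- Display DS Template Attributes"
        if ($line -match '^\s+(-[A-Za-z0-9]+)\s*(?:--)?\s*(.*)$') {
            # Switches are case-insensitive on the command line, so key on lower case.
            $name = $Matches[1].ToLowerInvariant()
            if (-not $table.ContainsKey($name)) { $table[$name] = $Matches[2].Trim() }
        }
    }
    return $table
}

function Get-HiddenSwitches {
    param([Parameter(Mandatory)] [string] $Tool)
    $public = Get-HelpSwitches -Tool $Tool -HelpArg '-?'
    $full   = Get-HelpSwitches -Tool $Tool -HelpArg '-uSAGE'
    # Set difference: everything the full listing has that the public one lacks.
    foreach ($name in ($full.Keys | Sort-Object)) {
        if (-not $public.ContainsKey($name)) {
            [pscustomobject]@{ Tool = $Tool; Switch = $name; Description = $full[$name] }
        }
    }
}

'certutil.exe', 'certreq.exe' | ForEach-Object { Get-HiddenSwitches -Tool $_ } |
    Format-Table -AutoSize
```

Because the output depends on the Windows build, the list is a convenient way to check which undocumented switches are present on a given server before relying on them.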

Conclusion

Certutil and Certreq are powerful tools for managing certificates in Windows environments. Even though their fundamental functions are widely recognized, delving into their advanced features and hidden switches reveals a wealth of additional capabilities.

These tools offer unmatched control over certificate management duties, from adjusting certificate requests to modifying certificate stores. Server administrators can greatly improve security and efficiency by exploring the depths of Certutil and Certreq and building them into their certificate management procedures.

How can Encryption Consulting help?

Encryption Consulting provides specialized services tailored to identify vulnerabilities and mitigate risks by providing PKI Services. Our strategic guidance aligns PKI solutions with organizational objectives, enhancing efficiency and minimizing costs. By partnering with Encryption Consulting, organizations can unlock the full potential of PKI solutions, realizing tangible financial benefits while maintaining strong security measures. 

Encryption Consulting's PKIaaS provides a flexible and secure PKI solution tailored to your specific needs, offering benefits such as customizable options, high assurance standards, and a low-risk managed approach. PKIaaS automates key and certificate management tasks, reducing operational overhead and minimizing the risk of human error. Additionally, it enhances network visibility by requiring certificates for access. It takes care of building the PKI infrastructure and of leading and managing your organization's PKI environment (cloud, hybrid or on-prem).

CertSecure Manager has a comprehensive suite of lifecycle management features, from discovery and inventory to issuance, deployment, renewal, revocation, and reporting, making it an all-encompassing solution. Intelligent report generation, alerting, automation, automatic deployment onto servers, and certificate enrollment add layers of sophistication, making it a versatile and intelligent asset.


About the Author


Aditi Goel is a consultant at Encryption Consulting. Her main focus is on PKI-as-a-Service initiatives and cloud services, and she leverages her knowledge of PKI, HSMs, CLM and code signing to develop solutions for our clients. She ensures that clients receive customized strategies that fit their needs perfectly.
