certutil options

The command to display all certutil options that certutil -h does not disclose

certutil -uSAGE



Comments

Post a Comment

Popular posts from this blog

Windows automatic Root CA updates

Image
Microsoft runs its own Trusted Root Program , defining which Root CAs are considered trusted in Microsoft products. The list of trusted Root CAs and/or the corresponding metadata is updated regularly (updates are published here and made available for download in the form of a Certificate Trust List (CTL) here . Windows systems can be configured to automatically update their list of trusted Root CAs, via " Automatic Root Certificates Update ", a setting that can be configured via policy: gpedit.msc > Local Computer Policy > Computer Configuration > System > Internet Communication Management > Internet Communication Settings > Turn off Automatic Root Certificates Update According to the description of the policy setting, having it disabled or not configured will trigger automatic updates via the Windows Update website. The policy editor, especially when it comes to policies not configured, is not always a trustworthy source, so in case of doubt check the corr...
Read more

Automatically removing expired certificates from the CRL

Image
By default, AD CS will automatically remove expired certificates from the CRLs it publishes. Once a certificate expires, whether it was revoked in the past or not is generally not relevant, since the certificate is not time valid anymore it should be rejected. This default behaviour can be modified via one of the CRL flags in the CA configuration, called  CRLF_PUBLISH_EXPIRED_CERT_CRLS . By default the flag is not set, meaning expired  revoked certificates will be removed from the CRL, but it can be set running: certutil -setreg CA\CRLFlags + CRLF_PUBLISH_EXPIRED_CERT_CRLS Once set, expired revoked certificates will remain in the subsequent CRLs even after expiring. To unset the flag simply run: certutil -setreg CA\CRLFlags - CRLF_PUBLISH_EXPIRED_CERT_CRLS There are some cases, though, where it is required to keep certain revoked certificates in the CRL even after those have expired. Classic example for this is code signing certificates: when code is signed using a code signin...
Read more

Java and the Windows certificate store

Image
Java includes its own Root CA trusted certificate store, regularly updated via its  Root Certificate Program  and implemented via its cacerts certificates file (by default under  $JAVA_HOME\lib\security ). In addition to its own trusted certificate store, it is also possible to configure clients to make Java trust the certificates present in a browser's certificate store (limited to Internet Explorer and Mozilla Firefox). This can be achieved via a setting within Control Panel > Java > Advanced > Advanced Security Settings called " Use certificates and keys in browser keystore ": The setting is enabled by default, and it is documented  here . According to its description, in particular on Windows platforms " On Windows, browser keystore is supported through Internet Explorer. Certificates and keys in Internet Explorer are automatically recognized by Java Plug-in and Java Web Start when Java and JavaFX applications are deployed on Windows ". Microsoft W...
Read more