Command-Line Utilities


Certificate Services includes three command-line tools that you can use for various administrative tasks. While none of these tools are necessary for ordinary operation of your CAs, sometimes they will come in handy.

The Certsrv Tool

Certsrv.exe is the actual executable that implements the Certificate Services code. Normally, you'll start and stop the server using the Services snap-in; however, you can manually start it from the command line. This allows you to start the server only when you need to issue a new certificate; many sites choose to run their root CAs in this on-demand mode because it helps reduce the risk of an accidental or malicious issuance of an unwanted certificate.

As an extra bonus, if you run Certsrv.exe with the -z command switch, it will display a log of its activities in the console window you used to start it. This is invaluable for debugging or just for gaining a better understanding of how the server accomplishes its tasks.

The Certreq Tool

Most of the time you'll request certificates through the Web interface (see "Requesting Certificates" in Chapter 18) or through a program that's been written to take advantage of Certificate Services. However, sometimes manually requesting a certificate is useful. For example, you typically need to manually request certificates for subordinate stand-alone CAs, and requesting test certificates from a new server is often useful so you can verify that it's working properly. The Certreq tool (Certreq.exe) allows you to request a new certificate from a CA in your domain or retrieve any certificate previously issued by that CA—you can even retrieve revoked or expired certificates.

The Certreq tool has two slightly different forms; the one that you use to request certificates looks like this:

    certreq [-rpc] [-binary] [-config configString] [-attrib attribString] [requestFile [certFile | chainFile]]

  • The -rpc switch forces the Certreq tool to contact the CA with a standard Windows remote procedure call (RPC) request instead of a Distributed COM request.
  • The -binary flag specifies that you want the certificate or CRL to be stored as a binary file instead of in base-64 encoding. You normally use this option when you want to take the object returned from the server and import it into a program that uses certificates directly.
  • Use the -config switch to specify which CA you want to send your request to; you have to specify both the server and CA names, in the form server\CA name. For example, to request a certificate from a CA named Netsolvers Purchasing on a server named HQ4, you'd write

        certreq -config "HQ4\Netsolvers Purchasing"

    The whole server\CA string is quoted because the CA name contains a space; otherwise the command shell splits it into two arguments. You can also use a single hyphen in place of a server/CA name if you want to request a certificate from the default CA for your domain.

  • If you want to specify additional attributes in the certificate request, use the -attrib switch, along with the attribute names and values you want to use. Each name:value pair must be separated with a newline character, written as \n on the command line, like this:

        certreq -attrib "Hair color:blond\nEye color:blue"

  • If you want to submit a request generated by another program, you can do so by specifying the request's file name. That's what the requestFile parameter is for. The Certreq tool can forward requests in three formats: PKCS #10 (used to request new certificates), PKCS #7 (used to request renewal of an existing certificate), or KeyGen (used to request a new certificate). The request file can be either raw binary or base-64 encoded, as long as it's in one of the supported formats.
  • If you're using Active Directory, the CA will publish newly generated certificates for you. If not, or if you need to get the certificate back as a file so you can do something with it, specify a filename in place of the certFile parameter and Certreq will put a copy of the new certificate in the specified file—provided that the CA approves the request, of course. In the same vein, supplying a filename in place of the chainFile parameter will cause Certreq to provide you with a copy of the entire certificate chain for the new certificate, starting at the root CA and including all subordinate CA certificates.
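The following PowerShell script is an added example, not code from the book, that ties together the on-demand Certsrv model described under "The Certsrv Tool" and the Certreq invocation described above: the CA service is brought online only for the issuance window, one request is submitted with attributes, the certificate and chain are written to files, and the service is stopped again. It assumes a host where PowerShell is available and Certificate Services runs under the service name CertSvc; the server and CA names, file paths, and attribute names are placeholders, and the PKCS #10 request file is assumed to have been generated by another program, as the requestFile parameter allows.

```powershell
# Added example (not from the book). Issue one certificate from a stand-alone
# CA that is kept stopped between issuances, using the Certsrv/Certreq flow
# described in the text. All names and paths below are placeholders.

$CaConfig    = 'HQ4\Netsolvers Purchasing'        # server\CA name, as in the text
$RequestFile = 'C:\requests\purchasing-web.req'   # PKCS #10 request produced elsewhere (assumption)
$CertFile    = 'C:\requests\purchasing-web.cer'   # issued certificate is written here
$ChainFile   = 'C:\requests\purchasing-web.p7b'   # full chain, root CA first

# Name:value pairs separated by the two-character sequence \n, exactly as the
# text shows for -attrib. The attribute names here are constructed for illustration.
$Attributes  = 'Department:Purchasing\nTicket:CHG-0000'

# 1. Bring the CA online only for this issuance. (To watch the server's own
#    activity log instead, run "certsrv.exe -z" in a console window as the
#    text describes, and skip Start-Service/Stop-Service.)
Start-Service -Name CertSvc   # assumed service name of Certificate Services

try {
    # 2. Submit the request. Each variable is passed as a single argument, so
    #    the space in the CA name and the \n in the attribute string survive.
    #    -binary asks for DER output rather than base-64.
    & certreq.exe -binary -config $CaConfig -attrib $Attributes $RequestFile $CertFile $ChainFile
    if ($LASTEXITCODE -ne 0) {
        throw "certreq failed with exit code $LASTEXITCODE"
    }

    # 3. Check what the CA actually signed before handing the file out: the
    #    subject, issuer and validity period should match what was requested.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
    'Issued to  {0}' -f $cert.Subject
    'Issued by  {0}' -f $cert.Issuer
    'Valid from {0:u} until {1:u}' -f $cert.NotBefore, $cert.NotAfter
}
finally {
    # 4. Take the CA offline again whether or not the request succeeded, so the
    #    signing key is not reachable between issuances.
    Stop-Service -Name CertSvc
}
```

Run it from an elevated prompt on the CA host, since starting and stopping the service requires administrative rights. To submit to the default CA for the domain instead of a named one, set $CaConfig to a single hyphen, as the text describes for -config.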

The Certutil Tool

The Certutil tool is practically a Swiss Army knife—you know, the really big ones you see at camping stores. It has a total of 40 different modes; these modes perform tasks ranging from stopping the CA service to creating a backup of the CA's private keys to scanning a certificate file for particular ASCII characters that can confuse older certificate service implementations.

Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
ISBN: 1572318198
Year: 2000
Pages: 366