Certificate Services includes three command-line tools that you can use for various administrative tasks. While none of these tools are necessary for ordinary operation of your CAs, sometimes they will come in handy.
Certsrv.exe is the actual executable that implements the Certificate Services code. Normally, you'll start and stop the server using the Services snap-in; however, you can manually start it from the command line. This allows you to start the server only when you need to issue a new certificate; many sites choose to run their root CAs in this on-demand mode because it helps reduce the risk of an accidental or malicious issuance of an unwanted certificate.
As an extra bonus, if you run Certsrv.exe with the -z command switch, it will display a log of its activities in the console window you used to start it. This is invaluable for debugging or just for gaining a better understanding of how the server accomplishes its tasks.
Most of the time you'll request certificates through the Web interface (see "Requesting Certificates" in Chapter 18) or through a program that's been written to take advantage of Certificate Services. However, sometimes manually requesting a certificate is useful. For example, you typically need to manually request certificates for subordinate stand-alone CAs, and requesting test certificates from a new server is often useful so you can verify that it's working properly. The Certreq tool (Certreq.exe) allows you to request a new certificate from a CA in your domain or retrieve any certificate previously issued by that CA—you can even retrieve revoked or expired certificates.
The Certreq tool has two slightly different forms; the one that you use to request certificates looks like this:
certreq [-rpc] [-binary] [-config configString] [-attrib attribString] [requestFile [certFile | chainFile]]
The configString names the server and the CA on it, in the form server\CAname; the CA name is quoted when it contains spaces, as in this example:
certreq -config HQ4\"Netsolvers Purchasing"
You can also use a single hyphen in place of a server/CA name if you want to request a certificate from the default CA for your domain.
The attribString is a list of name:value pairs separated by \n, as in:
-attrib "Hair color:blond\nEye color:blue"
The Certutil tool is practically a Swiss Army knife—you know, the really big ones you see at camping stores. It has a total of 40 different modes; these modes perform tasks ranging from stopping the CA service to creating a backup of the CA's private keys to scanning a certificate file for particular ASCII characters that can confuse older certificate service implementations.
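The following script ties the three tools together as an added example; it is not from the book or from Microsoft. It runs the on-demand root CA pattern described above: start Certificate Services only for the duration of one request, submit the request with the -config and -attrib switches shown above, inspect the result with Certutil, and stop the service again. It assumes a modern PowerShell host with certreq.exe and certutil.exe on the PATH, a PKCS#10 request file you have already generated (webserver.req is a placeholder name), the Certificate Services service name CertSvc, and the server\CA name from the page's own example. The certutil modes -dump and -verify are assumed here; the page does not list them by name. The attribute values are the constructed samples the page uses.

```powershell
# Added example, not from the book. Assumes: PowerShell, certreq.exe and certutil.exe on
# the PATH, an existing PKCS#10 request file, and the page's server\CA naming.
param(
    [string]$RequestFile  = '.\webserver.req',          # assumed: request you already generated
    [string]$CertFile     = '.\webserver.cer',          # where certreq writes the issued certificate
    [string]$ConfigString = 'HQ4\Netsolvers Purchasing' # server\CAname; '-' means the domain's default CA
)

$ErrorActionPreference = 'Stop'

function Invoke-Tool {
    # Run one of the CA command-line tools and fail on a non-zero exit code, so that a
    # failed step never leaves an on-demand root CA running unattended.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

# 1. On-demand root CA: the service is normally stopped; start it just for this issuance.
#    (To watch the server's own activity log instead, run "certsrv -z" in a console.)
$svc = Get-Service -Name CertSvc
$startedHere = $false
if ($svc.Status -ne 'Running') {
    Start-Service -Name CertSvc
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    $startedHere = $true
}

try {
    # 2. Submit the request. -config and -attrib are the switches shown on the page;
    #    attributes are name:value pairs separated by a literal "\n", single-quoted so
    #    PowerShell leaves the backslash alone. The values are constructed samples.
    $attrib = 'Hair color:blond\nEye color:blue'
    Invoke-Tool certreq.exe @('-config', $ConfigString, '-attrib', $attrib, $RequestFile, $CertFile)

    # 3. Look at what was actually issued before deploying it: -dump prints the fields,
    #    -verify checks the chain back to the CA. (Both are assumed certutil modes.)
    Invoke-Tool certutil.exe @('-dump', $CertFile)
    Invoke-Tool certutil.exe @('-verify', $CertFile)
}
finally {
    # 4. Return the root CA to its dormant state if this script started it, closing the
    #    window in which an accidental or malicious issuance could happen.
    if ($startedHere) { Stop-Service -Name CertSvc }
}
```

The try/finally block is the important design point: whatever certreq or certutil does, the service is stopped again if the script was the one that started it, so the CA is exposed only for as long as the issuance takes.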