PKI Extensions

From time to time I see questions where people ask “How do I view/decode/validate a certificate in Windows?”. The answers often include OpenSSL examples for no reason. OpenSSL is not built into Windows; it is a third-party dependency, and such responses force users to download the tool to perform basic tasks. It sounds as if there is no other way to do it. Yes, OpenSSL can do these tasks, but why do people ignore the native tools that are built into Windows? I’m going to write several blog posts to promote the built-in certutil.exe tool.

OK, what can Windows offer us? There are two main command-line cryptographic utilities: certutil.exe and certreq.exe.

Certutil is used for various cryptographic operations which include:

  • dealing with cryptographic objects
  • validating cryptographic objects
  • managing the Windows Certificate Store (view/add/delete/export/import)
  • managing Active Directory Certificate Services components (including Certification Authority, OCSP server, Enrollment Web Services)

Certreq is used for certificate enrollment operations, which include:

  • certificate request generation
  • certificate request submission to an ADCS server, and retrieval and installation of the issued certificate

These tools cover most of the cryptographic operations you may encounter when managing a Windows box.

In this post, I will talk about parsing and decoding cryptographic objects with certutil.
