Microsoft "certutil -verify first.crt" - Validate Certificate

Q

How to validate a certificate saved in a certificate file with Microsoft "certutil" tool?

✍: FYIcenter.com

A

If you want to validate a certificate from a certificate file, you can use the Microsoft "certutil -verify file_name" command as shown in this tutorial:

C:\fyicenter>\windows\system32\certutil -verify first.crt

Issuer:
    CN=GTE CyberTrust Global Root
    OU=GTE CyberTrust Solutions, Inc.
    O=GTE Corporation
    C=US
Subject:
    CN=Microsoft Internet Authority
Cert Serial Number: 07276202

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
--------CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 3 Weeks, 2 Hours, 6 Minutes, 4 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 3 Weeks, 2 Hours, 6 Minutes, 4 Seconds

CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=0
  Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", 
O=GTE Corporation, C=US
  NotBefore: 4/14/2010 1:12 PM
  NotAfter: 4/14/2018 1:12 PM
  Subject: CN=Microsoft Internet Authority
  Serial: 07276202
  e5 95 8d 48 fe 10 d7 34 03 11 e8 c0 3b b2 29 40 da ba 2d a3
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 0213:
    Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.",
O=GTE Corporation, C=US
    2a 98 4c ec 59 ec 2f be 9b 8d eb 9c 0e 8c 63 f6 fa 01 ee 44
  Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", 
O=GTE Corporation, C=US
  NotBefore: 8/12/1998 7:29 PM
  NotAfter: 8/13/2018 6:59 PM
  Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", 
O=GTE Corporation, C=US
  Serial: 01a5
  97 81 79 50 d8 1c 96 70 cc 34 d8 09 cf 79 44 31 36 7e f4 74
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

Exclude leaf cert:
  d3 94 64 a9 ca 95 17 61 c4 46 d8 df 96 c0 97 66 7c 06 f0 f5
Full chain:
  71 07 1b 40 df dc 36 61 8c 82 3a 0d 2e fd c4 50 79 39 64 ea
------------------------------------
Verified Issuance Policies: All
Verified Application Policies:
    1.3.6.1.5.5.7.3.4 Secure Email
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.3 Code Signing
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

As you can see from the output, the command works successfully:

  • The specified certificate file does contain a valid certificate. It was issued to "Microsoft Internet Authority" by "GTE CyberTrust Global Root" and valid until 8/13/2018.
  • The certificate validation chain involves one other valid certificate.
  • "-verify" option indicates the specified certificate to be verified.
  • "first.crt" option specifies the name of the certificate file.

2013-03-04, 3421👍, 0💬