Microsoft "certutil -verify first.crt"

Microsoft "certutil -verify first.crt" - Validate Certificate

Q

How to validate a certificate saved in a certificate file with Microsoft "certutil" tool?

✍: FYIcenter.com

A

If you want to validate a certificate from a certificate file, you can use the Microsoft "certutil -verify file_name" command as shown in this tutorial:

C:\fyicenter>\windows\system32\certutil -verify first.crt

Issuer:
    CN=GTE CyberTrust Global Root
    OU=GTE CyberTrust Solutions, Inc.
    O=GTE Corporation
    C=US
Subject:
    CN=Microsoft Internet Authority
Cert Serial Number: 07276202

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
--------CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 3 Weeks, 2 Hours, 6 Minutes, 4 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 3 Weeks, 2 Hours, 6 Minutes, 4 Seconds

CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=0
  Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.",
O=GTE Corporation, C=US
  NotBefore: 4/14/2010 1:12 PM
  NotAfter: 4/14/2018 1:12 PM
  Subject: CN=Microsoft Internet Authority
  Serial: 07276202
  e5 95 8d 48 fe 10 d7 34 03 11 e8 c0 3b b2 29 40 da ba 2d a3
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 0213:
    Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.",
O=GTE Corporation, C=US
    2a 98 4c ec 59 ec 2f be 9b 8d eb 9c 0e 8c 63 f6 fa 01 ee 44
  Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.",
O=GTE Corporation, C=US
  NotBefore: 8/12/1998 7:29 PM
  NotAfter: 8/13/2018 6:59 PM
  Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.",
O=GTE Corporation, C=US
  Serial: 01a5
  97 81 79 50 d8 1c 96 70 cc 34 d8 09 cf 79 44 31 36 7e f4 74
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

Exclude leaf cert:
  d3 94 64 a9 ca 95 17 61 c4 46 d8 df 96 c0 97 66 7c 06 f0 f5
Full chain:
  71 07 1b 40 df dc 36 61 8c 82 3a 0d 2e fd c4 50 79 39 64 ea
------------------------------------
Verified Issuance Policies: All
Verified Application Policies:
    1.3.6.1.5.5.7.3.4 Secure Email
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.3 Code Signing
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

As you can see from the output, the command works successfully:

The specified certificate file does contain a valid certificate. It was issued to "Microsoft Internet Authority" by "GTE CyberTrust Global Root" and valid until 8/13/2018.
The certificate validation chain involves one other valid certificate.
"-verify" option indicates the specified certificate to be verified.
"first.crt" option specifies the name of the certificate file.

⇒ Microsoft "certutil -verify" - Validate Expired Certificate

⇐ Microsoft "certutil -verify" Command Options

⇑ Other Microsoft "certutil" Commands

⇑⇑ Microsoft "certutil" - Certificate Management Tool

2013-03-04, 10471👍, 0💬

💬 2016-08-01 Tom: Meaningful comment.

Microsoft "certutil -verify" Command Options
How can I use Microsoft "certutil -verify" command? What are command options supported by "certutil -verify"? The document says "Verify certificate, CRL or chain". Microsoft "certutil -verify" command can be used to verify (validate) certificate saved in a certificate file. Here are options supporte... 2013-03-04, 38637👍, 0💬

Microsoft "certutil -store" - Search Certificate by Serial Number
How to search and export a certificate from a certificate store into a certificate file with Microsoft "certutil" tool using the certificate's serial number? If you know the serial number of a certificate and in which certificate store, you can use the Microsoft "certutil -store storename serial_num... 2013-02-27, 32406👍, 0💬

Microsoft "certutil -addstore -f -user publisher ..." - Create a Store
How to import a certificate from a certificate file into a new certificate store with Microsoft "certutil" tool? If you want to import a certificate from a certificate file into a new certificate store, you can use the Microsoft "certutil -addstore -f storename file_name" command as shown in this tu... 2013-03-05, 27337👍, 0💬

Microsoft "certutil -addstore -user my ..." - Import Certificate
How to import a certificate from a certificate file into a certificate store with Microsoft "certutil" tool? If you want to import a certificate from a certificate file into a certificate store, you can use the Microsoft "certutil -addstore storename file_name" command as shown in this tutorial: C:\... 2013-03-01, 17532👍, 0💬

Microsoft "certutil -store CA 0 first.crt" - Export Certificate
How to export a certificate from a certificate store into a certificate file with Microsoft "certutil" tool? If you want to export a certificate from a certificate store into a certificate file, you can use the Microsoft "certutil -store storename certificate_index file_name" command as shown in thi... 2013-02-27, 15290👍, 0💬

Microsoft "certutil -verify" - Validate Expired Certificate
Can Microsoft "certutil" tool validates an expired certificates and reports the expired status? Yes. If you validate an expired certificate with the Microsoft "certutil -verify file_name" command, you will see an expired certificate report as shown in this tutorial: C:\fyicenter>\windows\s yst... 2013-02-28, 14921👍, 0💬

Microsoft "certutil -addstore" Command Options
How can I use Microsoft "certutil -addstore" command? What are command options supported by "certutil -addstore"? The document says "Add certificate to store". Microsoft "certutil -addstore" command can be used to add, or import, certificate from a specified certificate file to a certificate store o... 2013-03-01, 14574👍, 0💬

Download facebook.com Certificate for Microsoft "certutil" Test
How to download the server certificate from Facebook.com Web site? I want to have a new certificate to play with Microsoft "certutil" commands. The easiest way to download the server certificate from Web site is to visit the Web site with Firefox and use Firefox function to view and save the server ... 2017-04-05, 12900👍, 1💬

💬 2014-05-14 prosper: thank you

Microsoft "certutil -store" Command Default Options
What is the default behavior of the "certutil -store" command? The default behavior of the "certutil -store" command is to dump all certificates from the default certificate store "CA" at the local machine location: "HKEY_LOCAL_MACHINE\Software\M icrosoft\SystemCertificates\CA ".Here is an example of... 2013-02-26, 12500👍, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.