Microsoft "certutil -verify" - Validate Expired Certificate

Q

Can the Microsoft "certutil" tool validate an expired certificate and report the expired status?

✍: FYIcenter.com

A

Yes. If you validate an expired certificate with the Microsoft "certutil -verify file_name" command, the output reports the certificate as expired, as shown in this tutorial:

C:\fyicenter>\windows\system32\certutil -verify VeriSign.crt

Issuer:
    OU=Class 3 Public Primary Certification Authority
    O=VeriSign, Inc.
    C=US
Subject:
    OU=Class 3 Public Primary Certification Authority
    O=VeriSign, Inc.
    C=US
Cert Serial Number: e49efdf33ae80ecfa5113e19a4240232

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
--------CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=1
  Issuer: OU=Class 3 Public Primary Certification Authority, 
O="VeriSign, Inc.", C=US
  NotBefore: 1/28/1996 7:00 PM
  NotAfter: 1/7/2004 6:59 PM
  Subject: OU=Class 3 Public Primary Certification Authority, 
O="VeriSign, Inc.", C=US
  Serial: e49efdf33ae80ecfa5113e19a4240232
  4f 65 56 63 36 db 65 98 58 1d 58 4a 59 6c 87 93 4d 5f 2a b4
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
  Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[3] = 1.3.6.1.5.5.7.3.1 Server Authentication

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  4f 65 56 63 36 db 65 98 58 1d 58 4a 59 6c 87 93 4d 5f 2a b4
  Issuer: OU=Class 3 Public Primary Certification Authority, 
O="VeriSign, Inc.", C=US
  NotBefore: 1/28/1996 7:00 PM
  NotAfter: 1/7/2004 6:59 PM
  Subject: OU=Class 3 Public Primary Certification Authority, 
O="VeriSign, Inc.", C=US
  Serial: e49efdf33ae80ecfa5113e19a4240232
  4f 65 56 63 36 db 65 98 58 1d 58 4a 59 6c 87 93 4d 5f 2a b4
A required certificate is not within its validity period when verifying 
against the current system clock or the timestamp in the signed file. 
0x800b0101 (-2146762495)
------------------------------------
Expired certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.

As you can see from the output, the command runs successfully and reports the problem:

  • The specified certificate file contains an expired certificate. It was a self-signed root CA certificate (CERT_TRUST_IS_SELF_SIGNED) that expired on 1/7/2004; the chain is flagged CERT_TRUST_IS_NOT_TIME_VALID and the policy check returns error 0x800b0101.

  • The trailing line "CertUtil: -verify command completed successfully." refers to the command itself, not to the certificate. When checking results in a script, key on the dwErrorStatus bits and the 0x800b0101 error text, not on that trailer.

2013-02-28, 4863👍, 0💬
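Added example (not from this page or from Microsoft): a stdlib-only Python parser that reads "certutil -verify" output like the dump above and turns the status bitmasks, the element validity window and the final HRESULT into a verdict, so an expired certificate can be detected in a script rather than by eye. The CERT_TRUST_* bit values and HRESULT names are the public wincrypt.h / winerror.h definitions; the date format is an assumption matching the US-locale layout shown in the output (certutil formats dates per locale), and the embedded sample is a constructed, trimmed copy of the output above.

```python
import re
from datetime import datetime

# Subset of the CERT_TRUST_* status bits from wincrypt.h. certutil prints them
# symbolically; the element line "dwInfoStatus=10c" above is 0x100 | 0x8 | 0x4.
ERROR_STATUS_BITS = {
    0x1: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x2: "CERT_TRUST_IS_NOT_TIME_NESTED",
    0x4: "CERT_TRUST_IS_REVOKED",
    0x8: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x10: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x80: "CERT_TRUST_IS_CYCLIC",
    0x10000: "CERT_TRUST_IS_PARTIAL_CHAIN",
}
INFO_STATUS_BITS = {
    0x1: "CERT_TRUST_HAS_EXACT_MATCH_ISSUER",
    0x2: "CERT_TRUST_HAS_KEY_MATCH_ISSUER",
    0x4: "CERT_TRUST_HAS_NAME_MATCH_ISSUER",
    0x8: "CERT_TRUST_IS_SELF_SIGNED",
    0x100: "CERT_TRUST_HAS_PREFERRED_ISSUER",
}
# Chain-policy HRESULTs from winerror.h; the run on this page ends with CERT_E_EXPIRED.
HRESULT_NAMES = {
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010C: "CERT_E_REVOKED",
}

# Constructed sample: a trimmed copy of the certutil -verify output shown on this page.
SAMPLE_OUTPUT = """\
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=1
  Issuer: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  NotBefore: 1/28/1996 7:00 PM
  NotAfter: 1/7/2004 6:59 PM
  Serial: e49efdf33ae80ecfa5113e19a4240232
  Element.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.
0x800b0101 (-2146762495)
------------------------------------
Expired certificate
CertUtil: -verify command completed successfully.
"""

# Assumption: US-locale date layout as printed in the sample above.
DATE_FMT = "%m/%d/%Y %I:%M %p"
CHAIN_ERR_RE = re.compile(r"ChainContext\.dwErrorStatus = \S+ \((0x[0-9a-fA-F]+)\)")
ELEMENT_RE = re.compile(
    r"CertContext\[(\d+)\]\[(\d+)\]: dwInfoStatus=([0-9a-fA-F]+) dwErrorStatus=([0-9a-fA-F]+)"
    r".*?NotBefore: ([^\n]+)\n.*?NotAfter: ([^\n]+)\n", re.S)
# The final policy result: a hex HRESULT followed by its signed decimal value in parentheses.
HRESULT_RE = re.compile(r"(0x[0-9a-fA-F]{8}) \((-?\d+)\)")


def decode_bits(value, table):
    """Expand a status bitmask into the symbolic names certutil would print."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append("UNKNOWN(0x%x)" % (value & ~known))
    return names


def parse_certutil_verify(text):
    """Extract chain error bits, per-element status/validity, and the final HRESULT."""
    m = CHAIN_ERR_RE.search(text)
    chain_error = int(m.group(1), 16) if m else 0
    elements = []
    for chain, idx, info, err, nb, na in ELEMENT_RE.findall(text):
        elements.append({
            "chain": int(chain), "index": int(idx),
            "info_names": decode_bits(int(info, 16), INFO_STATUS_BITS),
            "error_names": decode_bits(int(err, 16), ERROR_STATUS_BITS),
            "not_before": datetime.strptime(nb.strip(), DATE_FMT),
            "not_after": datetime.strptime(na.strip(), DATE_FMT),
        })
    hits = HRESULT_RE.findall(text)
    hresult = int(hits[-1][0], 16) if hits else None
    return {
        "chain_error": chain_error,
        "chain_error_names": decode_bits(chain_error, ERROR_STATUS_BITS),
        "elements": elements,
        "hresult": hresult,
        "hresult_name": HRESULT_NAMES.get(hresult, "UNKNOWN") if hresult is not None else None,
    }


def assess(report, now=None):
    """Cross-check each element's validity window against the clock and the status bit.
    Returns (element index, state, CERT_TRUST_IS_NOT_TIME_VALID was set) per element."""
    now = now or datetime.now()
    findings = []
    for el in report["elements"]:
        flagged = "CERT_TRUST_IS_NOT_TIME_VALID" in el["error_names"]
        if now > el["not_after"]:
            state = "expired"
        elif now < el["not_before"]:
            state = "not-yet-valid"
        else:
            state = "in-validity"
        findings.append((el["index"], state, flagged))
    return findings


if __name__ == "__main__":
    rep = parse_certutil_verify(SAMPLE_OUTPUT)
    print("chain:", rep["chain_error_names"], "result:", rep["hresult_name"])
    for idx, state, flagged in assess(rep):
        print("element %d: %s (NOT_TIME_VALID bit set: %s)" % (idx, state, flagged))
```

The verdict deliberately ignores the closing "CertUtil: -verify command completed successfully." line, which only says that the tool ran; the expired condition lives in dwErrorStatus and the CERT_E_EXPIRED result, and the script reports both so a clock-based check and the tool's own flag can be compared.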