Microsoft "certutil -verify" - Validate Expired Certificate

Q

Can Microsoft "certutil" tool validates an expired certificates and reports the expired status?

✍: FYIcenter.com

A

Yes. If you validate an expired certificate with the Microsoft "certutil -verify file_name" command, you will see an expired certificate report as shown in this tutorial: 

C:\fyicenter>\windows\system32\certutil -verify VeriSign.crt

Issuer:
    OU=Class 3 Public Primary Certification Authority
    O=VeriSign, Inc.
    C=US
Subject:
    OU=Class 3 Public Primary Certification Authority
    O=VeriSign, Inc.
    C=US
Cert Serial Number: e49efdf33ae80ecfa5113e19a4240232

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
--------CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=1
  Issuer: OU=Class 3 Public Primary Certification Authority, 
O="VeriSign, Inc.", C=US
  NotBefore: 1/28/1996 7:00 PM
  NotAfter: 1/7/2004 6:59 PM
  Subject: OU=Class 3 Public Primary Certification Authority, 
O="VeriSign, Inc.", C=US
  Serial: e49efdf33ae80ecfa5113e19a4240232
  4f 65 56 63 36 db 65 98 58 1d 58 4a 59 6c 87 93 4d 5f 2a b4
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
  Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[3] = 1.3.6.1.5.5.7.3.1 Server Authentication

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  4f 65 56 63 36 db 65 98 58 1d 58 4a 59 6c 87 93 4d 5f 2a b4
  Issuer: OU=Class 3 Public Primary Certification Authority, 
O="VeriSign, Inc.", C=US
  NotBefore: 1/28/1996 7:00 PM
  NotAfter: 1/7/2004 6:59 PM
  Subject: OU=Class 3 Public Primary Certification Authority, 
O="VeriSign, Inc.", C=US
  Serial: e49efdf33ae80ecfa5113e19a4240232
  4f 65 56 63 36 db 65 98 58 1d 58 4a 59 6c 87 93 4d 5f 2a b4
A required certificate is not within its validity period when verifying 
against the current system clock or the timestamp in the signed file. 
0x800b0101 (-2146762495)
------------------------------------
Expired certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.

As you can see from the output, the command works successfully:

  • The specified certificate file contains an expired certificate. It was a self-signed root CA certificate expired on 1/7/2004.

2013-02-28, 4863👍, 0💬

Firefox General Google Chrome IE (Internet Explorer) Intermediate CA Java VM JDK Keytool Microsoft CertUtil Mozilla CertUtil OpenSSL Other Portecle Public Private Key Publishers Revoked Certificates Root CA Tools Tutorial What Is Windows