Microsoft "certutil -verify" - Validate Expired Certificate

Q

Can Microsoft "certutil" tool validates an expired certificates and reports the expired status?

✍: FYIcenter.com

A

Yes. If you validate an expired certificate with the Microsoft "certutil -verify file_name" command, you will see an expired certificate report as shown in this tutorial:

C:\fyicenter>\windows\system32\certutil -verify VeriSign.crt

Issuer:
    OU=Class 3 Public Primary Certification Authority
    O=VeriSign, Inc.
    C=US
Subject:
    OU=Class 3 Public Primary Certification Authority
    O=VeriSign, Inc.
    C=US
Cert Serial Number: e49efdf33ae80ecfa5113e19a4240232

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
--------CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=1
  Issuer: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  NotBefore: 1/28/1996 7:00 PM
  NotAfter: 1/7/2004 6:59 PM
  Subject: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  Serial: e49efdf33ae80ecfa5113e19a4240232
  4f 65 56 63 36 db 65 98 58 1d 58 4a 59 6c 87 93 4d 5f 2a b4
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
  Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[3] = 1.3.6.1.5.5.7.3.1 Server Authentication

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  4f 65 56 63 36 db 65 98 58 1d 58 4a 59 6c 87 93 4d 5f 2a b4
  Issuer: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  NotBefore: 1/28/1996 7:00 PM
  NotAfter: 1/7/2004 6:59 PM
  Subject: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
  Serial: e49efdf33ae80ecfa5113e19a4240232
  4f 65 56 63 36 db 65 98 58 1d 58 4a 59 6c 87 93 4d 5f 2a b4
A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.
0x800b0101 (-2146762495)
------------------------------------
Expired certificate
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.

As you can see from the output, the command works successfully:

The specified certificate file contains an expired certificate. It was a self-signed root CA certificate expired on 1/7/2004.

⇒ Microsoft "certutil -encode" Command Options

⇐ Microsoft "certutil -verify first.crt" - Validate Certificate

⇑ Other Microsoft "certutil" Commands

⇑⇑ Microsoft "certutil" - Certificate Management Tool

2013-02-28, 15499👍, 0💬

Microsoft "certutil -store" - Search Certificate by Serial Number
How to search and export a certificate from a certificate store into a certificate file with Microsoft "certutil" tool using the certificate's serial number? If you know the serial number of a certificate and in which certificate store, you can use the Microsoft "certutil -store storename serial_num... 2013-02-27, 33778👍, 0💬

Microsoft "certutil -delstore" Command Options
How can I use Microsoft "certutil -delstore" command? What are command options supported by "certutil -delstore"? The document says "Delete certificate from store". Microsoft "certutil -delstore" command can be used to delete a certificate from a certificate store on the local computer. Here are opt... 2013-03-05, 30365👍, 0💬

Microsoft "certutil -addstore -f -user publisher ..." - Create a Store
How to import a certificate from a certificate file into a new certificate store with Microsoft "certutil" tool? If you want to import a certificate from a certificate file into a new certificate store, you can use the Microsoft "certutil -addstore -f storename file_name" command as shown in this tu... 2013-03-05, 28054👍, 0💬

Microsoft "certutil -addstore -user my ..." - Import Certificate
How to import a certificate from a certificate file into a certificate store with Microsoft "certutil" tool? If you want to import a certificate from a certificate file into a certificate store, you can use the Microsoft "certutil -addstore storename file_name" command as shown in this tutorial: C:\... 2013-03-01, 17992👍, 0💬

Microsoft "certutil -store CA 0 first.crt" - Export Certificate
How to export a certificate from a certificate store into a certificate file with Microsoft "certutil" tool? If you want to export a certificate from a certificate store into a certificate file, you can use the Microsoft "certutil -store storename certificate_index file_name" command as shown in thi... 2013-02-27, 15574👍, 0💬

Microsoft "certutil -verify" - Validate Expired Certificate
Can Microsoft "certutil" tool validates an expired certificates and reports the expired status? Yes. If you validate an expired certificate with the Microsoft "certutil -verify file_name" command, you will see an expired certificate report as shown in this tutorial: C:\fyicenter>\windows\s yst... 2013-02-28, 15500👍, 0💬

Microsoft "certutil -addstore" Command Options
How can I use Microsoft "certutil -addstore" command? What are command options supported by "certutil -addstore"? The document says "Add certificate to store". Microsoft "certutil -addstore" command can be used to add, or import, certificate from a specified certificate file to a certificate store o... 2013-03-01, 14847👍, 0💬

Download facebook.com Certificate for Microsoft "certutil" Test
How to download the server certificate from Facebook.com Web site? I want to have a new certificate to play with Microsoft "certutil" commands. The easiest way to download the server certificate from Web site is to visit the Web site with Firefox and use Firefox function to view and save the server ... 2017-04-05, 13050👍, 1💬

💬 2014-05-14 prosper: thank you

Microsoft "certutil -store" Command Default Options
What is the default behavior of the "certutil -store" command? The default behavior of the "certutil -store" command is to dump all certificates from the default certificate store "CA" at the local machine location: "HKEY_LOCAL_MACHINE\Software\M icrosoft\SystemCertificates\CA ".Here is an example of... 2013-02-26, 12942👍, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.