Exploring the hidden switches of Certutil and Certreq

Reading Time : 5 minutes

Over the past 20 years, certutil.exe and certreq.exe have been two of the most dependable Windows toolkits. These tools have proved essential for handling cryptographic keys and certificates, especially in server contexts where security is critical. It’s no secret that the fundamental use of these tools exposes a plethora of incredibly helpful functionalities.

Beneath their surface, though, is a world of advanced capabilities and numerous switches designed exclusively for server admins, providing unmatched freedom and control over managing requests for and certificates issued. We’ll try to deep dive into the world of these little-known treasures, and try to explore the hidden switches.


Certutil, which stands for Certificate Utility, is a versatile command-line utility that enables a range of certificate-related activities in the Windows environment. It provides features to manage certificate stores, inspect certificates, and convert certificates between different formats. Essentially, it can be compared to a Swiss army knife for certificate management.

To visit the official documentation, follow the link: Certutil documentation

Exploring Certutil

Certutil.exe can be used to backup and restore CA components, display configuration information for Certification authorities (CAs), and setup Certificate Services. Additionally, the program verifies certificate chains, key pairs, and certificates.

 When certutil is used on a certification authority without any further parameters, the configuration of the certification authority is shown. Perform certutil with no extra parameters on a non-certification authority, and the command will perform certutil -dump by default.

certutil parameter switch

Certutil offers various useful switches. You can see the choices that your version of certutil provides by running certutil -? or certutil <parameter> -?

Add -v switch for a verbose output: certutil -v -?

Well, you might be thinking about what major difference could “-v” switch could make, so here is the output of a string compared between certutil -? And certutil -v -?

certutil command left right

The left side contains the output of the command “certutil -?” and the right side contains the command “Certutil -v -?”.

Exploring hidden switches of Certutil

Hidden switches of Certutil can be seen with the help of a parameter -uSAGE. The below screenshots represents the differences between the “certutil -uSAGE” command (on the left side) and the “certutil -?” command (on the right side). The differences are clear

Hidden Switches Of Certutil
Hidden Switches Of Certutil
Hidden Switches Of Certutil
Hidden Switches Of Certutil

These hidden switches contain: –

  • -encodehex:  Encode file in hexadecimal
  • -exportPFX: Import certificate and private key
  • -getconfig2: Get the default configuration string via ICertGetConfig
  • -getconfig3: Get configuration via ICertConfig
  • -SetCATemplates: Set templates for CA
  • -ds: Display DS DNs
  • -dsCert: Display DS Certificates
  • -dsCRL: Display DS CRLs
  • -dsDeltaCRL: Display DS Delta CRLs
  • -dsTemplate: Display DS Template Attributes
  • -dsAddTemplate: Add DS Templates

Several switches are really useful for carrying out tasks and troubleshooting. You may view the appearance of the Active Directory containers by using the –ds switch. To list a specific certificate template, use the –dstemplate switch.

It is possible to completely express the template and expand enrollment and private key flags by throwing a -v before -dstemplate. The computer’s Key Storage Providers and legacy Cryptographic Service Providers are listed and tested using the -csplist and -csptest switches. These are incredibly useful for listing the Cryptographic Algorithms that each provider has disclosed and for debugging HSMs or Smart Cards.


Certreq, short for Certificate Request, is another command-line tool integral to managing certificates in Windows environments. Its primary purpose is to generate certificate requests and submit them to a certification authority (CA).

To visit the official documentation, follow the link: Certreq documentation

Exploring Certreq

The certreq command can be used to request certificates from a certification authority (CA), to retrieve a response to a previous request from a CA, to create a new request from an .inf file, to accept and install a response to a request, to construct a cross-certification or qualified subordination request from an existing CA certificate or request, and to sign a cross-certification or qualified subordination request.

Certreq command parameters

certreq command parameters

“Certreq -submit” and “certreq -retrieve” being the most used switches to submit a certificate request and retrieve the issued certificates from Certificate Authority via the command line.

Exploring hidden switches of Certreq

Similar to certutil, hidden switches of certreq can be seen with the help of the -uSAGE parameter. Same as in the case of Certutil, the below screenshots represent the differences between the “certreq -uSAGE” command (on the left side) and the “certreq -?” command (on the right side). The differences are clear

Hidden Switches Of Certreq
Hidden Switches Of Certreq
Hidden Switches Of Certreq

The hidden switches of certreq are:

  • -ImportPFX: to import certificate and private key.
  • -Autoenroll: Start Auto-Enroll U/I
  • -EnrollX: to enroll multiple certificates in one go
  • -Request: to create a custom request
  • -EOBO: start enroll on behalf of wizard

Among all the hidden switches two switches are the most interesting to look at -ImportPFX in certreq and -ExportPFX in certutil. Similarly, there is also an –importPFX in the public switches for certutil.exe which seem to be vastly different than certreq.exe but with the potential for similar outcome

certreq importpfx cmd
Figure represents output of Certreq  -ImportPFX command ran with “ -?” switch
certutil importPFX command
Figure represents output of Certutil  -importPFX command ran with “ -?” switch


Certutil and Certreq are powerful tools for managing certificates in Windows environments. Even though their fundamental functions are widely recognized, delving into their sophisticated features and hidden switches reveals a wealth of hidden capabilities.

These tools offer unmatched control over certificate management duties, from adjusting certificate requests to modifying certificate repositories. Server Admins can greatly improve security and efficiency by exploring the depths of Certutil and Certreq and implementing certificate management procedures.

How can Encryption Consulting help?

Efficient management of certificates within Active Directory ecosystems is critical for upholding robust security measures. Encryption Consulting offers specialized services crafted to streamline this process, pinpoint vulnerabilities, and mitigate risks through comprehensive PKI Services. Our expert guidance ensures smooth implementation and optimization, aligning strategies with industry-leading practices to fortify your security infrastructure.

Free Downloads

Datasheet of Public Key Infrastructure

We have years of experience in consulting, designing, implementing & migrating PKI solutions for enterprises across the country.

PKI Blogs Footer Banner

About the Author

Akashdeep Kashyap is a cybersecurity enthusiast who views the field not just as a profession, but as a pathway to unlocking the true essence of technology. His journey in cybersecurity is driven by a profound belief that understanding and securing digital systems illuminates our understanding of the broader tech landscape. Akashdeep approaches cybersecurity as a means of enlightenment, constantly seeking to unravel the complexities of digital security while embracing the ever-evolving world of technology.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo