Commands related to certificate and PKI operations
This package provides procedures for managing and operating on digital certificates.
This page describes the commands related to the Win32 CryptoAPI which deal with X.509 certificates and ancillary services.
For documentation on other cryptographic operations, see the CryptoAPI and SSPI pages.
This documentation expects the reader is familiar with digital certificates. Otherwise the reader may wish to refer to the Windows SDK CryptoAPI documentation for detailed guides and reference documentation.
The CryptoAPI interface provides functions for handling and storage of X.509 digital certificates. A certificate store is a container for certificates. The container may be a physical store, for example on disk, or a logical store which is a collection of physical stores presented to the application as a single store. Certificate stores may also be created as in-memory temporary stores which are not persisted.
Certain certificate stores, called system stores are predefined by Windows. These include the stores MY, ROOT, Trust and CA. Most applications should store certificates in either the MY store, or in their own custom store.
Note that the system stores are relative to a system store location which must be specified when opening the store. To enumerate the locations of the system stores, use cert_system_store_locations. Optionally, the following predefined values may be used to specify a system store location:
user | Certificates associated with the current user account. |
users | Certificates shared among all user accounts on the system. |
service | Certificates associated with the current service account. |
services | Certificates shared among all services on the system. |
localmachine | Certificates associated with the system. |
localmachineenterprise | Certificates downloaded from the global enterprise directory. |
localmachinegrouppolicy | Certificates associated with the group policy for the system. |
usergrouppolicy | Certificates associated with the group policy for the current user. |
To enumerate system stores at a location, use the cert_system_stores.
Most certificate store operations require the store to be first opened or created. Persistent stores are opened or created using the one of the commands cert_system_store_open, cert_physical_store_open or cert_file_store_open as appropriate. Non-persistent stores are created using cert_temporary_store which includes various options for populating the store, for example with the contents of PFX/PKCS #12 or PKCS #7 packets.
The handle returned from these commands must be passed to any commands that operate on stores and released by calling cert_store_release when no longer required.
The returned handle from these commands refers to a cached copy of the store. Any changes made via this handle are made to the cached copy and must be explicitly saved if they need to persist. This can be done either via the -commitenable option when the store is opened, or by calling cert_store_commit.
Commands cert_store_export_pfx, cert_store_export_pkcs12, cert_store_export_pkcs7, cert_store_export_pem, and cert_store_serialize can be used to export certificate stores in various formats.
Existing certificate stores can be deleted using the commands cert_system_store_delete, cert_physical_store_delete and cert_file_store_delete. A in-memory certificate store is deleted when its handle is closed.
When a certificate is placed in a store, it is associated with additional properties that are not part of the certificate itself, for example a private key associated with the certificate. These properties can be enumerated with cert_enum_properties and manipulated with the cert_property, cert_property_set and cert_property_delete commands.
Operating on a certificate requires a certificate context which encapsulates all information about the certificate. Most often, the certificate of interest is an existing certificate that is located in a certificate store. The commands for finding certificates in a store return a handle to a suitable certificate context. Similarly, commands that create new certificates or add certificates to a store return handles to certificate contexts as well.
When no longer needed, certificate contexts must be freed by calling cert_release.
The cert_info command returns the fields in a certificate context. The cert_extension command retrieves specific extensions. Two extensions, Intended Key Usage and Enhanced Key Usage, can be also be retrieved with the cert_key_usage and cert_enhkey_usage command. These look up certificate context properties in addition to multiple related extensions in the certificate itself.
The encoded certificate associated with a certificate context can be retrieved with the cert_export command. This can be written to a file or otherwise distributed.
set fd [open MyCert.cer w] chan configure $fd -translation binary puts -nonewline $fd [cert_export $hcert] close $fd
The cert_locate_private_key command locates the private key corresponding to the public key in a certificate.
An existing certificate in a store can be retrieved in one of two ways:
Both these commands return a handle to a certificate context that can be used for further operations on the certificate.
New certificates can be created by commands such as cert_create_self_signed, cert_create_signed_from_crypt_context and cert_create. These return handles to certificate contexts that are not associated with any store. The certificates must be explicitly placed in a certificate store if desired.
Creating a new certificate involves several steps. As always, first a cryptographic context is needed that defines the algorithms, keys etc. that will be used to create the certificate.
set crypt [crypt_acquire -keycontainer twapi_test_container -csp {Microsoft Strong Cryptographic Provider} -csptype prov_rsa_full -create 1]
This assumes a key container called twapi_test_container does not exist. All the options specified above happen to be the defaults if unspecified.
The key container is created without any keys so we need to generate public/private key pairs. As we will use the certificate for both signing only, we specify signature for the second parameter.
crypt_key_free [crypt_key_generate $crypt signature -exportable 1]
Note we immediately release the key handles as they are not needed. This does not destroy the underlying keys. We have marked the keys as exportable because we want to later save them to a file for pedagogic purposes. In a real application, signature keys should not and need be exportable.
Next, we create a self signed certificate from the cryptographic context we created. This will use the keys we just added.
set cert [cert_create_self_signed_from_crypt_context "CN=TwapiTestCA" $crypt]
We now have a certificate context for a new self signed certificate. In most cases, we will want to either store it in a certificate store for future use or export it to a file. This is illustrated in succeeding sections of this document.
The cryptographic context is not needed any more and can be released.
crypt_free $crypt
Certificates that are not self-signed are created through cert_create. The private key for the signing certificate must be accessible to the application. The data for the new certificate, such as the subject name, the certificate public key, extensions etc. may be provided by the application itself but more often come from a certificate signing request which is generated elsewhere, possibly even on a different system. The command cert_request_parse can be used to parse such a request and the extracted fields passed to cert_create. The request itself can be created by cert_request_create.
On the requester's side, assuming the key container for the requestor has been already created as in the example above,
set crypt [crypt_acquire -keycontainer twapi_requestor_container -csp {Microsoft Strong Cryptographic Provider} -csptype prov_rsa_full] set req [cert_request_create "CN=My Subject Name" $crypt keyexchange -keyusage {key_agreement key_encipherment} -enhkeyusage client_auth] crypt_free $crypt
The above will create a binary which can be sent to the remote signing authority where the certificate request contents can be retrieved:
set parsed_req [cert_request_parse $req]
After verifying the validity of the request (how this is done is entirely up to the application), a certificate for the requestor can be created:
# Assume cissuer is certificate context of signing certificate set subject [dict get $parsed_req subject] set pubkey [dict get $parsed_req pubkey] set opts {} foreach optname {-basicconstraints -keyusage -enhkeyusage} { if {[dict exists $parsed_req extensions $optname]} { lappend opts $optname [dict get $parsed_req extensions $optname] } } set reqcert [cert_create $subject $pubkey $cissuer {*}$opts]
The encoded new certificate returned can be sent back to the requesting client.
Certificates can be added and deleted from certificate stores with the commands cert_store_add_certificate and cert_store_delete_certificate respectively. These commands take a certificate context. A certificate that is in encoded form can be added to a store with cert_store_add_encoded_certificate.
Note that adding a certificate to a store creates a copy of the certificate. The original certificate (context) is unmodified.
The sample code below adds the certificate we created in the previous section to a temporary in-memory store. First we create the memory store.
set store [cert_temporary_open]
Then we add the certificate to it.
set mcert [cert_store_add_certificate $store $cert]
This creates a copy of the certificate we created earlier. Since we no longer need the original, we need to free it.
cert_release $cert
There is now one crucial additional step. The association between a certificate and its private key is maintained by the store and is not part of the certificate. We therefore have to explicitly make the association between the CSP key container and the new certificate context for the temporary store.
cert_set_key_prov $mcert twapi_test_container signature -csp {Microsoft Strong Cryptographic Provider} -csptype prov_rsa_full
Notice we have specified exactly the key container we had created earlier.
The certificate is now stored in the temporary store and will be available as long as the volatile temporary store is not closed. As a final step we will export the certificate and the private keys to a file. This step is only necessary if we want to move the certificate elsewhere. (Note if we only wanted to export the certificate without private keys, we would follow the procedure in Getting certificate contents.
set fd [open MyCert.pfx w] chan configure $fd -translation binary puts -nonewline $fd [cert_store_export_pfx $store [password] -exportprivate] close $fd
Note that because we are exporting private keys, a password is required to protect the exported file.
Finally, assuming we have no need to hold on to the certificate, we can free up the resources.
cert_release $mcert cert_store_release $store
There are several aspects to validating a certificate. At the very least, the following must be checked:
The command cert_verify verifies certificates as above. In addition, the commands cert_chain_build, cert_ancestors, cert_chain_simple_chain, cert_chain_trust_errors, cert_chain_trust_info provide more granular access to the certificate chain used to verify the certificate.
The X.509 certificate extensions allow for a list of alternative names to be specified for both the certificate subject and issuer. When passed to commands, this list is formatted as a list of alternating name format and name value elements. The allowed name formats and corresponding values are specified in the following table:
other | The value is a pair of elements, the first being an OID and the second a binary. |
The value is a RFC 822 email address string. | |
dns | The value is a DNS name string. |
directory | The value is directory name in binary format. |
url | The value is a URL string. |
ip | The value is a binary octet string containing an IP address. |
registered | The value is a registered OID in string format. |
-format FORMAT | Specifies how the output is to be formatted. FORMAT must be one of x500 (default), oid or simple. |
-noplus BOOLEAN | If true, the plus sign in names is replaced with a single space. Default is false. |
-noquote BOOLEAN | If true, quoting of special characters in RDN names is disabled. Default is false. |
-reverse BOOLEAN | If true, order of RDN components is reversed. Default is false. |
-separator SEPARATOR | Specifies the separator to use between RDN components. SEPARATOR must be one of comma (default), semicolon or newline. |
-cacheendcert BOOLEAN | If BOOLEAN is true, the end (leaf) certificate is cached. Default is false. |
-disableauthrootautoupdate BOOLEAN | If BOOLEAN is true, auto-update of third party roots from the Windows update server is disabled. Default is false. |
-engine ENGINE | Specifies the chain engine to be used for verification. ENGINE must be user (default) or machine. The engine indicates the namespace and cache to be used for building the verification chain. |
-hstore HSTORE | Allows specification of another certificate store to be searched for supporting certificates. HSTORE is a handle to a certificate store as returned by commands like cert_system_store_open. |
-revocationcheck REVOCATIONSPEC | Specifies which certificates in the chain are checked for revocation. REVOCATIONSPEC must be one of all (default) indicating all certificates are to be checked, leaf indicating only the leaf certificate is to be checked, none which disables revocation checks, and excluderoot which indicates all certificates other than the root are to be checked. |
-revocationcheckcacheonly BOOLEAN | If BOOLEAN is true, only cached revocation lists are checked when verifying revocation. Default is false. |
-urlretrievalcacheonly BOOLEAN | If BOOLEAN is true, only cached URLs are used in building the certificate chain without searching the network. Default is false. |
-usageall USAGELIST | Specifies that the certificate enhanced key usage field must include all the values for USAGELIST. USAGELIST is a list containing OID's or the following values: server_auth, client_auth, code_signing, email_protection, ipsec_end_system, ipsec_tunnel, ipsec_user, timestamp_signing or ipsec_ike_intermediate. |
-usageany USAGELIST | Specifies that the certificate enhanced key usage field must include any of the values for USAGELIST. USAGELIST is as described for the -usageall option above. |
chain | A list whose elements correspond to each certificate in the simple chain. This is detailed below. |
status | Contains ok if no verification errors are present in this simple chain, else fail. |
trust_errors | A list containing the verification errors for the simple chain. The elements of the list are from the same set of values described in cert_chain_trust_errors which covers the entire certificate chain. |
trust_info | A list containing informational codes for the simple chain. The elements of the list are from the same set of values described in cert_chain_trust_info which covers the entire certificate chain. |
application_usage | A list of enhanced key usage identifiers. This dictionary element may not be present if the corresponding certificate fields were not present. |
issuance_usage | A list of issuance policy identifiers. This dictionary element may not be present if the corresponding certificate fields were not present. |
hcert | Handle to the certificate context. *This must be freed by calling cert_release.* |
status | Contains ok if no verification errors are present in this certificate, else fail. |
trust_errors | A list containing the verification errors for the certificate. The elements of the list are from the same set of values described in cert_chain_trust_errors which covers the entire certificate chain. |
trust_info | A list containing informational codes for this certificate. The elements of the list are from the same set of values described in cert_chain_trust_info which covers the entire certificate chain. |
-altnames ALTNAMES | Specifies X.509 Alternative Name values to include in the certificate. ALTNAMES is a pair of one or two elements. The first is a list of pairs containing the name type and name value as described in X.509 alternative names. The second element, which is optional and defaults to false, is a boolean indicating whether the corresponding certificate extension should be marked critical or not. | ||||||
-basicconstraints BASICCONSTRAINTS | Specifies a basic constraints extension to be included in the certificate. BASICCONSTRAINTS is a pair of one or two elements. The first is a triplet consisting of a boolean which should be true if the certificate is to be used for a certificate authority, a boolean that indicates whether the path length value is to be enforced, and a non-negative integer which is the path length value itself. These last are only relevant if the first is true. The second element of BASICCONSTRAINTS, which is optional and defaults to true, is a boolean indicating whether the corresponding certificate extension should be marked critical or not. This element cannot be specified if the -purpose option is specified and contains the value ca. | ||||||
-capathlen CAPATHLENGTH | Specifies the limit on the certificate chain path length during verification. Ignored unless the -purpose option includes ca. | ||||||
-end ENDTIME | Specifies the end of the certificate validity period. ENDTIME must be of the form Year-Month-Day Hour:Minutes:Seconds. Defaults to one year beyond the start time. | ||||||
-enhkeyusage ENHKEYUSAGE | Specifies values to use for the X.509 enhanced key usage extension. ENHKEYUSAGE is a pair of one or two elements, the first of which is a list containing one or more values from client_auth, code_signing, email_protection, ipsec_endsystem, ipsec_tunnel, ipsec_user, server_auth, ocsp_signing, timestamp_signing or a valid OID. The second element, which is optional and defaults to false, is a boolean indicating whether the corresponding certificate extension should be marked critical or not. | ||||||
-encoding ENCODING | Specifies the encoding in which the encoded certificate is returned. ENCODING may be der or pem (default) for DER- and PEM-encoding respectively. | ||||||
-keyusage KEYUSAGE | Specifies values to use for the X.509 key usage extension. KEYUSAGE is a pair of one or two elements, the first of which is a list containing one or more values from crl_sign, data_encipherment, decipher_only digital_signature, encipher_only, key_agreement, key_cert_sign, key_encipherment and non_repudiation. The second element, which is optional and defaults to false, is a boolean indicating whether the corresponding certificate extension should be marked critical or not. | ||||||
-purpose PURPOSELIST | Specifies the purposes for which the certificate is
to be used. This is a more convenient method of specifying common
extensions. Use of this adds appropriate extensions but does not
preclude caller from specifying other extension-based options.
PURPOSELIST must be a list containing zero or
more items from the following:
|
||||||
-signaturealgorithm SIGLAGORITHM | Specifies the signature algorithm to use for signing the certificate. | ||||||
-start STARTTIME | Specifies the start of the certificate validity period. STARTTIME must be of the form Year-Month-Day Hour:Minutes:Seconds. Defaults to the current time. |
-altnames ALTNAMES | See cert_create |
-capathlen CAPATHLENGTH | See cert_create |
-csp CSP | Specifies the name of the CSP to be used. If unspecified, the default Microsoft CSP for the system is used. |
-csptype CSPTYPE | Indicates the type of CSP. Defaults to prov_rsa_full. See Cryptographic Service Providers for all possible types. |
-end ENDTIME | See cert_create |
-enhkeyusage ENHKEYUSAGE | See cert_create |
-keysettype KEYSETTYPE | KEYSETTYPE type must be user (default) or machine depending on whether the key container is user-specific or not. |
-keyusage KEYUSAGE | See cert_create |
-purpose PURPOSELIST | See cert_create |
-silent BOOLEAN | Normally, the CSP may prompt the user for any information that may be required to retrieve the keys. If this option is specified as true, the user is never prompted. Instead the command will raise an error if a user prompt would have been required. |
-signaturealgorithm SIGLAGORITHM | Specifies the signature algorithm to use for signing the certificate. SIGLAGORITHM is the OID (see ASN.1 Object Identifiers) corresponding to a signature algorithm. Defaults to the SHA1RSA algorithm if unspecified. |
-start STARTTIME | See cert_create |
-altnames ALTNAMES | See cert_create |
-capathlen CAPATHLENGTH | See cert_create |
-end ENDTIME | See cert_create |
-enhkeyusage ENHKEYUSAGE | See cert_create |
-keyusage KEYUSAGE | See cert_create |
-purpose PURPOSES | See cert_create |
-silent BOOLEAN | See cert_create_self_signed. |
-signaturealgorithm SIGLAGORITHM | See cert_create_self_signed. |
-start STARTTIME | See cert_create |
-backupprivilege BOOLEAN | If true, specifies that the thread's SE_BACKUP_NAME and SE_RESTORE_NAME privileges must be used to open the store. Default is false. |
-commitenable BOOLEAN | If true, any changes made to the store are persisted to PATH when the store is closed. Default is false. |
-create BOOLEAN | If true, a new store is opened only if it did not exist. An error is raised if the store already existed. Default is false so no error is raised in the latter case. |
-deferclose BOOLEAN | Normally changes to any certificate contexts made after the associated store is closed are not persisted. Setting this option to true will defer the closing of the store until all associated certificate contexts have been released. Default is false. |
-existing BOOLEAN | If true, when PATH does not already exist, it is not created. An exception is raised instead. Default is false. |
-includearchived BOOLEAN | By default, enumeration of certificates in a store will not include any that are marked as archived. Setting this option to true will cause those certificates to be included. Default is false. |
-maxpermissions BOOLEAN | If true, the store is opened with the maximum set of access permissions possible. Default is false. |
-readonly BOOLEAN | If true, the underlying file is opened in read-only mode. However, changes can still be made to the in-memory cache. Default is false. |
-end | The end of the certificate's validity period in the format Year-Month-Day Hour:Minutes:Seconds |
-extensions | A list of extensions in the certificate. Each element is a triplet containing the OID of the extension, a boolean indicating whether the extension is marked critical or not, and the extension value. |
-issuer | The name of the certificate issuer. |
-issuerid | A binary containing unique id for the certificate issuer. This is generally not used and should not be relied on. |
-publickey | The public key of the subject. This is a pair consisting of the algorithm identifier (in the same format as -signaturealgorithm) and a binary containing the public key. |
-serialnumber | A binary containing the serial number of the certificate. |
-signaturealgorithm | A pair consisting of the OID for the algorithm used to sign the certificate and a binary containing any associated parameters. |
-start | The start of the certificate's validity period in the format Year-Month-Day Hour:Minutes:Seconds. |
-subject | The name of the certificate subject. |
-subjectid | A binary containing unique id for the certificate subject. This is generally not used and should not be relied on. |
-version | The X.509 version of the certificate. Note this is 0-based on V3 certificates will have a value of 2. |
-keysettype any|user|machine | Specifies which key sets are to be searched for the private key. If user or machine, the search is restricted to the containers for the current user or the machine respectively. If any (default), both user and machine containers are searched. |
-silent BOOLEAN | Normally, the CSP may prompt the user for any information that may be required to access key containers. If this option is specified as true, the user is never prompted. Instead the command will return 0 indicating no key could be found. |
-format FORMAT | Specifies how NAME is formatted. FORMAT must be one of x500 (default), oid or simple. |
-noplus BOOLEAN | If true, the plus sign in NAME is not treated as a value separator. Default is false. |
-noquote BOOLEAN | If true, quoting is not supported in NAME. Default is false. |
-reverse BOOLEAN | If true, order of RDN components in NAME is reversed before encoding. Default is false. |
-separator SEPARATOR | If unspecified, commans and semicolons are parsed as separators. If specified, only SEPARATOR is treated as a separator. SEPARATOR must be one of comma (default), semicolon or newline. In the case of newline, carriage return and linefeed characters are treated as separators. |
access_state | A non-0 integer if write operations to the certificate context are persisted and 0 if they are not. |
archived | If this property exists, the certificate is an archived certificate. |
auto_enroll | The certificate type for which this certificate has been auto-enrolled. |
date_stamp | The date and time that the certificate was added to the store. |
description | The description associated with the certificate for display purposes. |
enhkey_usage | A list of enhanced key usage OID's. |
extended_error_info | Any extended error information for the certificate context. |
friendly_name | The display name for the certificate. |
issuer_public_key_md5_hash | The MD5 hash of the issuer's public key used to sign the certificate. |
issuer_serial_number_md5_hash | The MD5 hash of the issuer name and serial number. |
key_context | A list of two elements containing a handle to the cryptographic context for the certificate and the key type. |
key_identifier | A binary containing the Subject Key Identifier value if it exists else the SHA1 hash on the certificate Subject Public Key. |
key_prov_handle | A handle to the associated cryptographic context. |
key_prov_info | A list containing the following elements: the name of the key container, the name of the CSP, the CSP type, attributes, key container parameters and the key type. |
key_spec | Specifies the private key. |
md5_hash | Binary containing the MD5 hash of the certificate. |
pvk_file | File path of the private key file corresponding to the certificate's public key. |
sha1_hash | Binary containing the SHA1 hash of the certificate. This can also be retrieved as a hexadecimal string with cert_thumbprint. |
signature_hash | Signature hash. |
subject_name_md5_hash | Binary containing the MD5 hash of the encoded subject name. |
subject_public_key_md5_hash | Binary containing the MD5 hash of the certificate public key. |
-altnames ALTNAMES | See cert_create |
-capathlen CAPATHLENGTH | See cert_create |
-encoding ENCODING | Specifies the encoding of the returned CSR. ENCODING may be der or pem (default) for DER- and PEM-encoding respectively. |
-enhkeyusage ENHKEYUSAGE | See cert_create |
-keyusage KEYUSAGE | See cert_create |
-purpose PURPOSES | See cert_create |
attributes | The attribute field in the CSR. This is a list each element of which is a pair consisting of an OID and a list of corresponding values. |
extensions | A subset of the attributes key, formatted for easier processing. See the discussion below. This key may be absent if the attributes do not contain any extensions. |
pubkey | The public key of the requestor. This should be passed to cert_create as the public key argument. |
subject | The subject name of the requestor. This should be passed to cert_create as the subject argument. |
version | The CSR format version number. |
-csp CSP | Specifies the name of the CSP for the container. If unspecified, the default Microsoft CSP for the system is used. |
-csptype CSPTYPE | Indicates the type of CSP. Defaults to prov_rsa_full. See Cryptographic Service Providers for all possible types. |
-keysettype KEYSETTYPE | KEYSETTYPE must be user (default) or machine. |
-silent BOOLEAN | Normally, the CSP may prompt the user for any information that may be required to create the context. If this option is specified as true, the user is never prompted. Instead the command will raise an error if a user prompt was required. |
duplicate | Creates the new certificate while keeping the existing one. This will create duplicates in the store. |
overwrite | Overwrites the existing certificate with the new one. |
preserve | (default) If a matching certificate exists, it is preserved and a error raised. Otherwise, the new certificate is added. |
update | The new certificate is added if there is no matching certificate or the matching certificate's validity period start time is less than that of the new certificate. Otherwise an error is raised. |
-disposition DISPOSITION | Controls what happens if a matching certificate
already exists in the store. DISPOSITION may
take one of the following values:
|
||||||||
-encoding ENCODING | Specifies the encoding of ENCODEDCERT. ENCODING should be der or pem depending on whether ENCODEDCERT uses DER- or PEM-encoding. If unspecified or the empty string, the command will attempt to make the determination itself. |
-exportprivatekeys BOOLEAN | If true, any private keys associated with the exported certificates are included in the returned binary. Default is false. |
-failonmissingkey BOOLEAN | If true, the command raises an error if any certificate claims to have an associated private key but does actually have one. Default is false. |
-failonunexportablekey BOOLEAN | If true, the command raises an error if any certificate claims to have an associated private key but does actually have one that is exportable. Default is false. |
any | Returns every certificate in the store. SEARCHTERM is ignored. |
certificate | Returns certificates that exactly match the certificate context whose handle is specified as SEARCHTERM. |
issuer_name | Returns certificates whose issuer exactly matches SEARCHTERM. SEARCHTERM is a X.509 name in encoded form as returned by cert_name_to_blob. |
issuer_substring | Returns certificates whose issuer contains the string SEARCHTERM. Note SEARCHTERM is a string, not in X.509 encoded form. |
key_identifier | Returns certificates with a matching value for the subject key identifier (OID 2.5.29.14) extension. |
md5_hash | Returns certificates that have a MD5 hash which matches the binary SEARCHTERM. |
property | Returns certificates that have a property with id SEARCHTERM (see cert_property). |
pubkey_md5_hash | Returns certificates whose MD5-hashed public key matches the binary SEARCHTERM. The hash should be calculated over the public key in the format returned by crypt_key_export. |
public_key | Returns certificates containing the specified public key SEARCHTERM. This is a pair consisting of the algorithm identifier (in the same format as -signaturealgorithm) and a binary containing the public key. This binary should be in the format returned by crypt_key_export. |
sha1_hash | Returns certificates that have a SHA1 hash which matches the binary SEARCHTERM. |
signature_hash | Returns certificates that have a signature hash which matches the binary SEARCHTERM. |
subject_name | Returns certificates whose subject exactly matches SEARCHTERM. SEARCHTERM is a X.509 name in encoded form as returned by cert_name_to_blob. |
subject_substring | Returns certificates whose subject contains the string SEARCHTERM. Note SEARCHTERM is a string, not in X.509 encoded form. |
dns | Returns the DNSName choice in the Alternative Name extension if there is one, or the the CN OID 2.5.4.3 from the Subject Name field. If neither is found returns an empty string. |
Returns the first rfc822Name choice in the Alternative Name extension. If not found, returns the name field for the Email OID. Otherwise returns an empty string. | |
friendlydisplay | Returns the CERT_FRIENDLY_NAME_PROP_ID property if there is one. Otherwise behaves as simpledisplay. |
simpledisplay | Returns the first attribute suitable for display purposes from Name or Alternative Name extension. |
oid_common_name | Returns the Common Name (Default). |
rdn | Returns the Subject Name RDN if there is one. If not found, returns the first Directory Name choice from the Alternative Name extension if there is one. Otherwise returns an empty string. The format for this option can be further controlled as described later. |
upn | Returns the UPN from the OID 1.3.6.1.4.1.311.20.2.3 in the OtherName choices from the Alternative Name extension and an empty string if not found. |
url | Returns the URL choice in the Alternative Name extension if there is one. If not found, returns an empty string. |
-format FORMAT | Specifies how the output is to be formatted. FORMAT must be one of x500 (default), oid or simple. |
-noplus BOOLEAN | If true, the plus sign in names is replaced with a single space. Default is false. |
-noquote BOOLEAN | If true, quoting of special characters in RDN names is disabled. Default is false. |
-reverse BOOLEAN | If true, order of RDN components is reversed. Default is false. |
-separator SEPARATOR | Specifies the separator to use between RDN components. SEPARATOR must be one of comma (default), semicolon or newline. |
-backupprivilege BOOLEAN | If true, specifies that the thread's SE_BACKUP_NAME and SE_RESTORE_NAME privileges must be used to open the store. Default is false. |
-create BOOLEAN | If true, a new store is opened only if it did not exist. An error is raised if the store already existed. Default is false so no error is raised in the latter case. |
-deferclose BOOLEAN | Normally changes to any certificate contexts made after the associated store is closed are not persisted. Setting this option to true will defer the closing of the store until all associated certificate contexts have been released. Default is false. |
-existing BOOLEAN | If true, when PATH does not already exist, it is not created. An exception is raised instead. Default is false. |
-includearchived BOOLEAN | By default, enumeration of certificates in a store will not include any that are marked as archived. Setting this option to true will cause those certificates to be included. Default is false. |
-maxpermissions BOOLEAN | If true, the store is opened with the maximum set of access permissions possible. Default is false. |
-readonly BOOLEAN | If true, the store is opened in read-only mode. Depending on the provider, the effect may be to either disallow all changes to the store, or to allow changes to the in-memory cache but not persisting them. Default is false. |
-pfx PFXBLOB | Initializes the temporary store with certificates
imported from a PFX (also known as PKCS #12) formatted packet. In
addition to the certificates, any private keys present are also
imported into the system. Unlike the store itself, these keys are
persisted. The following additional options may be used with
-pfx and -pkcs12:
|
||||||||
-pkcs12 PKCS12BLOB | This an alias for the -pfx option. | ||||||||
-pkcs7 PKCS7BLOB | PKCS7BLOB is a PKCS #7 packet containing certificates. The additional option "-encoding ENCODING" may be used with -pkcs7 where ENCODING may be der, or pem to indicate the packet is DER- or PEM-encoded. If unspecified, the command will attempt to guess the encoding. | ||||||||
-serialized SERIALIZEDBLOB | SERIALIZEDBLOB is a serialized certificate store, such as returned from cert_store_serialize. |
authenticode | Verifies the certificate for Authenticode use. |
authenticodets | Verifies the certificate for Authenticode Time Stamp policy. |
base | Implementes the base chain policy verification checks. |
basicconstraints | Checks the basic constraints policy. This relates to whether certificates are constrained to be end entity certificates or certificate authority certificates. |
extendedvalidation | Does extended validation of certificates. Requires Windows 7 or later. |
microsoftroot | Checks if the root element is a Microsoft root public key. |
ntauth | Verifies the Windows NT authentication policy. |
tls | Verifies the certificate for use in SSL/TLS connections. |
-cacheendcert BOOLEAN | See cert_chain_build. |
-disableauthrootautoupdate BOOLEAN | See cert_chain_build. |
-engine ENGINE | See cert_chain_build. |
-hstore HSTORE | See cert_chain_build. |
-ignoreerrors ERRORLIST | Specifies that certain errors in verification are to be ignored. See description later. |
-revocationcheck REVOCATIONSPEC | See cert_chain_build. |
-revocationcheckcacheonly BOOLEAN | See cert_chain_build. |
-trustedroots HCERTLIST | Windows requires the root of the certificate verification chain belong to one the Windows' trusted stores. Under some circumstances, such as use of a private certificate authority whose root certificate is not in the Windows trusted store list, the command will return a status of untrustedroot. Instead of ignoring this error through the -ignoreerrors unknownca option, the caller can provide a list of certificate contexts HCERTLIST that are acceptable as trusted root certificates in addition to those in the Windows trusted store. |
-urlretrievalcacheonly BOOLEAN | See cert_chain_build. |
-usageall USAGELIST | See cert_chain_build. |
-usageany USAGELIST | See cert_chain_build. |
basicconstraints | Ignore errors in basic constraints. |
criticalextensions | Ignore errors pertaining to extensions marked as critical that are not understood by CryptoAPI. |
name | Ignore errors in name validation. |
policy | Ignore invalid policy errors. |
revocation | Ignore errors related to certificate revocation. |
time | Ignore errors in validity period checks. |
unknownca | Allow the root certificate to not be in the trusted roots list. |
usage | Ignore errors related to the -usageall and -usageany options. |
signature | Signature verification failed. |
revoked | Certificate has been revoked. |
untrustedroot | The root certificate is not a trusted root. |
partialchain | The certificate chain does not end in a self-signed certificate. |
wrongusage | Certificate usage extension did not match specified usage. |
time | Certificate has expired or the validity time is in the future. |
name | Name does not match. |
policy | Certificate did not match policy conditions. |
basicconstraints | Basic constraints check failed. |
criticalextension | Certificate includes an unsupported extension marked as critical. |
validityperiodnesting | Time periods for certificates in the chain are not nested. |
norevocationcheck | Revocation status of one of the certificates in the chain is unknown. |
revocationoffline | Revocation checks could not be done because the revocation server was offline. |
cnmatch | Common name does not match -server option. |
purpose | The specified purpose is different from the one specified by the issuing CA. |
carole | The certificate that can be marked for use as a CA is being used as a leaf or vice-versa. |
Copyright © 2007-2021 Ashok P. Nadkarni