
Certutil Command: Syntax, Examples, and Hash Generation

Master the Windows certutil command. Learn how to verify certificates, manage CAs, generate file hashes, and troubleshoot common issues in this complete 2026 guide.

Admin · Updated Mar 27, 2026

The certutil command is a built-in Windows command-line utility used to dump and display Certification Authority (CA) configuration information, configure Certificate Services, and manage certificates. You can also use it to generate cryptographic file hashes, decode Base64 files, and verify certificate chains.

Whether you're troubleshooting trust anchor issues on an Active Directory domain, verifying the integrity of downloaded software via SHA256 hashes, or converting certificate formats, mastering the certutil command gives you granular control over Windows security infrastructure. IT administrators, penetration testers, and power users rely heavily on this command rather than navigating through the cumbersome Windows Certificate Manager GUI (certlm.msc).

This comprehensive guide covers certutil syntax, parameter usage, hash generation techniques, practical examples for administration, troubleshooting common errors, and a frequently asked questions section. By the end, you'll confidently manage file hashes and certificates directly from the Command Prompt.

What Is the Certutil Command?

Certutil (Certificate Utility) is a powerful, multi-purpose command-line tool included in modern Windows operating systems. Initially designed to configure and manage Active Directory Certificate Services (AD CS), it has evolved into a versatile security tool capable of computing file hashes (MD5, SHA1, SHA256), encoding/decoding Base64 data, and downloading files via HTTP. Because it interacts deeply with the Windows CryptoAPI, it is widely utilized for diagnosing certificate trust issues and managing the machine and user-level certificate stores.

Syntax

The basic syntax for the certutil command depends heavily on the specific "verb" or option invoked. Because it has dozens of subcommands, we will focus on the most commonly used syntax patterns.

certutil [Options] [-<Verb> [Args]]
certutil -hashfile InFile [HashAlgorithm]
certutil -encode InFile OutFile
certutil -decode InFile OutFile
certutil -addstore CertificateStoreName InFile

Parameter   Description
-hashfile   Generates and displays the cryptographic hash of a specified file.
-encode     Encodes a binary file into Base64 format.
-decode     Decodes a Base64-encoded file back into binary format.
-addstore   Adds a certificate to a specified certificate store (e.g., Root, TrustedPublisher).
-delstore   Deletes a certificate from a store using its thumbprint or serial number.
-verify     Verifies the validity and revocation status of a certificate.
-ping       Pings Active Directory Certificate Services to verify network connectivity.
-v          Enables verbose mode for detailed output.

Parameters / Options

Generating Hashes (-hashfile)

The -hashfile option is one of the most frequently used subcommands for everyday users. It calculates the checksum of a specific file to ensure it hasn't been tampered with. It supports algorithms like MD5, SHA1, SHA256, and SHA512.

Encoding and Decoding (-encode / -decode)

The -encode and -decode parameters allow administrators to easily convert between binary formats (like DER) and text formats (like PEM). This is often necessary when transferring certificates between Windows and Linux environments.

Certificate Store Management (-addstore / -delstore)

Using -addstore, you can install a root CA certificate or a client certificate programmatically. The -delstore parameter allows you to purge compromised or expired certificates, ensuring secure communications.

Examples

1. Generating a SHA256 File Hash

The most common use case for non-administrators is verifying downloaded files. By default, if no algorithm is specified, certutil uses SHA1, but SHA256 is the modern standard.

certutil -hashfile installer.exe SHA256

Output:

SHA256 hash of installer.exe:
9a5c8de5b... (hash continues)
CertUtil: -hashfile command completed successfully.

Explanation: This command calculates the SHA256 hash of installer.exe. You can compare this hash output with the hash provided by the software vendor to ensure file integrity and prevent supply chain attacks.
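The comparison described above is easy to get wrong by hand (older certutil builds print the hash as space-separated byte pairs, and a visual compare of 64 hex characters is unreliable). The following PowerShell script is an added example, not code from the original article: it runs certutil -hashfile, normalizes the output, compares it with a vendor-supplied SHA256 value, and cross-checks the result against Get-FileHash. The file path and the expected hash in the usage section are constructed placeholders.

```powershell
# Added example: verify a download with certutil -hashfile and cross-check with Get-FileHash.
# The file path and the "vendor" hash in the usage section are placeholders, not real values.

function Get-CertutilHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA512')] [string] $Algorithm = 'SHA256'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path (certutil would report 0x80070002)"
    }
    # certutil prints a header line, the hash line, then a status line.
    $output = & certutil.exe -hashfile $Path $Algorithm 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed: $($output -join ' ')"
    }
    # Older builds print the hash as space-separated byte pairs; strip whitespace and
    # lower-case so the comparison does not depend on the output format.
    $hashLine = $output | Where-Object { $_ -match '^[0-9a-fA-F ]+$' } | Select-Object -First 1
    return ($hashLine -replace '\s', '').ToLowerInvariant()
}

function Test-DownloadIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    $fromCertutil = Get-CertutilHash -Path $Path -Algorithm SHA256
    # Independent second opinion from the .NET hash provider behind Get-FileHash.
    $fromPosh = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $expected = ($ExpectedSha256 -replace '\s', '').ToLowerInvariant()

    [pscustomobject]@{
        File           = $Path
        CertutilHash   = $fromCertutil
        PowerShellHash = $fromPosh
        ToolsAgree     = ($fromCertutil -eq $fromPosh)
        MatchesVendor  = ($fromCertutil -eq $expected)
    }
}

# Usage: the expected value is normally copied from the vendor's download page.
# The value below is a constructed placeholder and will not match any real file.
$result = Test-DownloadIntegrity -Path 'C:\Downloads\installer.exe' `
    -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000'
$result | Format-List
if (-not $result.MatchesVendor) { Write-Warning 'Hash mismatch: do not run this installer.' }
```

The two-tool check is deliberate: if certutil and Get-FileHash disagree, the problem is on the local machine (a tampered binary, a wrong file path, a truncated download), not in the vendor's published hash.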

2. Encoding a File to Base64

If you need to send a binary file through a text-only medium or embed a certificate inside a JSON payload, you can Base64 encode it.

certutil -encode payload.bin payload.txt

Output:

Input Length = 2048
Output Length = 2800
CertUtil: -encode command completed successfully.

Explanation: This reads the binary payload.bin, converts it to Base64, and writes the text to payload.txt. By default certutil wraps the Base64 body in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header lines.

3. Installing a Root Certificate

Administrators deploying internal enterprise applications often need to install a custom root Certificate Authority so clients do not receive "Untrusted Connection" warnings.

certutil -addstore -f "Root" mycompany-ca.cer

Output:

Root "Trusted Root Certification Authorities"
Signature matches Public Key
Certificate "MyCompany Root CA" added to store.
CertUtil: -addstore command completed successfully.

Explanation: The -addstore option targets the "Root" (Trusted Root Certification Authorities) store of the Local Machine. The -f flag forces the addition, bypassing interactive prompts, which makes the command suitable for deployment scripts.
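Deployment scripts usually run repeatedly, so the install step should be idempotent and should confirm that the chain actually builds afterwards. The script below is an added example, not code from the original article: it reads each certificate's thumbprint, skips certificates that are already present in the target store, installs the rest with certutil -addstore -f, and then runs certutil -verify against a leaf certificate. The file paths are placeholders; the script assumes an elevated prompt, as the store modification requires it.

```powershell
# Added example: idempotent CA deployment plus a chain check. File paths are placeholders.
# Must run from an elevated prompt (Local Machine stores require administrative rights).

function Install-CaCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # "Root" for the enterprise root, "CA" for intermediates. A missing intermediate in
        # the "CA" store is the usual cause of an "Incomplete certificate chain" result.
        [Parameter(Mandatory)] [ValidateSet('Root', 'CA')] [string] $Store
    )
    # Load the file with .NET to read its thumbprint without touching any store.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $installed = Test-Path -LiteralPath "Cert:\LocalMachine\$Store\$($cert.Thumbprint)"
    if ($installed) {
        return [pscustomobject]@{ Subject = $cert.Subject; Store = $Store; Action = 'AlreadyPresent' }
    }
    # -f suppresses confirmation prompts so the script can run unattended.
    $null = & certutil.exe -addstore -f $Store $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed for $Path" }
    [pscustomobject]@{ Subject = $cert.Subject; Store = $Store; Action = 'Installed' }
}

function Test-CertificateChain {
    param([Parameter(Mandatory)] [string] $LeafPath)
    $output = & certutil.exe -verify $LeafPath 2>&1
    # certutil -verify exits non-zero when chain building or revocation checking fails;
    # the text is kept so the reason (missing intermediate, unreachable CRL) can be read.
    [pscustomobject]@{
        Leaf    = $LeafPath
        Trusted = ($LASTEXITCODE -eq 0)
        Details = ($output -join "`n")
    }
}

# Usage (placeholder file names): root first, then the issuing CA, then verify a server cert.
Install-CaCertificate -Path 'C:\PKI\mycompany-ca.cer' -Store Root
Install-CaCertificate -Path 'C:\PKI\mycompany-issuing-ca.cer' -Store CA
Test-CertificateChain -LeafPath 'C:\PKI\server_cert.cer' | Format-List
```

Checking the thumbprint through the Cert: drive before calling certutil keeps the script from re-adding the same certificate on every logon, and the final verify step turns a silent misconfiguration (root installed, intermediate forgotten) into a visible failure in the deployment log.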

4. Viewing Certificate Information

To view the properties of a downloaded .cer or .crt file without installing it, use the -dump option.

certutil -dump server_cert.cer

Output:

X509 Certificate:
Version: 3
Serial Number: 1a2b3c...
Issuer: CN=MyCompany Root CA
Subject: CN=webserver.mycompany.local
Valid From: 1/1/2026
Valid To: 1/1/2027
...

Explanation: This dumps all ASN.1 metadata about the certificate, including usage constraints, validity periods, and public key algorithms.

5. Verifying a Certificate

To confirm that a certificate chain is valid and that the certificate has not been revoked via CRL or OCSP, use the -verify option.

certutil -verify server_cert.cer

Explanation: Windows will trace the certificate chain back to the root, check the Certificate Revocation List (CRL), query the Online Certificate Status Protocol (OCSP) servers, and confirm whether the certificate is currently trustworthy.

6. Decoding a Base64 File

To convert a PEM file (Base64) back into a DER file (binary), or to extract simple Base64-encoded data, use the -decode option.

certutil -decode payload.txt payload.bin

Explanation: This strips the BEGIN/END headers from the text file and translates the Base64 strings back into raw binary format saved as payload.bin.
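Examples 2 and 6 above are the two halves of a DER/PEM conversion, which is the format migration described later under Common Use Cases. The script below is an added example, not code from the original article: it converts a DER certificate to PEM with certutil -encode, decodes it back with certutil -decode, and proves the round trip is lossless by comparing SHA256 hashes of the original and the decoded file. File names are placeholders; the script assumes certutil is on the PATH.

```powershell
# Added example: DER -> PEM -> DER round trip with certutil, verified by hash comparison.
# File names are placeholders; the .cer input is assumed to be a binary (DER) certificate.

function Test-Base64RoundTrip {
    param([Parameter(Mandatory)] [string] $DerPath)

    $pem  = [IO.Path]::ChangeExtension($DerPath, '.pem')
    $back = [IO.Path]::ChangeExtension($DerPath, '.roundtrip.cer')
    # Remove stale outputs so certutil does not fail on an existing output file.
    foreach ($f in $pem, $back) {
        if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f }
    }

    # -encode wraps the Base64 body in BEGIN/END CERTIFICATE lines, which is what
    # OpenSSL-based servers such as NGINX and Apache expect from a PEM file.
    $null = & certutil.exe -encode $DerPath $pem
    if ($LASTEXITCODE -ne 0) { throw "certutil -encode failed for $DerPath" }

    # -decode strips the header lines and writes the raw bytes back out.
    $null = & certutil.exe -decode $pem $back
    if ($LASTEXITCODE -ne 0) { throw "certutil -decode failed for $pem" }

    $original = (Get-FileHash -LiteralPath $DerPath -Algorithm SHA256).Hash
    $decoded  = (Get-FileHash -LiteralPath $back    -Algorithm SHA256).Hash

    [pscustomobject]@{
        Original  = $DerPath
        Pem       = $pem
        Decoded   = $back
        Identical = ($original -eq $decoded)
        Sha256    = $original
        PemHeader = (Get-Content -LiteralPath $pem -TotalCount 1)
    }
}

# Usage (placeholder path). Identical = True confirms the conversion lost nothing.
Test-Base64RoundTrip -DerPath 'C:\PKI\server_cert.cer' | Format-List
```

The hash comparison is the point of the exercise: Base64 conversion is lossless only if both ends handled the header lines and line wrapping the same way, and checking the decoded bytes against the original is the cheapest way to prove that before the PEM file is copied to a Linux server.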

Common Use Cases

  1. Software Integrity Verification: Users downloading applications from the internet use certutil -hashfile to confirm the program has not been tampered with or backdoored with malware.
  2. Batch Certificate Deployment: System administrators embed certutil -addstore in logon scripts or deployment tools to silently push CA certificates to all domain joined computers.
  3. Troubleshooting SSL/TLS Errors: Network engineers use certutil -verify to determine exactly why a web browser is throwing a certificate error (e.g., identifying blocked OCSP queries).
  4. Data Exfiltration and Obfuscation Testing: Security professionals (and sometimes malicious actors) use certutil -encode to disguise payloads or exfiltrate data. (Note: Many modern EDRs monitor certutil closely for this reason).
  5. Certificate Expiration Checks: Administrators can query the store to find certificates that are nearing their expiration date.
  6. Converting Certificate Formats: Converting binary DER files to Base64 encoded PEM files, which is necessary when migrating secrets to Linux-based web servers like NGINX or Apache.
  7. Purging Old/Compromised Certificates: Deleting unauthorized certificates from the Root store using the -delstore switch.
  8. Testing Network Connectivity to CA: Using certutil -ping to ensure remote servers can contact the Active Directory Certificate Services infrastructure.
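Use case 5 (expiration checks) is one place where combining certutil with PowerShell pays off, because certutil's text dump is hard to filter by date. The function below is an added example, not code from the original article: it walks a certificate store through PowerShell's Cert: drive, reports certificates that expire within a configurable window, and emits the matching certutil -store command so the same record can be inspected from cmd. The store path and window are assumptions you can change.

```powershell
# Added example: find certificates nearing expiry in a store, with the certutil command
# that inspects each hit. Defaults (Local Machine "My" store, 30-day window) are assumptions.

function Get-ExpiringCertificate {
    param(
        [string] $StorePath = 'Cert:\LocalMachine\My',
        [int]    $Days      = 30
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($Days)
    # The store name is the last path segment; certutil -store accepts a thumbprint as CertId.
    # certutil -store targets Local Machine by default and needs -user for Current User stores.
    $storeName = Split-Path -Path $StorePath -Leaf
    $userFlag  = if ($StorePath -like 'Cert:\CurrentUser\*') { '-user ' } else { '' }

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -le $cutoff } |
        Sort-Object NotAfter |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = [int] ($_.NotAfter - $now).TotalDays
                Expired    = ($_.NotAfter -lt $now)
                Inspect    = "certutil $userFlag-store $storeName $($_.Thumbprint)"
            }
        }
}

# Usage: certificates in the machine Personal store that expire within 30 days, soonest first.
Get-ExpiringCertificate -StorePath 'Cert:\LocalMachine\My' -Days 30 | Format-Table -AutoSize
```

Reporting the thumbprint rather than the subject name matters for the follow-up: as the best-practices section notes, -delstore should be given the exact thumbprint, because several valid certificates may share one common name.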

Tips and Best Practices

  • Specify SHA256 or SHA512: By default, older versions of certutil use MD4 or SHA1 for hashing. Always specify SHA256 or SHA512 at the end of your -hashfile command, as MD5 and SHA1 are cryptographically broken.
  • Run as Administrator: While hashing files can be done as a standard user, modifying certificate stores (Root, TrustedPublisher) requires an elevated Command Prompt.
  • Beware of EDR Flags: Because certutil can download files over the internet (via the -urlcache flag) and decode Base64, many Antivirus and Endpoint Detection & Response (EDR) solutions will flag anomalous certutil usage. Only use it for legitimate administrative purposes.
  • Use the -f Flag Carefully: The -f (force) flag allows bypassing confirmation prompts. Use this cautiously in scripts to avoid accidentally overwriting important certificates.
  • Check Certificate Thumbprints: When deleting a certificate with -delstore, use the exact SHA1 thumbprint. Using the common name might accidentally delete multiple valid certificates sharing the same name.
  • Combine with PowerShell: While certutil is powerful, PowerShell's Get-FileHash and the PKI module offer more structured, object-oriented output. Consider blending both depending on script requirements.
  • Understand the Stores: Know the difference between the "My" (Personal) store, the "Root" store, and the "CA" (Intermediate) store. Putting a certificate in the wrong store will prevent proper validation.
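The EDR warning above is worth turning into concrete detection logic, because the same binary serves both the administrator and an attacker and only the command line and the parent process tell them apart. The script below is an added example, not code from the original article: it applies a few rules to process-creation records and reports invocations that look like file download, payload decoding, or trust-store modification. The sample records are constructed for this example; in production they would come from Windows Security event 4688 or Sysmon event 1, and the rules would be tuned to local deployment accounts.

```powershell
# Added example: flag anomalous certutil invocations in process-creation records.
# The events below are constructed samples, not real telemetry.

function Find-SuspiciousCertutil {
    param([Parameter(Mandatory)] [object[]] $Events)

    # Each rule pairs a reason with a regex over the command line (case-insensitive).
    $rules = @(
        @{ Reason = 'Download via -urlcache';                 Pattern = '-urlcache\b.*\bhttps?://' },
        @{ Reason = 'Base64 decode into a temp or user path'; Pattern = '-decode\b.*(\\Temp\\|\\Users\\Public\\|\\AppData\\)' },
        @{ Reason = 'Root store change (compare with change records)'; Pattern = '-(addstore|delstore)\b.*\bRoot\b' }
    )

    foreach ($e in $Events) {
        $cmd = $e.CommandLine
        # Only look at certutil itself; the image name may or may not carry a path or .exe.
        if ($cmd -notmatch '(?i)(^|[\\ ])certutil(\.exe)?\b') { continue }
        foreach ($r in $rules) {
            if ($cmd -match "(?i)$($r.Pattern)") {
                [pscustomobject]@{
                    Time        = $e.Time
                    User        = $e.User
                    Parent      = $e.ParentImage
                    Reason      = $r.Reason
                    CommandLine = $cmd
                }
            }
        }
    }
}

# Constructed sample events. The first is routine use and should produce no alert; the
# second is a legitimate deployment that still deserves a review entry; the last two show
# an Office process driving certutil, which is the pattern EDR products look for.
$sampleEvents = @(
    [pscustomobject]@{ Time = '2026-03-27T09:01:00'; User = 'CORP\alice';      ParentImage = 'cmd.exe';
                       CommandLine = 'certutil -hashfile C:\Downloads\installer.exe SHA256' },
    [pscustomobject]@{ Time = '2026-03-27T09:02:00'; User = 'CORP\svc_deploy'; ParentImage = 'powershell.exe';
                       CommandLine = 'certutil -addstore -f Root C:\PKI\mycompany-ca.cer' },
    [pscustomobject]@{ Time = '2026-03-27T09:03:00'; User = 'CORP\bob';        ParentImage = 'winword.exe';
                       CommandLine = 'certutil -urlcache -split -f http://example.invalid/a.txt C:\Users\Public\a.txt' },
    [pscustomobject]@{ Time = '2026-03-27T09:04:00'; User = 'CORP\bob';        ParentImage = 'winword.exe';
                       CommandLine = 'certutil -decode C:\Users\Public\a.txt C:\Users\Public\a.exe' }
)

Find-SuspiciousCertutil -Events $sampleEvents | Format-Table -AutoSize
```

The parent image and user columns are what make the output actionable: a Root store change from a deployment service account launched by PowerShell matches the batch-deployment use case above, whereas the same certutil verb, or a -decode into C:\Users\Public, spawned from a document viewer has no administrative explanation and should go to incident response.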

Troubleshooting Common Issues

"CertUtil: -hashfile command failed: 0x80070002"

Problem: The system cannot find the file specified.
Solution: Ensure you are in the correct directory, or provide the complete absolute path to the file. Double-check for typos or hidden file extensions (e.g., file.txt.txt).

"Access Denied" when importing a certificate

Problem: Certutil throws an access denied error when using -addstore.
Solution: Modifying the Local Machine certificate stores requires administrative privileges. Close the Command Prompt, right-click it, and select "Run as Administrator," then try again.

"The revocation function was unable to check revocation"

Problem: The -verify command fails with generic revocation errors.
Solution: The computer is unable to reach the CRL distribution point or OCSP responder over the network. Check your firewall settings to ensure HTTP (port 80) traffic to the CA is allowed.

"Incomplete certificate chain"

Problem: The -verify command fails because it cannot trace back to the root.
Solution: Ensure the Intermediate CA certificates are properly installed in the "CA" store. If the intermediate is missing, Windows cannot build the chain from the server to the root.

Related Commands

Get-FileHash – PowerShell Hash Calculator

While certutil generates hashes via cmd, the PowerShell native Get-FileHash does the same thing but outputs objects, allowing for programmatic comparison and scripting.

cipher – Managing EFS Encrypted Files

While certutil manages asymmetric certificates for trust, the cipher command is used to manage file-level encryption on the NTFS file system via the Encrypting File System (EFS).

icacls – Advanced NTFS Permissions

Security involves more than just certificates. Once you verify an installer with certutil, you might use icacls to restrict exactly which local users have permission to execute that file.

Frequently Asked Questions

What does the certutil command do?

The certutil command manages Windows certificates, configures Certificate Services, and is widely used to verify the integrity of files by generating cryptographic hashes such as SHA256.

How do I use certutil to get an MD5 hash?

To generate an MD5 hash on Windows, run certutil -hashfile filename MD5. Replace "filename" with the path to your file.

Is certutil safe to use?

Yes, certutil is a legitimate, built-in Windows administrative tool. However, because it can encode/decode data and retrieve files, cybercriminals sometimes abuse it in so-called "Living off the Land" (LotL) attacks, which rely on tools already present on the system instead of dropping their own.

How do I decode a Base64 string with certutil?

Create a text file containing the Base64 string, then use the command certutil -decode input.txt output.bin. This will write the raw decoded binary back to output.bin.

How can I delete an expired certificate using certutil?

Use the command certutil -delstore My "SerialNumber" or replace the serial number with the exact SHA1 thumbprint. Ensure you run this from an administrative prompt.

Does certutil download files?

While certutil was historically used with the -urlcache -split -f parameters to pull files over HTTP, modern Windows Defender and EDR systems heavily restrict and alert on this behavior due to malware abuse.

What is the default hash algorithm for certutil?

If you omit the hash algorithm argument entirely (e.g., certutil -hashfile file.txt), Windows defaults to using SHA1. It is highly recommended to explicitly specify SHA256 instead.

Where does certutil store certificates?

Certutil manages certificates in the local Windows Certificate Stores, which are logically divided into "Local Machine" and "Current User," and further categorized into folders like Root, CA, and My.

Can certutil manipulate Active Directory?

Yes, certutil is heavily involved in Active Directory Certificate Services (AD CS). It can ping CAs, backup databases, display configuration, and publish CRLs to Active Directory.

How do I view all certificates in the Root store?

To view all Trusted Root Certification Authorities installed on the system, run certutil -store Root. This will dump the properties of every root certificate.

Quick Reference Card

Command                             Purpose                  Example
certutil -hashfile <file> SHA256    Generate SHA256 hash     Verify software integrity
certutil -encode <in> <out>         Base64 encoding          Encode binary to text
certutil -decode <in> <out>         Base64 decoding          Convert text back to binary
certutil -addstore Root <cert>      Install CA certificate   Trust an internal enterprise CA
certutil -verify <cert>             Validate certificate     Troubleshoot untrusted connections

Summary

The certutil command is a highly versatile and underappreciated utility built into the Windows Command Prompt. From its roots in managing enterprise Active Directory Certificate Services, it has become the standard command-line tool for everyday tasks like generating file hashes and converting Base64 data.

In this guide, we covered the core syntax, essential parameters like -hashfile and -addstore, and looked at highly practical examples ranging from verifying downloads to troubleshooting broken certificate chains. We also reviewed common configuration errors and the best practices necessary to avoid them.

By mastering certutil, you add a powerful security and administration instrument to your IT toolkit. Practice utilizing certutil safely, ensuring you always explicitly ask for strong hashing algorithms like SHA256. For more advanced programmatic workflows, consider how certutil pairs nicely with native PowerShell commands.