Command line reference for Active Directory Certificate Services
Enroll a certificate for the local machine by command line
certreq -enroll -machine -q TemplateName
Example
certreq -enroll -machine -q WS-RSA-Computer
Enroll a certificate remotely against an Issuing Enterprise Certificate Authority
CERTREQ.EXE -attrib "CertificateTemplate:TemplateName" -config "CAFQDN\CA FriendlyName" -submit "C:\path\to\certificate.csr" "C:\path\to\issued.cer" "C:\path\to\issued.p7b" "C:\path\to\issued.rsp"
Example
CERTREQ.EXE -attrib "CertificateTemplate:WS-RSA-Computer" -config "WSNOCCA10.lan.wolfspirit.net\WolfSpirit.Net RSA SHA256 Issuing CA 10" -submit "C:\path\to\certificate.csr" "C:\path\to\issued.cer" "C:\path\to\issued.p7b" "C:\path\to\issued.rsp"
Revoke a certificate remotely against an Issuing Enterprise Certificate Authority
CERTUTIL.EXE -config "CAFQDN\CA FriendlyName" -revoke serialnumber reason
Revocation reason codes
Note that all revocation operations are irreversible except when code 6 is utilized.
0: CRL_REASON_UNSPECIFIED -- Unspecified (default)
1: CRL_REASON_KEY_COMPROMISE -- Key Compromise
2: CRL_REASON_CA_COMPROMISE -- CA Compromise
3: CRL_REASON_AFFILIATION_CHANGED -- Affiliation Changed
4: CRL_REASON_SUPERSEDED -- Superseded
5: CRL_REASON_CESSATION_OF_OPERATION -- Cessation of Operation
6: CRL_REASON_CERTIFICATE_HOLD -- Certificate Hold
Example
CERTUTIL.EXE -config "WSNOCCA10.lan.wolfspirit.net\WolfSpirit.Net RSA SHA256 Issuing CA 10" -revoke 4200000abcd123432330 4
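Because every reason code except 6 is irreversible, a guarded wrapper around the revoke command is useful. The following PowerShell function is an added example, not part of the original reference; the function name Revoke-CaCertificate and its parameter names are hypothetical, and only the certutil arguments are taken from the commands above.

```powershell
# Added example: guarded wrapper around "certutil -revoke". Function and parameter
# names are hypothetical; only the certutil arguments come from the page.
function Revoke-CaCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # "CAFQDN\CA FriendlyName", as passed to -config
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[^\\]+\\.+$')]
        [string]$Config,

        # Certificate serial number as a hex string, no spaces or colons
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[0-9A-Fa-f]+$')]
        [string]$SerialNumber,

        [Parameter(Mandatory = $true)]
        [ValidateSet('Unspecified', 'KeyCompromise', 'CACompromise', 'AffiliationChanged',
                     'Superseded', 'CessationOfOperation', 'CertificateHold')]
        [string]$Reason
    )

    # Reason names mapped to the numeric codes listed above
    $codes = @{
        Unspecified = 0; KeyCompromise = 1; CACompromise = 2; AffiliationChanged = 3
        Superseded = 4; CessationOfOperation = 5; CertificateHold = 6
    }
    $code = $codes[$Reason]

    # Only code 6 (Certificate Hold) can be undone; say so in the confirmation prompt
    $kind = if ($code -eq 6) { 'reversible hold' } else { 'IRREVERSIBLE' }
    $action = "Revoke with reason $code ($Reason), $kind"

    if ($PSCmdlet.ShouldProcess("serial $SerialNumber on $Config", $action)) {
        & certutil.exe -config $Config -revoke $SerialNumber $code
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -revoke failed with exit code $LASTEXITCODE"
        }
    }
}

# Dry run with the page's example values: prints the planned action, revokes nothing
Revoke-CaCertificate -Config 'WSNOCCA10.lan.wolfspirit.net\WolfSpirit.Net RSA SHA256 Issuing CA 10' `
    -SerialNumber '4200000abcd123432330' -Reason Superseded -WhatIf
```

Without -WhatIf the function prompts for confirmation before calling certutil, and the prompt states whether the chosen reason can be undone.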