If you have a certificate and want to verify its validity, perform the following command:
certutil -f –urlfetch -verify [FilenameOfCertificate]
The command output will tell you if the certificate is verifiable and is valid.
Any dwErrorStatus unequal 0 is a real error.
For more information on the status see CERT_TRUST_STATUS (http://msdn2.microsoft.com/en-us/library/aa377590.aspx) on MSDN.
If you have a HTTP or LDAP URL and want to look at the CRL, use the following command:
certutil -URL [URL]
certutil -URL http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
The URL can be a HTTP or LDAP URL. The nice thing with the –URL verb is that it shows a user interface where also the retrieval timeout can be set. Thus, it might be, that a CRL can be retrieved with an extended retrieval timeout while certutil -verify fails because it uses the default timeout. To also extend the retrieval timeout for the -verify verb, use the -t option like this:
certutil –t 30 -f –urlfetch -verify [FilenameOfCertificate]
Sometimes, you not only want to look at the CRL but also want to download the CRL as a file. In this case, use the -split option like this:
certutil –split -URL http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
certutil –split -URL ldap://myLDAPserver/CN=MyCA,CN=CRL,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
The -split option creates a file named “BlobX_X_X.*” in your current working directory. If multiple CRLs are downloaded several Blob*.* files are created. As a global option, -split can also be used with other certutil verbs, for example:
certutil -f –split –urlfetch -verify [FilenameOfCertificate]
If the certificate is part of a multi-tier CA topology or delta CRLs are used, you will see a Blob*.* file for each CRL in the chain.
Once a CRL was downloaded, it is cached locally. To examine the URLs of CRLs that are in the local cache, perform the following command:
certutil –urlcache CRL