There are two ways to acquire a Windows 7 key: purchase an original copy of Windows 7 Professional (either on the internet or from a local dealer), and you will get a genuine key with it; or get a serial key from the free list of Windows 7 Pro product keys on this page. If you choose the first option, you will have to pay a fee. Windows 10 Product Key 2020 serial number or unlock key is available to the public; you can freely download the serial key.
Jan 03, 2016: I bought Windows 10 Professional & completed a fresh install (complete reinstallation) of Windows, only that it installed Windows 10 Home instead of Professional. I'm guessing this is due to the Windows 8 Standard Edition serial key preinstalled in the BIOS.
Nov 30, 2020: Even if you have genuine Windows, if you do not have a Windows 8.1 product key you won’t be able to run Windows 8.1 on your PC. So Windows 8.1 serial keys for both 32-bit and 64-bit are a very important part of Windows, and you must obtain one to get going.
In Windows 8 (and 8.1), 7 and Vista, you cannot load a driver or execute a program that does not have a driver signature. Driver signing is a method of verifying the identity of the software publisher or the hardware (driver) vendor in order to protect your system from being infected with malware rootkits, which are able to run at the lowest level of the operating system.
Summary:
Sometimes, you might encounter the USB driver error code 52: Windows cannot verify the digital signature for the drivers required for this device. Luckily, you can fix it yourself. In this article, MiniTool Partition Wizard puts together some solutions to this issue and hopes you can benefit from them.
Windows Digital Signatures
Based on Microsoft public key infrastructure technology, the Windows digital signatures are implemented to verify the identity of the software publisher or the driver vendor. The digital signature can protect your Windows from potential threats and infections of some malicious programs.
According to the explanation from Microsoft, Windows uses a valid digital signature to verify some information, including:
- The file, or the collection of files (such as a driver package), is signed.
- The signer is trusted.
- The certification authority that authenticated the signer is trusted.
- The collection of files was not altered after it was published.
In order to be installed and run on the latest Windows operating system, the drivers and programs must be digitally signed. However, there are still some legitimate programs or drivers that are not signed, and you may encounter certain problems while installing them.
About Windows Cannot Verify the Digital Signature Code 52
Sometimes, your USB ports might fail to recognize any hardware connected to your device, and you will see the error code 52 in the properties of the USB driver. The USB driver code 52 is a typical error related to the digital signature. It commonly occurs after updating or upgrading Windows and comes up with the following error message:
Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)
Besides, you might receive some other different error messages related to Windows digital signature, such as “Windows cannot verify the digital signature for this file. (0xc0000428)”, “Digital Signature not found”, and so on.
If you do run into the digital signature error, don't panic. Some workable solutions reported by users are listed below, and you can work your way down the list until the issue is fixed.
7 Solutions to Windows Cannot Verify the Digital Signature
- Modify Windows registry
- Update or uninstall the problematic driver
- Use System File Checker utility
- Scan for file system errors
- Disable integrity checks
- Disable driver signature enforcement
- Perform system restore
Fix 1: Modify Windows Registry
In most cases, this issue is caused by 2 registry entries named UpperFilters and LowerFilters, and some users have fixed the problem simply by deleting them. So, if you receive the “Windows cannot verify the digital signature for the drivers required for this device” error message, try deleting these registry entries first. The steps are listed below.
Note: This is a risky solution, as any improper registry operation might cause unrecoverable damage to your system. Therefore, you had better back up your Windows registry in advance, so that you can restore it to its original state if this solution doesn’t work.
Step 1: Press Windows + R to open the Run window. Type regedit and click OK to open Registry Editor.
Step 2: Navigate to the following path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}.
Step 3: Keep the {36fc9e60-c465-11cf-8056-444553540000} key selected, and find the UpperFilters and LowerFilters entries in the right pane. Right-click them and choose Delete.
Step 4: Click OK to confirm the operation. Restart your computer and check if the error code 52 disappears.
Fix 2: Update or Uninstall the Problematic Driver
If the error is limited to a specific device driver, the problem may lie in the driver itself. In this case, it should be helpful to update or uninstall the problematic driver. You can follow the instructions below:
Step 1: Right-click the Start button and choose Device Manager to open it.
Step 2: Double-click Universal Serial Bus controllers to expand the category.
Step 3: Locate the problematic USB driver. Commonly, the device driver that runs into error code 52 is displayed with a yellow exclamation mark in Device Manager, and it may be named Unknown USB Device.
Step 4: Right-click the problematic driver and choose Update driver.
Step 5: Choose the Search automatically for updated driver software option to proceed. If there are any updates detected, install them according to the onscreen instructions and then reboot your computer.
Note: If there is more than one problematic driver, repeat the operation for the remaining drivers to make sure all of them are the latest version.
Alternatively, you can also choose to uninstall the driver, which has effectively removed the USB error code 52 for some users. Just right-click the driver, choose Uninstall device, and click Uninstall to confirm the operation. Then, restart your system, and the default driver will be reinstalled automatically.
Fix 3: Use System File Checker Utility
Corrupted or missing system files could also trigger the “Windows cannot verify the digital signature for this file/driver” error message. To resolve the problem, you can use the built-in System File Checker utility by following the steps below.
Step 1: Open the Run window.
Step 2: Input cmd and press Ctrl + Shift + Enter to run Command Prompt as administrator.
Step 3: Type the command sfc /scannow in the console and press Enter to execute it.
Then, this tool will start scanning your system files and automatically replace the problematic files with a fresh cached copy. All you need to do is to wait patiently until the process is 100% completed. After that, restart your device and check if the USB error code 52 is resolved.
Fix 4: Scan for File System Errors
It’s said that this issue might have something to do with the file system error. So, you can try scanning your drives for file system errors and fixing them.
To do that, you can use the CHKDSK tool. Just launch Command Prompt with administrative privileges, input the command chkdsk e: /f, and press Enter. Restart your computer after the process is completed.
Tip: You need to replace e: with the drive letter of the partition you want to scan. If you execute the command chkdsk /f without a drive letter, this tool will automatically check and fix the current drive (the system drive in almost all cases), which will require a reboot.
Besides, you can also use a professional program to check and fix file system errors on your hard drive. Here, MiniTool Partition Wizard is recommended. It can help you recover lost data, back up Windows, and of course, deal with file system issues within a few clicks.
Step 1: Download and install MiniTool Partition Wizard Free on your computer. Launch it to get the main interface.
Step 2: Select the drive you want to scan for and choose Check File System feature from the left action panel. You can also activate this feature by selecting Check File System from the context menu after right-clicking the drive.
Step 3: In the pop-up window, choose Check & fix detected errors option and click Start button.
Fix 5: Disable Integrity Checks
As mentioned before, the “Windows cannot verify the digital signature for the drivers required for this device” error message appears when your Windows is trying to verify the digital signature and integrity of the device. In theory, disabling this option may resolve the problem and enable you to install the driver of the device again.
To disable integrity checks, you need to:
Step 1: Run Command Prompt as administrator.
Step 2: Input the following command lines and press Enter key after each to execute them:
- bcdedit -set loadoptions DDISABLE_INTEGRITY_CHECKS
- bcdedit -set TESTSIGNING ON
Step 3: Check whether the USB error code 52 is fixed. If this doesn’t work, open the command console again and execute the following command lines this time:
- bcdedit /deletevalue loadoptions
- bcdedit -set TESTSIGNING OFF
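The commands in Step 2 write settings into the boot configuration data, where they stay until the Step 3 commands remove them, so it is worth checking which state a machine was left in. The following is an added example, not part of the original article: a Python parser for `bcdedit /enum` output that reports boot entries with test signing enabled or integrity checks disabled. The two sample outputs are constructed, the function names are illustrative, and English-language bcdedit output is assumed.

```python
import re
import subprocess
import sys

# Constructed sample of `bcdedit /enum {current}` output after the Step 2
# commands (not captured from a real machine).
AFTER_STEP_2 = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 10
loadoptions             DDISABLE_INTEGRITY_CHECKS
testsigning             Yes
nx                      OptIn
"""

# Constructed sample after the Step 3 revert commands.
AFTER_STEP_3 = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 10
testsigning             No
nx                      OptIn
"""


def parse_bcdedit(text):
    """Split bcdedit output into one dict of element -> value per boot entry."""
    lines = [line.rstrip() for line in text.splitlines()]
    entries, entry = [], None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue
        following = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if following and set(following) == {"-"}:
            # A title line is always underlined with dashes.
            entry = {"_title": stripped}
            entries.append(entry)
            continue
        # Element lines start in column 0; indented lines continue a list value.
        match = re.match(r"(\S+)\s+(.+)", line)
        if entry is not None and match:
            entry[match.group(1).lower()] = match.group(2).strip()
    return entries


def audit_code_integrity(entries):
    """Return (identifier, element, value) for each weakened setting found."""
    findings = []
    for entry in entries:
        ident = entry.get("identifier", entry["_title"])
        # testsigning is set by `bcdedit -set TESTSIGNING ON` in Step 2.
        # nointegritychecks is a separate bcdedit element that also turns
        # integrity checks off; the article does not use it.
        for element in ("testsigning", "nointegritychecks"):
            if entry.get(element, "").lower() == "yes":
                findings.append((ident, element, entry[element]))
        loadoptions = entry.get("loadoptions", "")
        # Substring match also catches the DDISABLE_ spelling used in Step 2.
        if "DISABLE_INTEGRITY_CHECKS" in loadoptions.upper():
            findings.append((ident, "loadoptions", loadoptions))
    return findings


if __name__ == "__main__":
    if sys.platform == "win32":
        # Needs an elevated prompt, like the commands in Fix 5.
        text = subprocess.run(["bcdedit", "/enum"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = AFTER_STEP_2
    for ident, element, value in audit_code_integrity(parse_bcdedit(text)):
        print(f"{ident}: {element} = {value}")
```

An empty result after running the Step 3 commands confirms that both settings were reverted.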
Fix 6: Disable Driver Signature Enforcement
If the above methods fail to resolve the issue for you, perhaps you can disable driver signature enforcement. In this way, you will be able to install drivers for the problematic devices bypassing Windows checking for the signatures.
Here’s a simple guide.
Step 1: Press Windows + I to open Settings.
Step 2: Go to Update & Security > Recovery and click Restart now button under Advanced startup section in the right pane.
Step 3: When you enter Windows Recovery Environment, navigate to Troubleshoot > Advanced options > Startup Settings and then click Restart button.
Step 4: When you get the following interface, press 7 or F7 to choose the Disable driver signature enforcement option.
Then, your Windows will boot up automatically. You need to open Device Manager and try updating the problematic drivers referring to the steps mentioned above. Now, the USB error code 52 should be resolved.
For more information about driver signature enforcement and how to disable it, you can read this article: How to Disable Driver Signature Enforcement? Try These Methods.
Fix 7: Perform System Restore
Finally, you can perform system restore to bring your Windows back to a previous status, which may help you get rid of the “Windows cannot verify the digital signature for the drivers required for this device” issue.
Step 1: Open Run dialog, input sysdm.cpl and click OK to access System Properties.
Step 2: Switch to the System Protection tab and click System Restore.
Step 3: Click Next to skip the welcome page. Then, choose a restore point and click Next button.
Tip: You can click Scan for affected programs to check the applications or services to be removed during the process.
Step 4: Click Finish button to confirm the operation, and a restart will be required to apply the changes.
Hopefully, the Windows digital signature issue will be removed successfully.
Bottom Line
Have you resolved the “Windows cannot verify the digital signature for this file/driver” issue with the solutions introduced in this article? All we know about how to fix the issue is in this post. If you have better solutions, please leave a message in the comment zone below. We would like to improve this article with your valuable suggestions.
If you want to explore more features of MiniTool Partition Wizard, you can check the user manual. For any questions, you can contact us via [email protected].
Windows Cannot Verify the Digital Signature FAQ
Can I install a driver without a digital signature?
To install a driver and make it work properly on your computer, the driver should be officially signed. But sometimes, you may want to install a driver without a digital signature. Yes, you can force an unsigned driver to install, but it may take some time. For detailed information, you can check this guide.
If you encounter the invalid digital signature installation error, you can try the following solutions:
- Make sure the downloaded executable is unblocked.
- Install the certificates manually through the properties of the executable file.
- Consult your group policy admin to temporarily disable restriction for the authentication of certificates.
What is the difference between signed and unsigned drivers?
A signed driver with a correct digital signature indicates that it is not damaged, corrupted, manipulated, or changed, and it is safe to use. It can be installed and work properly on Windows. An unsigned driver will be considered a potentially malicious item by the system, and it cannot be installed properly.
A signed driver may also become unsigned if its signature becomes invalid due to any tampering or changing.
Dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, verify certificates, key pairs or certificate chains.
RequestId : Numeric Request Id of pending request.
AttributeString : Request Attribute name and value pairs.
Names and values are colon separated. Multiple name, value pairs are newline separated.
Example: 'CertificateTemplate:User\nEMail:[email protected]'
Each '\n' sequence is converted to a newline separator.
RequestId : Numeric Request Id of a pending request.
ExtensionName : ObjectId string of the extension.
Flags : 0 is recommended. 1 makes the extension critical, 2 disables it, 3 does both.
If the last parameter is numeric, it is taken as a Long. If it can be parsed as a date, it is taken as a Date.
If it starts with '@', the rest of the token is the filename containing binary data or an ascii-text hex dump.
Anything else is taken as a String.
InfoName : indicates the CA property to display. Use '*' for all properties.
Index : optional zero-based property index
ErrorCode : numeric error code [-f] [-split] [-config MachineCAName]
Index : CRL index or key index (defaults to CRL for newest key)
delta : delta CRL (default is base CRL)
Ext : Extension table
Attrib : Attribute table
CRL : CRL table
Defaults to Request and Certificate table.
Queue : Request queue.
Log : Issued or revoked certificates, plus failed requests.
LogFail : Failed requests.
Revoked : Revoked certificates.
Ext : Extension table.
Attrib : Attribute table.
CRL : CRL table.
csv : Output as Comma Separated Values.
To display the StatusCode column for all entries: -out StatusCode
To display all columns for the last entry: -restrict 'RequestId$'
To display RequestId and Disposition for three requests:
-restrict 'RequestId>=37,RequestId<40' -out 'RequestId,Disposition'
To display Row Ids and CRL Numbers for all Base CRLs: -restrict 'CRLMinBase=0' -out 'CRLRowId,CRLNumber' CRL
To display Base CRL Number 3: -v -restrict 'CRLMinBase=0,CRLNumber=3' -out 'CRLRawCRL' CRL
To display the entire CRL table: CRL
Use 'Date[+|-dd:hh]' for date restrictions.
Use 'now+dd:hh' for a date relative to the current time.
Request : Failed and pending requests (submission date)
Cert : Expired and revoked certificates (expiration date)
Ext : Extension table
Attrib : Attribute table
CRL : CRL table (expiration date)
To delete failed and pending requests submitted by January 22, 2001: 1/22/2001 Request
To delete all certificates that expired by January 22, 2001: 1/22/2001 Cert
To delete the certificate row, attributes and extensions for RequestId 37: 37
To delete CRLs that expired by January 22, 2001: 1/22/2001 CRL [-f] [-config MachineCAName]
BackupDirectory : directory to store backed up data
Incremental : perform incremental backup only (default is full backup)
KeepLog : preserve database log files (default is to truncate log files)
BackupDirectory : directory to store backed up PFX file
BackupDirectory : directory containing data to be restored
BackupDirectory : directory containing database files to be restored
BackupDirectory : directory containing PFX file to be restored
PFXFile : PFX file to be restored
CertificateStoreName : Certificate store name. See -store.
PFXFile : PFX file to be imported
Modifiers : Comma separated list of one or more of the following:
AT_SIGNATURE : Change the KeySpec to Signature
AT_KEYEXCHANGE : Change the KeySpec to Key Exchange
NoExport : Make the private key non-exportable
NoCert : Do not import the certificate
NoChain : Do not import the certificate chain
NoRoot : Do not import the root certificate
Protect : Protect keys with password
NoProtect : Do not password protect keys
Defaults to personal machine store.
CertificateStoreName : Certificate store name.
CertId : Certificate or CRL match token. This can be a serial number, an SHA-1 certificate, CRL, CTL or public key hash, a numeric cert index (0, 1, and so on), a numeric CRL index (.0, .1, and so on), a numeric CTL index (.0, .1, and so on), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail address, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or Application Policies ObjectId, or a CRL issuer Common Name. These can result in multiple matches.
OutputFile : File to save matching cert.
Use -user to access a user store instead of a machine store.
Use -enterprise to access a machine enterprise store.
Use -service to access a machine service store.
Use -grouppolicy to access a machine group policy store.
CertificateStoreName : Certificate store name. See -store.
InFile : Certificate or CRL file to add to store.
CertificateStoreName : Certificate store name. See -store.
CertId : Certificate or CRL match token. See -store.
CertificateStoreName : Certificate store name. See -store.
CertIdList : comma separated list of Certificate or CRL match tokens. See -store CertId description.
PropertyInfFile : INF file containing external properties:
CertFile : certificate file to publish
NTAuthCA : Publish cert to DS Enterprise store
RootCA : Publish cert to DS Trusted Root store
SubCA : Publish CA cert to DS CA object
CrossCA : Publish cross cert to DS CA object
KRA : Publish cert to DS Key Recovery Agent object
User : Publish cert to User DS object
Machine : Publish cert to Machine DS object
CRLFile : CRL file to publish
DSCDPContainer : DS CDP container CN, usually the CA machine name
DSCDPCN : DS CDP object CN, usually based on the sanitized CA short name and key index
Use -f to create DS object.
Use the -config option to target a single CA (Default is all CAs)
Sitename is allowed only when targeting a single CA
Use -f to override validation errors for the specified Sitename
Use -f to delete all CA site names
AuthenticationType: Specify one of the following client authentication methods while adding a URL:
Kerberos : Use Kerberos SSL credentials.
UserName : Use named account for SSL credentials.
ClientCertificate : Use X.509 Certificate SSL credentials.
Anonymous : Use anonymous SSL credentials.
delete : Delete the specified URL associated with the CA
Priority : Defaults to '1' if not specified when adding a URL
Modifiers : Comma separated list of one or more of the following:
AllowRenewalsOnly : Only renewal requests can be submitted to this CA via this URL
AllowKeyBasedRenewal : Allow use of a certificate that has no associated account in the AD.
This applies only with ClientCertificate and AllowRenewalsOnly Mode
URL : target URL. Use * to match all entries. Use https://machine* to match a URL prefix.
add : add a Credential Store entry. SSL credentials must also be specified.
delete : delete Credential Store entries
-f : use -f to overwrite an entry or to delete multiple entries.
URL : Cached URL
CRL : Operate on all cached CRL URLs only
* : Operate on all cached URLs
delete : Delete relevant URLs from the current user's local cache
-f : Force fetch of a specific URL and update the cache.
-split : Dump the file to disk
-v : Will display the whole IE internet history and cache file locations (…Content.IE5…)
e.g.
certutil.exe -urlcache -split -f 'https://download.sysinternals.com/files/SysinternalsSuite.zip' pstools.zip
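As the example above shows, -urlcache with -f and -split makes certutil fetch a URL and write the result to disk, so process command lines that contain it are worth reviewing. The following added example (not part of the original reference text) parses command lines and classifies -urlcache use according to the switch descriptions above. The sample lines other than the first, the function names and the verdict labels are constructed for illustration.

```python
import re
import shlex

URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Constructed process command lines, as they might appear in process-creation
# logging. The first is the example from the text above.
SAMPLE_COMMAND_LINES = [
    "certutil.exe -urlcache -split -f "
    "'https://download.sysinternals.com/files/SysinternalsSuite.zip' pstools.zip",
    r'"C:\Windows\System32\CertUtil.exe" /URLCACHE /f http://ca.example.test/base.crl',
    "certutil -urlcache * delete",
    r"certutil -hashfile C:\Temp\image.iso SHA256",
    "notepad.exe certutil-notes.txt",
]


def _tokens(cmdline):
    """Tokenise a Windows command line, keeping backslashes literal."""
    try:
        raw = shlex.split(cmdline, posix=False)
    except ValueError:              # unbalanced quote: fall back to whitespace
        raw = cmdline.split()
    return [tok.strip("\"'") for tok in raw]


def parse_urlcache(cmdline):
    """Describe a `certutil -urlcache` invocation, or return None."""
    tokens = _tokens(cmdline)
    if not tokens:
        return None
    # Compare the image name only, so full paths and mixed case still match.
    image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in ("certutil", "certutil.exe"):
        return None
    switches, positional = set(), []
    for tok in tokens[1:]:
        if tok and tok[0] in "-/":  # certutil accepts both switch prefixes
            switches.add(tok[1:].lower())
        elif tok:
            positional.append(tok)
    if "urlcache" not in switches:
        return None
    url = next((p for p in positional if URL_RE.match(p)), None)
    rest = [p for p in positional if p != url and p.lower() != "delete"]
    if url and "split" in switches:
        verdict = "download-to-disk"    # -split: dump the file to disk
    elif url and "f" in switches:
        verdict = "forced-fetch"        # -f: force fetch, update the cache
    else:
        verdict = "cache-operation"     # listing or deleting cache entries
    return {"verdict": verdict, "url": url,
            "outfile": rest[0] if url and rest else None}


def scan(command_lines):
    """Return (command line, parsed) for every -urlcache use that names a URL."""
    hits = []
    for line in command_lines:
        parsed = parse_urlcache(line)
        if parsed and parsed["url"]:
            hits.append((line, parsed))
    return hits


if __name__ == "__main__":
    for line, parsed in scan(SAMPLE_COMMAND_LINES):
        print(parsed["verdict"], parsed["url"], parsed["outfile"], sep="\t")
```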
Default is to display DC certs without verification.
CRYPT_DELETEKEYSET : Delete all keys on the smart card
KeyContainerName : Key container name of the key to verify. Defaults to machine keys. Use -user for user keys.
CACertFile : Signing or encryption certificate file
If no arguments are specified, each signing CA cert is verified against its private key.
This operation can only be performed against a local CA or local keys.
CertFile : Certificate to verify
ApplicationPolicyList : Optional comma separated list of required Application Policy ObjectIds
IssuancePolicyList : Optional comma separated list of required Issuance Policy ObjectIds
CACertFile : Optional issuing CA certificate to verify against
CrossedCACertFile : optional certificate cross-certified by CertFile
CRLFile : CRL to verify
IssuedCertFile : optional issued certificate covered by CRLFile
DeltaCRLFile : Optional delta CRL
If ApplicationPolicyList is specified, chain building is restricted to chains valid for
the specified Application Policies.
If IssuancePolicyList is specified, chain building is restricted to chains valid for the
specified Issuance Policies.
If CACertFile is specified, fields in CACertFile are verified against CertFile or CRLFile.
If CACertFile is not specified, CertFile is used to build and verify a full chain.
If CACertFile and CrossedCACertFile are both specified, fields in CACertFile and CrossedCACertFile
are verified against CertFile.
If IssuedCertFile is specified, fields in IssuedCertFile are verified against CRLFile.
If DeltaCRLFile is specified, fields in DeltaCRLFile are verified against CRLFile.
CTLObject : Identifies the CTL to verify:
AuthRootWU : read AuthRoot CAB and matching certificates from the URL cache. Use -f to download from Windows Update instead.
DisallowedWU : read Disallowed Certificates CAB and disallowed certificate store file from the URL cache. Use -f to download from Windows Update instead.
AuthRoot : read registry cached AuthRoot CTL. Use with -f and a CertFile that is not already trusted to force updating the registry cached AuthRoot and Disallowed Certificate CTLs.
Disallowed : read registry cached Disallowed Certificates CTL. -f has the same behavior as with AuthRoot.
CTLFileName : file or http: path to CTL or CAB
CertDir : folder containing certificates matching CTL entries. An http: folder path must end with a path separator. If a folder is not specified with AuthRoot or Disallowed, multiple locations will be searched for matching certificates: local certificate stores, crypt32.dll resources and the local URL cache. Use -f to download from Windows Update when necessary.
Otherwise defaults to the same folder or web site as the CTLObject.
CertFile : file containing certificate(s) to verify. Certificates will be matched against CTL entries,
and match results displayed. Suppresses most of the default output.
InFileList : comma separated list of Certificate or CRL files to modify and re-sign
SerialNumber : Serial number of certificate to create. Validity period and other options must not be present.
CRL : Create an empty CRL. Validity period and other options must not be present.
OutFileList : comma separated list of modified Certificate or CRL output files. The number of files must match InFileList.
StartDate+dd:hh : new validity period: optional date plus optional days and hours validity period.
If both are specified, use a plus sign (+) separator.
Use 'now[+dd:hh]' to start at the current time. Use 'never' to have no expiration date (for CRLs only).
SerialNumberList : Comma separated serial number list to add or remove
ObjectIdList : Comma separated extension ObjectId list to remove
@ExtensionFile : INF file containing extensions to update or remove:
HashAlgorithm : Name of the hash algorithm preceded by a # sign: #MD2 #MD4 #MD5 #SHA1 #SHA256 #SHA384 or #SHA512
AlternateSignatureAlgorithm : alternate Signature algorithm specifier
A minus sign causes serial numbers and extensions to be removed. A plus sign causes serial numbers to be added to a CRL.
When removing items from a CRL, the list can contain both serial numbers and ObjectIds.
A minus sign before AlternateSignatureAlgorithm causes the legacy signature format to be used.
A plus sign before AlternateSignatureAlgorithm causes the alternate signature format to be used.
If AlternateSignatureAlgorithm is not specified then the signature format in the certificate or CRL is used.
Add an Enrollment Server application and application pool if necessary, for the specified CA.
This command does not install binaries or packages.
One of the following authentication methods with which the client connects to a Certificate Enrollment Server.
Kerberos : Use Kerberos SSL credentials
UserName : Use named account for SSL credentials
ClientCertificate : Use X.509 Certificate SSL credentials
AllowRenewalsOnly : Only renewal requests can be submitted to this CA via this URL
AllowKeyBasedRenewal : Allows use of a certificate that has no associated account in the AD.
This applies only with ClientCertificate and AllowRenewalsOnly mode.
Delete an Enrollment Server application and application pool if necessary, for the specified CA.
This command does not remove binaries or packages.
One of the following authentication methods with which the client connects to a Certificate Enrollment Server.
Kerberos : Use Kerberos SSL credentials
UserName : Use named account for SSL credentials
ClientCertificate : Use X.509 Certificate SSL credentials
Add a policy server application and application pool if necessary.
This command does not install binaries or packages.
One of the following authentication methods with which the client connects to a Certificate Policy Server.
Kerberos : Use Kerberos SSL credentials.
UserName : Use named account for SSL credentials.
ClientCertificate : Use X.509 Certificate SSL credentials.
KeyBasedRenewal : Only policies that contain KeyBasedRenewal templates are returned to the client.
This flag applies only for UserName and ClientCertificate authentication.
Delete a policy server application and application pool if necessary.
This command does not remove binaries or packages.
One of the following authentication methods with which the client connects to a Certificate Policy Server.
Kerberos : Use Kerberos SSL credentials.
UserName : Use named account for SSL credentials.
ClientCertificate : Use X.509 Certificate SSL credentials.
KeyBasedRenewal : KeyBasedRenewal policy server.
ObjectId : ObjectId to display or to add display name
GroupId : Decimal GroupId number for ObjectIds to enumerate
AlgId : Hexadecimal AlgId for ObjectId to look up
AlgorithmName : Algorithm Name for ObjectId to look up
DisplayName : Display Name to store in DS
delete : Delete display name
LanguageId : Language Id (defaults to current: 1033)
Type : DS object type to create: 1 for Template (default), 2 for Issuance Policy, 3 for Application Policy
Use -f to create DS object.
ca : Use CA's registry key
restore : Use CA's restore registry key
policy : Use policy module's registry key
exit : Use first exit module's registry key
template : Use template registry key (use -user for user templates)
enroll : Use enrollment registry key (use -user for user context)
chain : Use chain configuration registry key
PolicyServers : Use Policy Servers registry key
ProgId : Use policy or exit module's ProgId (registry subkey name)
RegistryValueName : registry value name (use 'Name*' to prefix match)
ca : Use CA's registry key
restore : Use CA's restore registry key
policy : Use policy module's registry key
exit : Use first exit module's registry key
template : Use template registry key (use -user for user templates)
enroll : Use enrollment registry key (use -user for user context)
chain : Use chain configuration registry key
PolicyServers : Use Policy Servers registry key
ProgId : Use policy or exit module's ProgId (registry subkey name)
RegistryValueName : registry value name (use 'Name*' to prefix match)
Value : new numeric, string or date registry value or filename.
If a numeric value starts with '+' or '-', the bits specified in the new value are set or cleared in the existing registry value.
If a string value starts with '+' or '-', and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value.
To force creation of a REG_MULTI_SZ value, add a '\n' to the end of the string value.
If the value starts with '@', the rest of the value is the name of the file containing the hexadecimal text representation of a binary value.
If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh] -- an optional date plus or minus optional days and hours.
If both are specified, use a plus sign (+) or minus sign (-) separator.
Use 'now+dd:hh' for a date relative to the current time.
Use 'chain\ChainCacheResyncFiletime @now' to effectively flush cached CRLs.
ca : Use CA's registry key
restore : Use CA's restore registry key
policy : Use policy module's registry key
exit : Use first exit module's registry key
template : Use template registry key (use -user for user templates)
enroll : Use enrollment registry key (use -user for user context)
chain : Use chain configuration registry key
PolicyServers : Use Policy Servers registry key
ProgId : Use policy or exit module's ProgId (registry subkey name)
RegistryValueName : registry value name (use 'Name*' to prefix match)
UserKeyAndCertFile : Data file containing user private keys and certificates to be archived.
This can be any of the following:
Exchange Key Management Server (KMS) export file
PFX file
CertId : KMS export file decryption certificate match token. See -store.
Use -f to import certificates not issued by the CA.
Use ExistingRow to import the certificate in place of a pending request for the same key.
Use -f to import certificates not issued by the CA. The CA might also need to be configured to support foreign certificate import: certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN
script : generate a script to retrieve and recover keys (default behavior if multiple matching recovery candidates are found, or if
the output file is not specified).
retrieve : retrieve one or more Key Recovery Blobs (default behavior if exactly one
matching recovery candidate is found, and if the output file is specified)
recover : retrieve and recover private keys in one step (requires Key Recovery Agent
certificates and private keys)
SearchToken : Used to select the keys and certificates to be recovered.
any of the following:
Certificate Common Name
Certificate Serial Number
Certificate SHA-1 hash (thumbprint)
Certificate KeyId SHA-1 hash (Subject Key Identifier)
Requester Name (domain\user)
UPN (user@domain)
RecoveryBlobOutFile : output file containing a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates.
OutputScriptFile : output file containing a batch script to retrieve and recover private keys.
OutputFileBaseName : output file base name. For retrieve, any extension is truncated and a certificate-specific string and the .rec extension are appended for each key recovery blob. Each file contains a certificate chain and an associated private key, still encrypted to
one or more Key Recovery Agent certificates. For recover, any extension is truncated and the .p12 extension is appended.
Contains the recovered certificate chains and associated private keys, stored as a PFX file.
PFXInFileList : Comma separated PFX input file list
PFXOutFile : PFX output file
ExtendedProperties: Include extended properties
The password specified on the command line is a comma separated password list.
If more than one password is specified, the last password is used for the output file.
If only one password is provided or if the last password is '*', the user will be prompted for
the output file password.
PFXInFileList : Comma separated PFX input file list
EPF : EPF output file
cast : Use CAST 64 encryption
cast- : Use CAST 64 encryption (export)
V3CACertId : V3 CA Certificate match token. See -store CertId description.
Salt: EPF output file salt string
The password specified on the command line is a comma separated password list.
If more than one password is specified, the last password is used for the output file.
If only one password is provided or if the last password is '*', the user will be prompted for
the output file password.
Certutil is sensitive to the order of command-line parameters.
Certutil replaces the File Checksum Integrity Verifier (FCIV) found in earlier versions of Windows.
There are some documentation inconsistencies between the command-line help (Certutil -?) and the various MSDN help pages.
e.g. -encodehex is completely missing from the command-line help.
The -decode option might not always restore spaces - see forum thread.
Examples
Display the SHA256 hash of a file:
certutil -hashfile c:\demo\anything.txt SHA256
Dump (read config information) from a certificate file:
certutil -dump c:\demo\sample.CER
Copy a certificate revocation list (CRL) to a file:
certutil -getcrl F:\ss64.crl
Purge local policy cache (Certificate Enrollment Policy Web Services):
certutil -f -policyserver * -policycache delete
View the content of the client computer’s Trusted Root Certification Authorities Enterprise certificate store:
certutil -enterprise -viewstore Root
Check the browser's Trusted Certificate list against the Windows Update servers:
certutil -f -verifyCTL AuthRootWU
Stop Certificate Services:
certutil -shutdown
Convert a hex-encoded file to a binary executable. This is primarily intended for converting X.509 certificates from a human-readable format (.asn) into a computer-readable format (.bin):
certutil -decodehex hex.dat ss64.exe
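Following on from the -hashfile example above, this added PowerShell example (not part of the original reference) checks a file against a published digest by parsing certutil's output. The function names and the sample output are constructed for illustration; the parser accepts both a contiguous digest line and the space-separated byte layout that some older Windows builds print.

```powershell
# Added example: verify a file against a published digest with certutil -hashfile.
# Function names are hypothetical; the sample output at the bottom is constructed.

function ConvertFrom-CertutilHashOutput {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines,
        [Parameter(Mandatory)][string]$Algorithm
    )
    # Expected digest length in hex characters for each accepted algorithm.
    $hexLength = @{ MD5 = 32; SHA1 = 40; SHA256 = 64; SHA384 = 96; SHA512 = 128 }
    $want = $hexLength[$Algorithm.ToUpperInvariant()]
    if (-not $want) { throw "Unsupported algorithm '$Algorithm'" }

    foreach ($line in $Lines) {
        # Strip whitespace so 'e3 b0 c4 ...' and 'e3b0c4...' are treated alike.
        # Header and status lines contain non-hex characters and are skipped.
        $hex = $line -replace '\s', ''
        if ($hex.Length -eq $want -and $hex -match '^[0-9a-fA-F]+$') {
            return $hex.ToLowerInvariant()
        }
    }
    throw "No $Algorithm digest found in certutil output"
}

function Test-FileHashWithCertutil {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Expected,
        [string]$Algorithm = 'SHA256'
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Argument order matters to certutil: file first, then the algorithm name.
    $out = @(& certutil.exe -hashfile $full $Algorithm | ForEach-Object { "$_" })
    if ($LASTEXITCODE -ne 0) {
        throw ("certutil exited with code {0}: {1}" -f $LASTEXITCODE, ($out -join ' '))
    }
    $actual = ConvertFrom-CertutilHashOutput -Lines $out -Algorithm $Algorithm
    $wanted = ($Expected -replace '\s', '').ToLowerInvariant()
    [pscustomobject]@{
        Path      = $full
        Algorithm = $Algorithm
        Actual    = $actual
        Match     = ($actual -eq $wanted)
    }
}

# Constructed sample output in both layouts (the digest is SHA-256 of zero bytes,
# used only as a recognisable constant).
$modern = @(
    'SHA256 hash of C:\demo\anything.txt:'
    'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
    'CertUtil: -hashfile command completed successfully.'
)
$legacy = @(
    'SHA256 hash of file C:\demo\anything.txt:'
    'e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55'
    'CertUtil: -hashfile command completed successfully.'
)
$a = ConvertFrom-CertutilHashOutput -Lines $modern -Algorithm SHA256
$b = ConvertFrom-CertutilHashOutput -Lines $legacy -Algorithm SHA256
if ($a -ne $b) { throw 'The two layouts parsed to different digests' }

# On a Windows host:
# Test-FileHashWithCertutil -Path C:\demo\anything.txt -Expected '<published digest>'
```

Take the expected digest from a channel separate from the download itself; a digest served next to the file only detects corruption, not substitution.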
“And yet I do observe that audiences which used to be deeply affected by the inspiring sternness of the music of Livius and Naevius, now leap up and twist their necks and turn their eyes in time with our modern tunes” ~ Cicero (De Legibus II.39 c. 50 BCE) on the evils of modern music.
Related commands:
CertMgr.MSC - GUI for managing Certificates.
CERTREQ - Request certificate from a certification authority.
How Certificate Revocation Works - TechNet.
Equivalent PowerShell command: Get-FileHash - Compute the hash value for a file.
Equivalent bash command: cksum - Print CRC checksum and byte counts. / base64 - encode/decode and print to StdOut.
Copyright © 1999-2021 SS64.com
Some rights reserved