MS Shell Dlg
msctls_progress32
Please wait for this operation to finish.
URL Retrieval Tool
MS Shell Dlg
Exit
SysListView32
List1
Select...
Retrieve
Certs (from AIA)
CRLs (from CDP)
OCSP (from AIA)
Retrieve
Timeout (sec)
Note: CRLs or certificates being downloaded are not exhaustively verified. A CRL or cert may still be inconsistent or may not have the proper extensions to allow for correct verification.
Url to Download
Sign LDAP Traffic
CA Certificate Request
MS Shell Dlg
Select an online CA to send the request
Computer &Name:
&Parent CA:
Br&owse...
replaced by IDS_REQUEST_HELPTEXT 2 3 4
OK
Cancel
PKCS #7 (*.p7b)|*.p7b|X.509 Certificate (*.cer;*.crt)|*.cer;*.crt|Personal Information Exchange (*.p12, *.pfx)|*.pfx|All Files (*.*)|*.*||
Select file to complete CA installation
Unknown provider name
Cannot find the certificate for %1 to build a certificate chain. Do you wish to install this certificate now?
Cannot verify certificate chain.
Do you wish to ignore the error and continue?>An error occurred retrieving the pending certificate from %1: Get Server CA Name Select CASave certificate and KeysRetrieve CertificateFinish Suspended Setup(The certificate is not a CA certificate.Setup completeRetrieve Pending Certificate Key IndexLoad Old CertificateClone Root Certificate Build RequestPARenew CA -- reuse keysInstall CA CertificateRenew CA -- new keysBuild CA CertificateSave Chain and KeysqIf you want to send the request to an offline CA, click Cancel and send the request file at %1 to your parent CA.Create DS CDP object$Create DS enrollment services objectCreate DS Root TrustPublish CA in DSSubmit RequestAn error occurred when creating the new key container "%1". Please make sure the CSP is installed correctly or select another CSP. :The Certification Authority certificate has a bad length: The new Certification Authority certificate cannot be installed because the CA Version extension is incorrect. The most recently generated request file should be used to obtain the new certificate: %1|The root certificate is untrusted. Do you wish to trust the root certificate on this machine and complete the installation?MCannot add the Certification Authority certificate to the certificate store: PASCannot create a certificate context using the Certification Authority certificate: Unreferenced INF sections Set SecurityCannot create file %1: lThe existing private key "%1" cannot be deleted. Either reuse this key, or use a different name for the CA. Cannot encode key attributes: Cannot encode certificate: 2The %SystemRoot% environment variable is not set. This key storage device is full and the new key "%1" could not be added. Go back and pick an existing key, or use a different key storage device. An error occurred when generating key "%1" for the Active Directory Certificate Services service. Either the CSP configuration is not complete or the key length is not supported. 
Please make sure the CSP is installed correctly or select another CSP. $Cannot determine the computer name: An error occurred when setting the security access on the private key "%1", or the CSP selected does not support setting security access on private keys. Please make sure the CSP is installed correctly or select another CSP. 8Cannot decode Certification Authority name information: The parent CA has denied your request because you are not a domain administrator. (%1) To obtain the certificate for your CA, you must request the certificate as a domain administrator. You can install the certificate using the Certification Authority snap-in.KThe new certificate subject Common Name does not match the active CA name: Generate KeysPAAn error was detected while configuring Active Directory Certificate Services. The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration. lThe parent CA has denied your request for a CA certificate. Please contact the parent CA administrator. (%1)|An error occurred when the parent CA processed this CA certificate request. Please contact the parent CA administrator. (%1)^This CA certificate request did not complete. Please contact the parent CA administrator. (%1)eThis CA certificate will be issued administratively. Please contact the parent CA administrator. (%1)eThis CA certificate request is in the pending state. Please contact the parent CA administrator. (%1)bThis CA certificate was revoked by the parent CA. Please contact the parent CA administrator. (%1)ECannot set the key provider information for the certificate context: Cannot submit the certificate request to the specified CA. Please ensure that the CA information is correct and that the CA is online. Note: only CAs running the Microsoft Active Directory Certificate Services are supported. Cannot submit the certificate request to the specified CA. 
(%1) To obtain the certificate for your CA, you can install the certificate using the Certification Authority snap-in.The new certificate subject name does not exactly match the active CA name. Renew with a new key to allow minor subject name changes: The new certificate public key does not match the current outstanding request. The wrong request may have been used to generate the new certificate: Find certificate for %1CCannot write the Certification Authority certificate to file "%1": Cannot write to file %1: INF file errorSet Key Security Parent CA = Request ID = /Microsoft Active Directory Certificate ServicesSet Directory SecurityAn error occurred when creating the new key container "%1". You do not have write access permission to the key container. Please use a different CA name. 'Dump configuration information or files Get default configuration string3Get default configuration string via ICertGetConfig CA VersionDecode hexadecimal-encoded fileDecode Base64-encoded fileEncode file to Base64Deny pending requestResubmit pending requestRevoke Certificate%Publish new CRLs [or delta CRLs only]Get CRL'Display current certificate disposition"Set attributes for pending request!Set extension for pending requestRetrieve the CA's certificate#Retrieve the CA's certificate chainUserKeyAndCertFile [CertId]GImport user keys and certificates into server database for key archivalDump Raw DatabaseVerify public/private key set Verify certificate, CRL or chain+Check certificate for 0x7f length encodingsDisplay this usage messageVerbose operation+Use IDispatch instead of COM native methodsReverse Log and Queue columnsOptions:Unrecognized ReasonInFile OutFileO Column Name Localized Name Type MaxLengthO ---------------------------- ---------------------------- ------ --------- RequestId RequestIdSerialNumber [Reason][%3 | %1] [%2]OutFile [Index] [%1]SerialNumber | CertHashRequestId AttributeString>RequestId ExtensionName Flags {Long | Date | String | @InFile}OutCACertFile 
[Index]OutCACertChainFile [Index][KeyContainerName CACertFile]CertFile [ApplicationPolicyList | - [IssuancePolicyList]] CertFile [CACertFile [CrossedCACertFile]] CRLFile CACertFile [IssuedCertFile] CRLFile CACertFile [DeltaCRLFile]CertFile Out of memoryMissing %ws argUnknown arg: %wsMultiple verb args: %wsMissing argumentToo many argumentsInternal verb table errorUnexpected "-%ws" optionUsage:OptionsVerbs:ObjectId -- ObjectId to display or to add display name GroupId -- decimal GroupId number for ObjectIds to enumerate AlgId -- hexadecimal AlgId for ObjectId to look up AlgorithmName -- Algorithm Name for ObjectId to look up DisplayName -- Display Name to store in DS %1 -- delete display name LanguageId -- Language Id (defaults to current: %2) Type -- DS object type to create: 1 for Template (default), 2 for Issuance Policy, 3 for Application Policy Use %3 to create DS object. -- IndexedInput Length = %dNo Key Authority serial numberOutput Length = %dDecodeFile returned %wsEncodeToFile returned %wsIssuerSubject<ERROR: CA Issuer name does not match Key Authority name (%x))CA Issuer name matches Key Authority namePANo Key Authority name8ERROR: Issuer serial number does not match Key Authority*Issuer serial number matches Key Authority Issuer NameKeyAuthority NameKeyId:Key Authority SerialNumber:CA Serial Number:Process:[DomainDN | -]LoadKeys returned %wsLoadCert returned %ws:ERROR: Certificate public key does NOT match stored keysetContainer Public Key:Certificate Public Key::Key "%ws" verifies as the public key for Certificate "%ws"PAAKey "%ws" does NOT verify as the public key for Certificate "%ws"'Leaf certificate is REVOKED (Reason=%x)@ERROR: Verifying leaf certificate revocation status returned %ws/Cannot check leaf certificate revocation status(Leaf certificate revocation check passedLoadCert(Cert) returned %wsLoadCert(CA) returned %wsCertIssuing CA CertCert Serial Number:Issuing CA Cert Serial Number:<Issuing CA is not a root: Subject name does not match 
Issuer9ERROR: Issuing CA Subject name does not match Cert Issuer+Issuing CA Subject name matches Cert Issuer3CertVerifySubjectCertificateContext Flags = %x --> )ERROR: Certificate validation failure: %xPA;ERROR: CA did not issue Certificate: Signature check failedERROR: Certificate has expiredCertificate is current3Contains CRL_DIST_POINTS revocation-check extension;Contains NETSCAPE_REVOCATION_URL revocation-check extension-Certificate has no revocation-check extension%ws verifies as issued by %ws#%ws does NOT verify (issued by %ws) -- Revocation check skipped. -- Revocation check passed. -- Revocation check: REVOKED. -- Revocation check FAILED.Signature matches Public Key CRL Entries:Cert:???PASuspect length in : field=%ws , oid=%ws*Extension %d: oid="%hs" fcrit=%u length=%x'Signature does not match Public key: %xCannot decode object: %wsAlgorithm ObjectIdAlgorithm Parameters:NULLPublic Key: UnusedBits = %uChallengeString: "%ws"Config String: "%ws"#ICertGetConfig Config String: "%ws"-Certificate request is pending: RequestId: %uCertificate issued.7Certificate has not been issued: Disposition: %d -- %ws,Certificate disposition for "%ws" is invalid*Certificate disposition for "%ws" is valid2Certificate disposition for "%ws" is revoked (%ws)DateLongStringBinarySchema:Row %u:Opening Database %wsEMPTY error = %ws, Any FormatPKCS10 KeyGen TagPKCS7Unknown Force TeletexRenewalCriticalDisabledPolicyFlags=%xRequestPolicyAdminServerUNKNOWN Origin=%ws???=%x!Get configuration via ICertConfigRequest Properties:PACertificate Properties: Command LineSanitized Name:%ws: Flags = %x%ws, Length = %x&Expected at least %u args, received %u*Expected no more than %u args, received %u.No active Certification Authorities found: %ws%ws: -%ws command FAILED: %ws???NoneOtherIssuer IssuerRDNIssuerRDNAttributeIssuerRDNStringSubjectPA SubjectRDNSubjectRDNAttributeSubjectRDNString ExtensionsExtensionArray ExtensionExtensionValueExtensionValueRawNo key provider informationDump Certificate View%ws 
added to DS store.<Ping Active Directory Certificate Services Request interface:Ping Active Directory Certificate Services Admin interfaceName:Organizational Unit: Organization:PA Locality:State:Country/region:Config:Exchange Certificate:Signature Certificate: Description:Server: Authority:EntryCertificate Extensions:Request Attributes:.Shutdown Active Directory Certificate ServicesCommand StatusDump Certificate SchemaCommand SucceededPasswordX509 Certificate:!X509 Certificate Revocation List:PKCS10 Certificate Request:KeyGen Certificate Request: Version: %uSerial Number:Signature Algorithm:Public Key Algorithm:Issuer Unique Id:Subject Unique Id: NotBefore: NotAfter: ThisUpdate: NextUpdate:Revocation Date: Extensions:CRL Extensions:PKCS7 Message:PPossible Root Certificate: Subject matches Issuer, but Signature check fails: %xNon-root Certificate(Root Certificate: Subject matches Issuer3Non-root Certificate uses same Public Key as IssuerRevoking "%ws"Enter PFX password:Unknown Extension type Private Key:LengthDisplay times as GMTGMTBackupDirectoryHBackup Active Directory Certificate Services certificate and private keyBackupDirectory | PFXFileIRestore Active Directory Certificate Services certificate and private key,[CertificateStoreName [CertId [OutputFile]]]Dump certificate storeProviderType = %xKey Container = %wsProvider = %ws KeySpec = %xFlags4Restored keys and certificates for %ws\%ws from %ws.3Backed up keys and certificates for %ws\%ws to %ws. 
[CACertFile]+Install Certification Authority certificatePKCS7 Message Content:Authenticated AttributesSigning Certificate Index8================ Begin Nesting Level %d ================8---------------- End Nesting Level %d ----------------%ws: Lang %08x (%u.%u) File %u.%u:%u.%u Product %u.%u:%u.%u No SignerNo PKCS7 Message ContentNo CertificatesNo CRLs Certificates:CRLs:Renewal Certificate:Encrypted Hash: %d attributes: Attribute Value[%d][%d], Length = %xPABackupDirectory [%1] [%2]5Backup Active Directory Certificate Services databaseBackupDirectory6Restore Active Directory Certificate Services databaseReason: UnspecifiedReason: Key CompromiseReason: CA CompromiseReason: Affiliation ChangedReason: SupersededReason: Cessation of OperationReason: Certificate HoldReason: Remove From CRL#List CSPs installed on this machine#Test CSPs installed on this machine [Algorithm](Use silent flag to acquire crypt contextG%1 -- Request queue %2 -- Issued or revoked certificates, plus failed requests %3 -- Failed requests %4 -- Revoked certificates %5 -- Extension table %6 -- Attribute table %7 -- CRL table %8 -- Output as Comma Separated Values To display the StatusCode column for all entries: -out StatusCode To display all columns for the last entry: -restrict "RequestId==$" To display RequestId and Disposition for three requests: -restrict "RequestId>=37,RequestId<40" -out "RequestId,Disposition" To display Row Ids and CRL Numbers for all Base CRLs: -restrict "CRLMinBase=0" -out "CRLRowId,CRLNumber" %7 To display Base CRL Number 3: -v -restrict "CRLMinBase=0,CRLNumber=3" -out "CRLRawCRL" %7 To display the entire CRL table: %7 Use "Date[+|-%10]" for date restrictions Use "%9+%10" for a date relative to the current time![ObjectId | %1 | %2 [CommonName]]ActivePendingIssuedRevokedErrorDenied Renewal Cert[Stop and Start Active Directory Certificate Services to complete database restore from %ws.'Server ICertAdmin%ws interface is alive@Cannot open Active Directory Certificate 
Services database: %ws.OThe Certification Authority service must be stopped for direct database access.(Local)9%ws: No local Certification Authority; use -config optionReason: UnrevokejThis might be caused by: Inaccessible server No permissions on server Server not in the expected state 3Server "%ws" ICertRequest%ws interface is alive %wsConnecting to %ws .../Use HKEY_CURRENT_USER keys or certificate store0================ Certificate %d ================Enter new password:Confirm new password:$Password differs -- please try againMissing stored keysetBackupDirectory [%1] [%2],Backup Active Directory Certificate ServicesBackupDirectory-Restore Active Directory Certificate ServicesCertificateStoreName InFileAdd certificate to storeCertificateStoreName CertIdDelete certificate from storeCertificateStoreName [CertId]Verify certificate in storeDeleting Certificate %d: %wsVerifies against UNTRUSTED rootIncomplete certificate chainCertificate is valid IncompleteErrorDeniedIssuedIssued Out of BandPendingRevoked(Certificate request for "%ws" is pending3Cannot add a non-root certificate to the root storeForce overwrite>Certificate or key exists. 
Use the "%ws" option to overwrite.$Incremental database backup for %ws.Full database backup for %ws.Backed up database to %ws.Database logs were preserved.%Database logs successfully truncated.Restoring database for %ws.Unknown Attribute typeXObjectId [DisplayName | %1 [LanguageId [Type]]] GroupId AlgId | AlgorithmName [GroupId]$Display ObjectId or set display nameUnknown ObjectId Certfile [%1]+Import a certificate file into the database,Imported Certificate, Assigned RequestId %i.*Revocation check skipped -- server offline?Revocation check skipped -- no revocation information availableDisplay dynamic file List4[{%1|%2|%3|%4|%5|%6|%7|%8}\[%9\]][RegistryValueName]Display registry value8[{%1|%2|%3|%4|%5|%6|%7|%8}\[%9\]]RegistryValueName ValueSet registry value Old Value: New Value:AltName: %u entries:AltNameDisplay database locations)Not a valid backup target directory: %ws."Not a valid backup directory: %ws.(Backup content verification failed: %ws.%Incremental database restore for %ws.PAFull database restore for %ws. Imported CertERROR: Cert is not yet validERROR: Cert has expired.ERROR: Cert Valid before issuing CA Cert Valid1ERROR: Cert Expires after issuing CA Cert Expires=Decoded extra Extension Array encoding layer (Teletex string) ErrorCodeDisplay error code message text/Create/delete web virtual roots and file sharesWeb Virtual Root %wsFile Share %wsCreatedDeletedAlready Exists Not Found Create Error Delete ErrorNot Supported. The virtual directory cannot be created because the "IIS 6 Metabase Compatibility" role service is not installed. 
Install the "IIS 6 Metabase Compatibility" role service and run the command again.[%1]Backing up Database filesBacking up Log filesTruncating LogsRestoring Database filesRestoring Log filesMaximum Row IndexCA Cert CA Cert Chain Characters OVERFLOW:Repeated "-%ws" option)Config string must include Authority namePA"CertFile -- certificate file to publish %1 -- Publish cert to DS Enterprise store %2 -- Publish cert to DS Trusted Root store %3 -- Publish CA cert to DS CA object %4 -- Publish cross cert to DS CA object %5 -- Publish cert to DS Key Recovery Agent object %6 -- Publish cert to User DS object %7 -- Publish cert to Machine DS object CRLFile -- CRL file to publish DSCDPContainer -- DS CDP container CN, usually the CA machine name DSCDPCN -- DS CDP object CN, usually based on the sanitized CA short name and key index Use %8 to create DS object.3Ensure the server is correctly installed and retry.)Connecting to data source %hs as user %hs,Failed to connect to data source 0x%08x (%d)Converted %u rows2Skipped %u rows that already exist in new Database:Skipped %u rows not issued by this Certification AuthorityConverting Row %u/Row %u -- Skipping duplicate Serial Number: %wsHRow %u -- Skipping entry not issued by this Certification Authority: %ws)Converting source row %u to target row %u#Begin names table entries for %u.%u!End names table entries for %u.%u Get SMTP info LogonName Set SMTP infoPA%u RowsRow PropertiesRequest AttributesCertificate Extensions Total Fields6%4u %ws, Total Size = %u, Max Size = %u, Ave Size = %uPrivate key is NOT exportableEnterprise Root CAEnterprise Subordinate CAStand-alone Root CAStand-alone Subordinate CAUnknown CA Type: %u[%1] [Machine\ParentCAName])Renew Certification Authority certificateCert Hash(%ws):Error message text: %wsPA(================ CRL %d ================Deleting CRL %d: %ws CA Certs: %uKeys:Values:Load(CRL) returned %wsCRLERROR: CRL is not yet validERROR: CRL has expired-ERROR: CRL Valid before issuing CA Cert 
Valid0ERROR: CRL Expires after issuing CA Cert Expires8ERROR: Issuing CA Subject name does not match CRL Issuer*Issuing CA Subject name matches CRL Issuer3ERROR: CA did not issue CRL: Signature check failedCRL signature is validCA Key Id matches Key Id&ERROR: CA Key Id does not match Key Id No Key Id Incomplete UnavailableError: No CRL for this CertRevokedValidExpiredUnder SubmissionUnknown[KeyContainerName | -]List key containersKeyContainerNameDelete named key containerCertificate is REVOKEDCA cert verify statusPAFlags:8ERROR: Certificate public key does NOT match private keySignature test passedSignature test FAILEDDisplay DS Certificates[FullDSDN] | [CertId [OutFile]]Display DS CRLs![FullDSDN] | [CRLIndex [OutFile]][CN]Display DS DNsCN Delete DS DNsDeleting[InfoName [Index | ErrorCode]]Display CA InformationInfoName argument syntax: ErrorCode[Index] Force UTF-8Signature: UnusedBits=%u Short Name:Sanitized Short Name:SMIME Capabilities: Request File:PKCS7 Attribute No SignatureCertificate Sequence:Cannot find certificate:Valid Encrypted Key Hash[%1 | %2 | %3]'[%1 | %2 | %3 | %4 | %5 | %6 | %7] [%8]![FullDSDN] | [CRLIndex [OutFile]]PADisplay DS Delta CRLs+Display times with seconds and milliseconds2ERROR: CA Cert has no Basic Constraints2 Extension9ERROR: Cannot decode CA Cert Basic Constraints2 Extension+ERROR: CA Cert is an End Entity certificateCert is a CA certificate!Cert is an End Entity certificate Element %u:CMCCertificate is NOT valid: %wsEncryption test passedEncryption test FAILEDUse V1 interfaces File versionProduct versionExit module countPAExit module descriptionPolicy module descriptionCA nameSanitized CA name Shared folderCA type Parent CA CA cert countCA cert CA cert chainCA exchange cert countCA exchange certCA exchange cert chainBase CRL Delta CRLCA certCRLCA info$Display CA Property Type Information!Use ICertAdmin2 for CA PropertiesMaximum CA PropId(Select a certificate from a selection UICertificate ListList certificatesList certificates for 
ObjectId3List Enrollment Registration Authority certificates$List Key Recovery Agent certificatesKey Id Hash(%ws):CMS Certificate Request: CMS Response:Tagged Attributes:Tagged Content Info:Tagged Requests:Tagged Other Messages:UNKNOWN Request Choice Body Part Id:Cannot load key: %wsExpired certificateUnauthenticated Attributes Content TypeData ReferenceCert ReferenceValueUNKNOWN Tagged Attribute Signer Count Signer InfoHash Algorithm:Encrypted Hash Algorithm:Stored Hash%ws:Computed Hash%ws: CMC Attribute%Exchange Authority Information AccessExchange VersionInFile [HashAlgorithm]3Generate and display cryptographic hash over a file%ws hash of file %ws:CA Key Exchange CertificatePass No RecipientRecipient CountRecipient InfoDNS NamehSearchToken [RecoveryBlobOutFile] SearchToken %1 OutputScriptFile SearchToken %2 | %3 OutputFileBaseNamegRetrieve archived private key recovery blob, generate a recovery script, or recover archived keysPA0RecoveryBlobInFile [PFXOutFile [RecipientIndex]]Recover archived private key FileDecrypted PKCS7 Message ContentCannot decrypt message content.LKey recovery requires one of the following certificates and its private key:User Certificate:Algorithm ClassAlgorithm TypeAlgorithm Sub-idCMC Status InfoBody Part Id Reference Status StringOther Info Choice Fail Info Pend Token: Pend TimeNCertFile [%1 | %2 | %3 | %4 | %5 | %6 | %7] CRLFile [DSCDPContainer [DSCDPCN]].Publish certificate or CRL to Active Directory1Could not load Certificate or CRL from file (%ws)UserAuthenticated SessionSmartcard Logon Basic EFS AdministratorEFS Recovery Agent Code SigningTrust List SigningComputerDomain Controller Web ServerKDCRoot Certification Authority#Subordinate Certification AuthorityEnrollment AgentSmartcard UserUser Signature OnlydThe value for the following key is incorrect in the INF file. It should be a non-zero numeric value.IPSecmThe value for RenewalValidityPeriodUnits is incorrect in CAPolicy.inf. 
It should be a non-zero numeric value.IPSec (Offline request)The value for RenewalValidityPeriod is incorrect in CAPolicy.inf. It should be one of the following: Years, Months, Weeks or Days (in English).Router (Offline request)reqOpen Request FileRequest Files (*.req; *.txt; *.cmc; *.der)|*.req;*.txt;*.cmc;*.der|Certificate Files(*.cer; *.crt; *.der)|*.cer;*.crt;*.der|All Files (*.*)|*.*||Please enter a computer name.7Please make sure there is a running CA on the computer.There is no matched CA on the computer. This might be caused by the computer being offline. Please contact the system administrator or select a different CA.@Cannot ping the selected CA. Please make sure the CA is running.+Exchange Enrollment Agent (Offline request) Exchange UserExchange Signature OnlyeThere are no published CAs available. Please contact the system administrator or select a CA by name.Enrollment Agent (Computer)Save Request FileCEP Encryption Built PolicyPolicy ElementPolicy Statement Extension!Policy inf missing section or keyOpened Policy infCannot open Policy infBeginEnd Manage CAIssue and Manage CertificatesManage Audit LogsBackup and RestoreReadRequest CertificatesPAClosed Policy inf Message BoxThe value for RenewalValidityPeriod is incorrect in unattended answer file. It should be one of the following: Years, Months, Weeks or Days (in English).Key Recovery Agent CA Exchange Cross Certification Authority Domain Controller AuthenticationDirectory Email Replication/ You have configured this Web client to forward requests to an enterprise CA. If the CA is using the enterprise default policy module, this computer must have delegation enabled and use Kerberos authentication. To enable delegation, see 'Allow computer accounts to be trusted for delegation' help topic.KThe Web client cannot be configured to forward requests to the selected CA.sThe value for the following key is incorrect in the INF file. 
It should be a boolean value (Yes/No/True/False/0/1).Workstation AuthenticationRAS and IAS Server Low AssuranceMedium AssuranceHigh AssuranceOCSP Response SigningKerberos AuthenticationPAKey recovery agentDirectory e-mail replication'Cross-certified certification authorityCertification authority (CA)ComputerUserUnknownActive Directory KRAActive Directory AIALogged on user Local systemusername/password certificatewindows integrated anonymousunknowncredential is privatePABytes%ws already in DS store. CertificateSubject Key Id (%ws): precomputedCannot open Cert store.NCannot open existing Cert store. Use %ws option to force Cert store creation.JCertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor]RRepair key association or update certificate properties or key security descriptor %d bit keyDelete registry value Cannot verify detached signature1[CertificateStoreName] CertId PFXFile [Modifiers]"Export certificate and private key*[CertificateStoreName] PFXFile [Modifiers]"Import certificate and private keyPA [Template]Display DS Template AttributesTemplateInfFileAdd DS TemplatesCreated DS TemplateUpdated DS Template)%ws: -%ws command completed successfully.DThe %ws service may need to be restarted for changes to take effect. 
[Template]#Display Enrollment Policy templatesTemplateDisplay CAs for template [Template]Display templates for CADisplay user templatesDisplay machine templatesTemplate Extensions:'Enter new password for output file %ws:Enter password for %ws:!Encode text without CR charactersInFile OutFile [type]Encode file in hexadecimalEmbedded ASN.1 Element:0Split embedded ASN.1 elements, and save to files7Use local machine Enterprise registry certificate storeNo root certificates found.Invalidity Date Querying %wsRole SeparationVerified Issuance PoliciesVerified Application Policies[URL | %1 | %2 [%3]]#Display or delete URL cache entriesKRA cert countKRA cert used countKRA certInvalid ObjectId or AlgorithmPKCS7/CMS Message:No display names Type mismatchLocalized nameCSP Provider InfoInFileList|SerialNumber|%1 OutFileList [StartDate+%9] [+SerialNumberList | -SerialNumberList | -ObjectIdList | @ExtensionFile] InFileList|SerialNumber|%1 OutFileList [#HashAlgorithm] [+%6 | -%6]Re-sign CRL or certificateSigning certificate Subject%RowId | Date [%1 | %2 | %3 | %4 | %5]Delete server database rowRows deleted: %uPAPOne of the following tables must be specified when deleting rows older than %ws:(The date specified is in the future: %wsCRL Hash(%ws): Include CRLs Full ResponseCA cert chain with CRLs CA exchange cert chain with CRLsPulse autoenrollment eventsDomainName\MachineName$3Display Active Directory machine object information%Machine object missing %ws attribute.Group Memberships:[Domain] [%1 | %2 | %3]%Display domain controller informationEnterprise Root store: %wsKDC certificates: %wsPADC UNAVAILABLE: %ws*** Testing DC[%u]: %ws*** Enterprise Root Certificates for DC %ws** KDC Certificates for DC %wsUnknown PropertyTemplatePublic Key Length: %u bitsAdvanced ServerCRL Publish StatusDelta CRL Publish Status TemplatesParameter = %xParameter Flags = %x Archived!DomainName\MachineName$Display enterprise informationDisplay CA informationDSS Key Length: %u bits(================ CTL %d 
================ Client Id:User:Machine:Certificate Trust List:List Identifier:Sequence Number:Subject Algorithm: CTL Entries:Usage Entries:Subject Identifier%ws:View Certificate StoreSelect CertificateSelect Certificate to DeletePASaved certificate %wsDeleted certificate %wsEnroll-on-Behalf-of[ReaderName [%1]]Display smart card informationService is paused.Service is stopped.Service is in an unknown state.5The Microsoft Smart Card Resource Manager is running.9The Microsoft Smart Card Resource Manager is not running.0Found AT_SIGNATURE key but no AT_KEYEXCHANGE key Server could not be reached: %wsSelect Decryption Certificate Foreign CertKRA CertUPN:PASubject Unmodified Publish ErrorNULL signature verifiesSource Url Name:Local File Name: Use Count: %d Hit Rate: %d File Size: %dLast Modified Time: Expire Time:Last Access Time:Last Sync Time:6Error: Check machine name. Should be domain\computer$#%ws is missing trailing $, correct?Issuer Domain Policy = Subject Domain Policy = PAMap[%u]:Cert Type not DC: %wsCert Usage missing %wsDeleted KDC certificate!+CertDeleteCertificateFromStore failed! - %x%u KDC certificates for %wsNo KDC Certificate in MY store)No certificates in Enterprise Root store!-CertOpenStore on remote My store failed! - %x%Error Getting Archived Prop bit! - %x++ Archived Certificate +++No Autoenrolled Certificates in MY store!!!,CertOpenStore on remote ent store failed! %xNo Autoenrollment Objects!!! No Access!*Retrieve and verify AIA Certs and CDP CRLsPAfDefaults to Request and Certificate table %1 -- Extension table %2 -- Attribute table %3 -- CRL table $CA Registry Validity Period: %ws %ws Supported Certificate Templates:$No supported Certificate Templates::$CA Name property fetching failed! %x CA Name: %ws%DNS Name property fetching failed! %xMachine Name: %wsDS Location: %ws$Cert DN property fetching failed! %x Cert DN: %ws$Sig Alg property fetching failed! %xSupported signature algs: %ws %No signature algs on DS! 
<Unexpected> No Certificate types for this CA2No certificate type returned, although one exists!PANo CA's listed in the domain. The configuration might be stored in the root domain. Use the -dc option to target your root domain controller for the information.Cannot access DFS shareDFS Data is accessible No entries found in Ping Search! No DSPath for Policy [non-fatal]!RegQueryValue (DSPATH) failed! %x%No FileSysPath for Policy [non-fatal]Done. ldap search (%ws) found 0 items!2=========== Root Certs in policy =================Certificate %u:.No Root Certificates in Policy on this machine#Check event log for UserEnv errors!)==== Policies Processed for MACHINE ===)==== Policies Processed for USER ===?Possibly No Policies applied. See Event Log for Userenv errors!#Target a specific Domain ControllerDCName Display Name:Computer Name: %wsUser Name: %ws bad option ++++++++ MACHINE: %ws ++++++++### Key: GPO Name: %ws$Signature matches request Public Key ColumnListComma separated Column ListRestrictionList Comma separated Restriction ListMachine\CANameCA and Machine name stringPA"Display a verb list (command list)$Display help text for the "%ws" verb#Display all help text for all verbsImported foreign certificateImported certificateCertificate already importedArchived key updated Archived keyKey already archivedIgnored signing certificateUsersIgnored signature certificatesCertificates with keysForeign certificates importedCertificates already importedCertificates importedCertificates not importedKeysKeys already archived Keys updated Keys archivedKeys not archivedMerge PFX filesPFXInFileList PFXOutFile [%9]OnlineOFFLINEPrevious CA Cert HashMessage DigestArchived Key Cert HashIssued Cert HashEncrypted Key Hash CRL NumberMinimum Base CRL NumberVirtual Base CRL NumberCRL Next Publish Signing Time Delta CRL CDP CRL Self CDPApplication PoliciesApplication Policy MappingsApplication Policy ConstraintsPolicy MappingsPolicy ConstraintsCounter Signature%%u Machine certificates (%u 
archived)for %wsV1 Autoenrollment Objects:Skipping CSP at index %uProvider Name:Provider Type:Private key verifiesProcessing KMS exports from:User:Encrypted key:Decrypted key:Failed to import symmetric key5Lock box opened, symmetric key successfully decrypted(Moved AT_SIGNATURE key to AT_KEYEXCHANGEValidated Cert Types Cert Type==== %u CAs on %ws Domain ====)CACountCAs inconsistent with CAEnumNextCACached LDAP DCCurrent reader/card status:PA,SCardEstablishContext failed for user scope.2A list of smart card readers cannot be determined.-SCardListReaders failed for SCARD_ALL_READERS.No smart card readers are currently available.5A list of smart card readers could not be determined.Readers: --- Reader: --- Status:No card.+The card is unrecognized or not responding..Card is in use exclusively by another process.&The card is being shared by a process.The card is available for use.Card/Reader not responding. --- Card: Unknown Card.*Performing %ws public key matching test...$%ws succeeded but returned zero size&Public key from KeyProvInfo container:Public key from Cert:"Public key matching test succeededChain on smart card is invalidChain validatesNo %ws key for reader:#Cannot open the %ws key for reader:!No %ws cert retrieved for reader:%Performing cert chain verification...Displayed %ws cert for reader:Analyzing card in reader:%Cannot retrieve Provider Name for %ws%1 -- Failed and pending requests (submission date) %2 -- Expired and revoked certificates (expiration date) %3 -- Extension table %4 -- Attribute table %5 -- CRL table (expiration date) To delete failed and pending requests submitted by January 22, 2001: 1/22/2001 %1 To delete all certificates that expired by January 22, 2001: 1/22/2001 %2 To delete the certificate row, attributes and extensions for RequestId 37: 37 To delete CRLs that expired by January 22, 2001: 1/22/2001 %5AllPANoneSelect Certificate or CRL/Certificate Files|*.cer;*.crt|CRL Files|*.crl||cerConvert PFX files to EPF file6PFXInFileList 
EPFOutFile [%1 | %2] [V3CACertId][,Salt]FERROR: Could not find a matching user or computer in Active Directory.KMS CA Certificate ListSelect KMS CA certificateRequestId -- numeric Request Id of a pending request ExtensionName -- ObjectId string of the extension Flags -- 0 is recommended. 1 makes the extension critical, 2 disables it, 3 does both. If the last parameter is numeric, it is taken as a Long. If it can be parsed as a date, it is taken as a Date. If it starts with '@', the rest of the token is the filename containing binary data or an ascii-text hex dump. Anything else is taken as a String.4InFileList -- comma separated list of Certificate or CRL files to modify and re-sign SerialNumber -- Serial number of certificate to create Validity period and other options must not be present %1 -- Create an empty CRL Validity period and other options must not be present OutFileList -- comma separated list of modified Certificate or CRL output files. The number of files must match InFileList. StartDate+%9 -- new validity period: optional date plus optional days and hours validity period If both are specified, use a plus sign (+) separator Use "%7[+%9]" to start at the current time Use "%8" to have no expiration date (for CRLs only) SerialNumberList -- comma separated serial number list to add or remove ObjectIdList -- comma separated extension ObjectId list to remove @ExtensionFile -- INF file containing extensions to update or remove: %2 %3 Remove CRL Distribution Points extension %4 Update Key Usage extension %5 HashAlgorithm -- Name of the hash algorithm preceded by a # sign %6 -- alternate Signature algorithm specifier A minus sign causes serial numbers and extensions to be removed. A plus sign causes serial numbers to be added to a CRL. When removing items from a CRL, the list may contain both serial numbers and ObjectIds. A minus sign before %6 causes the legacy signature format to be used. 
A plus sign before %6 causes the alternature signature format to be used. If %6 is not specifed then the signature format in the certificate or CRL is used. InfoName -- indicates the CA property to display (see below) Use "*" for all properties Index -- optional zero-based property index ErrorCode -- numeric error code%1 -- Use CA's registry key %2 -- Use CA's restore registry key %3 -- Use policy module's registry key %4 -- Use first exit module's registry key %5 -- Use template registry key (use -user for user templates) %6 -- Use enrollment registry key (use -user for user context) %7 -- Use chain configuration registry key %8 -- Use Policy Servers registry key %9 -- Use policy or exit module's ProgId (registry subkey name) RegistryValueName -- registry value name (use "Name*" to prefix match) Value -- new numeric, string or date registry value or filename. If a numeric value starts with "+" or "-", the bits specified in the new value are set or cleared in the existing registry value. If a string value starts with "+" or "-", and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add a "\n" to the end of the string value. If the value starts with "@", the rest of the value is the name of the file containing the hexadecimal text representation of a binary value. If it does not refer to a valid file, it is instead parsed as [Date][+|-][%11] -- an optional date plus or minus optional days and hours. If both are specified, use a plus sign (+) or minus sign (-) separator. Use "%10+%11" for a date relative to the current time. Use "%13" as a suffix to create a REG_QWORD value. 
Use "%7\%12 @%10" to effectively flush cached CRLs.%3 -- new CRL validity period in days and hours %1 -- republish most recent CRLs %2 -- delta CRLs only (default is base and delta CRLs)fIndex -- CRL index or key index (defaults to CRL for newest key) %1 -- delta CRL (default is base CRL)CertFile -- Certificate to verify ApplicationPolicyList -- optional comma separated list of required Application Policy ObjectIds IssuancePolicyList -- optional comma separated list of required Issuance Policy ObjectIds CACertFile -- optional issuing CA certificate to verify against CrossedCACertFile -- optional certificate cross-certified by CertFile CRLFile -- CRL to verify IssuedCertFile -- optional issued certificate covered by CRLFile DeltaCRLFile -- optional delta CRL If ApplicationPolicyList is specified, chain building is restricted to chains valid for the specified Application Policies. If IssuancePolicyList is specified, chain building is restricted to chains valid for the specified Issuance Policies. If CACertFile is specified, fields in CACertFile are verified against CertFile or CRLFile. If CACertFile is not specified, CertFile is used to build and verify a full chain. If CACertFile and CrossedCACertFile are both specified, fields in CACertFile and CrossedCACertFile are verified against CertFile. If IssuedCertFile is specified, fields in IssuedCertFile are verified against CRLFile. If DeltaCRLFile is specified, fields in DeltaCRLFile are verified against CRLFile.PASKeyContainerName -- key container name of the key to verify Defaults to machine keys. Use -user for user keys CACertFile -- signing or encryption certificate file If no arguments are specified, each signing CA cert is verified against its private key. This operation can only be performed against a local CA or local keys.CertificateStoreName -- Certificate store name. 
Examples: "%1", "%2" (default), "%3", "%10" (View Root Certificates) "%11" (Modify Root Certificates) "%12" (View CRLs) "%13" (Enterprise CA Certificates) %16 (AD machine object certificates) %5 %16 (AD user object certificates) CertId -- Certificate or CRL match token. This can be a serial number, an SHA-1 certificate, CRL, CTL or public key hash, a numeric cert index (0, 1, etc.), a numeric CRL index (.0, .1, etc.), a numeric CTL index (..0, ..1, etc.), a public key, signature or extension ObjectId, a certificate subject Common Name, an e-mail address, UPN or DNS name, a key container name or CSP name, a template name or ObjectId, an EKU or Application Policies ObjectId, or a CRL issuer Common Name. Many of the above may result in multiple matches. OutputFile -- file to save matching cert Use %5 to access a user store instead of a machine store. Use %4 to access a machine enterprise store. Use %14 to access a machine service store. Use %15 to access a machine group policy store. Examples: %6 %7 %8 %9oCertificateStoreName -- Certificate store name. See -store. InFile -- Certificate or CRL file to add to store.sCertificateStoreName -- Certificate store name. See -store. CertId -- Certificate or CRL match token. See -store.BackupDirectory -- directory to store backed up data %1 -- perform incremental backup only (default is full backup) %2 -- preserve database log files (default is to truncate log files)BackupDirectory -- directory to store backed up database files %1 -- perform incremental backup only (default is full backup) %2 -- preserve database log files (default is to truncate log files)8BackupDirectory -- directory to store backed up PFX file;BackupDirectory -- directory containing data to be restoredEBackupDirectory -- directory containing database files to be restoredbBackupDirectory -- directory containing PFX file to be restored PFXFile -- PFX file to be restoredCertificateStoreName -- Certificate store name. See -store. 
CertId -- Certificate or CRL match token. See -store. PFXFile -- exported PFX data output file Modifiers -- Comma separated list of one or more of the following: %5 -- Do not export the certificate chain %6 -- Do not export the root certificate %9 -- Include extended properties Defaults to personal machine store.:CertificateStoreName -- Certificate store name. See -store. PFXFile -- PFX file to be imported Modifiers -- Comma separated list of one or more of the following: %1 -- Change the KeySpec to Signature %2 -- Change the KeySpec to Key Exchange %3 -- Make the private key non-exportable %4 -- Do not import the certificate %5 -- Do not import the certificate chain %6 -- Do not import the root certificate %7 -- Protect keys with password %8 -- Do not password protect keys Defaults to personal machine store.IUserKeyAndCertFile -- Data file containing user private keys and certificates to be archived. This can be any of the following: Exchange Key Management Server (KMS) export file PFX file CertId -- KMS export file decryption certificate match token. See -store. Use %1 to import certificates not issued by the CA.PFXInFileList -- Comma separated PFX input file list PFXOutFile -- PFX output file %9 -- Include extended properties The password specified on the command line is a comma separated password list. If more than one password is specified, the last password is used for the output file. If only one password is provided or if the last password is "*", the user will be prompted for the output file password. PFXInFileList -- Comma separated PFX input file list EPF -- EPF output file %1 -- Use CAST 64 encryption %2 -- Use CAST 64 encryption (export) V3CACertId -- V3 CA Certificate match token. See -store CertId description. Salt -- EPF output file salt string The password specified on the command line is a comma separated password list. If more than one password is specified, the last password is used for the output file. 
If only one password is provided or if the last password is "*", the user will be prompted for the output file password.WRequestId -- numeric Request Id of pending request AttributeString -- Request Attribute name and value pairs Names and values are colon separated. Multiple name, value pairs are newline separated. Example: "CertificateTemplate:User\nEMail:User@Domain.com" Each "\n" sequence is converted to a newline separator.PASerialNumber -- Comma separated list of certificate serial numbers to revoke Reason -- numeric or symbolic revocation reason: 0: %1 -- Unspecified (default) 1: %2 -- Key Compromise 2: %3 -- CA Compromise 3: %4 -- Affiliation Changed 4: %5 -- Superseded 5: %6 -- Cessation of Operation 6: %7 -- Certificate Hold 8: %8 -- Remove From CRL -1: %9 -- UnrevokeUse %1 to import the certificate in place of a pending request for the same key. Use %2 to import certificates not issued by the CA. The CA may also need to be configured to support foreign certificate import: %3\OutCACertFile -- output file Index -- CA certificate renewal index (defaults to most recent)aOutCACertChainFile -- output file Index -- CA certificate renewal index (defaults to most recent)LUse %2 to ignore an outstanding renewal request, and generate a new request.Verify Certificate or CRL URLs InFile | URL#Certificate "%ws" already in store.!Certificate "%ws" added to store.CRL "%ws" already in store.CRL "%ws" added to store.CTL %ws already in store.CTL %ws added to store.KMS V1 CA Certificate ListSelect KMS V1 CA certificateError message textPA!Error message text and error code RetrievingSuccessFailed VerifyingVerify FailureNo URLsErrorExpired Wrong IssuerRevokedRevocation Check FailedNo CRLOKCDPAIABase CRL Delta CRL CertificateNoneStatusTypeUrlRetrieval Time GetObjectUrlCertificate SubjectBase CRL IssuerDelta CRL Issuer No SelectionNo Certificate Selected%Error Opening Certificate or CRL FileSelect Certificate or CRLError InformationError retrieving URL: %wsNo URLs found: 
%wsoCannot find KMS CA certificate required to construct the EPF file. Enroll a client in the same KMS and use Outlook to save the user keys to an EPF file. Take the EPF file to the current machine and use certutil to dump the EPF file. This will import the needed KMS CA certificates into the local machine cert store, making them available to construct new EPF files.a%1 -- generate a script to retrieve and recover keys (default behavior if multiple matching recovery candidates are found, or if the output file is not specified). %2 -- retrieve one or more Key Recovery Blobs (default behavior if exactly one matching recovery candidate is found, and if the output file is specified) %3 -- retrieve and recover private keys in one step (requires Key Recovery Agent certificates and private keys) SearchToken -- Used to select the keys and certificates to be recovered. Can be any of the following: Certificate Common Name Certificate Serial Number Certificate SHA-1 hash (thumbprint) Certificate KeyId SHA-1 hash (Subject Key Identifier) Requester Name (domain\user) UPN (user@domain) RecoveryBlobOutFile -- output file containing a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates. OutputScriptFile -- output file containing a batch script to retrieve and recover private keys. OutputFileBaseName -- output file base name. For %2, any extension is truncated and a certificate-specific string and the %4 extension are appended for each key recovery blob. Each file contains a certificate chain and an associated private key, still encrypted to one or more Key Recovery Agent certificates. For %3, any extension is truncated and the %5 extension is appended. 
Contains the recovered certificate chains and associated private keys, stored as a PFX file.%ws deleted from DS store.Forward cross certBackward cross certForward cross certBackward cross certKRA cert Not foundInvalid UntrustedPA Not loaded CA cross certSystem default Language Id:!Version %u certificates and keys:Use old PFX encryptionCertificate signature is validKey usage countDisabled Not supportedCA cert version!Enabled Active Server Pages (ASP))Active Server Pages (ASP) already enabled(Error enabling Active Server Pages (ASP)MISSING!!Sanitized CA short name (DS name)!WinINet Cache entries deleted: %uWinINet Cache entries: %u PermittedExcluded IP AddressMaskURL -- cached URL %1 -- operate on all cached CRL URLs only %2 -- operate on all cached URLs %3 -- delete relevant URLs from the current user's local cache Use %4 to force fetching a specific URL and updating the cache.SubtreeRelated Certificates: Related CRLs: Exact match:Protect keys with passwordSet templates for CA[+ | -]TemplateListAddingRemovingAlready present Not present"KMS export file signature verifiesAutoEnroll Property RequestId Authority Friendly Name Token matchBad Asn length encodingAsn encoding: %x extra bytes$%ws key verifies against certificate"%ws key does not match certificateExpected Public key:Cert Public key: certificatesSigningPAExchange LoadCert(CACrossed) returned %wsCrossed CA CertCrossed CA Cert Serial Number:,Crossed CA Subject name matches Cert Subject:ERROR: Crossed CA Subject name does not match Cert Subject&Crossed CA public key matches Cert key5ERROR: Certificate public key does NOT match Cert key5Crossed CA Subject Key Id matches Cert Subject Key Id.ERROR: Crossed CA Key Id does not match Key IdCA Cert canonicalized#A required CRL extension is missingVerifiedBad CA Cert SubjectBad Cert Issuer Old Base CRLBad Authority Key IdNo IDP Intersection,ERROR: CRL Issuer does not match Cert IssuerCRL Issuer matches Cert IssuerProvider0ERROR: CRL IDP extension does not match Cert 
CDP1ERROR: CRL Issuer does not match Delta CRL Issuer#CRL Issuer matches Delta CRL Issuer6WARNING: CRL CA Version does not match Cert CA Version;WARNING: CRL CA Version does not match Delta CRL CA Version2ERROR: CRL Number less than Delta CRL Minimum BaseERROR: CRL is not a Base CRLERROR: CRL is not a Delta CRLVerifying Issued Certificate:Verifying Delta CRL:!WinHttp Cache entries deleted: %uWinHttp Cache entries: %uMeta File Name:WinINet Cache entry:WinHttp Cache entry:CAName MachineNameTime:Certificate AIACertificate CDP Base CRL CDP!URL fetch timeout in millisecondsTimeoutCannot export public key%Display password and private key dataOCSP Decode Error Unsuccessful Unsupported No SignerInvalid Signature OCSP Request:OCSP Response: Produced AtOCSP Response Entries:OCSP Response InfoOCSP Request Entries:OCSP Request InfoIssuer Name Hash(%ws):Issuer Key Hash(%ws):Serial Number Not FoundUnknownInvalid Signer EKUSigner Expired Revoked As OfCertificate OCSPParse ASN.1 file File [type] DECODE ERROR!Unique container nameTo be backed upExpected Base CRLExpected Delta CRLDefault ContainerEnd Of Content4Install a Certification Authority on current machine#Manage smart card root certificatesRoot Certificate ProvisioningPAt%1 [%5][InputRootFile] [ReaderName] %2 %6OutputRootFile [ReaderName] %3 [InputRootFile | ReaderName] %4 [ReaderName]Use hash of data as signatureSimple container nameCipher AlgorithmsHash Algorithms Asymmetric Encryption AlgorithmsSecret Agreement AlgorithmsSignature AlgorithmsRNG Algorithms Display COM registry information [ClassId | ProgId | DllName | *]YesNoAllowDenyCA AdministratorPACertificate ManagerReadEnroll Auto-Enroll Full ControlWriteAdministrator permissions are needed to use the selected options. Use an administrator command prompt to complete these tasks.The restored CA certificate has expired. 
Before restarting Active Directory Certificate Services you must renew the CA certificate.2Create/delete web virtual roots for OCSP web proxy[%1]"The OCSP Web Proxy already exists.RName of Symmetric Key Algorithm with optional key length, example: AES,128 or 3DES!SymmetricKeyAlgorithm[,KeyLength]1This verb has been restricted by Common Criteria.rThe certification propagation service could not be contacted. Your root certificates may not be available for use.Content Encryption Algorithm:$Encode text without CR-LF characters"Write redirected output in UnicodeEnumerate certificate stores[\\MachineName]#MachineName -- remote machine name.Use service certificate store"Use Group Policy certificate store%Install default certificate templatesCertificateStoreName -- Certificate store name. See -store. CertIdList -- comma separated list of Certificate or CRL match tokens. See -store's CertId description. PropertyInfFile -- INF file containing external properties: %1 %2 Add archived property, OR: %3 Remove archived property %4 "%5Friendly Name" ; Add friendly name property %6 Add custom hexadecimal property %7 %8 %9 Add Key Provider Information property %10Container Name%11 %12 %13 %14 %15 %16 Add Enhanced Key Usage property %17 %18 Dump smart card file information [ReaderName]Cannot read fileSuccessfully uncompressedCannot uncompress fileFailed to authenticate to card"Successfully authenticated to cardPAReading directory Enter PIN: Each restriction consists of a column name, a relational operator and a constant integer, string or date. One column name may be preceded by a plus or minus sign to indicate the sort order. 
Examples: %1 %2 %3Provider Aliases:Provider Module:Display CNG ConfigurationDisplay Enrollment Policy CAs[CAName | TemplateName]Manage Site Names for CAs [%1] [SiteName] %2 [SiteName] %3 Out of dateSuccessfully updated Update errorAsymmetric AlgorithmsAll AlgorithmsEnrollment Policy Server ListPASelect Policy ServerDefault --- ATR:Display AD templates [Template]Display AD CAs[CAName]Display Enrollment PolicyPolicy Server URL or IdURLOrIdDistinguishedName,type -- numeric CRYPT_STRING_* decoding type,type -- numeric CRYPT_STRING_* encoding typeBERROR: Could not verify certificate public key against private keyEnrollment Policy UrlEnrollment Policy IdPAFlagsEnrollment Server Url Request IdAuthentication Url Flags$Add an Enrollment Server application%1 | %3 | %5 [%10] [%11]jAdd an Enrollment Server application and application pool if necessary, for the specified CA. This command does not install binaries or packages One of the following authentication methods with which the client connects to a Certificate Enrollment Server %1 -- %2 %3 -- %4 %5 -- %6 %10 -- Only renewal requests can be submitted to this CA via this URL %11 -- Allows use of a certificate that has no associated account in the AD. This applies only with ClientCertificate and AllowRenewalsOnly mode.'Delete an Enrollment Server application %1 | %3 | %54Delete an Enrollment Server application and application pool if necessary, for the specified CA. 
This command does not remove binaries or packages One of the following authentication methods with which the client connects to a Certificate Enrollment Server %1 -- %2 %3 -- %4 %5 -- %6.$Install succeeded with warnings: %ws&UnInstall succeeded with warnings: %wsSmart Card Serial Number:ObjectId ObjectIds Extension ExtensionsTemplate TemplatesCACAsUse anonymous SSL credentialsUse Kerberos SSL credentials%Use X.509 Certificate SSL credentials ClientCertId%Use named account for SSL credentialsUserNameConflicting SSL credentialsCertificate List(Select client authentication certificateCA locale namePABDisplay, add or delete enrollment server URLs associated with a CA6[URL AuthenticationType [Priority] [Modifiers]] URL %9xAuthenticationType -- Specify one of the following client authentication methods while adding a URL %1 -- %2 %3 -- %4 %5 -- %6 %7 -- %8. %9 -- deletes the specified URL associated with the CA. Priority -- defaults to '1' if not specified when adding a URL. Modifiers -- Comma separated list of one or more of the following: %10 -- Only renewal requests can be submitted to this CA via this URL %11 -- Allows use of a certificate that has no associated account in the AD. This applies only with ClientCertificate and AllowRenewalsOnly Mode.Priority1Display or delete Enrollment Policy Cache entries[%1]R%1 -- delete Policy Server cache entries %2 -- use %2 to delete all cache entries. NextUpdate LastUpdateUrlIdDefaultPathAuthenticationAllowUntrustedCAPriorityPACache file existsDeleting cache entry! No cache file"Url does NOT match cache file nameCache DirectoryOrphaned Cache file/Display, add or delete Credential Store entries[URL] URL %3 URL %1URL -- target URL. Use %4 to match all entries Use %5 to match a URL prefix %3 -- add a Credential Store entry SSL credentials must also be specified %1 -- delete Credential Store entries %2 -- use %2 to overwrite an entry or to delete multiple entries. 
Enforce UTF-8Name Friendly NameUrlIdPassword Credential CredentialsEnrollment CertificateEnrollment Username/PasswordSchemaId PropertiesDeletingSettingIndefinite Length'%1 -- Delete all keys on the smart card(================ Url %d ================"ERROR: Container name inconsistentBFor selection U/I, use %3%1 %3 For all Policy Servers, use %3%1 %2For selection U/I, use %2%1 %2For selection U/I, use %2%1 %2@WARNING: CA certificate expires before registry validity period.AddedPA AnonymousKerberos CertificateUsernameUnknownWeb Enrollment Servers:MatchesYou must install the Certificate Enrollment Web Service using Server Manager or ServerManagerCmd.exe before adding an enrollment server application.(To import a foreign certificate, see %ws Enrollment Server AuthenticationAdd a Policy Server application%1 | %3 | %5 [%10] Add a Policy Server application and application pool if necessary. This command does not install binaries or packages One of the following authentication methods with which the client connects to a Certificate Policy Server %1 -- %2 %3 -- %4 %5 -- %6 %10 -- Only policies that contain KeyBasedRenewal templates are returned to the client. This flag applies only for UserName and ClientCertificate authentication."Delete a Policy Server application%1 | %3 | %5 [%10]BDelete a Policy Server application and application pool if necessary. This command does not remove binaries or packages One of the following authentication methods with which the client connects to a Certificate Policy Server %1 -- %2 %3 -- %4 %5 -- %6 %10 -- KeyBasedRenewal policy server.You must install the Certificate Enrollment Policy Web Service using Server Manager or ServerManagerCmd.exe before adding a policy server application.*ERROR: Signed signature algorithm conflict*ERROR: Signed signature parameter conflictAllowRenewalsOnlyAllowKeyBasedRenewalWrite output file in UnicodeSubject Template OIDsERROR: The password you specified is incorrect. 
However, you have permission to access the PFX without a password. Re-run the command without specifying a password.PFX protected password: "%ws" IThe PFX protected password is incorrectly stored in the PFX file. It is: PFX protected to: ANDORSuccessfully deletedAlready deletedSet, Verify or Delete CA site names Use the %4 option to target a single CA (Default is all CAs) SiteName is allowed only when targeting a single CA Use %5 to override validation errors for the specified SiteName Use %5 to delete all CA site names*Specified and Detected site names conflictExistingDetectedSKIPPED"[MaxSecondsToWait | CAMachineList]CAMachineList -- Comma-separated CA machine name list For a single machine, use a terminating comma Displays the site cost for each CA machine'ERROR: missing key association propertyName Hash(%ws):Signature Hash:Cached Key Identifier:No container name matchERROR: wrong KeyId!Found exact matchNo KeyId match"WARNING: different container name!!Comma separated SAM Name/SID ListSAMNameAndSIDListCAs DecryptedFull query results Full Results Key QueryKey Recovery ErrorsKey Blob Key Handle Key StateKRA certNoNo archived key to recover.Recovery RetrievalendPAstartQueries Query matches RecoveredRecovered CertificatesRecovered key filesRecovery blobs retrievedRecovery CandidatesRecovery ErrorsRecovery ResultRetrieved key filesRetrieved KeysRetrieved, but not RecoveredRows Rows (no key) Script filePAState Token Query Total QueriesYesSmart Card PINMissing output script filename.Missing output file base name.Use %ws to delete all entries.Error saving key dataTOne of the following Key Recovery Agent certificates is required to recover the key:File(Private key is NOT plain text exportableRecovery blob file.Verify AuthRoot or Disallowed Certificates CTLCTLObject [CertDir] [CertFile]8CTLObject -- Identifies the CTL to verify: %1 -- read AuthRoot CAB and matching certificates from the URL cache. Use %5 to download from Windows Update instead. 
%2 -- read Disallowed Certificates CAB and disallowed certificate store file from the URL cache. Use %5 to download from Windows Update instead. %3 -- read registry cached AuthRoot CTL. Use with %5 and a CertFile that is not already trusted to force updating the registry cached AuthRoot and Disallowed Certificate CTLs. %4 -- read registry cached Disallowed Certificates CTL. %5 has the same behavior as with %3. CTLFileName -- file or %6 path to CTL or CAB CertDir -- folder containing certificates matching CTL entries An %6 folder path must end with a path separator. If a folder is not specified with %3 or %4, multiple locations will be searched for matching certificates: local certificate stores, crypt32.dll resources and the local URL cache. Use %5 to download from Windows Update when necessary. Otherwise defaults to the same folder or web site as the CTLObject. CertFile -- file containing certificate(s) to verify. Certificates will be matched against CTL entries, and match results displayed. Suppresses most of the default output.<ERROR: Signature chain certificate not present in image: %ws6ERROR: Extra signature chain certificate in image: %ws$ERROR: Extra application policy: %ws&ERROR: Missing application policy: %ws%Result: Certificate exact match foundResult: Certificate match found#Result: Certificate match NOT found(Result: Certificate public key collision OCSP URLsAIA URLsCDP URLs7Certificates that do not belong to the targeted CTL: %u:Default is to display DC certificates without verification%ws failed with error:LoadingCert[%u]: references:PACTL[%u]: matches: Less than %ws+Strong Signature verification not supportedStrong Signature error:Legacy Signature error:Counter Signed!:Authenticated attribute!:Critical Extension%u of %u entries presentCertificates to match:Legacy signatures:Strong signatures:#Missing Enhanced Key Usage propertyPINSigning certificateCertIdPASync with Windows UpdateDestinationDirDestinationDir -- folder to copy to. 
The following files are downloaded from Windows Update: %1 - contains CTL of Third Party Roots. %2 - contains CTL of Disallowed Certificates. %3 - Disallowed Certificates. <thumbprint>.crt - Third Party Roots. Generate SST from Windows UpdateSSTFileSSTFile -- %1 file to be created. The generated %1 file contains the Third Party Roots downloaded from Windows Update.Updating2"%ws" exists. Use "%ws" option to force overwrite.;Warning! Encountered the following no longer trusted roots:Use "%ws" options to force the delete of the above "%ws" files. Was "%ws" updated? If yes, consider deferring the delete until all clients have been updated.$Enabling temporary auto root update.&Restoring disable of auto root update.ZCannot enable auto root update in the registry. Are you running as elevated administrator? No Updates!"Added %d files. Updated %d files.Updated SST file.+Display Trusted Platform Module InformationCA Exchange Cert HashVerify Key Attestation Request RequestFile)Manufacturer Endorsement Key Certificates"Other Endorsement Key CertificatesChallenge PendingChallenge Satisfied Trust On UseTrust Endorsement CertificateTrust Endorsement Key Nonce digestAttestation successful.SecretDecrypted EKInfo EK Public Key ActivationDecrypted SecretActivation successful.WritingCannot fetch EK public keyEK KeyId(%ws):%1 Numeric SIDT %2 -- Local System %3 -- Network Service %4 -- Local ServiceHash algorithms:,No Manufacturer Endorsement Key Certificates%No Other Endorsement Key CertificatesPA5Certificate Enrollment - Username/Password Credential/Certificate Enrollment - Certificate CredentialSelect Certification Authority5Select a Certification Authority to send the request.PA4VS_VERSION_INFO@%@%?StringFileInfo040904B0LCompanyNameMicrosoft CorporationB FileDescriptionCertUtil.exer)FileVersion6.3.9600.16384 (winblue_rtm.130821-1623): InternalNameCertUtil.exe.LegalCopyright Microsoft Corporation. 
All rights reserved.JOriginalFilenameCertUtil.exe.muij%ProductNameMicrosoft Windows Operating SystemBProductVersion6.3.9600.16384DVarFileInfo$Translation