????
Your IP : 216.73.216.152

Current Path : C:/Windows/System32/en-US/
Current File : C:/Windows/System32/en-US/certutil.exe.mui
MZ����@���	�!�L�!This program cannot be run in DOS mode.

$��<߱�R���R���R�U�����R�U�P���R�Rich��R�PEL�!�

�P�@ P�8.rdata�@@.rsrc� �@@��&
T88��&$��8.rdata8x.rdata$zzzdbg .rsrc$01=`�.rsrc$02 ��=�1�B�B�r�� j}*{s�㎩
��&��0�H�p��0��H��`��x������������� �8�P�h��������������(� @�!X�"p�#��$��%��&��'��(�)�*0�+H�,`�-x�.��/��0��1��2��3	�4 	�58	�6P	�7h	�8�	�9�	�:�	�;�	�<�	�=�	�>
�?(
�@@
�~X
�p
���
���
���
���
���
������0��H��`��x������������������� ��8��P��h��������������������
��(
��@
��X
��p
���
���
���
���
���
������0��H��`��x������������������� ��8��P��h����������������������(��@��X��p���������������������0��H��`��x����
���
���
���
��"�) �*8��P��h�������!��*��1��2�A(�a@�X�	p	�	�	�	�	�	�	�	�			 	0	@	P	`	p	�	�	�	�	�	�	�	�			 	0	@	P	`	p	�	�	�	�	�	�	�	�			 	0	@	P	`	p	�	�	�	�	�	�	�	�			 	0	@	P	`	p	�	�	�	�	�	�	�	�			 	0	@	P	`	p	�	�	�	�	�	�	�	�			 	0	@	P	`	p	�	�	�	�	�	�	�	�			 	0	@	P	`	p	�	�	�	�	�	�	�	�			 	0	@	P	`	p	�	�	�	�	�	�	�	�			 	0	@	P	`	p	�	�	�	�	�	�	��<���=���>���C��$F���I���KB�S6�D^`
��k"��n���r��Xv�tzR�Ȁj�4��<���8�T�������b��~�d���$� �D�<���l��������h����
�$�������P�x�����P�(��������������$�.�T�����r�p�f����������<��������������(��������D�����	P�"�0n������0��������P"r��$j�0(���*���.z�L3X��8��0;8�h>"��@��,C
�8F�� Jr��Qx,�~�*���
�ȲT��X�t���4��@�l���R������L� �T�t������(�"�L���������:��������	�@b����X�pf���	��X��#���'v�d)��`+�|:.��>��TA���I���L��Ol	�4Yh��Y��\_��(aD�le��8n���s���x��y��z��$�*�P���(�8�`���������Ȑ��l�������������H�ȞH���$�`���r���V	�P��p�H���H��@�@������������
������l�0��������j�L�V���"�����MUI�����^;,�0�Fv�Z�jCꬱ%N�0�U����MUIen-US��@���0MS Shell DlgP��msctls_progress32P!�����Please wait for this operation to finish.PA���ȀZ�URL Retrieval ToolMS Shell DlgP��2���Exit�PLV�SysListView32List1P��2����Select...P�_\F�������Retrieve	PjL
����Certs (from AIA)	PvL
����CRLs (from CDP)	P�L
����OCSP (from AIA)P
�2����RetrievePb,�������Timeout (sec) �P;b����P^e�)�������Note: CRLs or certificates being downloaded are not exhaustively verified.  A CRL or cert may still be inconsistent or may not have the proper extensions to allow for correct verification.��P	�x����P
�:����P�4�������Url to Download��P@�����P
yF
����Sign LDAP TrafficPA���Ȁ	!�CA Certificate RequestMS Shell DlgP������Select an online CA to send the requestP6�����Computer &Name:��PA�����P&#�����&Parent CA:!PA&�����P�2����Br&owse...P@*����replaced by IDS_REQUEST_HELPTEXT
2
3
4P�v2���OKP�v2���Cancel�PKCS #7 (*.p7b)|*.p7b|X.509 Certificate (*.cer;*.crt)|*.cer;*.crt|Personal Information Exchange (*.p12, *.pfx)|*.pfx|All Files (*.*)|*.*||'Select file to complete CA installationUnknown provider namenCannot find the certificate for %1 to build a certificate chain.  Do you wish to install this certificate now?OCannot verify certificate chain.  Do you wish to ignore the error and continue?>An error occurred retrieving the pending certificate
from %1: Get Server CA Name	Select CASave certificate and KeysRetrieve CertificateFinish Suspended Setup(The certificate is not a CA certificate.Setup completeRetrieve Pending Certificate	Key IndexLoad Old CertificateClone Root Certificate
Build RequestPARenew CA -- reuse keysInstall CA CertificateRenew CA -- new keysBuild CA CertificateSave Chain and KeysqIf you want to send the request to an offline CA, click Cancel and send the request file at %1 to your parent CA.Create DS CDP object$Create DS enrollment services objectCreate DS Root TrustPublish CA in DSSubmit Request�An error occurred when creating the new key container "%1". Please make sure the CSP is installed correctly or select another CSP.
:The Certification Authority certificate has a bad length: �The new Certification Authority certificate cannot be installed because the CA Version extension is incorrect.  The most recently generated request file should be used to obtain the new certificate: %1|The root certificate is untrusted.  Do you wish to trust the root certificate on this machine and complete the installation?MCannot add the Certification Authority certificate to the certificate store: PASCannot create a certificate context using the Certification Authority certificate: Unreferenced INF sectionsSet SecurityCannot create file %1: lThe existing private key "%1" cannot be deleted. Either reuse this key, or use a different name for the CA.
Cannot encode key attributes: Cannot encode certificate: 2The %SystemRoot% environment variable is not set. �This key storage device is full and the new key "%1" could not be added. Go back and pick an existing key, or use a different key storage device.
�An error occurred when generating key "%1" for the Active Directory Certificate Services service. Either the CSP configuration is not complete or the key length is not supported. Please make sure the CSP is installed correctly or select another CSP.
$Cannot determine the computer name: �An error occurred when setting the security access on the private key "%1", or the CSP selected does not support setting security access on private keys. Please make sure the CSP is installed correctly or select another CSP.
8Cannot decode Certification Authority name information: The parent CA has denied your request because you are not a domain administrator. (%1)
To obtain the certificate for your CA, you must request the certificate as a domain administrator. You can install the certificate using the Certification Authority snap-in.KThe new certificate subject Common Name does not match the active CA name: 
Generate KeysPA�An error was detected while configuring Active Directory Certificate Services.
The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration.
lThe parent CA has denied your request for a CA certificate. Please contact the parent CA administrator.
(%1)|An error occurred when the parent CA processed this CA certificate request. Please contact the parent CA administrator.
(%1)^This CA certificate request did not complete. Please contact the parent CA administrator.
(%1)eThis CA certificate will be issued administratively. Please contact the parent CA administrator.
(%1)eThis CA certificate request is in the pending state. Please contact the parent CA administrator.
(%1)bThis CA certificate was revoked by the parent CA. Please contact the parent CA administrator.
(%1)ECannot set the key provider information for the certificate context: �Cannot submit the certificate request to the specified CA. Please ensure that the CA information is correct and that the CA is online. Note: only CAs running the Microsoft Active Directory Certificate Services are supported.
�Cannot submit the certificate request to the specified CA. (%1)
To obtain the certificate for your CA, you can install the certificate using the Certification Authority snap-in.�The new certificate subject name does not exactly match the active CA name.
Renew with a new key to allow minor subject name changes: �The new certificate public key does not match the current outstanding request.
The wrong request may have been used to generate the new certificate: Find certificate for %1CCannot write the Certification Authority certificate to file "%1": Cannot write to file %1: INF file errorSet Key SecurityParent CA = 
Request ID = /Microsoft Active Directory Certificate ServicesSet Directory Security�An error occurred when creating the new key container "%1". You do not have write access permission to the key container. Please use a different CA name.
&Dump configuration information or file Get default configuration string3Get default configuration string via ICertGetConfigPA
CA VersionDecode hexadecimal-encoded fileDecode Base64-encoded fileEncode file to Base64Deny pending requestResubmit pending requestRevoke Certificate%Publish new CRLs [or delta CRLs only]Get CRL'Display current certificate disposition"Set attributes for pending request!Set extension for pending requestRetrieve the CA's certificate#Retrieve the CA's certificate chainUserKeyAndCertFile [CertId]GImport user keys and certificates into server database for key archivalDump Raw DatabaseVerify public/private key set Verify certificate, CRL or chain+Check certificate for 0x7f length encodingsDisplay this usage messageVerbose operation+Use IDispatch instead of COM native methodsReverse Log and Queue columnsOptions:Unrecognized ReasonInFile OutFileO  Column Name                   Localized Name                Type    MaxLengthO  ----------------------------  ----------------------------  ------  ---------	RequestId	RequestIdSerialNumber [Reason][%3 | %1] [%2]OutFile [Index] [%1]SerialNumber | CertHashRequestId AttributeString>RequestId ExtensionName Flags {Long | Date | String | @InFile}OutCACertFile [Index]OutCACertChainFile [Index][KeyContainerName CACertFile]�CertFile [ApplicationPolicyList | - [IssuancePolicyList]] [Modifiers]
CertFile [CACertFile [CrossedCACertFile]]
CRLFile CACertFile [IssuedCertFile]
CRLFile CACertFile [DeltaCRLFile]CertFile
Out of memoryMissing %ws argUnknown arg: %wsMultiple verb args: %wsMissing argumentToo many argumentsInternal verb table errorUnexpected "-%ws" optionUsage:OptionsVerbs:�ObjectId -- ObjectId to display or to add display name
GroupId -- decimal GroupId number for ObjectIds to enumerate
AlgId -- hexadecimal AlgId for ObjectId to look up
AlgorithmName -- Algorithm Name for ObjectId to look up
DisplayName -- Display Name to store in DS
%1 -- delete display name
LanguageId -- Language Id (defaults to current: %2)
Type -- DS object type to create: 1 for Template (default),
        2 for Issuance Policy, 3 for Application Policy
Use %3 to create DS object. -- IndexedInput Length = %dNo Key Authority serial numberOutput Length = %dDecodeFile returned %wsEncodeToFile returned %wsIssuerSubject<ERROR: CA Issuer name does not match Key Authority name (%x))CA Issuer name matches Key Authority namePANo Key Authority name8ERROR: Issuer serial number does not match Key Authority*Issuer serial number matches Key AuthorityIssuer NameKeyAuthority NameKeyId:Key Authority SerialNumber:CA Serial Number:Process:[DomainDN | -]LoadKeys returned %wsLoadCert returned %ws:ERROR: Certificate public key does NOT match stored keysetContainer Public Key:Certificate Public Key::Key "%ws" verifies as the public key for Certificate "%ws"PAAKey "%ws" does NOT verify as the public key for Certificate "%ws"'Leaf certificate is REVOKED (Reason=%x)@ERROR: Verifying leaf certificate revocation status returned %ws/Cannot check leaf certificate revocation status(Leaf certificate revocation check passedLoadCert(Cert) returned %wsLoadCert(CA) returned %wsCertIssuing CA CertCert Serial Number:Issuing CA Cert Serial Number:<Issuing CA is not a root: Subject name does not match Issuer9ERROR: Issuing CA Subject name does not match Cert Issuer+Issuing CA Subject name matches Cert Issuer3CertVerifySubjectCertificateContext Flags = %x --> )ERROR: Certificate validation failure: %xPA;ERROR: CA did not issue Certificate: Signature check failedERROR: Certificate has expiredCertificate is current3Contains CRL_DIST_POINTS revocation-check extension;Contains NETSCAPE_REVOCATION_URL revocation-check extension-Certificate has no revocation-check extension%ws verifies as issued by %ws#%ws does NOT verify (issued by %ws) -- Revocation check skipped. -- Revocation check passed. -- Revocation check: REVOKED. -- Revocation check FAILED.Signature matches Public KeyCRL Entries:Cert:???PASuspect length in : field=%ws	, oid=%ws*Extension %d: oid="%hs" fcrit=%u length=%x'Signature does not match Public key: %xCannot decode object: %wsAlgorithm ObjectIdAlgorithm Parameters:NULLPublic Key: UnusedBits = %uChallengeString: "%ws"Config String: "%ws"#ICertGetConfig Config String: "%ws"-Certificate request is pending: RequestId: %uCertificate issued.7Certificate has not been issued: Disposition: %d -- %ws,Certificate disposition for "%ws" is invalid*Certificate disposition for "%ws" is valid2Certificate disposition for "%ws" is revoked (%ws)DateLongStringBinarySchema:Row %u:Opening Database %wsEMPTYerror = %ws, 
Any FormatPKCS10
KeyGen TagPKCS7Unknown
Force TeletexRenewalCriticalDisabledPolicyFlags=%xRequestPolicyAdminServerUNKNOWN
Origin=%ws???=%x!Get configuration via ICertConfigRequest Properties:PACertificate Properties:Command LineSanitized Name:%ws: Flags = %x%ws, Length = %x&Expected at least %u args, received %u*Expected no more than %u args, received %u.No active Certification Authorities found: %ws%ws: -%ws command FAILED: %ws???NoneOtherIssuer	IssuerRDNIssuerRDNAttributeIssuerRDNStringSubjectPA
SubjectRDNSubjectRDNAttributeSubjectRDNString
ExtensionsExtensionArray	ExtensionExtensionValueExtensionValueRawNo key provider informationDump Certificate View%ws added to DS store.<Ping Active Directory Certificate Services Request interface:Ping Active Directory Certificate Services Admin interfaceName:Organizational Unit:
Organization:PA	Locality:State:Country/region:Config:Exchange Certificate:Signature Certificate:Description:Server:
Authority:EntryCertificate Extensions:Request Attributes:.Shutdown Active Directory Certificate ServicesCommand StatusDump Certificate SchemaCommand SucceededPasswordX509 Certificate:!X509 Certificate Revocation List:PKCS10 Certificate Request:KeyGen Certificate Request:Version: %uSerial Number:Signature Algorithm:Public Key Algorithm:Issuer Unique Id:Subject Unique Id:
NotBefore:	NotAfter:ThisUpdate:NextUpdate:Revocation Date:Extensions:CRL Extensions:PKCS7 Message:PPossible Root Certificate: Subject matches Issuer, but Signature check fails: %xNon-root Certificate(Root Certificate: Subject matches Issuer3Non-root Certificate uses same Public Key as IssuerRevoking "%ws"Enter PFX password:No built-in formatting supportPrivate Key:LengthDisplay times as GMTGMTBackupDirectoryHBackup Active Directory Certificate Services certificate and private keyBackupDirectory | PFXFileIRestore Active Directory Certificate Services certificate and private key,[CertificateStoreName [CertId [OutputFile]]]Dump certificate storeProviderType = %xKey Container = %wsProvider = %wsKeySpec = %xFlags4Restored keys and certificates for %ws\%ws from %ws.3Backed up keys and certificates for %ws\%ws to %ws.[CACertFile]+Install Certification Authority certificatePKCS7 Message Content:Authenticated AttributesSigning Certificate Index8================ Begin Nesting Level %d ================8----------------  End Nesting Level %d  ----------------%ws: Lang %08x (%u.%u)  File %u.%u:%u.%u  Product %u.%u:%u.%u
	No SignerNo PKCS7 Message ContentNo CertificatesNo CRLs
Certificates:CRLs:Renewal Certificate:Encrypted Hash:  %d attributes:	Attribute    Value[%d][%d], Length = %xPABackupDirectory [%1] [%2]5Backup Active Directory Certificate Services databaseBackupDirectory6Restore Active Directory Certificate Services databaseReason: UnspecifiedReason: Key CompromiseReason: CA CompromiseReason: Affiliation ChangedReason: SupersededReason: Cessation of OperationReason: Certificate HoldReason: Remove From CRL#List CSPs installed on this machine#Test CSPs installed on this machine[Algorithm](Use silent flag to acquire crypt contextG%1 -- Request queue
%2 -- Issued or revoked certificates, plus failed requests
%3 -- Failed requests
%4 -- Revoked certificates
%5 -- Extension table
%6 -- Attribute table
%7 -- CRL table
%8 -- Output as Comma Separated Values

To display the StatusCode column for all entries:
    -out StatusCode
To display all columns for the last entry:
    -restrict "RequestId==$"
To display RequestId and Disposition for three requests:
    -restrict "RequestId>=37,RequestId<40" -out "RequestId,Disposition"

To display Row Ids and CRL Numbers for all Base CRLs:
    -restrict "CRLMinBase=0" -out "CRLRowId,CRLNumber" %7
To display Base CRL Number 3:
    -v -restrict "CRLMinBase=0,CRLNumber=3" -out "CRLRawCRL" %7
To display the entire CRL table:
    %7
Use "Date[+|-%10]" for date restrictions
Use "%9+%10" for a date relative to the current time![ObjectId | %1 | %2 [CommonName]]ActivePendingIssuedRevokedErrorDeniedRenewal Cert[Stop and Start Active Directory Certificate Services to complete database restore from %ws.'Server ICertAdmin%ws interface is alive@Cannot open Active Directory Certificate Services database: %ws.OThe Certification Authority service must be stopped for direct database access.(Local)9%ws: No local Certification Authority; use -config optionReason: UnrevokejThis might be caused by:
	Inaccessible server
	No permissions on server
	Server not in the expected state
Dump PFX structure3Server "%ws" ICertRequest%ws interface is alive %wsConnecting to %ws .../Use HKEY_CURRENT_USER keys or certificate store0================ Certificate %d ================Enter new password:Confirm new password:$Password differs -- please try againMissing stored keysetBackupDirectory [%1] [%2],Backup Active Directory Certificate ServicesBackupDirectory-Restore Active Directory Certificate ServicesCertificateStoreName InFileAdd certificate to storeCertificateStoreName CertIdDelete certificate from storeCertificateStoreName [CertId]Verify certificate in storeDeleting Certificate %d: %wsVerifies against UNTRUSTED rootIncomplete certificate chainCertificate is valid
IncompleteErrorDeniedIssuedIssued Out of BandPendingRevoked(Certificate request for "%ws" is pending3Cannot add a non-root certificate to the root storeForce overwrite>Certificate or key exists.  Use the "%ws" option to overwrite.$Incremental database backup for %ws.Full database backup for %ws.Backed up database to %ws.Database logs were preserved.%Database logs successfully truncated.Restoring database for %ws.FileXObjectId [DisplayName | %1 [LanguageId [Type]]]
GroupId 
AlgId | AlgorithmName [GroupId]$Display ObjectId or set display nameUnknown ObjectId
Certfile [%1]+Import a certificate file into the database,Imported Certificate, Assigned RequestId %i.*Revocation check skipped -- server offline?Revocation check skipped -- no revocation information availableDisplay dynamic file List4[{%1|%2|%3|%4|%5|%6|%7|%8}\[%9\]][RegistryValueName]Display registry value8[{%1|%2|%3|%4|%5|%6|%7|%8}\[%9\]]RegistryValueName ValueSet registry value
Old Value:
New Value:AltName: %u entries:AltNameDisplay database locations)Not a valid backup target directory: %ws."Not a valid backup directory: %ws.(Backup content verification failed: %ws.%Incremental database restore for %ws.PAFull database restore for %ws.
Imported CertERROR: Cert is not yet validERROR: Cert has expired.ERROR: Cert Valid before issuing CA Cert Valid1ERROR: Cert Expires after issuing CA Cert Expires=Decoded extra Extension Array encoding layer (Teletex string)	ErrorCodeDisplay error code message text/Create/delete web virtual roots and file sharesWeb Virtual Root %wsFile Share %wsCreatedDeletedAlready Exists	Not FoundCreate ErrorDelete Error�Not Supported. The virtual directory cannot be created because the "IIS 6 Metabase Compatibility" role service is not installed. Install the "IIS 6 Metabase Compatibility" role service and run the command again.[%1]Backing up Database filesBacking up Log filesTruncating LogsRestoring Database filesRestoring Log filesMaximum Row IndexCA Cert
CA Cert Chain
Characters	OVERFLOW:Repeated "-%ws" option)Config string must include Authority namePA"CertFile -- certificate file to publish
%1 -- Publish cert to DS Enterprise store
%2 -- Publish cert to DS Trusted Root store
%3 -- Publish CA cert to DS CA object
%4 -- Publish cross cert to DS CA object
%5 -- Publish cert to DS Key Recovery Agent object
%6 -- Publish cert to User DS object
%7 -- Publish cert to Machine DS object
CRLFile -- CRL file to publish
DSCDPContainer -- DS CDP container CN, usually the CA machine name
DSCDPCN -- DS CDP object CN, usually based on the sanitized CA short name and key index
Use %8 to create DS object.3Ensure the server is correctly installed and retry.)Connecting to data source %hs as user %hs,Failed to connect to data source 0x%08x (%d)Converted %u rows2Skipped %u rows that already exist in new Database:Skipped %u rows not issued by this Certification AuthorityConverting Row %u/Row %u -- Skipping duplicate Serial Number: %wsHRow %u -- Skipping entry not issued by this Certification Authority: %ws)Converting source row %u to target row %u#Begin names table entries for %u.%u!End names table entries for %u.%u
Get SMTP info	LogonName
Set SMTP infoPA%u RowsRow PropertiesRequest AttributesCertificate ExtensionsTotal Fields6%4u %ws, Total Size = %u, Max Size = %u, Ave Size = %uPrivate key is NOT exportableEnterprise Root CAEnterprise Subordinate CAStand-alone Root CAStand-alone Subordinate CAUnknown CA Type: %u[%1] [Machine\ParentCAName])Renew Certification Authority certificateCert Hash(%ws):Error message text: %wsPA(================ CRL %d ================Deleting CRL %d: %wsCA Certs: %uKeys:Values:Load(CRL) returned %wsCRLERROR: CRL is not yet validERROR: CRL has expired-ERROR: CRL Valid before issuing CA Cert Valid0ERROR: CRL Expires after issuing CA Cert Expires8ERROR: Issuing CA Subject name does not match CRL Issuer*Issuing CA Subject name matches CRL Issuer3ERROR: CA did not issue CRL: Signature check failedCRL signature is validCA Key Id matches Key Id&ERROR: CA Key Id does not match Key Id	No Key Id
IncompleteUnavailableError: No CRL for this CertRevokedValidExpiredUnder SubmissionUnknown[KeyContainerName | -]List key containersKeyContainerNameDelete named key containerCertificate is REVOKEDCA cert verify statusPAFlags:8ERROR: Certificate public key does NOT match private keySignature test passedSignature test FAILEDDisplay DS Certificates[FullDSDN] | [CertId [OutFile]]Display DS CRLs![FullDSDN] | [CRLIndex [OutFile]][CN]Display DS DNsCN
Delete DS DNsDeleting[InfoName [Index | ErrorCode]]Display CA InformationInfoName argument syntax:	ErrorCode[Index]Force UTF-8Signature: UnusedBits=%uShort Name:Sanitized Short Name:SMIME Capabilities:
Request File:PKCS7 AttributeNo SignatureCertificate Sequence:Cannot find certificate:Valid Encrypted Key Hash[%1 | %2 | %3]'[%1 | %2 | %3 | %4 | %5 | %6 | %7] [%8]![FullDSDN] | [CRLIndex [OutFile]]PADisplay DS Delta CRLs+Display times with seconds and milliseconds2ERROR: CA Cert has no Basic Constraints2 Extension9ERROR: Cannot decode CA Cert Basic Constraints2 Extension+ERROR: CA Cert is an End Entity certificateCert is a CA certificate!Cert is an End Entity certificateElement %u:CMCCertificate is NOT valid: %wsEncryption test passedEncryption test FAILEDUse V1 interfacesFile versionProduct versionExit module countPAExit module descriptionPolicy module descriptionCA nameSanitized CA name
Shared folderCA type	Parent CA
CA cert countCA cert
CA cert chainCA exchange cert countCA exchange certCA exchange cert chainBase CRL	Delta CRLCA certCRLCA info$Display CA Property Type Information!Use ICertAdmin2 for CA PropertiesMaximum CA PropId(Select a certificate from a selection UICertificate ListList certificatesList certificates for ObjectId3List Enrollment Registration Authority certificates$List Key Recovery Agent certificatesKey Id Hash(%ws):CMS Certificate Request:
CMS Response:Tagged Attributes:Tagged Content Info:Tagged Requests:Tagged Other Messages:UNKNOWN Request Choice
Body Part Id:Cannot load key: %wsExpired certificateUnauthenticated AttributesContent TypeData ReferenceCert ReferenceValueUNKNOWN Tagged AttributeSigner CountSigner InfoHash Algorithm:Encrypted Hash Algorithm:Stored Hash%ws:Computed Hash%ws:
CMC Attribute%Exchange Authority Information AccessExchange VersionInFile [HashAlgorithm]3Generate and display cryptographic hash over a file%ws hash of %ws:CA Key Exchange CertificatePassNo RecipientRecipient CountRecipient InfoDNS NamehSearchToken [RecoveryBlobOutFile]
SearchToken %1 OutputScriptFile
SearchToken %2 | %3 OutputFileBaseNamegRetrieve archived private key recovery blob, generate a recovery script,
      or recover archived keys0RecoveryBlobInFile [PFXOutFile [RecipientIndex]]Recover archived private key
[File]Decrypted PKCS7 Message ContentCannot decrypt message content.LKey recovery requires one of the following certificates and its private key:User Certificate:Algorithm ClassAlgorithm TypeAlgorithm Sub-idCMC Status InfoBody Part Id Reference
Status StringOther Info Choice	Fail InfoPend Token:	Pend TimeNCertFile [%1 | %2 | %3 | %4 | %5 | %6 | %7]
CRLFile [DSCDPContainer [DSCDPCN]].Publish certificate or CRL to Active Directory1Could not load Certificate or CRL from file (%ws)UserAuthenticated SessionSmartcard Logon	Basic EFS
AdministratorEFS Recovery AgentCode SigningTrust List SigningComputerDomain Controller
Web ServerKDCRoot Certification Authority#Subordinate Certification AuthorityEnrollment AgentSmartcard UserUser Signature OnlydThe value for the following key is incorrect in the INF file. It should be a non-zero numeric value.IPSecmThe value for RenewalValidityPeriodUnits is incorrect in CAPolicy.inf. It should be a non-zero numeric value.IPSec (Offline request)�The value for RenewalValidityPeriod is incorrect in CAPolicy.inf. It should be one of the following: Years, Months, Weeks or Days (in English).Router (Offline request)reqOpen Request File�Request Files (*.req; *.txt; *.cmc; *.der)|*.req;*.txt;*.cmc;*.der|Certificate Files(*.cer; *.crt; *.der)|*.cer;*.crt;*.der|All Files (*.*)|*.*||Please enter a computer name.7Please make sure there is a running CA on the computer.�There is no matched CA on the computer. This might be caused by the computer being offline. Please contact the system administrator or select a different CA.@Cannot ping the selected CA. Please make sure the CA is running.+Exchange Enrollment Agent (Offline request)
Exchange UserExchange Signature OnlyeThere are no published CAs available. Please contact the system administrator or select a CA by name.Enrollment Agent (Computer)Save Request FileCEP EncryptionBuilt PolicyPolicy ElementPolicy Statement Extension!Policy inf missing section or keyOpened Policy infCannot open Policy infBeginEnd	Manage CAIssue and Manage CertificatesManage Audit LogsBackup and RestoreReadRequest CertificatesPAClosed Policy infMessage Box�The value for RenewalValidityPeriod is incorrect in unattended answer file. It should be one of the following: Years, Months, Weeks or Days (in English).Key Recovery AgentCA Exchange Cross Certification Authority Domain Controller AuthenticationDirectory Email Replication/
You have configured this Web client to forward requests to an enterprise CA. If the CA is using the enterprise default policy module, this computer must have delegation enabled and use Kerberos authentication. To enable delegation, see 'Allow computer accounts to be trusted for delegation' help topic.KThe Web client cannot be configured to forward requests to the selected CA.sThe value for the following key is incorrect in the INF file. It should be a boolean value (Yes/No/True/False/0/1).Workstation AuthenticationRAS and IAS Server
Low AssuranceMedium AssuranceHigh AssuranceOCSP Response SigningKerberos AuthenticationPAKey recovery agentDirectory e-mail replication'Cross-certified certification authorityCertification authority (CA)ComputerUserUnknownActive Directory KRAActive Directory AIALogged on userLocal systemusername/passwordcertificatewindows integrated	anonymousunknowncredential is privatePABytes%ws already in DS store.CertificateSubject Key Id (%ws):precomputedCannot open Cert store.NCannot open existing Cert store.  Use %ws option to force Cert store creation.JCertificateStoreName CertIdList [PropertyInfFile | SDDLSecurityDescriptor]RRepair key association or update certificate properties or key security descriptor
%d bit keyDelete registry value Cannot verify detached signature1[CertificateStoreName] CertId PFXFile [Modifiers]"Export certificate and private key*[CertificateStoreName] PFXFile [Modifiers]"Import certificate and private keyPA
[Template]Display DS Template AttributesTemplateInfFileAdd DS TemplatesCreated DS TemplateUpdated DS Template)%ws: -%ws command completed successfully.DThe %ws service may need to be restarted for changes to take effect.
[Template]#Display Enrollment Policy templatesTemplateDisplay CAs for template
[Template]Display templates for CADisplay user templatesDisplay machine templatesTemplate Extensions:'Enter new password for output file %ws:Enter password for %ws:!Encode text without CR charactersInFile OutFile [type]Encode file in hexadecimalEmbedded ASN.1 Element:0Split embedded ASN.1 elements, and save to files7Use local machine Enterprise registry certificate storeNo root certificates found.Invalidity DateQuerying %wsRole SeparationVerified Issuance PoliciesVerified Application Policies[URL | %1 | %2 [%3]]#Display or delete URL cache entriesKRA cert countKRA cert used countKRA certInvalid ObjectId or AlgorithmPKCS7/CMS Message:No display names
Type mismatchLocalized nameCSP Provider Info�InFileList|SerialNumber|%1 OutFileList [StartDate[+|-%9]+|-%9] [+SerialNumberList | -SerialNumberList | -ObjectIdList | @ExtensionFile]
InFileList|SerialNumber|%1 OutFileList [#HashAlgorithm] [+%6 | -%6]
InFileList OutFileList [%10] [%11hex data]Re-sign CRL or certificateSigning certificate Subject%RowId | Date [%1 | %2 | %3 | %4 | %5]Delete server database rowRows deleted: %uPAPOne of the following tables must be specified when deleting rows older than %ws:(The date specified is in the future: %wsCRL Hash(%ws):Include CRLs
Full ResponseCA cert chain with CRLs CA exchange cert chain with CRLs&Pulse autoenrollment event or NGC taskDomainName\MachineName$3Display Active Directory machine object information%Machine object missing %ws attribute.Group Memberships:[Domain] [%1 | %2 | %3]%Display domain controller informationEnterprise Root store: %wsKDC certificates: %wsDC UNAVAILABLE: %ws*** Testing DC[%u]: %ws*** Enterprise Root Certificates for DC %ws** KDC Certificates for DC %wsUnknown PropertyTemplatePublic Key Length: %u bitsAdvanced ServerCRL Publish StatusDelta CRL Publish Status	TemplatesParameter = %xParameter Flags = %x	Archived!DomainName\MachineName$Display enterprise informationDisplay CA informationDSS Key Length: %u bits(================ CTL %d ================
Client Id:User:Machine:Certificate Trust List:List Identifier:Sequence Number:Subject Algorithm:CTL Entries:Usage Entries:Subject Identifier%ws:View Certificate StoreSelect CertificateSelect Certificate to DeletePASaved certificate %wsDeleted certificate %wsEnroll-on-Behalf-of[ReaderName [%1]]Display smart card informationService is paused.Service is stopped.Service is in an unknown state.5The Microsoft Smart Card Resource Manager is running.9The Microsoft Smart Card Resource Manager is not running.0Found AT_SIGNATURE key but no AT_KEYEXCHANGE key Server could not be reached: %wsSelect Decryption CertificateForeign CertKRA CertUPN:PASubject Unmodified
Publish ErrorNULL signature verifiesSource Url Name:Local File Name:
Use Count: %dHit Rate: %d
File Size: %dLast Modified Time:Expire Time:Last Access Time:Last Sync Time:6Error: Check machine name.  Should be domain\computer$#%ws is missing trailing $, correct?Issuer Domain Policy = Subject Domain Policy = PAMap[%u]:Cert Type not DC: %wsCert Usage missing %wsDeleted KDC certificate!+CertDeleteCertificateFromStore failed! - %x%u KDC certificates for %wsNo KDC Certificate in MY store)No certificates in Enterprise Root store!-CertOpenStore on remote My store failed! - %x%Error Getting Archived Prop bit! - %x++ Archived Certificate +++No Autoenrolled Certificates in MY store!!!,CertOpenStore on remote ent store failed! %xNo Autoenrollment Objects!!!
No Access!*Retrieve and verify AIA Certs and CDP CRLsPAfDefaults to Request and Certificate table
%1 -- Extension table
%2 -- Attribute table
%3 -- CRL table
$CA Registry Validity Period: %ws %ws Supported Certificate Templates:$No supported Certificate Templates::$CA Name property fetching failed! %xCA Name: %ws%DNS Name property fetching failed! %xMachine Name: %wsDS Location: %ws$Cert DN property fetching failed! %xCert DN: %ws$Sig Alg property fetching failed! %xSupported signature algs: %ws %No signature algs on DS! <Unexpected> No Certificate types for this CA2No certificate type returned, although one exists!PA�No CA's listed in the domain. The configuration might be stored in the root domain. Use the -dc option to target your root domain controller for the information.Cannot access DFS shareDFS Data is accessible No entries found in Ping Search! No DSPath for Policy [non-fatal]!RegQueryValue (DSPATH) failed! %x%No FileSysPath for Policy [non-fatal]Done. ldap search (%ws) found 0 items!2=========== Root Certs in policy =================Certificate %u:.No Root Certificates in Policy on this machine#Check event log for UserEnv errors!)====  Policies Processed for MACHINE  ===)====  Policies Processed for USER     ===?Possibly No Policies applied. See Event Log for Userenv errors!#Target a specific Domain ControllerDCName
Display Name:Computer Name: %wsUser Name: %ws
bad option ++++++++  MACHINE: %ws  ++++++++### Key:
GPO Name: %ws$Signature matches request Public Key
ColumnListComma separated Column ListRestrictionList Comma separated Restriction ListMachine\CANameCA and Machine name stringPA"Display a verb list (command list)$Display help text for the "%ws" verb#Display all help text for all verbsImported foreign certificateImported certificateCertificate already importedArchived key updatedArchived keyKey already archivedIgnored signing certificateUsersIgnored signature certificatesCertificates with keysForeign certificates importedCertificates already importedCertificates importedCertificates not importedKeysKeys already archivedKeys updated
Keys archivedKeys not archivedMerge PFX files$PFXInFileList PFXOutFile [Modifiers]OnlineOFFLINEPrevious CA Cert HashMessage DigestArchived Key Cert HashIssued Cert HashEncrypted Key Hash
CRL NumberPAMinimum Base CRL NumberVirtual Base CRL NumberCRL Next PublishSigning Time
Delta CRL CDPCRL Self CDPApplication PoliciesApplication Policy MappingsApplication Policy ConstraintsPolicy MappingsPolicy ConstraintsCounter Signature%%u Machine certificates (%u archived)for %wsV1 Autoenrollment Objects:Skipping CSP at index %uProvider Name:Provider Type:Private key verifiesProcessing KMS exports from:User:Encrypted key:Decrypted key:Failed to import symmetric key5Lock box opened, symmetric key successfully decrypted(Moved AT_SIGNATURE key to AT_KEYEXCHANGEValidated Cert Types	Cert Type==== %u CAs on %ws Domain ====)CACountCAs inconsistent with CAEnumNextCACached LDAP DCCurrent reader/card status:PA,SCardEstablishContext failed for user scope.2A list of smart card readers cannot be determined.-SCardListReaders failed for SCARD_ALL_READERS.No smart card readers are currently available.5A list of smart card readers could not be determined.Readers:--- Reader:--- Status:No card.+The card is unrecognized or not responding..Card is in use exclusively by another process.&The card is being shared by a process.The card is available for use.Card/Reader not responding.---   Card:
Unknown Card.*Performing %ws public key matching test...$%ws succeeded but returned zero size&Public key from KeyProvInfo container:Public key from Cert:"Public key matching test succeededChain on smart card is invalidChain validatesNo %ws key for reader:#Cannot open the %ws key for reader:!No %ws cert retrieved for reader:%Performing cert chain verification...Displayed %ws cert for reader:Analyzing card in reader:%Cannot retrieve Provider Name for %ws�%1 -- Failed and pending requests (submission date)
%2 -- Expired and revoked certificates (expiration date)
%3 -- Extension table
%4 -- Attribute table
%5 -- CRL table (expiration date)

To delete failed and pending requests submitted by January 22, 2001:
    1/22/2001 %1
To delete all certificates that expired by January 22, 2001:
    1/22/2001 %2
To delete the certificate row, attributes and extensions for RequestId 37:
    37
To delete CRLs that expired by January 22, 2001:
    1/22/2001 %5AllPANoneSelect Certificate or CRL/Certificate Files|*.cer;*.crt|CRL Files|*.crl||cerConvert PFX files to EPF file6PFXInFileList EPFOutFile [%1 | %2] [V3CACertId][,Salt]FERROR: Could not find a matching user or computer in Active Directory.KMS CA Certificate ListSelect KMS CA certificate�RequestId -- numeric Request Id of a pending request
ExtensionName -- ObjectId string of the extension
Flags -- 0 is recommended.  1 makes the extension critical,
2 disables it, 3 does both.
If the last parameter is numeric, it is taken as a Long.
If it can be parsed as a date, it is taken as a Date.
If it starts with '@', the rest of the token is the filename containing binary data or an ascii-text hex dump.
Anything else is taken as a String.�InFileList -- comma separated list of Certificate or CRL files to modify
         and re-sign
SerialNumber -- Serial number of certificate to create
         Validity period and other options must not be present
%1 -- Create an empty CRL
         Validity period and other options must not be present
OutFileList -- comma separated list of modified Certificate or CRL output
         files.  The number of files must match InFileList.
StartDate[+|-%9]+|-%9 -- new validity period: optional date plus
         optional days and hours start date offset and optional
         days and hours validity period
         If multiple fields are used, use a (+) or (-) separator
         Use "%7[+%9]" to start at the current time
         Use "%7-%9+%9" to start at a fixed offset from the current
         time and a fixed validity period
         Use "%8" to have no expiration date (for CRLs only)
SerialNumberList -- comma separated serial number list to add or remove
ObjectIdList -- comma separated extension ObjectId list to remove
@ExtensionFile -- INF file containing extensions to update or remove:
        %2
        %3 Remove CRL Distribution Points extension
        %4 Update Key Usage extension
        %5
HashAlgorithm -- Name of the hash algorithm preceded by a # sign
%6 -- alternate Signature algorithm specifier

 
A minus sign causes serial numbers and extensions to be removed.
A plus sign causes serial numbers to be added to a CRL.
When removing items from a CRL, the list may contain both serial numbers
and ObjectIds. 
A minus sign before %6 causes the legacy signature format to be used. 
A plus sign before %6 causes the alternature signature format to be used. 
If %6 is not specifed then the signature format in the certificate or CRL is used. �InfoName -- indicates the CA property to display (see below)
        Use "*" for all properties
Index -- optional zero-based property index
ErrorCode -- numeric error code�%1 -- Use CA's registry key
%2 -- Use CA's restore registry key
%3 -- Use policy module's registry key
%4 -- Use first exit module's registry key
%5 -- Use template registry key (use -user for user templates)
%6 -- Use enrollment registry key (use -user for user context)
%7 -- Use chain configuration registry key
%8 -- Use Policy Servers registry key
%9 -- Use policy or exit module's ProgId (registry subkey name)

RegistryValueName -- registry value name (use "Name*" to prefix match)
Value -- new numeric, string or date registry value or filename.
    If a numeric value starts with "+" or "-", the bits specified
    in the new value are set or cleared in the existing registry value.

    If a string value starts with "+" or "-", and the existing value
    is a REG_MULTI_SZ value, the string is added to or removed from
    the existing registry value.
    To force creation of a REG_MULTI_SZ value, add a "\n" to the end
    of the string value.

    If the value starts with "@", the rest of the value is the name
    of the file containing the hexadecimal text representation
    of a binary value.
    If it does not refer to a valid file, it is instead parsed as
    [Date][+|-][%11] -- an optional date plus or minus optional
    days and hours.
    If both are specified, use a plus sign (+) or minus sign (-) separator.
    Use "%10+%11" for a date relative to the current time.
    Use "%13" as a suffix to create a REG_QWORD value.

Use "%7\%12 @%10" to effectively flush cached CRLs.�%3 -- new CRL validity period in days and hours
%1 -- republish most recent CRLs
%2 -- delta CRLs only (default is base and delta CRLs)fIndex -- CRL index or key index (defaults to CRL for newest key)
%1 -- delta CRL (default is base CRL)�CertFile -- Certificate to verify
ApplicationPolicyList -- optional comma separated list of required
        Application Policy ObjectIds
IssuancePolicyList -- optional comma separated list of required Issuance
        Policy ObjectIds

CACertFile -- optional issuing CA certificate to verify against
CrossedCACertFile -- optional certificate cross-certified by CertFile

CRLFile -- CRL to verify
IssuedCertFile -- optional issued certificate covered by CRLFile
DeltaCRLFile -- optional delta CRL

If ApplicationPolicyList is specified, chain building is restricted to
        chains valid for the specified Application Policies.
If IssuancePolicyList is specified, chain building is restricted to chains
        valid for the specified Issuance Policies.

If CACertFile is specified, fields in CACertFile are verified against
        CertFile or CRLFile.
If CACertFile is not specified, CertFile is used to build and verify a full
        chain.
If CACertFile and CrossedCACertFile are both specified, fields in
        CACertFile and CrossedCACertFile are verified against CertFile.

If IssuedCertFile is specified, fields in IssuedCertFile are verified
        against CRLFile.
If DeltaCRLFile is specified, fields in DeltaCRLFile are verified against
        CRLFile.SKeyContainerName -- key container name of the key to verify
        Defaults to machine keys.  Use -user for user keys
CACertFile -- signing or encryption certificate file
If no arguments are specified, each signing CA cert is verified against its
        private key.
This operation can only be performed against a local CA or local keys.�CertificateStoreName -- Certificate store name.  Examples:
        "%1", "%2" (default), "%3",

        "%10" (View Root Certificates)

        "%11" (Modify Root Certificates)

        "%12" (View CRLs)

        "%13" (Enterprise CA Certificates)
        %16 (AD machine object certificates)
        %5 %16 (AD user object certificates)

CertId -- Certificate or CRL match token.  This can be a serial number,
        an SHA-1 certificate, CRL, CTL or public key hash,
        a numeric cert index (0, 1, etc.),
        a numeric CRL index (.0, .1, etc.),
        a numeric CTL index (..0, ..1, etc.),
        a public key, signature or extension ObjectId,
        a certificate subject Common Name,
        an e-mail address, UPN or DNS name,
        a key container name or CSP name,
        a template name or ObjectId,
        an EKU or Application Policies ObjectId,
        or a CRL issuer Common Name.
        Many of the above may result in multiple matches.
OutputFile -- file to save matching cert
Use %5 to access a user store instead of a machine store.
Use %4 to access a machine enterprise store.
Use %14 to access a machine service store.
Use %15 to access a machine group policy store.

Examples:
%6
%7
%8
%9oCertificateStoreName -- Certificate store name.  See -store.
InFile -- Certificate or CRL file to add to store.sCertificateStoreName -- Certificate store name.  See -store.
CertId -- Certificate or CRL match token.  See -store.�BackupDirectory -- directory to store backed up data
%1 -- perform incremental backup only (default is full backup)
%2 -- preserve database log files (default is to truncate log files)�BackupDirectory -- directory to store backed up database files
%1 -- perform incremental backup only (default is full backup)
%2 -- preserve database log files (default is to truncate log files)8BackupDirectory -- directory to store backed up PFX file;BackupDirectory -- directory containing data to be restoredEBackupDirectory -- directory containing database files to be restoredbBackupDirectory -- directory containing PFX file to be restored
PFXFile -- PFX file to be restored�CertificateStoreName -- Certificate store name.  See -store.
CertId -- Certificate or CRL match token.  See -store.
PFXFile -- exported PFX data output file
Modifiers -- Comma separated list of one or more of the following:
        %5 -- Do not export the certificate chain
        %6 -- Do not export the root certificate
        %9 -- Include extended properties
        %10 -- Do not encrypt the certificates
        %11 -- Encrypt the certificates
        %12 -- Export Parameters
        %13=AlgorithmString -- Cryptographic Algorithm
          AlgorithmString Examples:
            %14
            %15
Defaults to personal machine store.:CertificateStoreName -- Certificate store name.  See -store.
PFXFile -- PFX file to be imported
Modifiers -- Comma separated list of one or more of the following:
        %1 -- Change the KeySpec to Signature
        %2 -- Change the KeySpec to Key Exchange
        %3 -- Make the private key non-exportable
        %4 -- Do not import the certificate
        %5 -- Do not import the certificate chain
        %6 -- Do not import the root certificate
        %7 -- Protect keys with password
        %8 -- Do not password protect keys
Defaults to personal machine store.IUserKeyAndCertFile -- Data file containing user private keys and
certificates to be archived.  This can be any of the following:
        Exchange Key Management Server (KMS) export file
        PFX file
CertId -- KMS export file decryption certificate match token.  See -store.
Use %1 to import certificates not issued by the CA.7PFXInFileList -- Comma separated PFX input file list
PFXOutFile -- PFX output file
Modifiers -- Comma separated list of one or more of the following:
        %9 -- Include extended properties
        %10 -- Do not encrypt the certificates
        %11 -- Encrypt the certificates
The password specified on the command line is a comma separated password
list.  If more than one password is specified, the last password is used
for the output file.  If only one password is provided or if the last
password is "*", the user will be prompted for the output file password. PFXInFileList -- Comma separated PFX input file list
EPF -- EPF output file
%1 -- Use CAST 64 encryption
%2 -- Use CAST 64 encryption (export)
V3CACertId -- V3 CA Certificate match token.  See -store CertId description.
Salt -- EPF output file salt string
The password specified on the command line is a comma separated password
list.  If more than one password is specified, the last password is used
for the output file.  If only one password is provided or if the last
password is "*", the user will be prompted for the output file password.WRequestId -- numeric Request Id of pending request
AttributeString -- Request Attribute name and value pairs
        Names and values are colon separated.
        Multiple name, value pairs are newline separated.
        Example: "CertificateTemplate:User\nEMail:User@Domain.com"
        Each "\n" sequence is converted to a newline separator.�SerialNumber -- Comma separated list of certificate serial numbers to revoke
Reason -- numeric or symbolic revocation reason:
        0: %1  -- Unspecified (default)
        1: %2  -- Key Compromise
        2: %3  -- CA Compromise
        3: %4  -- Affiliation Changed
        4: %5  -- Superseded
        5: %6  -- Cessation of Operation
        6: %7  -- Certificate Hold
        8: %8  -- Remove From CRL
        9: %9  -- Privilege Withdrawn
        10: %10 -- AA Compromise
        -1: %11 -- Unrevoke�Use %1 to import the certificate in place of a pending request for the same key. 
Use %2 to import certificates not issued by the CA.
The CA may also need to be configured to support foreign certificate import:
     %3\OutCACertFile -- output file
Index -- CA certificate renewal index (defaults to most recent)aOutCACertChainFile -- output file
Index -- CA certificate renewal index (defaults to most recent)LUse %2 to ignore an outstanding renewal request, and generate a new request.Verify Certificate or CRL URLsInFile | URL#Certificate "%ws" already in store.!Certificate "%ws" added to store.CRL "%ws" already in store.CRL "%ws" added to store.CTL %ws already in store.CTL %ws added to store.KMS V1 CA Certificate ListSelect KMS V1 CA certificateError message textPA!Error message text and error code
RetrievingSuccessFailed	VerifyingVerify FailureNo URLsErrorExpiredWrong IssuerRevokedRevocation Check FailedNo CRLOKCDPAIABase CRL	Delta CRLCertificateNoneStatusTypeUrlRetrieval TimeGetObjectUrlCertificate SubjectBase CRL IssuerDelta CRL IssuerNo SelectionNo Certificate Selected%Error Opening Certificate or CRL FileSelect Certificate or CRLError InformationError retrieving URL: %wsNo URLs found: %wsoCannot find KMS CA certificate required to construct the EPF file.
Enroll a client in the same KMS and use Outlook to save the user keys
to an EPF file.  Take the EPF file to the current machine and use certutil
to dump the EPF file.  This will import the needed KMS CA certificates into
the local machine cert store, making them available to construct new EPF files.a%1 -- generate a script to retrieve and recover keys (default behavior
        if multiple matching recovery candidates are found, or if the
        output file is not specified).
%2 -- retrieve one or more Key Recovery Blobs (default behavior if
        exactly one matching recovery candidate is found, and if the output
        file is specified)
%3 -- retrieve and recover private keys in one step (requires Key
        Recovery Agent certificates and private keys)
SearchToken -- Used to select the keys and certificates to be recovered.
        Can be any of the following:
        Certificate Common Name
        Certificate Serial Number
        Certificate SHA-1 hash (thumbprint)
        Certificate KeyId SHA-1 hash (Subject Key Identifier)
        Requester Name (domain\user)
        UPN (user@domain)
RecoveryBlobOutFile -- output file containing a certificate chain and an
        associated private key, still encrypted to one or more Key Recovery
        Agent certificates.
OutputScriptFile -- output file containing a batch script to retrieve and
        recover private keys.
OutputFileBaseName -- output file base name.
        For %2, any extension is truncated and a certificate-specific
        string and the %4 extension are appended for each key recovery
        blob.  Each file contains a certificate chain and an associated
        private key, still encrypted to one or more Key Recovery Agent
        certificates.
        For %3, any extension is truncated and the %5 extension is
        appended.  Contains the recovered certificate chains and associated
        private keys, stored as a PFX file.%ws deleted from DS store.Forward cross certBackward cross certForward cross certBackward cross certKRA cert	Not foundInvalid	UntrustedPA
Not loaded
CA cross certSystem default Language Id:!Version %u certificates and keys:Use old PFX encryptionCertificate signature is validKey usage countDisabled
Not supportedCA cert version!Enabled Active Server Pages (ASP))Active Server Pages (ASP) already enabled(Error enabling Active Server Pages (ASP)MISSING!!Sanitized CA short name (DS name)!WinINet Cache entries deleted: %uWinINet Cache entries: %u	PermittedExcluded
IP AddressMask�URL -- cached URL
%1 -- operate on all cached CRL URLs only
%2 -- operate on all cached URLs
%3 -- delete relevant URLs from the current user's local cache
Use %4 to force fetching a specific URL and updating the cache.SubtreeRelated Certificates:
Related CRLs:Exact match:Protect keys with passwordSet templates for CA[+ | -]TemplateListAddingRemovingAlready presentNot present"KMS export file signature verifiesAutoEnroll Property	RequestId	Authority
Friendly NameToken matchBad Asn length encodingAsn encoding: %x extra bytes$%ws key verifies against certificate"%ws key does not match certificateExpectedPublic key:Cert Public key:certificatesSigningPAExchange LoadCert(CACrossed) returned %wsCrossed CA CertCrossed CA Cert Serial Number:,Crossed CA Subject name matches Cert Subject:ERROR: Crossed CA Subject name does not match Cert Subject&Crossed CA public key matches Cert key5ERROR: Certificate public key does NOT match Cert key5Crossed CA Subject Key Id matches Cert Subject Key Id.ERROR: Crossed CA Key Id does not match Key IdCA Cert
canonicalized#A required CRL extension is missingVerifiedBad CA Cert SubjectBad Cert IssuerOld Base CRLBad Authority Key IdNo IDP Intersection,ERROR: CRL Issuer does not match Cert IssuerCRL Issuer matches Cert IssuerProvider0ERROR: CRL IDP extension does not match Cert CDP1ERROR: CRL Issuer does not match Delta CRL Issuer#CRL Issuer matches Delta CRL Issuer6WARNING: CRL CA Version does not match Cert CA Version;WARNING: CRL CA Version does not match Delta CRL CA Version2ERROR: CRL Number less than Delta CRL Minimum BaseERROR: CRL is not a Base CRLERROR: CRL is not a Delta CRLVerifying Issued Certificate:Verifying Delta CRL:!WinHttp Cache entries deleted: %uWinHttp Cache entries: %uMeta File Name:WinINet Cache entry:WinHttp Cache entry:CANameMachineNameTime:Certificate AIACertificate CDPBase CRL CDP!URL fetch timeout in millisecondsTimeoutCannot export public key%Display password and private key dataOCSPDecode ErrorUnsuccessfulUnsupported	No SignerInvalid Signature
OCSP Request:OCSP Response:Produced AtOCSP Response Entries:OCSP Response InfoOCSP Request Entries:OCSP Request InfoIssuer Name Hash(%ws):Issuer Key Hash(%ws):Serial Number Not FoundUnknownInvalid Signer EKUSigner Expired
Revoked As OfCertificate OCSPParse ASN.1 fileFile [type]
DECODE ERROR!Unique container nameTo be backed upExpected Base CRLExpected Delta CRLDefault ContainerEnd Of Content4Install a Certification Authority on current machine#Manage smart card root certificatesRoot Certificate ProvisioningPAt%1 [%5][InputRootFile] [ReaderName]
%2 %6OutputRootFile [ReaderName]
%3 [InputRootFile | ReaderName]
%4 [ReaderName]Use hash of data as signatureSimple container nameCipher AlgorithmsHash Algorithms Asymmetric Encryption AlgorithmsSecret Agreement AlgorithmsSignature AlgorithmsRNG Algorithms Display COM registry information [ClassId | ProgId | DllName | *]YesNoAllowDenyCA AdministratorPACertificate ManagerReadEnrollAuto-EnrollFull ControlWriteAdministrator permissions are needed to use the selected options.  Use an administrator command prompt to complete these tasks.�The restored CA certificate has expired. Before restarting Active Directory Certificate Services you must renew the CA certificate.2Create/delete web virtual roots for OCSP web proxy[%1]"The OCSP Web Proxy already exists.RName of Symmetric Key Algorithm with optional key length, example: AES,128 or 3DES!SymmetricKeyAlgorithm[,KeyLength]1This verb has been restricted by Common Criteria.rThe certification propagation service could not be contacted. Your root certificates may not be available for use.Content Encryption Algorithm:$Encode text without CR-LF characters"Write redirected output in UnicodeEnumerate certificate stores[\\MachineName]#MachineName -- remote machine name.Use service certificate store"Use Group Policy certificate store%Install default certificate templates�CertificateStoreName -- Certificate store name.  See -store.
CertIdList -- comma separated list of Certificate or CRL match tokens.
        See -store's CertId description.
PropertyInfFile -- INF file containing external properties:
        %1
        %2 Add archived property, OR:
        %3 Remove archived property

        %4 "%5Friendly Name" ; Add friendly name property

        %6 Add custom hexadecimal property
          %7
          %8

        %9 Add Key Provider Information property
          %10Container Name%11
          %12
          %13
          %14
          %15

        %16 Add Enhanced Key Usage property
          %17
          %18 Dump smart card file information[ReaderName]Cannot read fileSuccessfully uncompressedCannot uncompress fileFailed to authenticate to card"Successfully authenticated to cardPAReading directory
Enter PIN:� Each restriction consists of a column name, a relational operator and
 a constant integer, string or date. One column name may be preceded
 by a plus or minus sign to indicate the sort order.
 Examples:
    %1
    %2
    %3Provider Aliases:Provider Module:Display CNG ConfigurationDisplay Enrollment Policy CAs[CAName | TemplateName]Manage Site Names for CAs [%1] [SiteName]
%2 [SiteName]
%3Out of dateSuccessfully updatedUpdate errorAsymmetric AlgorithmsAll AlgorithmsEnrollment Policy Server ListPASelect Policy ServerDefault---    ATR:Display AD templates
[Template]Display AD CAs[CAName]Display Enrollment PolicyPolicy Server URL or IdURLOrIdDistinguishedName,type -- numeric CRYPT_STRING_* decoding type,type -- numeric CRYPT_STRING_* encoding typeBERROR: Could not verify certificate public key against private keyEnrollment Policy UrlEnrollment Policy IdPAFlagsEnrollment Server Url
Request IdAuthentication	Url Flags$Add an Enrollment Server application%1 | %3 | %5 [%10] [%11]jAdd an Enrollment Server application and application pool if necessary,
for the specified CA. This command does not install binaries or packages
One of the following authentication methods with which the client connects
to a Certificate Enrollment Server
        %1 -- %2
        %3 -- %4
        %5 -- %6
        %10 -- Only renewal requests can be submitted to this
                             CA via this URL
        %11 -- Allows use of a certificate that has no
                          associated account in the AD. This applies only
                          with ClientCertificate and AllowRenewalsOnly mode.'Delete an Enrollment Server application%1 | %3 | %54Delete an Enrollment Server application and application pool if necessary,
for the specified CA. This command does not remove binaries or packages
One of the following authentication methods with which the client connects
to a Certificate Enrollment Server
        %1 -- %2
        %3 -- %4
        %5 -- %6.$Install succeeded with warnings: %ws&UnInstall succeeded with warnings: %wsSmart Card Serial Number:ObjectId	ObjectIds	Extension
ExtensionsTemplate	TemplatesCACAsUse anonymous SSL credentialsUse Kerberos SSL credentials%Use X.509 Certificate SSL credentialsClientCertId%Use named account for SSL credentialsUserNameConflicting SSL credentialsCertificate List(Select client authentication certificateCA locale namePABDisplay, add or delete enrollment server URLs associated with a CA6[URL AuthenticationType [Priority] [Modifiers]]
URL %9xAuthenticationType -- Specify one of the following client authentication methods while adding a URL
        %1 -- %2
        %3 -- %4
        %5 -- %6
        %7 -- %8.
%9 -- deletes the specified URL associated with the CA.
Priority -- defaults to '1' if not specified when adding a URL.
Modifiers -- Comma separated list of one or more of the following:
        %10 -- Only renewal requests can be submitted to this
               CA via this URL
        %11 -- Allows use of a certificate that has no
               associated account in the AD. This applies only with
               ClientCertificate and AllowRenewalsOnly Mode.Priority1Display or delete Enrollment Policy Cache entries[%1]R%1 -- delete Policy Server cache entries
%2 -- use %2 to delete all cache entries.
NextUpdate
LastUpdateUrlIdDefaultPathAuthenticationAllowUntrustedCAPriorityPACache file existsDeleting cache entry!
No cache file"Url does NOT match cache file nameCache DirectoryOrphaned Cache file/Display, add or delete Credential Store entries[URL]
URL %3
URL %1URL -- target URL.  Use %4 to match all entries
        Use %5 to match a URL prefix
%3 -- add a Credential Store entry
        SSL credentials must also be specified
%1 -- delete Credential Store entries
%2 -- use %2 to overwrite an entry or to delete multiple entries.
Enforce UTF-8Name
Friendly NameUrlIdPassword
CredentialCredentialsEnrollment CertificateEnrollment Username/PasswordSchemaId
PropertiesDeletingSettingIndefinite Length'%1 -- Delete all keys on the smart card(================ Url %d ================"ERROR: Container name inconsistentBFor selection U/I, use %3%1 %3
For all Policy Servers, use %3%1 %2For selection U/I, use %2%1 %2For selection U/I, use %2%1 %2@WARNING: CA certificate expires before registry validity period.AddedPA	AnonymousKerberosCertificateUsernameUnknownWeb Enrollment Servers:Matches�You must install the Certificate Enrollment Web Service using Server Manager or ServerManagerCmd.exe before adding an enrollment server application.(To import a foreign certificate, see %ws Enrollment Server AuthenticationAdd a Policy Server application%1 | %3 | %5 [%10]
Add a Policy Server application and application pool if necessary. This command
does not install binaries or packages
One of the following authentication methods with which the client connects
to a Certificate Policy Server
        %1 -- %2
        %3 -- %4
        %5 -- %6
        %10 -- Only policies that contain KeyBasedRenewal
                          templates are returned to the client. This flag
                          applies only for UserName and ClientCertificate
                          authentication."Delete a Policy Server application%1 | %3 | %5 [%10]BDelete a Policy Server application and application pool if necessary. This
command does not remove binaries or packages
One of the following authentication methods with which the client connects
to a Certificate Policy Server
        %1 -- %2
        %3 -- %4
        %5 -- %6
        %10 -- KeyBasedRenewal policy server.�You must install the Certificate Enrollment Policy Web Service using Server Manager or ServerManagerCmd.exe before adding a policy server application.*ERROR: Signed signature algorithm conflict*ERROR: Signed signature parameter conflictAllowRenewalsOnlyAllowKeyBasedRenewalWrite output file in UnicodeSubject Template OIDs�ERROR: The password you specified is incorrect.
However, you have permission to access the PFX without a password.
Re-run the command without specifying a password.PFX protected password: "%ws"
IThe PFX protected password is incorrectly stored in the PFX file. It is:
PFX protected to:
ANDORSuccessfully deletedAlready deletedSet, Verify or Delete CA site names
        Use the %4 option to target a single CA (Default is all CAs)
        SiteName is allowed only when targeting a single CA
        Use %5 to override validation errors for the specified SiteName
        Use %5 to delete all CA site names*Specified and Detected site names conflictExistingDetectedSKIPPED"[MaxSecondsToWait | CAMachineList]�CAMachineList -- Comma-separated CA machine name list
        For a single machine, use a terminating comma
        Displays the site cost for each CA machine'ERROR: missing key association propertyName Hash(%ws):Signature Hash:Cached Key Identifier:No container name matchERROR: wrong KeyId!Found exact matchNo KeyId match"WARNING: different container name!!Comma separated SAM Name/SID ListSAMNameAndSIDListCAs	DecryptedFull query resultsFull Results	Key QueryKey Recovery ErrorsKey Blob
Key Handle	Key StateKRA certNoNo archived key to recover.Recovery	RetrievalendPAstartQueries
Query matches	RecoveredRecovered CertificatesRecovered key filesRecovery blobs retrievedRecovery CandidatesRecovery ErrorsRecovery ResultRetrieved key filesRetrieved KeysRetrieved, but not RecoveredRows
Rows (no key)Script filePAStateToken Query
Total QueriesYesSmart Card PINMissing output script filename.Missing output file base name.Use %ws to delete all entries.Error saving key dataTOne of the following Key Recovery Agent certificates is required to recover the key:File(Private key is NOT plain text exportableRecovery blob file.Verify AuthRoot or Disallowed Certificates CTLCTLObject [CertDir] [CertFile]CTLObject -- Identifies the CTL to verify:
     %1 -- read AuthRoot CAB and matching certificates from the URL
         cache.  Use %5 to download from Windows Update instead.

     %2 -- read Disallowed Certificates CAB and disallowed
         certificate store file from the URL cache.  Use %5 to download
         from Windows Update instead.

     %7 -- read PinRules CAB from the URL cache.  Use %5 to download
         from Windows Update instead.

     %3 -- read registry cached AuthRoot CTL.  Use with %5 and a
         CertFile that is not already trusted to force updating the
         registry cached AuthRoot and Disallowed Certificate CTLs.

     %4 -- read registry cached Disallowed Certificates CTL.
         %5 has the same behavior as with %3.

     %8 -- read registry cached PinRules CTL.
         %5 has the same behavior as with %7.

     CTLFileName -- file or %6 path to CTL or CAB

CertDir -- folder containing certificates matching CTL entries
     An %6 folder path must end with a path separator.
     If a folder is not specified with %3 or %4, multiple
     locations will be searched for matching certificates: local
     certificate stores, crypt32.dll resources and the local URL cache.
     Use %5 to download from Windows Update when necessary.
     Otherwise defaults to the same folder or web site as the CTLObject.

CertFile -- file containing certificate(s) to verify.  Certificates
     will be matched against CTL entries, and match results displayed.
     Suppresses most of the default output.PA<ERROR: Signature chain certificate not present in image: %ws6ERROR: Extra signature chain certificate in image: %ws$ERROR: Extra application policy: %ws&ERROR: Missing application policy: %ws%Result: Certificate exact match foundResult: Certificate match found#Result: Certificate match NOT found(Result: Certificate public key collision	OCSP URLsAIA URLsCDP URLs7Certificates that do not belong to the targeted CTL: %u:Default is to display DC certificates without verification%ws failed with error:LoadingCert[%u]: references:PACTL[%u]: matches:
Less than %ws+Strong Signature verification not supportedStrong Signature error:Legacy Signature error:Counter Signed!:Authenticated attribute!:Critical Extension%u of %u entries presentCertificates to match:Legacy signatures:Strong signatures:#Missing Enhanced Key Usage propertyPINSigning certificateCertIdPASync with Windows UpdateDestinationDirrDestinationDir -- folder to copy to.
     The following files are downloaded from Windows Update:
         %1 - contains CTL of Third Party Roots.
         %2 - contains CTL of Disallowed Certificates.
         %3 - Disallowed Certificates.
         %4 - contains CTL of SSL Pin Rules.
         %5 - Pin Rules Certificates.
         <thumbprint>.crt - Third Party Roots. Generate SST from Windows UpdateSSTFile�SSTFile -- %1 file to be created.
     The generated %1 file contains the Third Party Roots
     downloaded from Windows Update.Updating2"%ws" exists. Use "%ws" option to force overwrite.;Warning! Encountered the following no longer trusted roots:�Use "%ws" options to force the delete of the above "%ws" files.
Was "%ws" updated?
If yes, consider deferring the delete until all clients have been updated.$Enabling temporary auto root update.&Restoring disable of auto root update.ZCannot enable auto root update in the registry.
Are you running as elevated administrator?No Updates!"Added %d files.  Updated %d files.Updated SST file.PA+Display Trusted Platform Module InformationCA Exchange Cert HashVerify Key Attestation RequestRequestFile)Manufacturer Endorsement Key Certificates"Other Endorsement Key CertificatesChallenge PendingChallenge SatisfiedTrust On UseTrust Endorsement CertificateTrust Endorsement KeyNonce digestAttestation successful.SecretDecrypted EKInfo
EK Public Key
ActivationDecrypted SecretActivation successful.WritingCannot fetch EK public keyEK KeyId(%ws):%1Numeric SIDT        %2 -- Local System
        %3 -- Local Service
        %4 -- Network ServiceHash algorithms:,No Manufacturer Endorsement Key Certificates%No Other Endorsement Key CertificatesResource+Updated DS Template and security descriptor
Modifiers:End Entity certificate onlyPAExclude root certificateCertificates: Not Encrypted)Enabling temporary Pin Rules auto update.+Restoring disable of Pin Rules auto update._Cannot enable Pin Rules auto update in the registry.
Are you running as elevated administrator?
Add ECC Curve=[CurveClass:]CurveName CurveParameters [CurveOID] [CurveType]�
  CurveClass:       -- ECC Curve Class Type:
                         - %1 [Default]
                         - %2 
                         - %3 

  CurveName         -- ECC Curve Name

  CurveParameters   -- ECC Curve Parameters. It is one of the following 
                         - Certificate Filename Containing ASN Encoded Parameters
                         - File Containing ASN Encoded Parameters

  CurveOID          -- ECC Curve OID. It is one of the following:
                         - Certificate Filename Containing ASN Encoded OID
                         - Explicit ECC Curve OID

  CurveType         -- Schannel ECC NamedCurve Point (Numeric)Delete ECC CurveCurveName | CurveOID6CurveName -- ECC Curve Name
CurveOID  -- ECC Curve OIDDisplay ECC Curve[CurveName | CurveOID]6CurveName -- ECC Curve name
CurveOID  -- ECC Curve OIDECC Curve ParametersCNG Parameters BlobASN Parameters BlobPublic Key LengthGenerate Pin Rules CTL,XMLFile CTLFile [SSTFile [QueryFilesPrefix]]�XMLFile -- input XML file to be parsed.
CTLFile -- output CTL file to be generated.
SSTFile -- optional %1 file to be created.
     The %1 file contains all of the certificates
     used for pinning.
QueryFilesPrefix -- optional %2 and %3 files to be created for database query.
     The QueryFilesPrefix string is prepended to each created file.
     The %2 file contains rule name, domain rows.
     The %3 file contains rule name, key SHA256 thumbprint rows.SSL Policy matching ServerName
ServerName�Warning => Unable to verify downloaded Pin Rules on this version of Windows.
Will continue. Recommend running on a later version of Windows.FailedWarningExpiredEncodingParsingMatchingSkippingGettingAdd ExistingAdd NewRemoving DuplicateSkipping Element
Only AllowElementsElement CountsDuplicate ElementNegative duration value,Not supported years or months duration valueWrite Query FilesXML Parser Error DetailsSave To SST FileFinding Element: %wsQuery Element: %wsGetting %ws Element CountParsing Element: %ws Attributes&Duplicate => Removing %ws Matching %wsMissing from other %ws ElementsNo %ws Elements Opening => Element: %ws %ws: %ws$Enumerating => Element: %ws %ws: %ws>Duplicate Attribute Value => %ws: %ws in Elements: %ws and %wsENormalize Attribute => Element: %ws Attribute: %ws: Value: %ws to %ws6Failed => Duplicate Attribute %ws: %hs in Element: %ws*Failed => Element: %ws has no %ws Elements+Warning => Element: %ws has no %ws ElementsFailed => Missing Element: %ws1Failed => Element: %ws has invalid Attribute: %ws<Failed => Element: %ws Attribute: %ws has invalid Value: %wsDFailed => Element: %ws has invalid Attribute: %ws with Reason: <%ws>OFailed => Element: %ws Attribute: %ws has invalid Value: %ws with Reason: <%ws>0Failed => Element: %ws is missing Attribute: %ws;Duplicate Attribute Value %ws: %hs in Elements: %ws and %ws2Warning => No %ws certificates to save to SST FileAlternateStorageLocationAIK Public KeyAIK KeyId(%ws):.Download OCSP Responses and Write to Directory0CertificateDir OcspDir [ThreadCount] [Modifiers]�CertificateDir -- directory of certificate, store and PFX files.
OcspDir        -- directory to write OCSP responses.
ThreadCount    -- optional maximum number of threads for concurrent downloading. Default is 10.
Modifiers -- Comma separated list of one or more of the following:
        %1 -- Download once and exit
        %2 -- Read from OcspDir instead of writing
By default, certutil won't exit and must be explicitly terminated.*Check certificate files in directory <%ws>
No Downloads!Wait forever for downloadsGFailed => downloadOcsp option not supported on this version of Windows.dWith previous RemainingMinutes: %d downloaded new OCSP response with ThisUpdate: %ws NextUpdate: %ws"Open OCSP subject certificate file$Remove OCSP subject certificate fileAdd OCSP response fileRemove OCSP response file1Waiting for %d download OCSP reponses to completeDownloaded OCSP ResponsesEMilliseconds: %d ThisUpdate: %ws NextUpdate: %ws RemainingMinutes: %dUTotal: %d Downloaded: %d Warnings: %d Pending: %d Errors: %d Maximum Thread Count: %d$Error => Download OCSP response. %ws&Error => Write OCSP response file. %ws#Error => Missing issuer certificate0Error => Open OCSP subject certificate file. %ws'Error => Pending OCSP response download/Warning => No OCSP subject certificates in file'Warning => Duplicate OCSP response file-Warning => OCSP not supported for certificatetest passedtest FAILEDtest skippedKey Encryption Algorithm:Encrypted Key:[TaskName [SRKThumbprint]]�TaskName -- task to trigger
        %1 -- NGC Key Pregen task
        %2 -- NGC AIK certificate enrollment task.
        defaults to autoenrollment event.
SRKThumbprint -- Thumprint of Storage Root KeyAIK CertificatesNo AIK CertificatesReason: Privilege WithdrawnReason: AA CompromiseCannot import private keycountCannot decrypt contentDecrypted contentUnprotected attributesComputedIteration count
Local Key Id:Invalid TemplatePKCS Attributes:*Verified Extended Validation (EV) PoliciesExtended Validation CertificateStrong signature verificationMust chain to a Microsoft root#Must chain to a Microsoft test root*Must chain to a Microsoft application root"Enforce Extended Validation Policy%Detached signature matches Public KeyFGenerate HPKP header using certificates in specified file or directory,CertFileOrDir MaxAge [ReportUri] [Modifiers]CertFileOrDir  -- file or directory of certificates. Source of pin-sha256.
MaxAge         -- max-age value in seconds.
ReportUri      -- optional report-uri.
Modifiers -- Comma separated list of one or more of the following:
        %1 -- append includeSubDomains.#Error => Open certificate file. %ws%Success => Open certificate file: %wsSkipping => Duplicate: %wsError => No certificatesRegistry Aliases:Indirect key name4================ Begin force NCrypt ================4----------------  End force NCrypt  ----------------9================ Begin Windows Hello Key ================9----------------  End Windows Hello Key  ----------------invoke CryptUI	File [%1]
ThumbprintPrivate key is a VSM keyAdd certificate chainLogId certificate OutFileAdd pre-certificate chainLogId pre-certificate OutFileGet signed tree head[LogId]Get signed tree head changesLogId TreeSize1 TreeSize2Get proof by hashLogId Hash [TreeSize]PAGet entriesLogId FirstIndex LastIndex	Get rootsLogIdGet entry and proofLogId Index [TreeSize]Verify certificate SCTCertificate SCT [%1]
Extra dataChainComputed Root HashDataEntry
EntryAndProofFetched Root Hash
AuditPath[%u]PA	Entry[%u]KeyId matchLeaf	Leaf HashLogIdMerkle Tree HashMessageOperated by"Precert TBS matches log leaf entry)Precert TBS does not match log leaf entryProof	SignatureSkipping inactive logComputed hash matches STH hash%Computed hash does not match STH hashDisplay Log Servers[URL]mDelete Hello Logon container.  
     ** Users need to sign out after using this option for it to complete. **>Flush specified caches in selected process, such as, lsass.exeProcessId CacheMask [Modifiers]�ProcessId -- numeric id of process to flush. Set to 0 to flush all processes where flush is enabled.
CacheMask -- bit mask of caches to be flushed. Numeric OR of following bits:
        0x01: %1
        0x02: %2
        0x04: %3
        0x08: %4
        0x10: %5
        0x20: %6
        0x40: %7
           0: %8
Modifiers -- Comma separated list of one or more of the following:
        %9 - Show caches being flushed. Certutil must be explicitly terminated.\ProcessId: %d Mask: 0x%x State: %d Count: %d Error: 0x%x DeltaTick: %d Tick: %I64d Stamp: %d1Cryptographic algorithm used to create a PFX file#Sign out now to complete this task.PA5Certificate Enrollment - Username/Password Credential/Certificate Enrollment - Certificate CredentialSelect Certification Authority5Select a Certification Authority to send the request.PA2Invalid Schema , Message Format Error from server.'Server failed to authenticate the user.!User is not authorized to enroll. Unhandled exception from server.GRedirection is needed and redirected location is not a wellknown serverDiscovery failedRegistration quota reached6Operation successful but the machine requires a rebootPA+The AIK certificate is not valid or trusted9The attestation statement of the transport key is invalid#Server returned a bad message error#Tenant Id is not found in the token"User Sid is not found in the token2The device is required to be classic domain joined4Some join information cannot be read from the deviceThe device is not joined to AAD9The client timed out while waiting for a server response.9The client timed out while waiting for a server response.9The client timed out while waiting for a server response.9The client timed out while waiting for a server response.PA9The client timed out while waiting for a server response.9The client timed out while waiting for a server response.$The token does not contain device ID2The operation requires multi-factor authentication"The specified user cannot be foundServer is busy!The NGC key is already registered"The graph directory request is bad1The graph request failed with replica unavailable)The graph request was throttled by serverThe graph request was denied-TPM lockout or some other crypto layer issue.The device key is missing.*The web server returned an error (non 200),The web server returned success, but no data7The AAD Cloud AP Plugin does not have the requested PRTToken was not found in requestPA0There is no core windows for the current thread.Unable to obtain user token"Failed to recieve user creds input'AAD token request was cancelled by userDevice is not joined"Server response message is invalid*Server failed to authorize user or device.)Server response http status is unexpected Unhandled exception from server.+The request sent to the server was invalid.Attestation failed'The AIK certificate is no longer valid.PA(There is no key registered for the user.There is no UPN in the token.(The general server side directory error.CThe device specified in the request was not found in the directory.JThe device is not ready to provide a CXH scenario Id for NGC registration.JThe device is not ready to provide a CXH scenario Id for NGC registration.DFailed to enroll for an NGC cert because there is NO Enterprise SSO.Invalid NGC request type2Invalid Schema , Message Format Error from server.'Server failed to authenticate the user.!User is not authorized to enroll.>User has no permission on the cert template or CA unreachable.@Generic Failure from management server, such as DB access error. Unhandled exception from server. Unhandled exception from server.Unknown server error.3Another enrollment operation is currently underway.Device is already enrolled.Device is not enrolled./During discovery the sec cert date was invalid.*A password is needed (And wasn't supplied)An error during WAB enrollmentPA/A http (or lower) error, such as dns or timeoutThe SSL cert wasn't validuUser already enrolled too many devices. Delete or unenroll old ones to fix this error (user can fix it without admin)|Specific platform (e.g. Windows) or version is not supported (no point retrying or calling admin. User could upgrade device)KMobile device management generally not supported (would save an admin call)�Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device (user can fix it by re-enrolling)~Account is in maintenance, retry later (user can retry later but might call admin because doesn't know when problem is solved)TLicense of user is in bad state blocking enrollment (user still needs to call admin)SThe server rejected the Enrollment Data, the server may not be configured correctlyBThe server asked to use HTTP from HTTPS, but the user didn't ok ityindicates trying to do an invalid operation on an enrollment, such as enrolling twice, or unenroll one that doesn't exist)Enrollment type isn't allowed on this SKUunknown client side error+Provisioning failed in CertificateStore CSP#Provisioning failed in W7/DMAcc CSPPA#Provisioning failed in DMClient CSP,Provisioning failed in Passport for Work CSP-Provisioning failed in a CSP not listed above8Provisioning failed, but a specific CSP is not indicated�the public cert was not found: a) when attempting to bind the public cert/private key or b) when looking into provisioning payload (perhaps targeting the wrong store)2Provisioning failed in EnterpriseAppManagement CSPDMDM Management was blocked, such as via GP or SetManagedExternally()-Failed to create the private key as requestedICertificate Authentication was requested, but failed find the cert to use9Server responded with HTTP 200, but the message was emptyPA?CCM_E_ITEMNOTFOUND?CCM_E_EMPTY_CERT_STORECCM_E_NO_CERT_MATCHING_CRITERIACMore than one certificate found but 'select first cert' was not setCCM_E_MISSING_PRIVATEKEYCCM_E_MISSING_SUBJECT_NAMELValida search criteria verbs are 'Subject:', 'SubjectStr:' and 'SubjectAtr:'CCM_E_INVALID_SMS_AUTHORITYCCM_E_MISSING_SITE_SIGNING_CERT2Failures related to decompressing CIs/SDM packages2Failures related to decompressing CIs/SDM packages+job contains no files, no action to perform#Client doesn't have any assigned TS:Client unable to compute Message Signature for InBand Auth8Client unable to Refresh Site server signing certificateClient Unable to verify Policy6Client Unable to find a valid Registration certificate,The client failed to process one or more CIsCCM_E_INVALID_KEY3The client's database record could not be validatedJThe client does not recognize these type of signature (for delta download)More client registration errorMore client registration error4The Client received a reset registration from Server?Client version is not compatible with the primary site version.CCM_E_HASH_MISMATCH+?CCM_E_CERTENROLL_SCEP_CERTREQUEST_PENDING?.?CCM_E_CERTENROLL_SCEP_CERTREQUEST_UNEXPECTED?+?CCM_E_CERTENROLL_SCEP_CERTREQUEST_FAILURE?0?CCM_E_CERTENROLL_SCEP_CERTREQUEST_BADALGORITHM?.?CCM_E_CERTENROLL_SCEP_CERTREQUEST_BADMESSAGE?2?CCM_E_CERTENROLL_SCEP_CERTREQUEST_BADTRANSACTION?2?CCM_E_CERTENROLL_SCEP_CERTREQUEST_BADSIGNINGTIME?-?CCM_E_CERTENROLL_SCEP_CERTREQUEST_BADCERTID?(?CCM_E_CERTENROLL_SCEP_SERVERCERT_EMPTY?'?CCM_E_CERTENROLL_SCEP_SERVERCAP_EMPTY?+?CCM_E_CERTENROLL_SCEP_PKIOPRESPONSE_EMPTY?'?CCM_E_CERTENROLL_SCEP_TPM_UNAVAILABLE?[An attempt was made to perform an operation when initialization has not yet been completed.&The input XML is improperly formatted.The object already exists..A calculation resulted in an integer overflow./A calculation resulted in an integer underflow.!An attempted rollback has failed.(A failure happens when CSP runs outproc.2An implementation limit is exceeded in marshaling.PAThe session has been aborted.$Authentication of the server failed.1The user has chosen to reject management actions.:An action was performed on a node with an unexpected type.1The user has chosen to cancel management actions.)The management command has been bypassed.;A dialog has timed out while awaiting user acknowledgement."Text to be displayed is too large.-The push message data has some parsing error.-The push message data has some parsing error.WPrevious keep alive message is still being processed and server send down new commands./Processing results that span multiple messages.2Cannot find NGC Key to install the certificate to.PABCannot match on-device AAD Key with Key Identifies sent by the MDM2NGC is managed by GP and cannot be managed by MDM._The OMA-DM server replied with a Status code value indicating an error for the client's SyncHdrAThe session has been aborted because a 407 response was received.6The session has been aborted due to user cancellation.gThe session has been aborted because the device is in roaming state and DM is not allowed in this case.dThe session has been aborted because the HMAC provided by server didn't match with the message body.BThe session has been aborted because the account is being deleted.;The session has been aborted because no more retry allowed.JThe session has been aborted because zero-byte data response was received.No more sync session allowed.!The SSLCertCriteria is not valid.AThe session has been aborted because a 401 response was received.AThe session has been aborted because a 403 response was received.AThe session has been aborted because a 404 response was received.AThe session has been aborted because a 413 response was received.VThe session has been aborted because of unexpected http status returned by the server.(The current object is not ready for use.Stream is not ready for use.Data .Compression corrupted.Name is not a valid filename.'There is no file by the specified name.Uninstall file not found.File is unexpectedly readonly.Zip archive is invalid.Unsupported compression methodInvalid stream.Format is not supported.Invalid zip item.Cannot load zlib dll.PA%Cannot find expected exported method.PADevice is already enrolled.PA@The network operation failed and can be retried if retries left.AThe session has been aborted unexpected content type from server.PA�4VS_VERSION_INFO��
|O
|O?�StringFileInfo�040904B0LCompanyNameMicrosoft CorporationB
FileDescriptionCertUtil.exeh$FileVersion10.0.20348.1 (WinBuild.160101.0800):
InternalNameCertUtil.exe�.LegalCopyright� Microsoft Corporation. All rights reserved.JOriginalFilenameCertUtil.exe.muij%ProductNameMicrosoft� Windows� Operating System>
ProductVersion10.0.20348.1DVarFileInfo$Translation	�PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING