Collect data about certificates

The certStats tool collects data about certificates in the database. It is in <install directory>\tools and must be run from the tools directory.

You can run certStats with or without parameters. The tool can be invoked as:

certStats [-file <file>] [-export <dir>] [-clean] [-cross]


  • -file <file> instructs the tool to dump its results to the specified file as well as to standard output.
  • - export <dir> instructs the tool to export all certificates to the specified directory. Within the directory are created the subdirectories ca/root, ca/intermediate, user/endentity and user/selfsigned. Certificates are exported appropriately to the subdirectories.
  • -clean instructs the tool to clean the specified export directory and all subdirectories before exporting any certificates.
  • -cross instructs the tool to check for cross certificates.

The tool inspects all certificates in the database and collects statistics. The tool does its best to differentiate between CA certificates and user certificates. However, it sometimes classifies a CA certificate as a user certificate.

The tool further differentiates between CA root, CA intermediate, user self-signed and user end-entity certificates. For each of these four classes of certificates, the tool gathers statistics including how many certificates contain subject key identifier information and how many certificates contain authority key identifier information. The tool also finds each certificate's issuing certificate. Note that CA root and user end-entity certificates are their own issuer, so a problem finding the issuer indicates a problem with the certificate itself, such as a corrupted certificate.

If the -export <dir> option is supplied, each certificate is exported to the appropriate subdirectory of the indicated directory. Each certificate file is named based upon the certificate's subject name. If the certificate's subject name does not contain the information required to construct a file name, then cert is used as the file name. If a file with the determined name already exists, a sequence number is added to the name to avoid the conflict. All certificate file names are suffixed with the .cer extension.

After all statistics are collected, the results are dumped to standard output and to the designated file if the -file <file> extension is supplied.

If the -cross extension is supplied, the tool looks for cross certificates. Cross certificates are two intermediate certificates that are used to sign each other. For each pair of cross certificates found, the tool also finds all related certificates that are issued by or an issuer of each cross certificate. After all sets of cross certificates are found they are dumped to standard output and to the designated file if the -file <file> option is supplied.

Related topics

Related Links