Certutil


certificate tool

notes

all columns: https://technet.microsoft.com/nl-be/library/cc783853%28v=ws.10%29.aspx


sources:

Export to PFX: certutil -exportPFX -p "$Password" "$($CertificateItem.Thumbprint)" "$FileName.pfx"
Get all certificates after 08/20/2009 and export in CSV format to out.txt: certutil -view -out CertificateTemplate -restrict "NotBefore > 08/20/2009" csv > out.txt
Get all certificates after 08/20/2009 with properties and export in CSV format to out.txt: certutil -view -out "CertificateTemplate,request.submittedwhen" -restrict "NotBefore > 08/20/2009" csv > out.txt
Get templates: certutil -template
Get all certificates about to expire (NotAfter between $today and $endperiod): certutil -view -restrict "NotAfter>=$today,NotAfter<=$endperiod" -out "RequestID,RequesterName,RequestType,Email,NotAfter,CommonName,CertificateTemplate,EnrollmentFlags"
Display CA information: certutil -CAInfo
Display domain controller information: certutil -dcinfo
Display Enterprise CA information: certutil -entinfo
Display CA information: certutil -tcainfo
Source for the four commands above: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard

The following two tables show the disposition IDs for the request queue and the log.

Disposition values for requests in the queue:

Disposition   Description
8             request is being processed
9             request is taken under submission
12            certificate is an archived foreign certificate
15            certificate is a CA certificate
16            parent CA certificates of the CA certificate
17            certificate is a key recovery agent certificate



Disposition values for requests in the log:

Disposition   Description
20            certificate was issued
21            certificate is revoked
30            certificate request failed
31            certificate request is denied
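
The expiry query above uses $today and $endperiod without defining them. The following PowerShell sketch is an added example, not part of the original notes: it sets both variables, adds Disposition=20 from the log table so that only issued certificates are returned, and parses the CSV output. The 30-day window, the short-date format and running on a host where certutil can reach the CA are assumptions.

```powershell
# Added example (not from the original notes).
# Assumptions: run on the CA or a host where certutil reaches the CA by default,
# and certutil accepts dates in the current locale's short-date format.
$days      = 30                                            # assumed look-ahead window
$today     = (Get-Date).ToShortDateString()
$endperiod = (Get-Date).AddDays($days).ToShortDateString()

# Disposition=20 keeps issued certificates only (21 = revoked, 30 = failed, 31 = denied).
$restrict = "Disposition=20,NotAfter>=$today,NotAfter<=$endperiod"
$columns  = "RequestID,RequesterName,NotAfter,CommonName,CertificateTemplate"

# The trailing "csv" asks certutil for comma-separated output with a header row.
$raw = certutil -view -restrict $restrict -out $columns csv
if ($LASTEXITCODE -ne 0) {
    throw "certutil failed with exit code $LASTEXITCODE`n$($raw -join "`n")"
}

# The header row carries certutil's (localized) column display names,
# so the objects are shown as-is instead of being addressed by property name.
$rows = @($raw | ConvertFrom-Csv)
$rows | Format-Table -AutoSize

"{0} issued certificate(s) expire between {1} and {2}" -f $rows.Count, $today, $endperiod
```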

Show the SerialNumber of all issued and revoked certificates: certutil -view -restrict "Disposition>=20,Disposition<=21" -out SerialNumber

Get requests based on status, or show all certificate requests that failed for the certificate template with the common name "EnrollmentAgent" after September 24th 2008: certutil -view -restrict "Disposition=30,notbefore>=9/24/2008,certificate template=EnrollmentAgent" -out RawCertificate

http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx
certutil -view -restrict "RequesterName=contoso\TWT" get all certs requested by
certutil -store -user My

certutil -repairstore my "SerialNumber"

repair missing private keys (Repair key association or update certificate properties or key security descriptor)