Certutil: Difference between revisions

Revision as of 13:36, 1 February 2016

certificate tool

notes

  #view ad store
  certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"
  certutil -store -enterprise NTAuth
  certutil -store -enterprise ntauth "5a ce 02 ad 7b 9c a9 1e 11 f8 c8 b9 92 5e ae 3d 23 ec 23 c1"
  #delete from ntauth store
  certutil -delstore -enterprise ntauth "5a ce 02 ad 7b 9c a9 1e 11 f8 c8 b9 92 5e ae 3d 23 ec 23 c1"
  #get all certs after september with information about the private key
  certutil -view -restrict "NotBefore>=9/9/2015" -out "request.submittedwhen,Request.RequesterName,request.rawarchivedkey"
  #get all certificates about to expire
  $today=Get-Date
  $endperiod=$today.AddDays(31)
  certutil -view -restrict "NotAfter>=$today,NotAfter<=$endperiod" -out "RequestID,RequesterName,RequestType,Email,NotAfter,CommonName,CertificateTemplate,EnrollmentFlags"
  #get all certificates after 08/20/2009 and export in csv format to out.txt
  certutil -view -out CertificateTemplate -restrict "NotBefore > 08/20/2009" csv > out.txt
  #get certificates by templatename
  certutil -view -restrict "certificate template=1.3.6.1.4.1.311.21.8.2819805.2707949.10374545.1112108.15908497.246.7506132.8196480" -out request.submittedwhen,Request.RequesterName,Request.CallerName,UPN,CommonName,NotAfter,Request.Disposition > c:\Template1-Requests.txt
  # or for default templates use the name instead of the OID like so
  certutil -view -restrict "certificate template=user" -out request.submittedwhen,Request.RequesterName,Request.CallerName,UPN,CommonName,NotAfter,Request.Disposition
  #get certificates by requester
  certutil -view -restrict "RequesterName=CONTOSO\user1" -out SerialNumber,StatusCode
  #disposition is the status -> http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx
  certutil -view -restrict "RequestId=$,Disposition=20" -out RawCertificate

all columns: https://technet.microsoft.com/nl-be/library/cc783853%28v=ws.10%29.aspx
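
An added example, not part of the original notes: a PowerShell check that takes the output of the `certutil -store -enterprise NTAuth` command shown above and reports CA certificates in the NTAuth store that are not on an approved list. The function names, the allow-list and the sample output are assumptions constructed for illustration; only the first thumbprint comes from the notes.

```powershell
# Added example: audit the enterprise NTAuth store against an approved list.
# Function names and the sample output are illustrative assumptions.

function Get-NTAuthThumbprint {
    param([string[]]$CertutilOutput)
    foreach ($line in $CertutilOutput) {
        # certutil prints one "Cert Hash(sha1): ..." line per certificate.
        # The hash may be space-separated or contiguous, so normalize both.
        if ($line -match '^\s*Cert Hash\(sha1\):\s*([0-9a-fA-F ]+?)\s*$') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

function Compare-NTAuthStore {
    param(
        [string[]]$CertutilOutput,
        [string[]]$ApprovedThumbprints   # hypothetical allow-list you maintain
    )
    $approved = @($ApprovedThumbprints |
        ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })
    $present = @(Get-NTAuthThumbprint -CertutilOutput $CertutilOutput)
    [pscustomobject]@{
        # In the store but not approved: review before using -delstore.
        Unexpected = @($present | Where-Object { $_ -notin $approved })
        # Approved but absent from the store.
        Missing    = @($approved | Where-Object { $_ -notin $present })
    }
}

# Constructed sample output (not captured from a real CA); the second
# certificate and its hash are made up to show an unexpected entry.
$sample = @'
================ Certificate 0 ================
Issuer: CN=Contoso Root CA, DC=corp, DC=contoso, DC=com
Cert Hash(sha1): 5a ce 02 ad 7b 9c a9 1e 11 f8 c8 b9 92 5e ae 3d 23 ec 23 c1
================ Certificate 1 ================
Issuer: CN=Constructed Unknown CA
Cert Hash(sha1): 00112233445566778899aabbccddeeff00112233
'@ -split "`r?`n"

$approvedList = '5a ce 02 ad 7b 9c a9 1e 11 f8 c8 b9 92 5e ae 3d 23 ec 23 c1'
Compare-NTAuthStore -CertutilOutput $sample -ApprovedThumbprints $approvedList

# Live use on a domain-joined host:
# Compare-NTAuthStore (certutil -store -enterprise NTAuth) $approvedList
```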


sources:

  #Export to pfx
  certutil -exportPFX -p "$Password" "$($CertificateItem.Thumbprint)" "$FileName.pfx"
  #Get all certificates after 08/20/2009 and export in csv format to out.txt
  certutil -view -out CertificateTemplate -restrict "NotBefore > 08/20/2009" csv > out.txt
  #Get all certificates after 08/20/2009 with properties and export in csv format to out.txt
  certutil -view -out "CertificateTemplate,request.submittedwhen" -restrict "NotBefore > 08/20/2009" csv > out.txt
  #Get templates
  certutil -template
  #Get all certificates about to expire ($today)
  certutil -view -restrict "NotAfter>=$today,NotAfter<=$endperiod" -out "RequestID,RequesterName,RequestType,Email,NotAfter,CommonName,CertificateTemplate,EnrollmentFlags"
  #Display CA Information -> https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
  certutil -CAInfo
  #Display domain controller information -> https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
  certutil -dcinfo
  #Display Enterprise CA information -> https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
  certutil -entinfo
  #Display CA information -> https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
  certutil -tcainfo

The following two tables show the disposition IDs for the request queue and the log.

Disposition values for requests in the queue:

Disposition  Description
8            request is being processed
9            request is taken under submission
12           certificate is an archived foreign certificate
15           certificate is a CA certificate
16           parent CA certificates of the CA certificate
17           certificate is a key recovery agent certificate

Disposition values for requests in the log:

Disposition  Description
20           certificate was issued
21           certificate is revoked
30           certificate request failed
31           certificate request is denied

Show the SerialNumber of all issued and revoked certificates:

  certutil -view -restrict "Disposition>=20,Disposition<=21" -out SerialNumber

Get requests based on status, or show all certificate requests that failed for the certificate template with the common name "EnrollmentAgent" after September 24th 2008:

  certutil -view -restrict "Disposition=30,notbefore>=9/24/2008,certificate template=EnrollmentAgent" -out RawCertificate

Source: http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx

  #get all certs requested by
  certutil -view -restrict "RequesterName=contoso\TWT"