Certutil: Difference between revisions
Revision as of 13:36, 1 February 2016
certificate tool
notes
#view ad store
certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"
certutil -store -enterprise NTAuth
certutil -store -enterprise ntauth "5a ce 02 ad 7b 9c a9 1e 11 f8 c8 b9 92 5e ae 3d 23 ec 23 c1"
#delete from ntauth store
certutil -delstore -enterprise ntauth "5a ce 02 ad 7b 9c a9 1e 11 f8 c8 b9 92 5e ae 3d 23 ec 23 c1"
#get all certs after september with information about the private key
certutil -view -restrict "NotBefore>=9/9/2015" -out "request.submittedwhen,Request.RequesterName,request.rawarchivedkey"
#get all certificates about to expire
$today=Get-Date
$endperiod=$today.AddDays(31)
certutil -view -restrict "NotAfter>=$today,NotAfter<=$endperiod" -out "RequestID,RequesterName,RequestType,Email,NotAfter,CommonName,CertificateTemplate,EnrollmentFlags"
#get all certificates
certutil -view -out CertificateTemplate -restrict "NotBefore > 08/20/2009" csv > out.txt
#get certificates by templatename
certutil -view -restrict "certificate template=1.3.6.1.4.1.311.21.8.2819805.2707949.10374545.1112108.15908497.246.7506132.8196480" -out request.submittedwhen,Request.RequesterName,Request.CallerName,UPN,CommonName,NotAfter,Request.Disposition > c:\Template1-Requests.txt
# or for default templates use the name instead of the OID like so
certutil -view -restrict "certificate template=user" -out request.submittedwhen,Request.RequesterName,Request.CallerName,UPN,CommonName,NotAfter,Request.Disposition
#get certificates by requestor
certutil -view -restrict "RequesterName=CONTOSO\user1" -out SerialNumber,StatusCode
#disposition is the status -> http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx
certutil -view -restrict "RequestId=$,Disposition=20" -out RawCertificate
all columns: https://technet.microsoft.com/nl-be/library/cc783853%28v=ws.10%29.aspx
sources:
- http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx
- https://sysengblog.wordpress.com/2012/04/03/complete-microsoft-certificate-authority-maintenance-procedure/
- http://ss64.com/nt/certutil.html
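
The "get all certificates about to expire" note above, wrapped as a reusable function. This is an added example, not part of the original notes. The function name `Get-ExpiringCertificate` is hypothetical, and it assumes certutil is run on the CA itself and parses dates in the current locale's short date format.

```powershell
# Added example: list issued certificates that expire within the next N days.
function Get-ExpiringCertificate {
    param(
        [int]$Days = 31   # same 31-day window as the note above
    )

    $now = Get-Date
    # Assumption: certutil parses -restrict dates in the current locale's
    # short date format. Formatting explicitly also avoids embedding the
    # time of day, which interpolating a DateTime into a string would do.
    $from = $now.ToShortDateString()
    $to   = $now.AddDays($Days).ToShortDateString()

    # Disposition=20 limits the result to issued certificates, so revoked
    # and failed requests do not show up in the expiry report.
    $restrict = "Disposition=20,NotAfter>=$from,NotAfter<=$to"
    $columns  = 'RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate'

    $raw = certutil -view -restrict $restrict -out $columns csv
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -view failed with exit code $LASTEXITCODE"
    }

    # The first CSV line holds display names for the columns. Replace them
    # with the schema names passed to -out so property names are predictable.
    # Rows without a NotAfter value (for example a trailing status line)
    # are dropped.
    $raw |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header ($columns -split ',') |
        Where-Object { $_.NotAfter }
}

# Report certificates expiring in the next 31 days.
Get-ExpiringCertificate -Days 31 | Format-Table -AutoSize
```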
certutil -exportPFX -p "$Password" "$($CertificateItem.Thumbprint)" "$FileName.pfx" | Export to pfx
certutil -view -out CertificateTemplate -restrict "NotBefore > 08/20/2009" csv > out.txt | Get all certificates after 08/20/2009 and export in csv format to out.txt
certutil -view -out "CertificateTemplate,request.submittedwhen" -restrict "NotBefore > 08/20/2009" csv > out.txt | Get all certificates after 08/20/2009 with properties and export in csv format to out.txt
certutil -template | Get templates
certutil -view -restrict "NotAfter>=$today,NotAfter<=$endperiod" -out "RequestID,RequesterName,RequestType,Email,NotAfter,CommonName,CertificateTemplate,EnrollmentFlags" | Get all certificates about to expire ($today)
certutil -CAInfo | Display CA Information | https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
certutil -dcinfo | Display domain controller information | https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
certutil -entinfo | Display Enterprise CA information | https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
certutil -tcainfo | Display CA information | https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
The following two tables show the disposition IDs for the request queue and the log. Disposition values for requests in the queue:
certutil -view -restrict "Disposition>=20,Disposition<=21" -out SerialNumber | Get requests based on status: show the SerialNumber of all issued and revoked certificates | http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx
certutil -view -restrict "Disposition=30,notbefore>=9/24/2008,certificate template=EnrollmentAgent" -out RawCertificate | Get requests based on status: show all certificate requests that failed for the certificate template with the common name "EnrollmentAgent" after September 24th 2008 | http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx
certutil -view -restrict "RequesterName=contoso\TWT" | get all certs requested by