Certutil: Difference between revisions
(3 intermediate revisions by the same user not shown.) Compared with the previous revision, this one wraps the notes in a <syntaxhighlight lang="powershell"> block, adds the ss64 certutil reference to the sources, and adds the command reference table at the end of the page.
Revision as of 09:28, 4 May 2017
certificate tool
notes
# view the NTAuth store in AD (CA certificates trusted to issue logon certificates)
certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"
certutil -store -enterprise NTAuth
# show a single NTAuth entry by its SHA1 thumbprint
certutil -store -enterprise ntauth "5a ce 02 ad 7b 9c a9 1e 11 f8 c8 b9 92 5e ae 3d 23 ec 23 c1"
# delete an entry (by SHA1 thumbprint) from the NTAuth store
certutil -delstore -enterprise ntauth "5a ce 02 ad 7b 9c a9 1e 11 f8 c8 b9 92 5e ae 3d 23 ec 23 c1"
# get all certs issued after 9 September 2015 with information about the (archived) private key
certutil -view -restrict "NotBefore>=9/9/2015" -out "request.submittedwhen,Request.RequesterName,request.rawarchivedkey"
# get all certificates that expire within the next 31 days
$today=Get-Date
$endperiod=$today.AddDays(31)
certutil -view -restrict "NotAfter>=$today,NotAfter<=$endperiod" -out "RequestID,RequesterName,RequestType,Email,NotAfter,CommonName,CertificateTemplate,EnrollmentFlags"
# get all certificates issued after 08/20/2009 (template column only) as CSV
certutil -view -out CertificateTemplate -restrict "NotBefore > 08/20/2009" csv > out.txt
# get certificates by template; custom templates are matched by their OID
certutil -view -restrict "certificate template=1.3.6.1.4.1.311.21.8.2819805.2707949.10374545.1112108.15908497.246.7506132.8196480" -out request.submittedwhen,Request.RequesterName,Request.CallerName,UPN,CommonName,NotAfter,Request.Disposition > c:\Template1-Requests.txt
# or, for default templates, use the name instead of the OID, like so
certutil -view -restrict "certificate template=user" -out request.submittedwhen,Request.RequesterName,Request.CallerName,UPN,CommonName,NotAfter,Request.Disposition
# get certificates by requester
certutil -view -restrict "RequesterName=CONTOSO\user1" -out SerialNumber,StatusCode
# Disposition is the request status (20 = issued) -> http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx
# the $ after RequestId= stands for the request ID to look up
certutil -view -restrict "RequestId=$,Disposition=20" -out RawCertificate
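The NTAuth commands above show how to list and remove entries; for a defender the more useful routine is checking that the store still holds exactly the CA certificates it is supposed to. The function below is an added example (not part of the original notes): it parses the "Cert Hash(sha1)" lines of certutil -store -enterprise NTAuth output, compares them with an allowlist of expected thumbprints, and reports unexpected or missing entries. The allowlist value, the function name and the sample store output are constructed for the example; the sample reuses the thumbprint from the notes and adds a second, made-up entry.

```powershell
# Added example, not from the original notes: compare the NTAuth store with an
# allowlist of CA thumbprints so an unexpected or missing CA stands out.
# certutil -store prints the SHA1 either space-separated (older builds) or as
# one hex run, so thumbprints are normalised before comparison.
function Compare-NTAuthStore {
    param(
        [Parameter(Mandatory)][string[]]$ExpectedThumbprints,      # SHA1 hex, any case or spacing
        [string[]]$StoreOutput = (& certutil -store -enterprise NTAuth)  # live store unless sample lines are passed in
    )
    $normalize = { param($s) ($s -replace '[^0-9a-fA-F]', '').ToLowerInvariant() }
    $expected = @($ExpectedThumbprints | ForEach-Object { & $normalize $_ })

    # collect every "Cert Hash(sha1): ..." line from the store listing
    $found = @(foreach ($line in $StoreOutput) {
        if ($line -match '^\s*Cert Hash\(sha1\):\s*(.+)$') { & $normalize $Matches[1] }
    })

    foreach ($t in $found) {
        $status = if ($expected -contains $t) { 'expected' } else { 'UNEXPECTED' }
        [pscustomobject]@{ Thumbprint = $t; Status = $status }
    }
    foreach ($t in $expected) {
        if ($found -notcontains $t) {
            [pscustomobject]@{ Thumbprint = $t; Status = 'MISSING' }
        }
    }
}

# Constructed sample of certutil -store -enterprise NTAuth output (two entries);
# the first thumbprint is the one from the notes above, the second is made up.
$sample = @(
    '================ Certificate 0 ================',
    'Serial Number: 1a2b3c',
    'Issuer: CN=Contoso Root CA, DC=corp, DC=contoso, DC=com',
    'Cert Hash(sha1): 5a ce 02 ad 7b 9c a9 1e 11 f8 c8 b9 92 5e ae 3d 23 ec 23 c1',
    '================ Certificate 1 ================',
    'Serial Number: 4d5e6f',
    'Issuer: CN=Unknown Issuing CA',
    'Cert Hash(sha1): 0123456789abcdef0123456789abcdef01234567'
)
Compare-NTAuthStore -ExpectedThumbprints '5ACE02AD7B9CA91E11F8C8B9925EAE3D23EC23C1' -StoreOutput $sample

# Against the real store, with the allowlist kept in version control:
# Compare-NTAuthStore -ExpectedThumbprints (Get-Content .\ntauth-allowlist.txt)
```

Run against the sample, the first entry is reported as expected and the second as UNEXPECTED; run without -StoreOutput it reads the live enterprise NTAuth store. Scheduling this and alerting on any UNEXPECTED or MISSING line is a cheap drift check for the one store that decides which CAs may issue logon-capable certificates.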
all columns: https://technet.microsoft.com/nl-be/library/cc783853%28v=ws.10%29.aspx
sources:
- http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx
- https://sysengblog.wordpress.com/2012/04/03/complete-microsoft-certificate-authority-maintenance-procedure/
- http://ss64.com/nt/certutil.html
Command | Description | Source
certutil -exportPFX -p "$Password" "$($CertificateItem.Thumbprint)" "$FileName.pfx" | Export the certificate with the given thumbprint to a password-protected PFX file |
certutil -view -out CertificateTemplate -restrict "NotBefore > 08/20/2009" csv > out.txt | Get all certificates issued after 08/20/2009 and export them in CSV format to out.txt |
certutil -view -out "CertificateTemplate,request.submittedwhen" -restrict "NotBefore > 08/20/2009" csv > out.txt | Get all certificates issued after 08/20/2009 with the listed properties and export them in CSV format to out.txt |
certutil -template | Get templates |
certutil -view -restrict "NotAfter>=$today,NotAfter<=$endperiod" -out "RequestID,RequesterName,RequestType,Email,NotAfter,CommonName,CertificateTemplate,EnrollmentFlags" | Get all certificates about to expire (between $today and $endperiod, as set in the notes above) |
certutil -CAInfo | Display CA information | https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
certutil -dcinfo | Display domain controller information | https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
certutil -entinfo | Display Enterprise CA information | https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
certutil -tcainfo | Display CA information | https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
certutil -view -restrict "RequesterName=contoso\TWT" | Get all certificates requested by a given account (here contoso\TWT) |
certutil -store -user My ; certutil -repairstore my "SerialNumber" | Repair missing private keys (repair the key association, or update certificate properties or the key security descriptor) |

Get requests based on status (disposition). The following two tables show the disposition IDs for the request queue and the log (source: http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx).

Disposition values for requests in the queue:

Disposition | Description
8 | Request is being processed
9 | Request is taken under submission
12 | Certificate is an archived foreign certificate
15 | Certificate is a CA certificate
16 | Parent CA certificates of the CA certificate
17 | Certificate is a key recovery agent certificate

Disposition values for requests in the log:

Disposition | Description
20 | Certificate was issued
21 | Certificate is revoked
30 | Certificate request failed
31 | Certificate request is denied

Show the SerialNumber of all issued and revoked certificates:
certutil -view -restrict "Disposition>=20,Disposition<=21" -out SerialNumber

Show all certificate requests that failed for the certificate template with the common name "EnrollmentAgent" after September 24th 2008:
certutil -view -restrict "Disposition=30,notbefore>=9/24/2008,certificate template=EnrollmentAgent" -out RawCertificate
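The "about to expire" row above and the disposition tables combine naturally into an expiry report that only counts issued certificates. The function below is an added example, not from the original notes: it builds the -restrict string with explicitly formatted dates (the notes interpolate $today straight into the quoted string and rely on PowerShell's default DateTime-to-string conversion), adds Disposition=20 so revoked certificates are left out unless asked for, and turns the CSV that certutil writes into objects. The function name, the -Days/-Config/-IncludeRevoked parameters and the column list are this example's own choices; the month/day/year date format follows the convention used elsewhere on this page, and -config is only needed when querying a remote CA.

```powershell
# Added example, not from the original notes: list issued certificates in the
# CA database that expire within the next N days, as objects rather than text.
function Get-CAExpiringCertificates {
    param(
        [int]$Days = 31,            # look-ahead window, same default as the notes
        [string]$Config,            # optional "CAHost\CAName" for a remote CA
        [switch]$IncludeRevoked     # also return Disposition=21 entries
    )
    $culture = [cultureinfo]::InvariantCulture
    $start = Get-Date
    $end   = $start.AddDays($Days)

    # format the dates ourselves (mm/dd/yyyy hh:mm, as used on this page) instead
    # of letting PowerShell stringify a DateTime inside the quoted restriction
    $parts = @(
        ('NotAfter>=' + $start.ToString('MM/dd/yyyy HH:mm', $culture)),
        ('NotAfter<=' + $end.ToString('MM/dd/yyyy HH:mm', $culture))
    )
    if (-not $IncludeRevoked) { $parts += 'Disposition=20' }   # 20 = issued, 21 = revoked
    $restrict = $parts -join ','
    $columns  = 'RequestID,RequesterName,NotAfter,CommonName,CertificateTemplate,SerialNumber,Disposition'

    $certutilArgs = @()
    if ($Config) { $certutilArgs += @('-config', $Config) }
    $certutilArgs += @('-view', '-restrict', $restrict, '-out', $columns, 'csv')

    $raw = & certutil @certutilArgs
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }

    # the first line is the CSV header; drop empty lines and certutil's status trailer if present
    $raw | Where-Object { $_ -and $_ -notmatch '^CertUtil:' } | ConvertFrom-Csv
}

# Usage: issued certificates on the local CA that expire within two weeks
Get-CAExpiringCertificates -Days 14 | Format-Table -AutoSize

# Usage: include revoked ones too, against a remote CA (placeholder CA name)
# Get-CAExpiringCertificates -Days 30 -Config 'CA01\Contoso Issuing CA' -IncludeRevoked
```

Because the result is objects, it can be piped to Export-Csv for a ticket, or filtered on the template column to alert only on the templates whose renewals are not automated. The column names in the output are the display names certutil prints in the CSV header, which vary slightly between Windows versions, so inspect one run before hardcoding a property name in downstream filters.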