Certutil: Difference between revisions

From WikiWiki

Revision as of 09:28, 4 May 2017

certificate tool

notes

<syntaxhighlight lang="powershell">
#view ad store
certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"
certutil -store -enterprise NTAuth
certutil -store -enterprise ntauth "5a ce 02 ad 7b 9c a9 1e 11 f8 c8 b9 92 5e ae 3d 23 ec 23 c1"
#delete from ntauth store
certutil -delstore -enterprise ntauth "5a ce 02 ad 7b 9c a9 1e 11 f8 c8 b9 92 5e ae 3d 23 ec 23 c1"
#get all certs after September with information about the private key
certutil -view -restrict "NotBefore>=9/9/2015" -out "request.submittedwhen,Request.RequesterName,request.rawarchivedkey"
#get all certificates about to expire
$today=Get-Date
$endperiod=$today.AddDays(31)
certutil -view -restrict "NotAfter>=$today,NotAfter<=$endperiod" -out "RequestID,RequesterName,RequestType,Email,NotAfter,CommonName,CertificateTemplate,EnrollmentFlags"
#get all certificates
certutil -view -out CertificateTemplate -restrict "NotBefore > 08/20/2009" csv > out.txt
#get certificates by template name
certutil -view -restrict "certificate template=1.3.6.1.4.1.311.21.8.2819805.2707949.10374545.1112108.15908497.246.7506132.8196480" -out request.submittedwhen,Request.RequesterName,Request.CallerName,UPN,CommonName,NotAfter,Request.Disposition > c:\Template1-Requests.txt
# or for default templates use the name instead of the OID like so
certutil -view -restrict "certificate template=user" -out request.submittedwhen,Request.RequesterName,Request.CallerName,UPN,CommonName,NotAfter,Request.Disposition
#get certificates by requester
certutil -view -restrict "RequesterName=CONTOSO\user1" -out SerialNumber,StatusCode
#disposition is the status -> http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx
certutil -view -restrict "RequestId=$,Disposition=20" -out RawCertificate
</syntaxhighlight>

all columns: https://technet.microsoft.com/nl-be/library/cc783853%28v=ws.10%29.aspx


sources:

* http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx
* https://sysengblog.wordpress.com/2012/04/03/complete-microsoft-certificate-authority-maintenance-procedure/
* http://ss64.com/nt/certutil.html
{| class="wikitable"
|-
! Command !! Description !! Source
|-
| certutil -exportPFX -p "$Password" "$($CertificateItem.Thumbprint)" "$FileName.pfx" || Export to pfx ||
|-
| certutil -view -out CertificateTemplate -restrict "NotBefore > 08/20/2009" csv > out.txt || Get all certificates after 08/20/2009 and export in csv format to out.txt ||
|-
| certutil -view -out "CertificateTemplate,request.submittedwhen" -restrict "NotBefore > 08/20/2009" csv > out.txt || Get all certificates after 08/20/2009 with properties and export in csv format to out.txt ||
|-
| certutil -template || Get templates ||
|-
| certutil -view -restrict "NotAfter>=$today,NotAfter<=$endperiod" -out "RequestID,RequesterName,RequestType,Email,NotAfter,CommonName,CertificateTemplate,EnrollmentFlags" || Get all certificates about to expire (between $today and $endperiod, set as in the notes above) ||
|-
| certutil -CAInfo || Display CA information || https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
|-
| certutil -dcinfo || Display domain controller information || https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
|-
| certutil -entinfo || Display Enterprise CA information || https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
|-
| certutil -tcainfo || Display CA information || https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
|-
| certutil -view -restrict "RequesterName=contoso\TWT" || Get all certs requested by a given user (here contoso\TWT) ||
|-
| certutil -store -user My<br />certutil -repairstore my "SerialNumber" || Repair missing private keys (repair key association or update certificate properties or key security descriptor) ||
|}

The following two tables show the disposition IDs for the request queue and the log. The disposition is the request status, so it can be used in a -restrict filter to get requests based on status (source: http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx).

Disposition values for requests in the queue:

{| class="wikitable"
|-
! Disposition !! Description
|-
| 8 || request is being processed
|-
| 9 || request is taken under submission
|-
| 12 || certificate is an archived foreign certificate
|-
| 15 || certificate is a CA certificate
|-
| 16 || parent CA certificates of the CA certificate
|-
| 17 || certificate is a key recovery agent certificate
|}

Disposition values for requests in the log:

{| class="wikitable"
|-
! Disposition !! Description
|-
| 20 || certificate was issued
|-
| 21 || certificate is revoked
|-
| 30 || certificate request failed
|-
| 31 || certificate request is denied
|}

Show the SerialNumber of all issued and revoked certificates:

<syntaxhighlight lang="powershell">
certutil -view -restrict "Disposition>=20,Disposition<=21" -out SerialNumber
</syntaxhighlight>

Show all certificate requests that failed for the certificate template with the common name "EnrollmentAgent" after September 24th 2008:

<syntaxhighlight lang="powershell">
certutil -view -restrict "Disposition=30,NotBefore>=9/24/2008,certificate template=EnrollmentAgent" -out RawCertificate
</syntaxhighlight>
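As an added example (not the wiki's own code), the following PowerShell function combines the "about to expire" NotAfter restriction from the notes with the Disposition filter from the tables above, so only issued certificates are reported, and parses certutil's csv output into objects. It assumes certutil.exe is on the PATH and the caller can read the CA database; the -Config value passed to certutil's -config switch is a placeholder.

```powershell
# Added example (not from the wiki page): list issued certificates that expire
# within the next N days, reusing the page's NotAfter restriction and adding the
# Disposition filter from the disposition tables. Assumes certutil.exe is on the
# PATH and the caller can read the CA database; -Config feeds certutil's own
# -config switch and the CA name shown is a placeholder.
function Get-ExpiringIssuedCertificates {
    param(
        [int]$Days = 31,
        [string]$Config = ''    # e.g. 'CAHOST\Contoso Issuing CA' (placeholder)
    )
    # The notes interpolate a bare [datetime] ($today), which yields a
    # locale-dependent string; format the US-style date the page's examples use.
    $start = (Get-Date).ToString('MM/dd/yyyy')
    $end   = (Get-Date).AddDays($Days).ToString('MM/dd/yyyy')

    # Disposition=20 keeps only issued certificates; revoked (21), failed (30)
    # and denied (31) requests would otherwise show up as "expiring" too.
    $restrict = "NotAfter>=$start,NotAfter<=$end,Disposition=20"
    $columns  = 'RequestID,RequesterName,NotAfter,CommonName,CertificateTemplate'

    $certutilArgs = @()
    if ($Config) { $certutilArgs += '-config', $Config }
    $certutilArgs += '-view', '-restrict', $restrict, '-out', $columns, 'csv'

    $raw = & certutil.exe @certutilArgs
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -view failed (exit code $LASTEXITCODE): $($raw -join ' ')"
    }

    # certutil prints a trailing status line ("CertUtil: -view command completed
    # successfully.") after the CSV rows; drop it and blank lines before parsing.
    $csvLines = @($raw | Where-Object { $_ -and $_ -notmatch '^CertUtil:' })
    if ($csvLines.Count -le 1) { return @() }   # header only: nothing expiring

    # The CSV header carries certutil's display names (for NotAfter this is
    # "Certificate Expiration Date"), so the objects use those property names.
    $csvLines | ConvertFrom-Csv
}

# Usage: review everything expiring in the next 31 days on the default CA.
Get-ExpiringIssuedCertificates -Days 31 | Format-Table -AutoSize
```

Because the function returns objects, the result can be piped to Export-Csv or compared against a previous run to spot certificates that were renewed, or were not, before they lapse.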