Certutil

From WikiWiki

certificate tool

notes

  #view the NTAuth store in AD
  certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"
  certutil -store -enterprise NTAuth
  certutil -store -enterprise ntauth "5a ce 02 ad 7b 9c a9 1e 11 f8 c8 b9 92 5e ae 3d 23 ec 23 c1"
  #delete from ntauth store
  certutil -delstore -enterprise ntauth "5a ce 02 ad 7b 9c a9 1e 11 f8 c8 b9 92 5e ae 3d 23 ec 23 c1"
  #get all certs issued after 9 September 2015 with information about the (archived) private key
  certutil -view -restrict "NotBefore>=9/9/2015" -out "request.submittedwhen,Request.RequesterName,request.rawarchivedkey"
  #get all certificates about to expire
  $today=Get-Date
  $endperiod=$today.AddDays(31)
  certutil -view -restrict "NotAfter>=$today,NotAfter<=$endperiod" -out "RequestID,RequesterName,RequestType,Email,NotAfter,CommonName,CertificateTemplate,EnrollmentFlags"
  #get all certificates
  certutil -view -out CertificateTemplate -restrict "NotBefore > 08/20/2009" csv > out.txt
  #get certificates by templatename
  certutil -view -restrict "certificate template=1.3.6.1.4.1.311.21.8.2819805.2707949.10374545.1112108.15908497.246.7506132.8196480" -out request.submittedwhen,Request.RequesterName,Request.CallerName,UPN,CommonName,NotAfter,Request.Disposition > c:\Template1-Requests.txt
  # or for default templates use the name instead of the OID like so
  certutil -view -restrict "certificate template=user" -out request.submittedwhen,Request.RequesterName,Request.CallerName,UPN,CommonName,NotAfter,Request.Disposition
  #get certificates by requestor
  certutil -view -restrict "RequesterName=CONTOSO\user1" -out SerialNumber,StatusCode
  #disposition is the status -> http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx
  certutil -view -restrict "RequestId=$,Disposition=20" -out RawCertificate

all columns: https://technet.microsoft.com/nl-be/library/cc783853%28v=ws.10%29.aspx
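The notes above interpolate `$today` (a full DateTime, including the time part, in the current culture's format) straight into the `-restrict` string. The following PowerShell is an added example, not code from the wiki page: it wraps `certutil -view ... csv` in a function that returns objects, and builds the "about to expire" query with an explicit date format and `Disposition=20` so that only issued certificates are reported. The CA config string, the default date format and the column display names certutil prints in the CSV header are assumptions; adjust them to your CA host.

```powershell
# Added example (not from the wiki page). Wraps "certutil -view ... csv" and
# reports issued certificates that expire within the next N days.
# Assumptions / placeholders:
#   - CA config 'CA01.corp.contoso.com\Contoso Issuing CA' is a placeholder
#   - the date format must match what the CA host's locale expects
#   - CSV headers are certutil's display names (e.g. "Certificate Expiration Date")

function Invoke-CertutilView {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Restrict,
        [Parameter(Mandatory)] [string[]]$Columns,
        [string]$CAConfig      # omit to use the default CA for this machine
    )
    $certArgs = @()
    if ($CAConfig) { $certArgs += @('-config', $CAConfig) }
    $certArgs += @('-view', '-restrict', $Restrict, '-out', ($Columns -join ','), 'csv')

    $raw = & certutil.exe @certArgs
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -view failed (exit code $LASTEXITCODE): $($raw -join ' ')"
    }
    # Keep only the CSV header and data rows: drop blank lines and any
    # trailing "CertUtil: ..." status line before parsing.
    $raw | Where-Object { $_ -and ($_ -notmatch '^CertUtil:') } | ConvertFrom-Csv
}

function Get-ExpiringCaCertificates {
    [CmdletBinding()]
    param(
        [int]$Days = 31,
        [string]$CAConfig,
        [string]$DateFormat = 'M/d/yyyy'   # assumption: change to the CA host's locale format
    )
    $now   = Get-Date
    $start = $now.ToString($DateFormat)
    $end   = $now.AddDays($Days).ToString($DateFormat)

    # Disposition=20 restricts the query to issued certificates (see the
    # disposition table), so pending, failed and revoked requests are not
    # reported as "expiring". Dates are formatted explicitly instead of
    # interpolating a DateTime object, which would include the time part.
    $restrict = "Disposition=20,NotAfter>=$start,NotAfter<=$end"
    $columns  = 'RequestID', 'RequesterName', 'CommonName',
                'CertificateTemplate', 'NotAfter', 'SerialNumber'

    Invoke-CertutilView -Restrict $restrict -Columns $columns -CAConfig $CAConfig
}

# Usage (placeholder CA config):
# Get-ExpiringCaCertificates -Days 31 -CAConfig 'CA01.corp.contoso.com\Contoso Issuing CA' |
#     Format-Table -AutoSize
```

Run it on a machine with the AD CS management tools installed and rights to read the CA database; `-CAConfig` takes the same `Server\CA name` value as `certutil -config`. Checking `$LASTEXITCODE` matters because certutil prints a readable error (for example an access denied on the CA) but a pipeline that only parses stdout would silently return nothing.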


sources:

Command | Description | Source
certutil -exportPFX -p "$Password" "$($CertificateItem.Thumbprint)" "$FileName.pfx" | Export to pfx |
certutil -view -out CertificateTemplate -restrict "NotBefore > 08/20/2009" csv > out.txt | Get all certificates after 08/20/2009 and export in csv format to out.txt |
certutil -view -out "CertificateTemplate,request.submittedwhen" -restrict "NotBefore > 08/20/2009" csv > out.txt | Get all certificates after 08/20/2009 with properties and export in csv format to out.txt |
certutil -template | Get templates |
certutil -view -restrict "NotAfter>=$today,NotAfter<=$endperiod" -out "RequestID,RequesterName,RequestType,Email,NotAfter,CommonName,CertificateTemplate,EnrollmentFlags" | Get all certificates about to expire ($today) |
certutil -CAInfo | Display CA information | https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
certutil -dcinfo | Display domain controller information | https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
certutil -entinfo | Display Enterprise CA information | https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard
certutil -tcainfo | Display CA information | https://social.technet.microsoft.com/Forums/windowsserver/en-US/f93f38fd-706b-49ec-af79-12caf61cf111/ad-cs-issue-in-server-2008-r2-standard

The following two tables show the disposition IDs for the request queue and the log. Disposition values for requests in the queue:

Disposition Description
8 request is being processed
9 request is taken under submission
12 certificate is an archived foreign certificate
15 certificate is a CA certificate
16 parent CA certificates of the CA certificate
17 certificate is a key recovery agent certificate



Disposition values for requests in the log:

Disposition Description
20 certificate was issued
21 certificate is revoked
30 certificate request failed
31 certificate request is denied

Get requests based on status (source: http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx):

  #show the SerialNumber of all issued and revoked certificates
  certutil -view -restrict "Disposition>=20,Disposition<=21" -out SerialNumber
  #show all certificate requests that failed for the certificate template with the common name "EnrollmentAgent" after September 24th 2008
  certutil -view -restrict "Disposition=30,NotBefore>=9/24/2008,certificate template=EnrollmentAgent" -out RawCertificate
  #get all certs requested by a given user
  certutil -view -restrict "RequesterName=contoso\TWT"
  #list the certificates in the current user's personal store
  certutil -store -user My
  #repair missing private keys (repair key association or update certificate properties or key security descriptor)
  certutil -repairstore my "SerialNumber"