Guest x13 Posted October 21, 2008

Hi all.

If I want to see the digital certificates installed on a specific server, I MSTSC to the server, run CERTMGR and export desired certificates (list) with Actions / Export list.

This results in a TXT or CSV file I can then import into Excel; but this process is purely interactive, and must be repeated on each server. Then, all the text files have to be merged and sorted to get a general overview.
Which is by no means difficult, but it's a pain in the ass...

With this overview I can plan certificate renewals and see which server has which certificate installed.

So how can I create a list of installed digital certificates on servers of my choosing?

Thanks!
M.T.
(ps: email is a d-coy, please respond within thread)
Guest Martin Rublik Posted October 22, 2008

You can look at the certutil utility; for more info check http://technet.microsoft.com/en-us/library...K_display_certs

You can make a script and redirect its output to a filesystem and then collect these files.

HTH

Martin
Guest x13 Posted December 8, 2008

Martin,

CertUtil doesn't do what I want.

I want to generate a list of all (or specific) certificates, especially issuer (CA) and expiration dates.
I have found no tool/scripts out there that performs this simple task. I have to use the CERTMGR.MSC snap-in on each individual server, which is a pain in the ass.

Anyone have an idea how to get this from the command line?

Thanks.

M.T.

PS: Email is a decoy, please respond in this thread
Guest Martin Rublik Posted December 8, 2008

Try

certutil -store ca | findstr -i "=== NotBefore NotAfter Subject:"
certutil -store root | findstr -i "=== NotBefore NotAfter Subject:"

certutil -enterprise -store ca | findstr -i "=== NotBefore NotAfter Subject:"
certutil -enterprise -store root | findstr -i "=== NotBefore NotAfter Subject:"

If this is not enough, could you please specify what kind of functionality you are missing?

HTH

Martin
Guest Martin Rublik Posted December 8, 2008

In addition, if you are looking for user certificates, try

computer store
certutil -store my | findstr -i "=== NotBefore NotAfter Issuer: Subject:"

user store
certutil -user -store my | findstr -i "=== NotBefore NotAfter Issuer: Subject:"

HTH

Martin
Guest x13 Posted December 10, 2008

Martin:

Great stuff, but none of your suggestions list date of issuance and expiration/revocation.
And the whole point of this is for me to request new certificates before they expire.

Thanks.
M.T.
Guest Martin Rublik Posted December 11, 2008

x13 wrote:
> Martin:
>
> Great stuff, but none of your suggestions list date of issuance and
> expiration/revocation.
> And the whole point of this is for me to request new certificates
> before they expire.
>
> Thanks.
> M.T.

Hi,

http://www.ietf.org/rfc/rfc3280.txt defines Validity as

4.1.2.5 Validity

The certificate validity period is the time interval during which the CA warrants that it will maintain information about the status of the certificate. The field is represented as a SEQUENCE of two dates: the date on which the certificate validity period begins (notBefore) and the date on which the certificate validity period ends (notAfter). Both notBefore and notAfter may be encoded as UTCTime or GeneralizedTime.

e.g. notBefore means Valid From and notAfter means Valid To.

Here is a sample output of the command

================ Certificate 0 ================
Issuer: CN=Some CA0
NotBefore: 2. 3. 2007 10:42
NotAfter: 1. 3. 2008 10:42
Subject: CN=Some User0
================ Certificate 1 ================
Issuer: CN=Some CA1
NotBefore: 6. 5. 2005 10:51
NotAfter: 6. 5. 2006 10:51
Subject: CN=Some User1

This dump says you have two certificates, one of them is issued by Some CA0, the other one is issued by Some CA1. These certificates are issued to Some User0 and Some User1 respectively. Also the Certificate 0 expired on 1.3. 2008 and the Certificate 1 expired on 6.5.2006.

As for the revocation, you need to check a revocation list; this is not done when you are looking at the certificate through MMC. But I guess that if you are requesting a revocation then you are going to know that the certificate is not valid. Also if the CA is revoking your certificate, you should be notified.

If you would like to check for revocation you would need to first export the certificates and then run

certutil -verify -urlfetch certificate-filename.cer

Best regards

Martin
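The merge-and-sort step asked about in this thread, as an added example that is not from any post here: it parses filtered certutil dumps collected per server (the format of the sample output above) into one list sorted by expiry date. The server names, the SRV02 entry, the 60-day warning window and the day-month-year date format are assumptions.

```python
import re
from datetime import datetime

# Constructed input: one filtered certutil dump per (made-up) server name.
SAMPLE_DUMPS = {"SRV01": """\
================ Certificate 0 ================
Issuer: CN=Some CA0
NotBefore: 2. 3. 2007 10:42
NotAfter: 1. 3. 2008 10:42
Subject: CN=Some User0
================ Certificate 1 ================
Issuer: CN=Some CA1
NotBefore: 6. 5. 2005 10:51
NotAfter: 6. 5. 2006 10:51
Subject: CN=Some User1
""", "SRV02": """\
================ Certificate 0 ================
Issuer: CN=Some CA0
NotBefore: 15. 1. 2008 09:00
NotAfter: 15. 1. 2009 09:00
Subject: CN=web.example.test
"""}

HEADER = re.compile(r"^=+\s*Certificate\s+\d+\s*=+$")
FIELD = re.compile(r"^(Issuer|Subject|NotBefore|NotAfter):\s*(.*)$")

def parse_dump(server, text, date_format="%d. %m. %Y %H:%M"):
    # date_format is an assumption: certutil prints dates in the server's locale.
    records = []
    for line in text.splitlines():
        line = line.strip()
        field = FIELD.match(line)
        if HEADER.match(line):
            records.append({"server": server})   # a new certificate starts
        elif field and records:
            key, value = field.groups()
            if key.startswith("Not"):
                value = datetime.strptime(value, date_format)
            records[-1].setdefault(key, value)    # keep the first match only
    return records

def renewal_report(dumps, today, warn_days=60):
    # One row per certificate across all servers, soonest expiry first.
    rows = []
    for server, text in dumps.items():
        for rec in parse_dump(server, text):
            left = (rec["NotAfter"] - today).days
            status = "EXPIRED" if left < 0 else "RENEW" if left <= warn_days else "OK"
            rows.append((rec["NotAfter"], server, rec["Subject"], rec.get("Issuer", ""), status))
    return sorted(rows)
```

Issuer is read with a default because the ca and root store commands earlier in the thread do not include "Issuer:" in the findstr filter.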