Re: Q: Digital certificate inventory within network?

CertUtil doesn't do what I want.

I want to generate a list of all (or specific) certificates, especially issuer (CA) and expiration dates.
I have found no tool/scripts out there that performs this simple task. I have to use the CERTMGR.MSC snap-in on each individual server, which is a pain in the ass.

Anyone have an idea how to get this from the command line?

Thanks.

M.T.

PS: Email is a decoy, please respond in this thread

On Oct 22, 1:15 pm, Martin Rublik <martin.rub...@nospam.com> wrote:
> You can look at the certutil utility for more info check http://technet.microsoft.com/en-us/library/cc772898.aspx#BKMK_display...
>
> You can make a script and redirect its output to a filesystem and then collect
> these files.
>
> HTH
>
> Martin
>
> x13 wrote:
> > Hi all.
> >
> > If I want to see the digital certificates installed on a specific
> > server, I MSTSC to the server, run CERTMGR and export desired
> > certificates (list) with Actions / Export list.
> >
> > This results in a TXT or CSV file I can then import into Excel; but
> > this process is purely interactive, and must be repeated on each
> > server. Then, all the text files have to be merged and sorted to get a
> > general overview.
> > Which is by no means difficult, but it's a pain in the ass...
> >
> > With this overview I can plan certificate renewals and see which
> > server has which certificate installed.
> >
> > So how can I create a list of installed digital certificates on
> > servers of my choosing?
> >
> > Thanks!
> > M.T.
> > (ps: email is a d-coy, please respond within thread)

Try

certutil -store ca | findstr -i "=== NotBefore NotAfter Subject:"
certutil -store root | findstr -i "=== NotBefore NotAfter Subject:"

certutil -enterprise -store ca | findstr -i "=== NotBefore NotAfter Subject:"
certutil -enterprise -store root | findstr -i "=== NotBefore NotAfter Subject:"

If this is not enough could you please specify what kind of functionality are you missing?

HTH

Martin

In addition if you are looking for user certificates try

computer store
certutil -store my | findstr -i "=== NotBefore NotAfter Issuer: Subject:"

user store
certutil -user -store my | findstr -i "=== NotBefore NotAfter Issuer: Subject:"

HTH

Martin

Martin:

Great stuff, but none of your suggestions list date of issuance and expiration/revocation.
And the whole point of this is for me to request new certificates before they expire.

Thanks.
M.T.

On 8 dec, 15:05, Martin Rublik <martin.rub...@nospam.com> wrote:
> In addition if you are looking for user certificates try
>
> computer store
> certutil -store my | findstr -i "=== NotBefore NotAfter Issuer: Subject:"
>
> user store
> certutil -user -store my | findstr -i "=== NotBefore NotAfter Issuer: Subject:"
>
> HTH
>
> Martin

x13 wrote:
> Martin:

Hi,

> Great stuff, but none of your suggestions list date of issuance and
> expiration/revocation.
> And the whole point of this is for me to request new certificates
> before they expire.
>
> Thanks.
> M.T.

http://www.ietf.org/rfc/rfc3280.txt defines Validity as

   4.1.2.5 Validity

   The certificate validity period is the time interval during which the
   CA warrants that it will maintain information about the status of the
   certificate. The field is represented as a SEQUENCE of two dates:
   the date on which the certificate validity period begins (notBefore)
   and the date on which the certificate validity period ends
   (notAfter). Both notBefore and notAfter may be encoded as UTCTime or
   GeneralizedTime.

e.g. notBefore means Valid From and notAfter means Valid To.

Here is a sample output of the command

================ Certificate 0 ================
Issuer: CN=Some CA0
NotBefore: 2. 3. 2007 10:42
NotAfter: 1. 3. 2008 10:42
Subject: CN=Some User0
================ Certificate 1 ================
Issuer: CN=Some CA1
NotBefore: 6. 5. 2005 10:51
NotAfter: 6. 5. 2006 10:51
Subject: CN=Some User1

This dump says you have two certificates, one of them is issued by Some CA0 the other one is issued by Some CA1. These certificates are issued to Some User0 and Some User1 respectively. Also the Certificate 0 expired on 1.3. 2008 and the Certificate 1 expired on 6.5.2006.

As for the revocation you need to check a revocation list, this is not done when you are looking at the certificate through MMC. But I guess that if you are requesting a revocation then you are going to know that the certificate is not valid. Also if CA is revoking your certificate, you should be notified.

If you would like to check for revocation you would need to first export the certificates and then run

certutil -verify -urlfetch certificate-filename.cer

Best regards

Martin
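
Added example, not part of the thread and not written by its participants: one way to turn the filtered certutil output collected from each server into the merged, expiry-sorted renewal list the question asks for. The host name, the function names and the 60-day warning window are assumptions; the date format matches the sample dump above, and because certutil prints dates in the server's locale a different date_format may be needed.

```python
import re
from datetime import datetime

# Constructed input: the sample dump from the thread, keyed by a placeholder
# host name, standing in for one collected output file per server.
SAMPLE = {"SERVER-A": """\
================ Certificate 0 ================
Issuer: CN=Some CA0
NotBefore: 2. 3. 2007 10:42
NotAfter: 1. 3. 2008 10:42
Subject: CN=Some User0
================ Certificate 1 ================
Issuer: CN=Some CA1
NotBefore: 6. 5. 2005 10:51
NotAfter: 6. 5. 2006 10:51
Subject: CN=Some User1
"""}

BANNER = re.compile(r"^=+ Certificate \d+ =+")
FIELD = re.compile(r"^\s*(Issuer|Subject|NotBefore|NotAfter):\s*(.*\S)\s*$")

def parse_dump(host, text, date_format="%d. %m. %Y %H:%M"):
    """Split one host's dump on the 'Certificate N' banners into records."""
    records, current = [], None
    for line in text.splitlines():
        if BANNER.match(line):
            current = {"Host": host}
            records.append(current)
        elif current is not None and (m := FIELD.match(line)):
            key, value = m.groups()
            if key.startswith("Not"):  # raises ValueError on a locale mismatch
                value = datetime.strptime(value, date_format)
            current[key] = value
    return records

def renewal_report(dumps, today, warn_days=60):
    """Merge all hosts, sort by expiry date, and label each certificate."""
    rows = [r for host, text in dumps.items() for r in parse_dump(host, text)]
    rows = [r for r in rows if "NotAfter" in r]  # skip records without a date
    rows.sort(key=lambda r: r["NotAfter"])
    for r in rows:
        r["DaysLeft"] = (r["NotAfter"] - today).days
        r["Status"] = ("EXPIRED" if r["DaysLeft"] < 0
                       else "RENEW" if r["DaysLeft"] <= warn_days else "OK")
    return rows

if __name__ == "__main__":
    for r in renewal_report(SAMPLE, datetime(2008, 1, 15)):
        print(r["Host"], r["Subject"], r.get("Issuer"), r["NotAfter"].date(), r["Status"])
```

The Issuer column is only filled when the findstr filter includes "Issuer:", as in the commands for the "my" store.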