Disposition values for certutil –view –restrict (and some creative samples)
Published Jan 24 2020 01:43 PM 7,893 Views

First published on TECHNET on Oct 03, 2008

A while ago I explained how to determine all certificates that will expire within a given period. Now I’d like to explain how to query the CA database based on certificate or request disposition. The disposition ID’s are defined in the certsrv.h include file in the Windows SDK.

The following two tables show the disposition ID’s for the request queue and the log.

Disposition values for requests in the queue:

Disposition Description
8 request is being processed
9 request is taken under submission
12 certificate is an archived foreign certificate
15 certificate is a CA certificate
16 parent CA certificates of the CA certificate
17 certificate is a key recovery agent certificate

Disposition values for requests in the log:

Disposition Description
20 certificate was issued
21 certificate is revoked
30 certificate request failed
31 certificate request is denied

Show the SerialNumber of all issued and revoked certificates:

certutil -view -restrict "Disposition>=20,Disposition<=21" -out SerialNumber

Show the most recently issued certificate that is not revoked. To view the certificate copy everything between the line “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----“ into a file with the file extension CER and open the file. The expression RequestID=$ instructs certutil to sort the database query from high to low and stop after the first entry is displayed.

certutil -view -restrict "RequestId=$,Disposition=20" -out RawCertificate

Show all certificate requests that failed for the certificate template with the common name "EnrollmentAgent" after September 24th 2008:

certutil -view -restrict "Disposition=30,notbefore=>9/24/2008,certificate template=EnrollmentAgent" -out RawCertificate

Show the SerialNumber and the Request Status Code for all certificate requests that have been submitted by CONTOSO\user1 :

certutil -view -restrict "RequesterName=CONTOSO\user1" -out SerialNumber,StatusCode

Show all CRL attributes for the CRL that was published before the current CRL:

certutil -restrict "CRLRowID=$-1" –view CRL

Note: If you don’t know how to restrict the query by a certain attribute dump all certificate or request attributes by not specifying the –out parameter. Then take the output as a sample to build the query with the attributes that you are looking for.

Version history
Last update:
‎Mar 06 2023 08:23 AM
Updated by: