First published on TECHNET on Oct 03, 2008
A while ago I explained how to determine all certificates that will expire within a given period. Now I’d like to explain how to query the CA database based on certificate or request disposition. The disposition ID’s are defined in the certsrv.h include file in the Windows SDK.
The following two tables show the disposition ID’s for the request queue and the log.
Disposition values for requests in the queue:
|8||request is being processed|
|9||request is taken under submission|
|12||certificate is an archived foreign certificate|
|15||certificate is a CA certificate|
|16||parent CA certificates of the CA certificate|
|17||certificate is a key recovery agent certificate|
Disposition values for requests in the log:
|20||certificate was issued|
|21||certificate is revoked|
|30||certificate request failed|
|31||certificate request is denied|
Show the SerialNumber of all issued and revoked certificates:
certutil -view -restrict "Disposition>=20,Disposition<=21" -out SerialNumber
Show the most recently issued certificate that is not revoked. To view the certificate copy everything between the line “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----“ into a file with the file extension CER and open the file. The expression RequestID=$ instructs certutil to sort the database query from high to low and stop after the first entry is displayed.
certutil -view -restrict "RequestId=$,Disposition=20" -out RawCertificate
Show all certificate requests that failed for the certificate template with the common name "EnrollmentAgent" after September 24th 2008:
certutil -view -restrict "Disposition=30,notbefore=>9/24/2008,certificate template=EnrollmentAgent" -out RawCertificate
Show the SerialNumber and the Request Status Code for all certificate requests that have been submitted by CONTOSO\user1 :
certutil -view -restrict "RequesterName=CONTOSO\user1" -out SerialNumber,StatusCode
Show all CRL attributes for the CRL that was published before the current CRL:
certutil -restrict "CRLRowID=$-1" –view CRL
Note: If you don’t know how to restrict the query by a certain attribute dump all certificate or request attributes by not specifying the –out parameter. Then take the output as a sample to build the query with the attributes that you are looking for.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.