A while ago I explained how to determine all certificates that will expire within a given period. Now I’d like to explain how to query the CA database based on certificate or request disposition. The disposition IDs are defined in the certsrv.h include file in the Windows SDK.
The following two tables show the disposition IDs for the request queue and the log.
Disposition values for requests in the queue:
request is being processed
request is taken under submission
certificate is an archived foreign certificate
certificate is a CA certificate
parent CA certificates of the CA certificate
certificate is a key recovery agent certificate
Disposition values for requests in the log:
certificate was issued
certificate is revoked
certificate request failed
certificate request is denied
Show the SerialNumber of all issued and revoked certificates:
Show the most recently issued certificate that is not revoked. To view the certificate, copy everything between the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" into a file with the file extension CER and open the file. The expression RequestID=$ instructs certutil to sort the database query from high to low and stop after the first entry is displayed.
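The two queries above, scripted in PowerShell as an added example (not a command from the original post): it lists the serial numbers of all issued and revoked certificates, then fetches the newest issued certificate and writes its PEM block to a .cer file. It assumes certutil.exe is in PATH and runs on the CA itself (add -config "CAHost\CAName" to the certutil calls otherwise); the disposition numbers are the DB_DISP_ISSUED and DB_DISP_REVOKED constants from certsrv.h, and the output path is an assumed default.

```powershell
# Disposition values from certsrv.h (Windows SDK).
$DB_DISP_ISSUED  = 20   # certificate was issued
$DB_DISP_REVOKED = 21   # certificate is revoked

function Get-CaIssuedOrRevokedSerials {
    # Restriction clauses separated by a comma are ANDed, so a range
    # (>= issued, <= revoked) selects both log dispositions at once.
    $restrict = "Disposition>=$DB_DISP_ISSUED,Disposition<=$DB_DISP_REVOKED"
    $text = & certutil.exe -view -restrict $restrict -out "SerialNumber" Log | Out-String
    # certutil prints one 'Serial Number: "..."' line per row; keep the quoted value.
    [regex]::Matches($text, 'Serial Number:\s*"([0-9a-fA-F]+)"') |
        ForEach-Object { $_.Groups[1].Value }
}

function Export-LatestIssuedCert {
    param([string]$OutFile = (Join-Path $env:TEMP 'latest-issued.cer'))
    # RequestID=$ sorts descending and stops after the first row;
    # Disposition=20 excludes revoked entries (disposition 21).
    $restrict = 'Disposition=' + $DB_DISP_ISSUED + ',RequestID=$'
    $text = & certutil.exe -view -restrict $restrict -out "RequestID,SerialNumber,RawCertificate" Log | Out-String
    # Cut the PEM block out of the dump, exactly as the manual copy/paste would.
    $m = [regex]::Match($text, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----')
    if (-not $m.Success) { throw 'No certificate found in certutil output' }
    Set-Content -Path $OutFile -Value $m.Value -Encoding ASCII
    return $OutFile
}

Get-CaIssuedOrRevokedSerials
$cer = Export-LatestIssuedCert
Invoke-Item $cer   # opens the .cer in the certificate viewer
```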
Show all CRL attributes for the CRL that was published before the current CRL:
certutil -restrict "CRLRowID=$-1" -view CRL
Note: If you don’t know how to restrict the query by a certain attribute, dump all certificate or request attributes by not specifying the -out parameter. Then use that output as a sample to build the query with the attributes that you are looking for.