Disposition values for certutil -view -restrict (and some creative samples)
A while ago I explained how to determine all certificates that will expire within a given period. Now I'd like to explain how to query the CA database based on certificate or request disposition. The disposition IDs are defined in the certsrv.h include file in the Windows SDK.
The following two tables show the disposition IDs for the request queue and the log.
Disposition values for requests in the queue:

| Disposition | Description |
|---|---|
| 8 | request is being processed |
| 9 | request is taken under submission |
| 12 | certificate is an archived foreign certificate |
| 15 | certificate is a CA certificate |
| 16 | parent CA certificates of the CA certificate |
| 17 | certificate is a key recovery agent certificate |
Disposition values for requests in the log:

| Disposition | Description |
|---|---|
| 20 | certificate was issued |
| 21 | certificate is revoked |
| 30 | certificate request failed |
| 31 | certificate request is denied |
Show the SerialNumber of all issued and revoked certificates:
certutil -view -restrict "Disposition>=20,Disposition<=21" -out SerialNumber
Show the most recently issued certificate that is not revoked. To view the certificate, copy everything between the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" into a file with the extension .cer and open that file. The expression RequestId=$ instructs certutil to sort the query result by RequestId from high to low and to stop after the first entry has been displayed.
certutil -view -restrict "RequestId=$,Disposition=20" -out RawCertificate
Show all certificate requests that failed for the certificate template with the common name "EnrollmentAgent" after September 24th 2008:
certutil -view -restrict "Disposition=30,NotBefore>9/24/2008,CertificateTemplate=EnrollmentAgent" -out RawCertificate
Show the SerialNumber and the Request Status Code for all certificate requests that have been submitted by CONTOSO\user1:
certutil -view -restrict "RequesterName=CONTOSO\user1" -out SerialNumber,StatusCode
Show all CRL attributes for the CRL that was published before the current CRL:
certutil -restrict "CRLRowID=$-1" -view CRL
Note: If you don't know the name of the attribute you want to restrict the query by, dump all certificate or request attributes by omitting the -out parameter. Then use that output as a sample to build the query with the attributes you are looking for.
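An added example (my own, not from the original post) for working with the query output rather than only reading it on screen: it parses the `Row N:` blocks that `certutil -view` prints into Python dictionaries and pulls out the serial numbers, optionally filtered by one of the disposition codes from the tables above. The sample output is constructed to mirror certutil's layout; on a CA host you would feed the real command's stdout to `parse_view_output`.

```python
import re

# Constructed sample mirroring the layout certutil -view prints: a schema
# block, then one "Row N:" block of 'Localized Name: value' lines per record.
SAMPLE_OUTPUT = """Schema:
  Column Name                   Localized Name                Type    MaxLength
  ----------------------------  ----------------------------  ------  ---------
  SerialNumber                  Serial Number                 String  128 -- Indexed
  Request.Disposition           Request Disposition           Long    4 -- Indexed

Row 1:
  Serial Number: "611a7474000000000003"
  Request Disposition: 0x14 (20) -- Issued

Row 2:
  Serial Number: "611ab74d000000000004"
  Request Disposition: 0x15 (21) -- Revoked
CertUtil: -view command completed successfully.
"""

ROW_RE = re.compile(r"^Row \d+:")
FIELD_RE = re.compile(r"^\s+(?P<name>[^:]+):\s*(?P<value>.*)$")
CODE_RE = re.compile(r"\((\d+)\)")  # decimal code inside "0x14 (20) -- Issued"


def parse_view_output(text):
    """One dict per row, keyed by localized column name. The Schema block is
    ignored and only single-line 'Name: value' fields are kept (the hex dump
    printed under binary columns such as RawCertificate is skipped)."""
    rows, current = [], None
    for line in text.splitlines():
        if ROW_RE.match(line):
            current = {}
            rows.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            value = m.group("value").strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # string columns are printed quoted
            current[m.group("name").strip()] = value
    return rows

def disposition_code(value):
    """'0x14 (20) -- Issued' -> 20; None if the field is not in that form."""
    m = CODE_RE.search(value)
    return int(m.group(1)) if m else None

def serial_numbers(rows, disposition=None):
    """Flat list of serial numbers, optionally only rows with one disposition."""
    return [r["Serial Number"] for r in rows if disposition is None
            or disposition_code(r.get("Request Disposition", "")) == disposition]
```

Writing `"\n".join(serial_numbers(rows))` to a file gives the flat list of serial numbers, without the schema header, that several of the comments below ask for.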
Comments
Anonymous
January 01, 2003
I need to work out an audit/maintenance of our neglected CA and this helped me so much in figuring out how certutil works... THANKS!
Anonymous
April 15, 2013
Can you -restrict commonname, or other fields, using a wildcard? -restrict "Request.CommonName = Hudson"
Anonymous
November 21, 2013
Is there any way, once you parse the issued certificates, to only export the certificate serial numbers into a flat txt file? I am trying to get it where the serial numbers are the only things listed in the output. Thanks. I used the below command:
certutil -view -restrict "Disposition>=20" -out SerialNumber > c:serial.txt
The output is:
Schema:
  Column Name                   Localized Name                Type    MaxLength
  ----------------------------  ----------------------------  ------  ---------
  SerialNumber                  Serial Number                 String  128 -- Indexed

Row 1:
  Serial Number: "611a7474000000000003"

Row 2:
  Serial Number: "611ab74d000000000004"
Anonymous
October 22, 2014
You might find the following website helpful, it's a NY law firm that has a service obtaining Certificates of Disposition for clients. See: www.certificateofdisposition.com
Anonymous
July 05, 2015
Hi Guys,
Sorry to bump into this thread with a different question...
But would you know a way to use certutil to extract certs (starting) on a given date?
Sample: I would like to extract all certs issued starting Jan 1, 2015.
The command I issue below doesn't seem to work:
certutil -view -restrict "NotBefore>=1/1/2015" -out "RequestID,NotBefore,NotAfter,CertificateTemplate" > file.txt
Thanks in advance,
Romell
Anonymous
September 18, 2015
Hi, I am using the same command to find all the certificates with a disposition value of 20, and then I needed the
output in a table format with columns and rows. How can I accomplish that? Piping the results to format-table is not taking any effect.
Here is the command:
certutil.exe -view -restrict "Disposition=20" -out "Request.RequestID,Request.RequesterName,CertificateHash,Request.SubmittedWhen,Request.DistinguishedName" | format-table -wrap -autosize
I changed the command above to include property names and such, but there is no variation in how the output gets printed on the screen, or when piping it to a txt file.
Thanks for your help.
- Anonymous
January 03, 2018
If you want to use the certutil output in PowerShell, this could help: https://www.pwsh.ch/how-to-use-certutil-output-as-objects-within-powershell-60.html
- Anonymous