Question
Friday, August 8, 2014 5:01 PM
D:\certutil -restrict "NotAfter<=01/01/2016,NotAfter>=01/31/2014" -out "RequestID,RequesterName" -view
CertUtil: The system cannot find the file specified.
Can someone, in the name of God, tell me how to use this "blessed" tool?
I have been googling for it for hours. I've tried so many combinations but no luck so far.
I just want to get all the expiring certificates from the Personal location.
D:\certutil -store My
================ Certificate 0 ================
Serial Number: 1f40239517fb8490fb0adafd78c8ca8d
Cert Hash(sha1): c0 0b 41 4f 10 26 0a 25 73 3a e3 19 19 c2 e2 d8 a6 1c bf 7a
Key Container = myapps.whirlpool.com-e2f82f54-879d-4c81-b0b7-bbb467bc4ed0
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
================ Certificate 1 ================
Serial Number: af9e181020c0bb60
Cert Hash(sha1): 65 28 72 14 51 f8 84 b2 40 e9 0f 4c e0 25 25 f0 d3 c1 fd df
Key Container = {36501564-0749-4569-98FE-AEDE2762E361}
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
================ Certificate 2 ================
Serial Number: 98ce8371f9cb9f75
Cert Hash(sha1): 31 f1 ce 1e cc 0d ac f1 85 25 14 00 eb 51 52 47 b6 43 37 08
Key Container = {44379770-1678-48B0-B9FF-F95638CD0A57}
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -store command completed successfully.
Why is this .exe such a pain in the neck?
All replies (4)
Saturday, August 9, 2014 9:07 AM ✅Answered
Mark, VBS is dead (thank God). CAPICOM too (thank God). Who needs tons of lines of code to solve a simple task?
> Why is this .exe such a pain in the neck?
It is a very good question. Certutil is very powerful, and that implies a certain complexity.
> I just want to get all the expiring certificates from the Personal location.
Simple as that:
dir cert:\currentuser\my | ?{$_.notafter -le $((Get-Date).AddMonths(3))} | ft Subject, Issuer, NotBefore, NotAfter, SerialNumber
This one-liner in PowerShell returns all certificates from the personal store (for the current user) which expire within 3 months. You can modify the AddMonths parameter to change the expiration threshold.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool.
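The same approach, generalised for the "many servers, nothing but what ships with Windows" constraint raised in the thread. This is an added example, not code from the original answer: it uses only the built-in Cert: drive and PowerShell remoting, covers both the CurrentUser and LocalMachine Personal stores, reports days remaining, and separates already-expired certificates (which the one-liner's `-le` comparison silently includes) from ones that are merely expiring. The server names `web01` and `web02` are placeholders.

```powershell
# Added example (not from the thread): list expiring and expired certificates from the
# Personal (My) store of both the current user and the local machine, as objects that
# can be sorted, exported, or collected from many hosts with Invoke-Command.
# Assumes PowerShell 2.0 or later; no extra modules, no CAPICOM.
function Get-ExpiringCertificate {
    param(
        [int]$WithinDays = 90,      # same idea as AddMonths(3) in the one-liner above
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'),
        [switch]$IncludeExpired     # the one-liner's "-le" also returns already-expired certs; opt in here
    )
    $now   = Get-Date
    $limit = $now.AddDays($WithinDays)

    foreach ($path in $StorePath) {
        # Listing LocalMachine\My does not need elevation; only private-key access does.
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.NotAfter -le $limit -and ($IncludeExpired -or $_.NotAfter -gt $now) } |
            ForEach-Object {
                # New-Object rather than [PSCustomObject] so this also runs on PowerShell 2.0
                New-Object -TypeName PSObject -Property @{
                    ComputerName  = $env:COMPUTERNAME
                    Store         = $path
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    NotAfter      = $_.NotAfter
                    DaysRemaining = [int][math]::Floor(($_.NotAfter - $now).TotalDays)  # negative = expired
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Local run: everything expiring in the next 30 days, plus anything already expired.
Get-ExpiringCertificate -WithinDays 30 -IncludeExpired |
    Sort-Object NotAfter |
    Format-Table ComputerName, Store, DaysRemaining, NotAfter, Subject, Thumbprint -AutoSize

# Fleet run (PowerShell remoting must be enabled on the targets; names are placeholders).
# On the remote side CurrentUser\My is the remoting account's own store, so LocalMachine\My
# is the one that matters for server certificates.
# Invoke-Command -ComputerName web01, web02 `
#     -ScriptBlock ${function:Get-ExpiringCertificate} -ArgumentList 30 |
#     Sort-Object NotAfter | Export-Csv .\expiring-certs.csv -NoTypeInformation
```

Two things worth checking in the output: a certificate with `HasPrivateKey` set to false in the machine store is usually a leftover CA or intermediate copy rather than something a service is actually serving, and a `DaysRemaining` below zero is already broken, not merely expiring, so it deserves a different alert than the 30- or 90-day warning.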
Friday, August 8, 2014 5:27 PM
That syntax is only for dumping information from the CA database - it will not work for dumping information from a local computer/user store.
For example:
' List every certificate in the local machine's Personal (My) store via CAPICOM.
' Requires the CAPICOM COM component, which is not installed by default on Windows.
Option Explicit
On Error Resume Next

Const CAPICOM_MY_STORE = "My"
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_CURRENT_USER_STORE = 2
Const CAPICOM_STORE_OPEN_READ_ONLY = 0

Dim oCert, oStore
Set oStore = CreateObject("CAPICOM.Store")
If Err.Number <> 0 Then
    WScript.Echo "CAPICOM NOT detected"
    WScript.Quit(1)
End If
On Error GoTo 0   ' re-enable normal error reporting once CAPICOM is known to be present

' Open the machine Personal store read-only: no changes, no UI prompts.
oStore.Open CAPICOM_LOCAL_MACHINE_STORE, CAPICOM_MY_STORE, CAPICOM_STORE_OPEN_READ_ONLY

For Each oCert In oStore.Certificates
    WScript.Echo " Subject Name:     " & oCert.SubjectName
    WScript.Echo " Issuer Name:      " & oCert.IssuerName
    WScript.Echo " SHA-1 Thumbprint: " & oCert.Thumbprint
    WScript.Echo " Serial Number:    " & oCert.SerialNumber
    WScript.Echo " Version:          " & oCert.Version
    WScript.Echo " Valid From:       " & oCert.ValidFromDate
    WScript.Echo " Valid To:         " & oCert.ValidToDate
Next
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.
Friday, August 8, 2014 5:41 PM
Is there a way to get a list of expiring certificates from a local computer using nothing but the utilities/resources installed by default on every Windows system?
I am planning to use it on many servers so this is a very important constraint.
Friday, August 8, 2014 5:48 PM
Were the certificates issued from your own CA? Why not perform the query/scripting on the CA - it's much more efficient. Otherwise, the following dumps certs from the local machine store (need to be at an elevated command prompt if UAC is enabled).
certutil -store MY
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.
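For the CA-side route suggested in this reply, the `-restrict`/`-out` syntax from the original question is the right one; it just has to be pointed at a CA database with `-view`. The following is an added example, not code from the thread or from Microsoft: it queries one issuing CA for issued certificates that expire within a window and parses certutil's CSV output into objects. The CA config string `ca01.contoso.com\Contoso Issuing CA` is a placeholder, and the `MM/dd/yyyy` date format assumes an en-US CA host, since certutil parses `-restrict` dates in the locale of the machine running it.

```powershell
# Added example (not from the thread): ask the CA database, rather than each server,
# which issued certificates expire in the next 90 days.
# Run on the CA or on a host with the AD CS management tools; the operator needs at
# least Read permission on the CA (certutil -config with a hypothetical CA below).
$CaConfig = 'ca01.contoso.com\Contoso Issuing CA'   # placeholder: find yours with "certutil -dump"

# -restrict takes comma-separated clauses on CA database columns.
# Disposition=20 means "issued"; without it, pending, failed and revoked rows are mixed in.
$From     = (Get-Date).ToString('MM/dd/yyyy')                # assumes en-US date parsing
$To       = (Get-Date).AddDays(90).ToString('MM/dd/yyyy')
$Restrict = "Disposition=20,NotAfter>=$From,NotAfter<=$To"

# Column names are the database schema names ("certutil -schema" lists them); the CSV
# header certutil emits uses the human-readable display names instead.
$Columns  = 'RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter,SerialNumber'

$csvLines = & certutil -config $CaConfig -restrict $Restrict -out $Columns -view csv
if ($LASTEXITCODE -ne 0) {
    throw "certutil -view failed (exit $LASTEXITCODE): $($csvLines -join ' ')"
}

# Turn the CSV text into objects; the last column in $Columns holds the expiry date.
$rows = $csvLines | ConvertFrom-Csv
$expiryColumn = ($rows | Get-Member -MemberType NoteProperty | Select-Object -Last 1).Name
$rows |
    Sort-Object { [datetime]$_.$expiryColumn } |
    Format-Table -AutoSize
```

Two caveats a practitioner will hit. First, the CA database only knows about certificates this CA issued; certificates from third-party or public CAs on a server still need the local-store check. Second, a certificate that was renewed or superseded still shows up in this query as an issued row until it is revoked, so cross-check the thumbprint or serial against what the server actually has bound before raising a ticket.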