

How to save CRL or CA cert file from LDAP location?

Question

Thursday, March 26, 2020 12:27 PM

Hi,

Using Windows 10's native command line tools, how can you fetch a CRL or CA certificate from an LDAP location and save it into a file? (so you can then look into it with 'certutil -dump' for example)

I've been searching for 'certutil' or 'curl' based solutions for hours but couldn't figure this out...

I'm looking for a command line / Powershell way to do it.

Sadly it doesn't seem as simple as a 'curl' or 'Invoke-WebRequest' to get a CRL/CA cert over HTTP.

Thanks,

Chris.

All replies (11)

Tuesday, April 7, 2020 6:37 AM ✅Answered

Hi Chris,

You are welcome and thank you so much for your feedback.

According to this article( https://theitbros.com/ldapsearch/), "the ldapsearch utility currently is mainly used in Linux systems. The Ldapsearch.exe utility was available in Windows 2000, but in Windows Server 2003 it was superseded by the dsquery tool.

However, even now you can use the Ldapsearch tool on Windows—all you need to do is download and install the OpenLDAP client for Windows (by default the ldapsearch is located in the C:\OpenLDAP\bin directory)."

For more information, we could refer to this article. Hope the information is helpful.

For any question, please feel free to contact us.

Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.

Best regards,
Hannah Xiong

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Friday, March 27, 2020 8:56 AM

Hello,

Thank you for posting in our TechNet forum.

According to your description, we would like to know how to fetch a CRL or CA certificate from the LDAP location and save it into a file. 

1. We could log on to the CA server; there is a CertEnroll folder under C:\windows\system32\certsrv. The CRL and CA certificates are saved in this folder.

For example: 

2. We could manually save the certificates into a file.

1) Save the CRL into a file

Right click and choose "Save to File" as shown below.

Enter the file name and it will show that "The export was successful".

2) Save the AIA certificate into a file.

Right click and choose "View AIA certificate"

Open the Details tab and choose "Copy to File". Once finished, the export is successful.

Hope the information is helpful. For any question, please feel free to contact us.

Best regards,
Hannah Xiong



Friday, March 27, 2020 9:16 AM

Thanks Hannah,

But I'm really looking at a client-side way to do it.

If a Windows client is able to read a CRL through LDAP (as we can test using 'certutil -URL ldap://<etc...>'), then I was thinking there must be a way to download it and save it as a file.

I want to be able to do this regardless of the PKI or LDAP software on server-side. I cannot (or don't want to) log in to the CA/LDAP server.

Cheers,

Chris.


Monday, March 30, 2020 8:30 AM

Hi Chris,

You are welcome and thank you so much for your feedback.

According to my lab, there is a shared CertEnroll folder on the IIS server, so I could access this shared folder from the client side with server name\CertEnroll or IP address\CertEnroll.

For example:

Hope the information is helpful. We could have a check and try this way.
For any question, please feel free to contact us.

Best regards,
Hannah Xiong



Wednesday, April 1, 2020 1:24 AM

Hi Chris,

Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?

Thank you so much for your time and support.

Best regards,
Hannah Xiong



Friday, April 3, 2020 1:36 AM

Hi Chris,

Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers. Please let us know if you would like further assistance.

Best Regards,
Hannah Xiong



Monday, April 6, 2020 8:59 AM

Hi Hannah,

Thanks again, but this doesn't really answer my requirements.

I really need to test the mechanism of fetching/parsing CRLs and CA certs with LDAP protocol.

On Linux, this is possible with the ldapsearch command line:

ldapsearch -h directory.verisign.com -b "cn=<common name>,o=<Org Name>" "(o=*)" "certificaterevocationlist"

https://knowledge.digicert.com/solution/SO2121.html

I was hoping for a Microsoft/Windows equivalent of ldapsearch.


Thursday, April 9, 2020 1:20 AM

Hi Chris,

We would like to hear your feedback about whether your issue has been solved. If the issue has been solved, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If not, please reply and tell us the current situation so we can provide further help.

Best regards,
Hannah Xiong



Friday, April 10, 2020 7:15 AM

Thanks Hannah, this answers my question.


Monday, April 13, 2020 1:24 AM

Hi Chris,

You are welcome. Thank you so much for sharing your experience and solution here. If there is anything else I can do for you, please do not hesitate to let me know and I will be very happy to help. Thanks.

Best regards,
Hannah Xiong



Tuesday, April 28, 2020 9:32 AM

For those who may not want to use a third-party solution and don't mind a bit of Powershell/.NET, I created this function for searching an LDAP directory (assuming anonymous authentication is allowed):

function psLDAPsearch {    # Anonymous LDAP search function, returns a [System.DirectoryServices.Protocols.SearchResultEntryCollection]
    Param(
        [string]$server,    # LDAP server hostname or IP address + [:port] if non-standard (389)
        [string]$baseDir,   # LDAP base directory or branch to search from
        [string]$filter     # LDAP search filter to apply
    )
    try{
        # Loading the assembly (Add-Type replaces the deprecated LoadWithPartialName; System.Net is not needed):
        Add-Type -AssemblyName System.DirectoryServices.Protocols
        
        # Creating the LdapConnection object (anonymous bind, LDAPv3):
        $LDAPserver = New-Object System.DirectoryServices.Protocols.LdapConnection $server
        $LDAPserver.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $LDAPserver.SessionOptions.ProtocolVersion = 3
        
        # Preparing the search query:   
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $attributeList = @('*') # everything for now... specific attributes can be selected from the returned object
        $query = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $baseDir,$filter,$scope,$attributeList
        
        # Returning matching entries:
        return ($LDAPserver.SendRequest($query)).Entries
    }
    catch{
        Write-Host "ERROR: 'psLDAPsearch' function failure:" -ForegroundColor Red
        Write-Host $_ -ForegroundColor Yellow
        return
    }
}

For example: getting the CRL from 'My CA', which is published on 'ldap.myorg.com':

$entries = psLDAPsearch -server 'ldap.myorg.com' -baseDir 'cn=My CA,o=My Organization,c=AQ' -filter '(&(certificateRevocationList=*))'

Assuming only one entry is returned (since we're specifically looking for a particular CA entry here), the CRL can be written as a file this way:

$entry = $entries[0]
# The attribute comes back DER-encoded; the name may be returned with or without the ';binary' option depending on the server
$bytes = $entry.Attributes['certificateRevocationList;binary'].GetValues([byte[]])[0]
[IO.File]::WriteAllBytes("CRLfile.crl",$bytes)

The same can be used to fetch a published CA certificate over LDAP, using the 'cACertificate' attribute.
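The following is an added example, not code from the thread or from any of its posters. It generalises the psLDAPsearch approach above and the ldapsearch one-liner further up: instead of hand-building the base DN and filter, it takes the RFC 4516 LDAP URL form found in a certificate's CDP/AIA extensions (the same form 'certutil -URL ldap://...' accepts), performs the anonymous search, checks that exactly one DER-encoded value came back, and writes it to a file. The function name, the URL, the server and the output path are placeholders; anonymous bind is assumed.

```powershell
# Added example (not from the original thread). Requires PowerShell 5+ on Windows 10.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Save-LdapPkiObject {
    Param(
        [Parameter(Mandatory)][string]$Url,      # ldap://host[:port]/dn[?attribute[?scope[?filter]]]
        [Parameter(Mandatory)][string]$OutFile,  # e.g. .\MyCA.crl or .\MyCA.cer
        [string]$Server                          # used when the URL has an empty host (ldap:///CN=...), as AD CDP URLs do
    )
    if ($Url -notmatch '^ldap://([^/]*)/(.*)$') { throw "Not an LDAP URL: $Url" }
    $hostPort = if ($Matches[1]) { $Matches[1] } elseif ($Server) { $Server } else { throw 'URL has no host; pass -Server' }
    $parts  = $Matches[2] -split '\?', 4
    $baseDn = [Uri]::UnescapeDataString($parts[0])
    # RFC 4516 defaults: attribute list empty -> we ask for the CRL, scope 'base', filter (objectClass=*)
    $attr = if ($parts.Count -gt 1 -and $parts[1]) { ($parts[1] -split ',')[0] -replace ';binary$', '' } else { 'certificateRevocationList' }
    $scopeWord = if ($parts.Count -gt 2) { $parts[2] } else { '' }
    $scope = switch ($scopeWord) {
        'one'   { [System.DirectoryServices.Protocols.SearchScope]::OneLevel }
        'sub'   { [System.DirectoryServices.Protocols.SearchScope]::Subtree }
        default { [System.DirectoryServices.Protocols.SearchScope]::Base }
    }
    $filter = if ($parts.Count -gt 3 -and $parts[3]) { [Uri]::UnescapeDataString($parts[3]) } else { '(objectClass=*)' }

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection $hostPort
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.SessionOptions.ProtocolVersion = 3
    # Ask for both spellings: some directories only return certificate/CRL attributes with the ';binary' option
    $wanted = [string[]]@($attr, "$attr;binary")
    $req  = [System.DirectoryServices.Protocols.SearchRequest]::new($baseDn, $filter, $scope, $wanted)
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) { throw "Expected exactly one entry under '$baseDn', got $($resp.Entries.Count)" }
    $entry = $resp.Entries[0]

    $name = $wanted | Where-Object { $entry.Attributes.Contains($_) } | Select-Object -First 1
    if (-not $name) { throw "Attribute '$attr' not present on $($entry.DistinguishedName)" }
    $bytes = [byte[]]$entry.Attributes[$name].GetValues([byte[]])[0]
    # DER-encoded CRLs and certificates both begin with a SEQUENCE tag (0x30); refuse anything else
    if ($bytes.Length -lt 2 -or $bytes[0] -ne 0x30) { throw 'Returned value is not DER-encoded' }
    [IO.File]::WriteAllBytes($OutFile, $bytes)
    [pscustomobject]@{ Dn = $entry.DistinguishedName; Attribute = $name; Bytes = $bytes.Length; File = (Resolve-Path $OutFile).Path }
}

# Placeholder URL and output path; use '?cACertificate?base' in the URL to fetch the CA certificate instead
Save-LdapPkiObject -Url 'ldap://ldap.myorg.com/cn=My CA,o=My Organization,c=AQ?certificateRevocationList?base' -OutFile '.\MyCA.crl'
```

Once written, 'certutil -dump .\MyCA.crl' shows the CRL's issuer, this/next update and revoked serials, which is the check the original question was after.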