Question
Thursday, September 19, 2013 1:35 PM
In our environment we have thousands of Macs that enrol for device certificates using SCEP from the Apple Configurator utility which then connects to our issuing Windows 2008 R2 CA through NDES.
We will shortly be using these certs to authenticate devices to our 802.1x environment with EAP/TLS. All is working fine until a MacBook goes missing and I need to revoke a cert to stop the missing device getting on the Wireless LAN.
In my issued certificates list all the certificates issued through NDES show the requester name as the NDES service account, and the Request DN is the Apple Configurator ID (which is generated randomly.)
The problem here is that I know the name of the missing MacBook, and the name is in the "DNS Name" attribute in the Subject Alternative Name of the issued cert, but I just can't find a way of querying the issued certificates store with a filter based on information in the SAN to find the cert I want to revoke, so it looks like we'll need to resort to trawling through the (very long) list opening each cert and clicking on the SAN extension to see the machine name there... very painful indeed.
I've looked at what information you can pipe out with certutil and have experimented with psPKI but have come up blank. Does anyone have any ideas?
I've got a screengrab from our test environment that shows how the issued cert screen looks with NDES issued certs and another showing the information that I want to search or filter by which I'll attach in a minute
All suggestions gratefully received!
Cheers,
Tim
All replies (3)
Friday, September 20, 2013 2:21 AM ✅ Answered | 1 vote
Hi Tim
You can report against the Extensions table instead!
certutil -view -restrict "ExtensionName=2.5.29.17" Ext
This will output something like:
Row 1:
Extension Request ID: 0x4c2 (1218)
Extension Name: "2.5.29.17" Subject Alternative Name
Extension Flags: ...
Extension Raw Value:
Subject Alternative Name
DNS Name=<FQDN>
Row 2:
...
etc
If you combine with Powershell Select-String:
certutil -view -restrict "ExtensionName=2.5.29.17" Ext | Select-String -Pattern '<FQDN>' -Context 5
you will get the DNS Name and the Request ID above it.
You may need to tweak the Context parameter above, depending on how many SANs you are including in the extension.
This could take a while to run, depending on the number of requests that you have had in your environment. If you know the range of request IDs you can restrict against those using ExtensionRequestID=<>.
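The same Extensions-table query, carried through to revocation as an added PowerShell example (this is not code from the thread). It parses the certutil -view output for OID 2.5.29.17 into request ID / DNS name records instead of relying on Select-String's -Context, resolves each hit to its serial number and disposition in the Request table, and only revokes when -Revoke is passed. Assumptions: it runs on the issuing CA (or you pass -Config "CAHOST\CA Common Name") with rights to read the CA database and revoke; the host name shown in the parameter comment is a constructed sample; the CRL reason defaults to 1 (KeyCompromise).

```powershell
<#
  Added example, not part of the original thread. Finds NDES-issued certificates by the
  DNS Name in their Subject Alternative Name (extension OID 2.5.29.17) by parsing the
  Extensions table that certutil -view prints, looks up serial number and disposition in
  the Request table, and (only with -Revoke) revokes them with certutil -revoke.
  Assumed: run on the issuing CA, or pass -Config "CAHOST\CA Common Name", with rights to
  read the CA database and to revoke. The sample host name below is constructed.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $DnsName,  # e.g. "macbook-0042.corp.example.com" (constructed)
    [string] $Config,                           # optional "CAHOST\CA Common Name" for a remote CA
    [int]    $Reason = 1,                       # CRL reason: 1 = KeyCompromise, 6 = CertificateHold
    [switch] $Revoke                            # without this switch the script only reports
)

$cfg = if ($Config) { @('-config', $Config) } else { @() }

# 1. Dump every SAN extension row. Each row begins with "Extension Request ID: 0x.. (N)";
#    the decoded value that follows has one "DNS Name=..." line per name in the extension.
$extLines = & certutil @cfg -view -restrict 'ExtensionName=2.5.29.17' Ext

$records = New-Object System.Collections.Generic.List[object]
$current = $null
foreach ($line in $extLines) {
    if ($line -match '^\s*Extension Request ID:\s*0x[0-9a-f]+\s*\((\d+)\)') {
        if ($current) { $records.Add($current) }
        $current = [pscustomobject]@{ RequestId = [int]$Matches[1]; DnsNames = @() }
    }
    elseif ($current -and $line -match '^\s*DNS Name=(\S+)') {
        $current.DnsNames += $Matches[1]
    }
}
if ($current) { $records.Add($current) }

# 2. Keep only rows whose SAN carries the missing machine (-contains is case-insensitive).
$hits = @($records | Where-Object { $_.DnsNames -contains $DnsName })
if ($hits.Count -eq 0) {
    Write-Warning "No certificate in the CA database carries DNS Name '$DnsName'"
    return
}

# 3. Resolve each request ID to its serial number and disposition. certutil prints string
#    columns in double quotes and the disposition as e.g. "0x14 (20) -- Issued".
foreach ($hit in $hits) {
    $row = & certutil @cfg -view -restrict "RequestID=$($hit.RequestId)" -out 'SerialNumber,Disposition'
    $serial = $null; $disposition = $null
    foreach ($l in $row) {
        if     ($l -match '^\s*Serial Number:\s*"?([0-9a-f]+)"?')                 { $serial = $Matches[1] }
        elseif ($l -match '^\s*Request Disposition:\s*0x[0-9a-f]+\s*\((\d+)\)')   { $disposition = [int]$Matches[1] }
    }

    "Request $($hit.RequestId): serial $serial, disposition $disposition, SAN = $($hit.DnsNames -join ', ')"

    # 20 = Issued; 21 = Revoked. Skip anything that is not a live issued certificate.
    if ($disposition -ne 20) {
        "  skipping: not in Issued state"
        continue
    }
    if ($Revoke -and $serial) {
        & certutil @cfg -revoke $serial $Reason
    }
}

# 4. A revocation only reaches the 802.1X/EAP-TLS authenticator through a published CRL
#    (or OCSP), so publish one right away when something was revoked.
if ($Revoke) { & certutil @cfg -crl }
```

Run it first without -Revoke to confirm exactly one Issued request matches the host name (a re-enrolled Mac can have several rows, of which only the newest is usually live), then again with -Revoke. Because -contains requires an exact name match, pass the full DNS name as it appears in the SAN rather than a substring. If the MacBook may turn up again, -Reason 6 (CertificateHold) keeps the option of unrevoking; KeyCompromise is final. Bear in mind that the RADIUS server validating EAP-TLS caches the CRL, so the device stays on the WLAN until a fresh CRL is published and fetched.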
Thursday, September 19, 2013 3:25 PM
Sorry, but I'm not able to upload images - waiting for account validation.
Friday, September 20, 2013 7:04 AM
Amazing - works a treat!
Thanks very much indeed.
Tim