Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

Disposition values for certutil -view -restrict (and some creative samples)


A while ago I explained how to determine all certificates that will expire within a given period. Now I'd like to explain how to query the CA database based on certificate or request disposition. The disposition IDs are defined in the certsrv.h include file in the Windows SDK.

The following two tables show the disposition IDs for the request queue and the log.

Disposition values for requests in the queue:

Disposition  Description
8            request is being processed
9            request is taken under submission
12           certificate is an archived foreign certificate
15           certificate is a CA certificate
16           parent CA certificates of the CA certificate
17           certificate is a key recovery agent certificate

Disposition values for requests in the log:

Disposition  Description
20           certificate was issued
21           certificate is revoked
30           certificate request failed
31           certificate request is denied

Show the SerialNumber of all issued and revoked certificates:

certutil -view -restrict "Disposition>=20,Disposition<=21" -out SerialNumber

Show the most recently issued certificate that is not revoked. To view the certificate, copy everything between the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" into a file with the file extension CER and open the file. The expression RequestId=$ instructs certutil to sort the query result by RequestId from high to low and stop after the first entry is displayed.

certutil -view -restrict "RequestId=$,Disposition=20" -out RawCertificate

Show all certificate requests that failed for the certificate template with the common name "EnrollmentAgent" after September 24th 2008:

certutil -view -restrict "Disposition=30,notbefore=>9/24/2008,certificate template=EnrollmentAgent" -out RawCertificate

Show the SerialNumber and the Request Status Code for all certificate requests that have been submitted by CONTOSO\user1:

certutil -view -restrict "RequesterName=CONTOSO\user1" -out SerialNumber,StatusCode

Show all CRL attributes for the CRL that was published before the current CRL:

certutil -restrict "CRLRowID=$-1" -view CRL

Note: If you don't know how to restrict the query by a certain attribute, dump all certificate or request attributes by not specifying the -out parameter. Then use that output as a sample to build the query with the attributes you are looking for.
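As an added example that is not part of the original post, the following Python parser turns the row-oriented text that certutil -view prints into records and maps Disposition IDs back to the descriptions in the tables above. It assumes the "Row N:" / "Localized Name: value" layout quoted in the comments and a disposition value written either as a bare number or in the "0x14 (20) -- Issued" style; the sample output is constructed.

```python
import re

DISPOSITION = {  # IDs from certsrv.h, as listed in the two tables above
    8: "request is being processed", 9: "request is taken under submission",
    12: "certificate is an archived foreign certificate", 15: "certificate is a CA certificate",
    16: "parent CA certificates of the CA certificate",
    17: "certificate is a key recovery agent certificate",
    20: "certificate was issued", 21: "certificate is revoked",
    30: "certificate request failed", 31: "certificate request is denied",
}

ROW_RE = re.compile(r"^Row (\d+):")          # start of one database row
FIELD_RE = re.compile(r"^\s+([^:]+?):\s*(.*)$")  # indented "Localized Name: value"

def parse_certutil_view(text):
    """One dict per 'Row N:' block; the Schema header and footer lines are skipped, quotes stripped."""
    rows, current = [], None
    for line in text.splitlines():
        if ROW_RE.match(line):
            current = {}
            rows.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1).strip()] = m.group(2).strip().strip('"')
    return rows

def disposition_code(value):
    """Decimal disposition ID from '0x14 (20) -- Issued' or a bare '20'; None otherwise."""
    m = re.search(r"\((\d+)\)", value)
    if m:
        return int(m.group(1))
    return int(value) if value.isdigit() else None

def summarize(text):
    """(serial number, disposition description) pairs, e.g. for a flat audit list."""
    return [(row.get("Serial Number"),
             DISPOSITION.get(disposition_code(row.get("Request Disposition", "")), "unknown"))
            for row in parse_certutil_view(text)]

# Constructed sample, modelled on the output quoted in the comments below
SAMPLE = """Schema:
  SerialNumber                  Serial Number                 String  128 -- Indexed
  Disposition                   Request Disposition           Long    4 -- Indexed
Row 1:
  Serial Number: "611a7474000000000003"
  Request Disposition: 0x14 (20) -- Issued
Row 2:
  Serial Number: "611ab74d000000000004"
  Request Disposition: 0x15 (21) -- Revoked
Maximum Row Index: 2
"""
```

Feed it the redirected output of a query such as the Disposition>=20 one above to get the serial numbers alone, without the schema block.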

Comments
  • I need to work out an audit/maintenance of our neglected CA and this helped me so much in figuring out how certutil works...THANKS!

  • Can you -restrict commonname, or other fields using a wildcard? -restrict "Request.CommonName = *Hudson*"

  • Is there any way, once you parse the issued certificates, to only export the certificate serial numbers into a flat txt file? I am trying to get it where the serial numbers are the only things listed in the output.

    Thanks.

    I used the below command:

    certutil -view -restrict "Disposition>=20" -out SerialNumber > c:\serial.txt

    The output is:

    Schema:
     Column Name                   Localized Name                Type    MaxLength
     ----------------------------  ----------------------------  ------  ---------
     SerialNumber                  Serial Number                 String  128 -- Indexed

    Row 1:
     Serial Number: "611a7474000000000003"

    Row 2:
     Serial Number: "611ab74d000000000004"
