I’ve been working with our support folks helping one of our customers. One of the things we wanted to learn about the environment is how many requests have been made for each certificate template that they issue. We have come up with this PowerShell script that you can run against a CA to find out.

Disclaimer

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind.

Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose.

The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

certutil -view -out CertificateTemplate -restrict "NotBefore > 08/20/2009" csv > out.txt
$FileContents = gc out.txt
write-host "Total rows:" $FileContents.length
$GroupedCounts = $FileContents | group | sort count –Descending
$GroupedCounts | format-table Count,Name -auto

The output will look something like this:

Total rows: 10
Count Name
----- ----
4 "1.3.6.1.4.1.311...X
3 "1.3.6.1.4.1.311...Y
1 "8/20/2009 12:00 AM""Certificate Template"
1 "DomainController"
1 "EMPTY"

Let’s take a look at the script closely and also talk about what can be tweaked.

First, we run a certutil.exe to dump the template’s name or OID. The V1 templates are recorded by their name and V2/V3 templates are recorded by their OID. You can see template OIDs with the certutil.exe -template command. You can’t see it in the template snapin UI.

Note that we restrict the output by date. Some other filters that could be useful are CertificateTemplate and Request.StatusCode if you want to get counts for only template or if you’re only interested in failed requests for example. We pipe the output into a text file. We also use the -csv option so that our output is easier to consume for automation.

We then group the output by the template name/OID and sort it based on the count in the descending order. Finally we output it as a table.

Now let’s take a look at the output. Note that the last and third line from the bottom contains garbage. If you’re going to use the output of this script in some automation, you would need to get rid of those entries. They are simply an artifact of the certutil.exe output.