

Is there a way to report on certificates?

Posted on 2008-11-18
Medium Priority
Last Modified: 2012-05-05
Is there a simple way to report on PKI certificates in my domain?  Things such as when it was created, when it expires, and whatever other available info?

Joey Bugeyes
Question by:JoeyBugeyes
LVL 31

Expert Comment

ID: 22994041
This site has a pretty good overview and how-to for code signing.

For PKI in general - certificates assert authenticity.  Whether you should trust a company is irrelevant to PKI - the certificate shows that the company has been validated according to the practices of the root CA provider.  If a company issues their own root certificate, you are putting your trust in them, and through that trusting their end certificate - be it email, web server, or code signing.  Typically the best route is to go with a commercial CA vendor (e.g. Verisign, Comodo, etc.) as they are trusted by the public at large via the WebTrust standard for operational processes.  Through that, they are able to assert their validity as a trust provider, and will typically submit to be in root certificate programs of common software, e.g. Firefox, IE, etc. so the trust will be automatically done.  In terms of code signing this does not mean that the code is secure, well written, etc. - just merely that it comes from CompanyX.  So if a virus was in it, it could not be denied by CompanyX that it was their code that someone else spoofed.  Typically this means that the company is confident that it IS well written and secure, hence willing to put their name on it in an unmodifiable sense (the "stamp of approval" so to speak) and uses the certificate to assert that it is theirs.  Since you trust the company, you can trust that the code is really theirs - not something that a hacker put up on their site, etc.  That's the 'why'.

The how is basically a chain of signing events.  The trusted root signs CA certs for issuing CA servers, who then issue the end certificates of whatever type to the requestor.  These are cryptographically signed using algorithms that would take decades or more to crack.  The certificate is associated with a public and private keypair - the public goes to the public, the private key you protect like keys to your house.  You might want a backup copy, but you keep that secure as well.  Using this same process, you sign the code so that if it was modified it would break the algorithm when using the signing certificate to validate that it was not modified.

The commercial CA will have some validation requirements so you can prove who you say you are, or for your company to prove that you represent them.  Each one handles things a little differently, but generally use public records and/or government issued IDs, depending on the certificate type.  They will not check your code or care what it is for - they just care that you are who you say you are and that you are authorized to represent your company, and that the company actually exists.

This is pretty high level, but hopefully puts things in perspective a little bit for you.
LVL 31

Expert Comment

ID: 22994975
So Sorry - had multiple windows open for things to handle - this got posted in the wrong one... I'll post something relevant to you in a few minutes!
LVL 31

Accepted Solution

Paranormastic earned 1000 total points
ID: 22996363
Hah - looks like it was relevant to you anyways, just your wrong posting.

OK, so it depends on what you are trying to accomplish here.   The easiest way is to use the utilities from the CA.  If your own CA, you can look in the Certification Authority MMC and look under Published Certs, Revoked Certs, etc. and it will give you all you need to know about what was issued.  However, just because it was issued doesn't mean that it was installed, but working off of assumptions this is pretty good.  You can filter the results, but getting used to the filter can be a little frustrating, especially filtering out a single template - to do this you need to get the object identifier (OID) of the template - you can find the OID in certtmpl.msc - open the template - Extensions tab - Certificate Template Information - (look for the really big long number and copy that).

If using a commercial CA, they usually have an area where you can run a report against the orders you have placed.

There's the old fashioned spreadsheet method, but this is prone to not getting updated...

A Certificate Management System (CMS) (or Card Management System in relation to smart cards) - can be useful, if you issue through that then you have better management, alerting, and such of important certs.  There really aren't that many players in the market - most companies selling such a product are resellers of one of these: Microsoft ILM / ILM2, ActivIdentity ActivID, Intercede MyID.  Sometimes a reseller can give you added value, sometimes they are just trying to offer a product that they probably don't have a clue about - these are all well developed and getting to really know them gets more complicated than your average salesperson is going to know.  The main companies will be more rock solid in their support knowledge.  Yes - these will be expensive and are usually meant for tracking large deployments, although some of our customers from a reseller company I worked for were smaller, down to 100 clients, although most of the few customers were very large.

There is manually checking the certificate store by logging in and opening up certsrv.msc and viewing the Personal store.

Lastly, there would be the scripting method.  For scripting against your CA using certutil and a link to some powershell examples, check here:

For some info with checking using OCS - this is the best thing I've been able to find so far as far as checking what is actually installed vs. what was issued:

It seems like there should be a way to do this well with VBS, but I have not found much for resources and this has been asked a number of times.  I don't know VBS well enough to do much, so I would try looking at the powershell examples maybe if you are looking for a server script.
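An added example (not from this thread or its author) of the scripting route for the "what is actually installed" side of the question: it walks the local machine's Personal store through PowerShell's built-in Cert: provider and reports validity start, expiry, template and days remaining, flagging anything expired or inside a warning window. The warning threshold, the CSV output path and the assumption of an elevated shell on the host being audited are mine.

```powershell
# Added example: inventory the local machine's Personal certificate store and
# flag certificates that are expired or expire within $DaysWarning days.
# Assumptions: run in an elevated PowerShell on the host you want to audit;
# $DaysWarning and $OutCsv are placeholders you can change.
param(
    [int]$DaysWarning = 30,
    [string]$OutCsv = "$env:TEMP\cert-report.csv"
)

$now = Get-Date

# Cert:\ is the built-in certificate provider; "My" is the Personal store.
$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # If the cert came from an AD CS template, the template OID is carried in
    # the "Certificate Template Information" extension; Format($false)
    # renders it as a single-line string.
    $tmpl = $cert.Extensions |
        Where-Object { $_.Oid.FriendlyName -eq 'Certificate Template Information' } |
        ForEach-Object { $_.Format($false) }

    # Classify against the warning window before building the row.
    if ($cert.NotAfter -lt $now) { $status = 'EXPIRED' }
    elseif ($cert.NotAfter -lt $now.AddDays($DaysWarning)) { $status = 'EXPIRING' }
    else { $status = 'OK' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotBefore     = $cert.NotBefore   # validity start ("created")
        NotAfter      = $cert.NotAfter    # expiry
        DaysLeft      = [int]($cert.NotAfter - $now).TotalDays
        HasPrivateKey = $cert.HasPrivateKey
        Template      = ($tmpl -join ';')
        Status        = $status
    }
}

# Soonest-expiring first: full CSV for the spreadsheet, problems on screen.
$report | Sort-Object NotAfter | Export-Csv -Path $OutCsv -NoTypeInformation
$report | Where-Object { $_.Status -ne 'OK' } |
    Format-Table Subject, NotAfter, DaysLeft, Status -AutoSize

Write-Host "Full report written to $OutCsv"
```

Run it on each server (or push it out as a scheduled task) and diff the CSVs against what the CA console shows as issued to see which certificates were never installed or have since been replaced.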
LVL 31

Expert Comment

ID: 22996406
Ack - I forgot about a link that I had come across for some scripting - I forgot to add it to my bookmarks...  here you go for checking for expiry:

Author Closing Comment

ID: 31518084
Thank you very much!
