Is there a way to report on certificates?

Is there a simple way to report on PKI certificates in my domain?  Things such as when it was created, when it expires, and whatever other available info?

Joey Bugeyes

Paranormastic (Cryptographic Engineer) commented:
This site has a pretty good overview and how-to for code signing.

For PKI in general - certificates assert authenticity.  Whether you should trust a company is irrelevant to PKI - the certificate shows that the company has been validated according to the practices of the root CA provider.  If a company issues their own root certificate, you are putting your trust in them, and through that trusting their end certificate - be it email, web server, or code signing.  Typically the best route is to go with a commercial CA vendor (e.g. Verisign, Comodo, etc.) as they are trusted by the public at large via the WebTrust standard for operational processes.  Through that, they are able to assert their validity as a trust provider, and will typically submit to be in root certificate programs of common software, e.g. Firefox, IE, etc. so the trust will be automatically done.  In terms of code signing this does not mean that the code is secure, well written, etc. - just merely that it comes from CompanyX.  So if a virus was in it, it could not be denied by CompanyX that it was their code that someone else spoofed.  Typically this means that the company is confident that it IS well written and secure, hence willing to put their name on it in an unmodifiable sense (the "stamp of approval" so to speak) and uses the certificate to assert that it is theirs.  Since you trust the company, you can trust that the code is really theirs - not something that a hacker put up on their site, etc.  That's the 'why'.

The how is basically a chain of signing events.  The trusted root signs CA certs for issuing CA servers, who then issue the end certificates of whatever type to the requestor.  These are cryptographically signed using algorithms that would take decades or more to crack.  The certificate is associated with a public and private keypair - the public goes to the public, the private key you protect like keys to your house.  You might want a backup copy, but you keep that secure as well.  Using this same process, you sign the code so that if it was modified it would break the algorithm when using the signing certificate to validate that it was not modified.

The commercial CA will have some validation requirements so you can prove who you say you are, or for your company to prove that you represent them.  Each one handles things a little differently, but generally use public records and/or government issued IDs, depending on the certificate type.  They will not check your code or care what it is for - they just care that you are who you say you are and that you are authorized to represent your company, and that the company actually exists.

This is pretty high level, but hopefully puts things in perspective a little bit for you.
Paranormastic (Cryptographic Engineer) commented:
So sorry - had multiple windows open for things to handle - this got posted in the wrong one... I'll post something relevant to you in a few minutes!
Paranormastic (Cryptographic Engineer) commented:
Hah - looks like it was relevant to you anyways, just your wrong posting.

OK, so it depends on what you are trying to accomplish here.   The easiest way is to use the utilities from the CA.  If your own CA, you can look in the Certification Authority MMC and look under Published Certs, Revoked Certs, etc. and it will give you all you need to know about what was issued.  However, just because it was issued doesn't mean that it was installed, but working off of assumptions this is pretty good.  You can filter the results, but getting used to the filter can be a little frustrating, especially filtering out a single template - to do this you need to get the object identifier (OID) of the template - you can find the OID in certtmpl.msc - open the template - Extensions tab - Certificate Template Information - (look for the really big long number and copy that).

If using a commercial CA, they usually have an area where you can run a report against the orders you have placed.

There's the old fashioned spreadsheet method, but this is prone to not getting updated...

A Certificate Management System (CMS) (or Card Management System in relation to smart cards) - can be useful, if you issue through that then you have better management, alerting, and such of important certs.  There really aren't that many players in the market - most companies selling such a product are resellers of one of these: Microsoft ILM / ILM2, ActivIdentity ActivID, Intercede MyID.  Sometimes a reseller can give you added value, sometimes they are just trying to offer a product that they probably don't have a clue about - these are all well developed and getting to really know them gets more complicated than your average salesperson is going to know.  The main companies will be more rock solid in their support knowledge.  Yes - these will be expensive and are usually meant for tracking large deployments, although some of our customers from a reseller company I worked for were smaller, down to 100 clients, although most of the few customers were very large.

There is manually checking the certificate store by logging in and opening up certsrv.msc and viewing the Personal store.

Lastly, there would be the scripting method.  For scripting against your CA using certutil and a link to some powershell examples, check here:

For some info with checking using OCS - this is the best thing I've been able to find so far as far as checking what is actually installed vs. what was issued:

It seems like there should be a way to do this well with VBS, but I have not found much for resources and this has been asked a number of times.  I don't know VBS well enough to do much, so I would try looking at the powershell examples maybe if you are looking for a server script.

Paranormastic (Cryptographic Engineer) commented:
Ack - I forgot about a link that I had come across for some scripting - I forgot to add it to my bookmarks...  Here you go for checking for expiry:
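The scripting route the answers above point at, written out as an added example (this is not code from the original answers or from any linked page). It inventories a certificate store the way the manual "open the Personal store" check does, but produces a table and a CSV with the fields the question asks about (created, expires, plus issuer, template, EKU and whether a private key is present), and flags anything expired or about to expire. The store path, the 30-day warning threshold and the output file are assumptions; the two template-extension OIDs are Microsoft's v1 and v2 template extensions, which is how you tie an installed certificate back to the template OID the answer says to copy out of certtmpl.msc.

```powershell
# Added example, not part of the original answers. Requires PowerShell 3.0+
# for the -in operator; run as a local administrator to read LocalMachine\My.
function Get-CertExpiryReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',   # assumption: Personal store
        [int]   $WarnDays  = 30                          # assumption: warning window
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert     = $_
        $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)

        # AD CS stamps the issuing template into one of two extensions:
        #   1.3.6.1.4.1.311.21.7  "Certificate Template Information" (v2, carries the OID)
        #   1.3.6.1.4.1.311.20.2  "Certificate Template Name"        (v1, carries the name)
        $templateExt = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
            Select-Object -First 1

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            HasPrivateKey = $cert.HasPrivateKey
            Template      = if ($templateExt) { $templateExt.Format($false) } else { '' }
            EKU           = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join '; '
            Status        = if ($daysLeft -lt 0)           { 'EXPIRED' }
                            elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                            else                             { 'OK' }
        }
    }
}

# Usage: table on screen, full detail to CSV (output path is an assumption).
$report = Get-CertExpiryReport -StorePath 'Cert:\LocalMachine\My' -WarnDays 30
$report | Sort-Object NotAfter | Format-Table Subject, NotAfter, DaysLeft, Status -AutoSize
$report | Export-Csv -Path "$env:TEMP\cert-report.csv" -NoTypeInformation

# The CA-side view of the same question (what was *issued*, as opposed to what is
# *installed*) comes from the CA database via certutil, as the answer mentions.
# Disposition 20 = issued; this lists issued certs expiring within 30 days:
#   certutil -view -restrict "Disposition=20,NotAfter<=now+30:00" `
#       -out "RequestID,RequesterName,CommonName,NotBefore,NotAfter,CertificateTemplate" csv
```

Comparing the two outputs is the "issued vs. actually installed" gap the answer describes: a request in the CA database with no matching thumbprint in any machine's store was issued but never installed (or was removed), and a store entry with no CA record came from somewhere other than your CA, which is worth a second look.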
JoeyBugeyes (Author) commented:
Thank you very much!