Is there a way to report on certificates?

Posted on 2008-11-18
Last Modified: 2012-05-05
Is there a simple way to report on PKI certificates in my domain?  Things such as when it was created, when it expires, and whatever other available info?

Joey Bugeyes
Question by:JoeyBugeyes
    LVL 31

    Expert Comment

    This site has a pretty good overview and how-to for code signing.

    For PKI in general - certificates assert authenticity.  Whether you should trust a company is irrelevant to PKI - the certificate shows that the company has been validated according to the practices of the root CA provider.  If a company issues their own root certificate, you are putting your trust in them, and through that trusting their end certificate - be it email, web server, or code signing.  Typically the best route is to go with a commercial CA vendor (e.g. Verisign, Comodo, etc.) as they are trusted by the public at large via the WebTrust standard for operational processes.  Through that, they are able to assert their validity as a trust provider, and will typically submit to be in root certificate programs of common software, e.g. Firefox, IE, etc. so the trust will be automatically done.  In terms of code signing this does not mean that the code is secure, well written, etc. - just merely that it comes from CompanyX.  So if a virus was in it, it could not be denied by CompanyX that it was their code that someone else spoofed.  Typically this means that the company is confident that it IS well written and secure, hence willing to put their name on it in an unmodifiable sense (the "stamp of approval" so to speak) and uses the certificate to assert that it is theirs.  Since you trust the company, you can trust that the code is really theirs - not something that a hacker put up on their site, etc.  That's the 'why'.

    The how is basically a chain of signing events.  The trusted root signs CA certs for issuing CA servers, who then issue the end certificates of whatever type to the requestor.  These are cryptographically signed using algorithms that would take decades or more to crack.  The certificate is associated with a public and private keypair - the public goes to the public, the private key you protect like keys to your house.  You might want a backup copy, but you keep that secure as well.  Using this same process, you sign the code so that if it was modified it would break the algorithm when using the signing certificate to validate that it was not modified.

    The commercial CA will have some validation requirements so you can prove who you say you are, or for your company to prove that you represent them.  Each one handles things a little differently, but generally use public records and/or government issued IDs, depending on the certificate type.  They will not check your code or care what it is for - they just care that you are who you say you are and that you are authorized to represent your company, and that the company actually exists.

    This is pretty high level, but hopefully puts things in perspective a little bit for you.
    LVL 31

    Expert Comment

    So Sorry - had multiple windows open for things to handle - this got posted in the wrong one... I'll post something relevant to you in a few minutes!
    LVL 31

    Accepted Solution

    Hah - looks like it was relevant to you anyways, just your wrong posting.

    OK, so it depends on what you are trying to accomplish here.   The easiest way is to use the utilities from the CA.  If your own CA, you can look in the Certification Authority MMC and look under Published Certs, Revoked Certs, etc. and it will give you all you need to know about what was issued.  However, just because it was issued doesn't mean that it was installed, but working off of assumptions this is pretty good.  You can filter the results, but getting used to the filter can be a little frustrating, especially filtering out a single template - to do this you need to get the object identifier (OID) of the template - you can find the OID in certtmpl.msc - open the template - Extensions tab - Certificate Template Information - (look for the really big long number and copy that).

    If using a commercial CA, they usually have an area where you can run a report against the orders you have placed.

    There's the old fashioned spreadsheet method, but this is prone to not getting updated...

    A Certificate Management System (CMS) (or Card Management System in relation to smart cards) - can be useful, if you issue through that then you have better management, alerting, and such of important certs.  There really aren't that many players in the market - most companies selling such a product are resellers of one of these: Microsoft ILM / ILM2, ActivIdentity ActivID, Intercede MyID.  Sometimes a reseller can give you added value, sometimes they are just trying to offer a product that they probably don't have a clue about - these are all well developed and getting to really know them gets more complicated than your average salesperson is going to know.  The main companies will be more rock solid in their support knowledge.  Yes - these will be expensive and are usually meant for tracking large deployments, although some of our customers from a reseller company I worked for were smaller, down to 100 clients, although most of the few customers were very large.

    There is manually checking the certificate store by logging in and opening up certsrv.msc and viewing the Personal store.

    Lastly, there would be the scripting method.  For scripting against your CA using certutil and a link to some powershell examples, check here:

    For some info with checking using OCS - this is the best thing I've been able to find so far as far as checking what is actually installed vs. what was issued:

    It seems like there should be a way to do this well with VBS, but I have not found much for resources and this has been asked a number of times.  I don't know VBS well enough to do much, so I would try looking at the powershell examples maybe if you are looking for a server script.
    LVL 31

    Expert Comment

    Ack - I forgot about a link that i had come across for some scripting - I forgot to add it to my bookmarks...  here you go for checking for expiry:
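
    The accepted solution above points at certutil and PowerShell for scripting, and the follow-up comment at checking expiry. The script below is an added example to illustrate both; it is not code from this thread, from the missing links, or from Microsoft. It reports on what is actually installed in the local machine's Personal store (subject, template, created and expiry dates, days left) and, as a second function, pulls the list of issued certificates from an AD CS CA database with `certutil -view`. The CA config string `CASERVER\Issuing-CA-Name` is a placeholder, and the CSV column headers certutil prints are assumed to be the English display names. The template OID it extracts from each certificate is the same "really big long number" the accepted solution describes finding in certtmpl.msc.

```powershell
# Added example (not from the original thread): certificate report for the local
# Personal store plus an optional query of the CA database. Run in an elevated
# PowerShell session on a domain member (or on the CA itself for the second part).

$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

function Get-CertTemplate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Decodes the template extension, e.g. "Template=Web Server(1.3.6.1.4.1.311.21.8...)".
    # The OID in parentheses is the one shown on the template's Extensions tab in certtmpl.msc.
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateInfoOid -or $ext.Oid.Value -eq $TemplateNameOid) {
            return ($ext.Format($false) -replace '^Template=', '').Trim()
        }
    }
    return ''
}

function Get-InstalledCertReport {
    # Walks a certificate store and flags certificates that are expired or expiring.
    # HasPrivateKey distinguishes certificates actually enrolled on this machine from
    # copies of issuer or peer certificates that happen to sit in the same store.
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$WarnDays = 30
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $daysLeft = [math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
        [pscustomobject]@{
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            Template      = Get-CertTemplate -Cert $_
            NotBefore     = $_.NotBefore          # when it was created/issued
            NotAfter      = $_.NotAfter           # when it expires
            DaysLeft      = $daysLeft
            Status        = if ($daysLeft -lt 0) { 'EXPIRED' }
                            elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                            else { 'OK' }
            HasPrivateKey = $_.HasPrivateKey
            Thumbprint    = $_.Thumbprint
        }
    } | Sort-Object NotAfter
}

function Get-IssuedCertReport {
    # Lists certificates the CA has issued (Disposition=20) from its database.
    # This is "what was issued"; compare against Get-InstalledCertReport for
    # "what is actually installed". The CA config string is a placeholder.
    param([string]$CaConfig = 'CASERVER\Issuing-CA-Name')
    $csv = certutil -config $CaConfig -view -restrict 'Disposition=20' `
        -out 'RequestID,RequesterName,CommonName,NotBefore,NotAfter,CertificateTemplate' csv
    # Assumption: certutil prints English display names as the CSV header row;
    # on a CA with another UI language the property names of the objects differ.
    $csv | ConvertFrom-Csv
}

# Usage: installed certificates with less than 30 days left, plus a CSV export
# that can be fed into a spreadsheet without the "prone to not getting updated" problem.
$report = Get-InstalledCertReport -WarnDays 30
$report | Format-Table Subject, Template, NotAfter, DaysLeft, Status -AutoSize
$report | Export-Csv -Path "$env:TEMP\cert-report.csv" -NoTypeInformation

# Uncomment on or against the CA to list issued certificates from the CA database:
# Get-IssuedCertReport -CaConfig 'CASERVER\Issuing-CA-Name' | Format-Table -AutoSize
```

    Run the store report in a scheduled task across servers and collect the CSVs centrally to get the alerting the accepted solution attributes to a full CMS; pass `-StorePath Cert:\CurrentUser\My` to report on user certificates instead. The CA query needs read access to the CA database (Manage CA or Issue and Manage Certificates rights), and `-restrict` also accepts `CertificateTemplate=<OID>` to narrow the output to a single template using the OID found in certtmpl.msc.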

    Author Closing Comment

    Thank you very much!
