creative555
asked on
is there a way to run certutil for remote computer? switch -dc doesn't work
Hello,
I found this command that exports the certificates from computer personal store into text file. It is exactly what I need, except: is there a way to query the remote servers to get the same info from computer personal store for the cert?
Here is the command line that I need to work with remote computer:
certutil -store -v my > export.txt
When I run this command specifying the remote server I get this error:
certutil -store -v my -dc servername01 > >\output.txt
CertUtil: -store command FAILED: 0x80090011 (-2146893807)
CertUtil: Object was not found.
To display the certificates in the Local Machine certificate store:
CERTUTIL -store [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-v] [-dc dc_name] certificate_store_name [certificate_id [output_file]]
ASKER
Is this the Path?
HKLM\SOFTWARE\Microsoft\SystemCertificates\My
ASKER
I know I get personal store certificates if I run this command, but same problem here: it doesn't perform remotely. So, if I do it with registry, I don't have to log in to each server :)
certutil -store -v my > >\output.txt
Please help
ASKER
no....I get gibberish when I query registry with this script:
REG QUERY "\\%1\HKLM\SOFTWARE\Microsoft\SystemCertificates\My" /s>>%1getcertificate.log
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\14112D41A9203426085713524253EA7E50D8F4DB
The certificates are in binary (blob) form; the key names however are the fingerprints for the certs. So, for instance, the cert "VeriSign Trust Network" (1998-2028) has the fingerprint
85 37 1C A6 E5 50 14 3D CE 28 03 47 1B DE 3A 09 E8 F8 77 0F
and a quick check in the registry finds me:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F
it is possible to convert the binary blob back into a usable DER file, but it's not really required; re-adding the registry key restores the certificate to the keystore, which is all you usually want from a backup :)
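An added example (not part of the original thread and not any poster's code) of the blob-to-DER conversion mentioned in the answer above, run over saved REG QUERY output. It assumes each Blob value is a sequence of id/reserved/length/data entries with property 32 holding the DER certificate and the key name being its SHA-1 thumbprint; the function names and the sample data are constructed for illustration.

```python
import hashlib
import re
import struct

CERT_SHA1_HASH_PROP_ID = 3   # stored SHA-1 thumbprint
CERT_CERT_PROP_ID = 32       # 0x20: the DER-encoded certificate itself

def parse_reg_query(text):
    """Map thumbprint (registry key name) -> Blob bytes from `reg query /s` output."""
    blobs, thumb = {}, None
    for line in text.splitlines():
        key = re.search(r"\\Certificates\\([0-9A-Fa-f]{40})\s*$", line)
        val = re.match(r"\s*Blob\s+REG_BINARY\s+([0-9A-Fa-f]+)\s*$", line)
        if key:
            thumb = key.group(1).upper()
        elif val and thumb:
            blobs[thumb] = bytes.fromhex(val.group(1))
    return blobs

def parse_properties(blob):
    """Split a blob into {property_id: data}. Each entry is laid out as
    <id uint32 LE><reserved uint32 LE><length uint32 LE><data>."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError("truncated property %d" % prop_id)
        props[prop_id] = blob[off:off + length]
        off += length
    return props

def extract_der(thumb, blob):
    """Return the certificate's DER bytes, checked against the key-name thumbprint."""
    der = parse_properties(blob).get(CERT_CERT_PROP_ID)
    if der is None or hashlib.sha1(der).hexdigest().upper() != thumb:
        raise ValueError("no certificate matching thumbprint " + thumb)
    return der

# Constructed sample: placeholder bytes stand in for a real DER certificate.
FAKE_DER = bytes.fromhex("3003020101")
FAKE_THUMB = hashlib.sha1(FAKE_DER).hexdigest().upper()

def _prop(prop_id, data):
    return struct.pack("<III", prop_id, 1, len(data)) + data

SAMPLE_BLOB = _prop(CERT_SHA1_HASH_PROP_ID, bytes.fromhex(FAKE_THUMB)) + _prop(CERT_CERT_PROP_ID, FAKE_DER)
SAMPLE = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\My\\Certificates\\"
          + FAKE_THUMB + "\n    Blob    REG_BINARY    " + SAMPLE_BLOB.hex().upper() + "\n")
```

Writing each extract_der() result to a file named after its thumbprint with a .cer extension gives something certutil -dump can read locally, so the per-server logs can be inventoried from one workstation.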
ASKER
hi,
Thank you so much for your answer. The purpose of exporting certificates data is to inventory and determine if the applications are using those certs and not the backup. So, we do need to get the output like the one performed with this command:
certutil -store -v my
I guess I don't have a choice and have to log in to each server - over 100 servers??
I tried PowerShell too and it gave me error unrecognizable output. We are using all 2003 DCs, so the PowerShell is not going to work for 2003 DC I guess? Or I should be able to make a PowerShell script do it with 2003 certificate local store?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
# To get certificate information
cls
# Windows 2012 / 2008R2 local
certutil -view -out "RequestID,RequesterName,RequestType,NotAfter,CommonName,Certificate Template" LOG CSV >C:\temp\certutil.txt
# Windows 2008 Local
certutil -view -out "RequestID,RequesterName,RequestType,NotAfter,CommonName,Certificate Template" LOG >C:\temp\certutil.txt
# To get information remote because Windows 2008 does not support [csv]
# Windows 2008 R2 Remote
certutil -dump # to get -config string
certutil -view -config "host.domain.com\Company Issuing CA 1" -out "RequestID,RequesterName,RequestType,NotAfter,CommonName,Certificate Template" LOG csv >C:\temp\certutil.txt
a) keystores are actually only registry keys and
b) you can remotely access the registry
to pull those keys directly :)
take a look at HKEY_LOCAL_MACHINE\SOFTWAR