Link to home
Start Free TrialLog in
Avatar of creative555
creative555

asked on

is there a way to run certutil for remote computer? switch -dc doesn't work

Hello,
I found this command that exports the certificates from computer personal store into text file. It is exactly what I need except is there is a way to query the remote servers to get the same info from computer personal store for the cert?

HEre is the command line that I need to work with remote computer:

certutil -store -v my > export.txt

WHen I run this command specifying the remote server I get this error:
certutil –store –v my –dc servername01 > >\output.txt

CertUtil: -store command FAILED: 0x80090011 (-2146893807)
CertUtil: Object was not found.


To display the certificates in the Local Machine certificate store:
CERTUTIL -store [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-v] [-dc dc_name] certificate_store_name [certificate_id [output_file]]
Avatar of Dave Howe
Dave Howe
Flag of United Kingdom of Great Britain and Northern Ireland image

no, you can't, however, you *can* take advantage of the fact that
a) keystores are actually only registry keys and
b) you can remotely access the registry
to pull those keys directly :)

take a look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates and the matching subkeys under HKEY_USERS for the actual data.
Avatar of creative555
creative555

ASKER

I dont see HKEY_Users. I need certificates in the Personal Computer Store (like the one you access choosing Local computer through certificates MMC)

User generated image
Is this the Path?

HKLM\SOFTWARE\Microsoft\SystemCertificates\My
I know i get personall store certificates if I run this command. but same problem here, it doesn't perform remotely. SO, if I do it with registry, I dont have to login to each server :)
certutil –store –v my > >\output.txt
Please help
no....I get gibberish when I query registry with this script:

REG QUERY "\\%1\HKLM\SOFTWARE\Microsoft\SystemCertificates\My" /s>>%1getcertificate.log

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\14112D41A9203426085713524253EA7E50D8F4DB
    Blob    REG_BINARY    0F0000000100000014000000EFB235E2DCFC582433E28B90F07EE61CA07CA6051900000001000000100000001AC126B4D3233132F7975A11FEAD02D203000000010000001400000014112D41A9203426085713524253EA7E50D8F4DB0200000001000000A40000001C0000004400000001000000200000000000000000000000010000004C00490056004500570049005200450043004F004E005400410049004E00450052000000000000004D006900630072006F0073006F0066007400200045006E00680061006E006300650064002000430072007900700074006F0067007200610070006800690063002000500072006F00760069006400650072002000760031002E00300000000000140000000100000014000000BC3162CA9B196DD4F45D67F8782169D208BCDBB304000000010000001000000046B003A6BF119874E13F91ED7950D9745C0000000100000004000000000400002000000001000000BD010000308201B930820126A00302010202100D065305586BBBBE4B45DC7146124E31300906052B0E03021D0500301F311D301B060355040313144C69766577697265204365727469666963617465301E170D3133303732353231303732365A170D3233303732353231303732365A301F311D301B060355040313144C6976657769726520436572746966696361746530819F300D06092A864886F70D010101050003818D003081890281810097E545AA4C55371AD90EC37270D3ECDC134FA13BF99EB549AFECC4972F10B6337EF3779121073D3461A1C7843120F0F1AAB492DB6026D26D0A6361B3BF9DC8ED4AF2EA50F7BA3001D24A06536BF3BFF991F5F24C8E6BC188B9DB43BE91B41A31252D7C0CBBBD79EFDF12743905CD488C7F20AA76F6F354C1C6F172BA797B39030203010001300906052B0E03021D0500038181003A9FA0B5E70339D910900647C070F69935E3A158222BBA2331F57116C74C041C000CDD26FD1A4E6E3789877AE31F44A719DC1F9B05DE207F10CEAD076C17B24432EE4910CFEA0B7FD78536F3C9A3DC8A4C60159BB13E94CC510494F07C071C9220D73EB581E067DF15888A5234C9566E71A5D43665D65FEC834F6B9BA422C397

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\1AA85C08A2A1BBFD021776E7059E7AFF191CC49C
    Blob    REG_BINARY    5C0000000100000004000000000400001900000001000000100000000B5D4AD1F311A3CF9641ED7EC6737C01140000000100000014000000A44FEF08569EA3313B4930AD7228DB72FA53B4A00B000000010000006000000053004D00530020005300690067006E0069006E006700200043006500720074006900660069006300610074006500000053004D005300200045006E006300720079007000740069006F006E00200043006500720074006900660069006300610002000000010000007C0000001C00000024000000010000006100000000000000000000000200000053004D00530000004D006900630072006F0073006F0066007400200042006100730065002000430072007900700074006F0067007200610070006800690063002000500072006F00760069006400650072002000760031002E003000000000000300000001000000140000001AA85C08A2A1BBFD021776E7059E7AFF191CC49C040000000100000010000000758650FDAB29DD65584D4D49D9D0E82B0F0000000100000014000000B9EA97D8EED7CBA8F5FE8900A5EEA8FAFB04DF9C2000000001000000DE010000308201DA30820147A00302010202108CAC8D1BC29F35884288E3D01C030B31300906052B0E03021D0500302231123010060355040313094E415044434D303146310C300A06035504031303534D533020170D3035313130333031333432355A180F32313035313031303031333432355A302231123010060355040313094E415044434D303146310C300A06035504031303534D5330819F300D06092A864886F70D010101050003818D0030818902818100A53DE5A6777A9FE599F669F1A2D33BFBE8CDC80E45E8464918BF90B61355194B352481B9C0449F97B28F5E39C2D4531665CCE40F99332EF2A5809DA926842E5BB47114E9DEAE85DCA1CA24D75836F46FB8A12FA282CD80C0A98904289366EC9E4E6C796440E58B3AC28C7878955854B02A1E7796AF8D925AD6AF546FB6043A5F0203010001A317301530130603551D25040C300A06082B06010401823765300906052B0E03021D05000381810044B35460238DF1955A2E2BDA95EB0B7016715DF52F2FFA1955C8229808AC28400688A8CED645EC2B109F4B6E8CB1C3C86E3736CB2EA7895C51A31B62C1047F3DCB1E55581C6CDC8E4B03A23FF1D686F6AC706FED57089509EF6CF532542212861E5B3C6BDC946D64DD2E0C735614DD0966E65C9C4E6C6FB497A574E3A14424FE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\271BA51FE56B5F9977EA3922E86EC8DFDD779908
    Blob    REG_BINARY    5C000000010000000400000000080000180000000100000010000000480B86E94FE3E1A15D18F3EEF8DEB4CA040000000100000010000000BC1D51B54698EDA46ED04DDF79A5E8B9140000000100000014000000D1656DC09E68E4C3D29B013E76953FE1F0B6061502000000010000000C0100001C000000AC0000000C00000020000000000000000000000001000000620030006100340031003300360061003300350032003200620063003800640032003600650061003200360034006600660030003400340066003600390031005F00610031003300640037006300320033002D0034003600360065002D0034003700390065002D0039003600390034002D006500310032006100660039003700330062006400660031000000000000004D006900630072006F0073006F00660074002000520053004100200053004300680061006E006E0065006C002000430072007900700074006F0067007200610070006800690063002000500072006F0076006900640065007200000000000000030000000100000014000000271BA51FE56B5F9977EA3922E86EC8DFDD77990819000000010000001000000069633D93B2A9A62669F834A98E852E9C0F0000000100000014000000AF99AFCA5929D92DBE4D2658119F0E6E7873C905200000000100000067060000308206633082054BA003020102021036FEDAC83E7164E0AA4886AE2298B390300D06092A864886F70D01010505003081BE310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E311F301D060355040B1316566572695369676E205472757374204E6574776F726B313B3039060355040B13325465726D73206F66207573652061742068747470733A2F2F7777772E766572697369676E2E636F6D2F727061202863293036313830360603550403132F566572695369676E20436C617373203320457874656E6465642056616C69646174696F6E2053534C20534743204341301E170D3130313131303030303030305A170D3131313131303233353935395A3082011631133011060B2B0601040182373C0201031302555331193017060B2B0601040182373C020102130844656C6177617265311D301B060355040F131450726976617465204F7267616E697A6174696F6E3110300E0603550405130730363733383039310B3009060355040613025553310E300C060355041114053930323435311330110603550408130A43616C69666F726E6961311330110603550407140A456C20536567756E646F311E301C0603550409141533333320436F6E74696E656E74616C20426C76642E31143012060355040A140B4D617474656C20496E632E31123010060355040B1409474C4F42414C20495431223020060355040314194E415044434D3031462E434F52502E4D415454454C2E434F4D30820122300D06092A864886F70D01010105000382010F003082010A0282010100C8E94DC9E4B0EADFEA56111C19739480F6F431CD0905D80058DB4882667C9CBBDA849CBE3C0E30C55444FC97F42AFAA23E72BCF4C1DD42C8DEA459E2B9374FA536831BF4662BEBC0FD93243ED80AE6565CE38A453C8BA838161B78F7ED01E1EB619F3EBB3C1B1AEF0803811584A3AA9B5BAF99BC635891C74B8B8A5E30EC789123DACD0F0EE0173842BA66D42EBBA4576F96D3AB376CFA8B30437979ADD709F6216D4DA94FFDE15D5C0DB7768E4A750C911B969544E9AE678002C7EFD4FB440BB756C562A53FB4886B36AEFD7E4380F2147A196F4483DB8DD609767059B11061E17EA901E1A69970F6DD3B45EC396F900EE485D2C0CBC7D5C01768E470B473610203010001A3820200308201FC30090603551D1304023000301D0603551D0E04160414D1656DC09E68E4C3D29B013E76953FE1F0B60615300B0603551D0F0404030205A030440603551D20043D303B3039060B6086480186F84501071706302A302806082B06010505070201161C68747470733A2F2F7777772E766572697369676E2E636F6D2F727061303E0603551D1F043730353033A031A02F862D687474703A2F2F4556496E746C2D63726C2E766572697369676E2E636F6D2F4556496E746C323030362E63726C30340603551D25042D302B06082B0601050507030106082B0601050507030206096086480186F8420401060A2B0601040182370A0303301F0603551D230418301680144E43C81D76EF37537A4FF2586F94F338E2D5BDDF307606082B06010505070101046A3068302B06082B06010505073001861F687474703A2F2F4556496E746C2D6F6373702E766572697369676E2E636F6D303906082B06010505073002862D687474703A2F2F4556496E746C2D6169612E766572697369676E2E636F6D2F4556496E746C323030362E636572306E06082B0601050507010C04623060A15EA05C305A305830561609696D6167652F6769663021301F300706052B0E03021A04144B6BB92896060CBBD052389B29AC4B078B21051830261624687474703A2F2F6C6F676F2E766572697369676E2E636F6D2F76736C6F676F312E676966300D06092A864886F70D0101050500038201010040601100E0FE65CF6715B738EDCCBF6D00FCB1EB10458DDD37F64A34B39059B09731C74238C8C3DEC83DFF0F820B377BFACB7D4EF401D6EED86AB8DFAF78237209DECE7820321B5E036CE8C41092B90F054F148CB8B21EDDB0554A38FBC60ACC722CFA33B5D8F20F2A4D942534A188C1E2F18C9DF47EE8B13A93A84CA4E7BA1F44B9ECD40EF07A55FD96480D17B4CC157DCB2F6480A286AD8FA4D11FEE75DC81C46A32BC08FEF8941D02F03BF5D9730D985B2880043B8A7EA2828B1B2D9BEDCAB07416F530F3B8DAB7042A94C000F75DD53FCCEE2624D4863F956A41EA65EC5EB4B71469739AF6F4F89B5760AA1AF22CA8D8ED9DCAC1BA1DA6F80C5F3230FB7E

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\5D34CDB7FB75BE7AB37EDA34A83217F90733A6AC
    Blob    REG_BINARY    5C0000000100000004000000000400001900000001000000100000006C35CEC48176108916DA47DBA5861E6A14000000010000001400000069621C338E05AB7C784B0D2AF16914E3D25620610B000000010000006C00000053004D005300200045006E006300720079007000740069006F006E0020004300650072007400690066006900630061007400650000000000745F1518000000002E3F415648726573756C74457863657074696F6E404572726F724043434D404000000000BF44FFFFF21C00000200000001000000740000001C00000024000000010000006100000000000000000000000100000053004D00530000004D006900630072006F0073006F006600740020005300740072006F006E0067002000430072007900700074006F0067007200610070006800690063002000500072006F007600690064006500720000000300000001000000140000005D34CDB7FB75BE7AB37EDA34A83217F90733A6AC040000000100000010000000BB934790778EADCD6B1E7256C1D6A6E80F000000010000001400000064C25B8C3A9DAA7CF56D7D21524E5F30B574AA0C2000000001000000DF010000308201DB30820148A0030201020210F4E91089BA8C9E9E4171F8CCB0A1A96E300906052B0E03021D0500302231123010060355040313094E415044434D303146310C300A06035504031303534D533020170D3035313130333031333432365A180F32313035313031303031333432365A302231123010060355040313094E415044434D303146310C300A06035504031303534D5330819F300D06092A864886F70D010101050003818D0030818902818100C0EAEB5BF84B80C39C10C2AA3724AE2C7CC405B6BF977E55C8003931F2E99AD93D41948F4F96AB3FE90DDC11AC8D105BD6A3F86746BD6CE8C1F068D5B550A1DD335527FB8A59986C14891AE49555846F09285B047BB203FEA1A19F03D0DCB67FAB363482AA78E0466244BC4407903828EBDEC4273C7373BAA5510FA2AD3A23DB0203010001A318301630140603551D25040D300B06092B0601040182376502300906052B0E03021D0500038181005E95DDEEAFADE08B472AB3D43C45AC098E7848E1F1572574D0E4D6A75681D3B902048C2F86661B8D6D6B64781D1FE0BB935E6DAEA2645F9B8E393F97DB36D57F422C8A8A4537D55C28A203868F8A8A462A7C33D6859DDA3DEF7BC15D4FC56CDB70CA0BC62AA202D1C663AD2D1E045320136328C45DEF1DE56A52A04E1586CDD4
The certificates are in binary (blob) form; the key names however are the fingerprints for the certs. So, for instance, the cert "VeriSign Trust Network" (1998-2028) has the fingerprint
85 37 1C A6 E5 50 14 3D CE 28 03 47 1B DE 3A 09 E8 F8 77 0F

and a quick check in the registry finds me:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F

it is possible to convert the binary blob back into a usable DER file, but its not really required; re-adding the registry key restores the certificate to the keystore, which is all you usually want from a backup :)
hi,
THank you so much for your answer. The purpose of exporting certificates data is to inventory and determine if the applications are using those certs and not the backup. So, we do need to get the output like the one performed with this command:

certutil -store -v my

I guess I don't have a choice and have to login to each server - over 100 servers??

I tried powershell too and it gave me error unrecognizable output. We are using all 2003 DCs, so the powershell is not going to work for 2003 DC I guess? or I should be able to make powershell script do it with 2003 certificate local store?
ASKER CERTIFIED SOLUTION
Avatar of Dave Howe
Dave Howe
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
# To get certificate information
cls

# Windows 2012 / 2008R2 local
certutil -view -out "RequestID,RequesterName,RequestType,NotAfter,CommonName,Certificate Template" LOG CSV >C:\temp\certutil.txt

# Windows 2008  Local
certutil -view -out "RequestID,RequesterName,RequestType,NotAfter,CommonName,Certificate Template" LOG >C:\temp\certutil.txt

# To get information remote because  Windows 2008 does not support[ csv]
# Windows 2008 R2 Remote
certutil -dump  # to get –config string

certutil -view -config "host.domain.com\Company Issuing CA 1" -out "RequestID,RequesterName,RequestType,NotAfter,CommonName,Certificate Template" LOG csv >C:\temp\certutil.txt