blog.powershell.no

On Windows PowerShell and other admin-related topics

Working with Active Directory Certificate Services from Windows PowerShell

In Active Directory Certificate Services, the primary administration interface is the Certification Authority MMC snap-in, exposed through Server Manager in Windows Server 2008 and Windows Server 2008 R2:

[Screenshot: the Certification Authority MMC snap-in in Server Manager]

More advanced administration options are available through the command line utility certutil.exe.

I recently worked with an environment with an unusually large number of issued certificates (several hundred thousand), and working with the MMC tools was not efficient.

I first started by exporting the issued certificates to a CSV file by using certutil.exe's csv option. This option seems to be new in Windows Server 2008 R2, although I haven't found any documentation on it. It is actually possible to use certutil.exe from a Windows Server 2008 R2 member server against a Certification Authority running an earlier version of Windows Server to export issued certificates to CSV. It should also be noted that this can be accomplished using the Export List option in the Certification Authority MMC in both Windows Server 2008 R2 and earlier versions of Windows Server.

When the CSV file is exported, we can import it into Windows PowerShell and do things like grouping and sorting:

#Export certificates to CSV (only the listed columns are written, which keeps the file small)
certutil -view -out "RequestID,RequesterName,RequestType,NotAfter,CommonName,Certificate Template" csv > c:\temp\certs.csv

#Import CSV. The column headers in the file are the display names (for example "Requester Name"),
#so those are the property names to use in PowerShell; property names are case-insensitive.
$csv = Import-Csv C:\Temp\certs.csv

#Group by requester name, and sort by count
$csv | Select-Object "requester name" | Group-Object -Property "requester name" | Sort-Object -Property count

#Work further with a specific computer based on the above results
$computer = $csv | Where-Object {$_."requester name" -eq "computer01"}

Note that importing a CSV of a very large data set into PowerShell might consume large amounts of system resources (up to 2,5 GB in my case), so this might not be the best approach. Another option would be to work directly against the Certification Authority database, where we can set filters directly on the queries so that only the matching rows are returned.

There are several COM objects available for working with Active Directory Certificate Services, which make it possible to work directly against the Certification Authority database from PowerShell.

PowerShell MVP Vadim Podans has written a blog post showing how this can be accomplished.

Another COM object to look into is the ICertAdmin2 interface, which can be accessed from PowerShell like this:
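To show what "setting filters directly on the queries" looks like in practice, here is an added example (written for this edit, not code from the original post or from Vadim Podans' post) that queries the CA database through the CertificateAuthority.View COM object (ICertView2). The CA applies the restrictions before returning rows, so only issued certificates that expire within the chosen window cross the wire, and the memory problem of the full CSV import does not arise. The config string, the 30-day window and the exact database column names used in the restrictions are assumptions for illustration; the constant values are taken from certview.h.

```powershell
# Added example: server-side filtered query against the CA database via ICertView2.
# Assumptions: CA config string "lab-dc-01\Issuing CA 01" (host\CA name), column names
# "Request.Disposition", "Request.RequesterName", "NotAfter", "CommonName", "CertificateTemplate".

# Seek/sort flags and output format, as defined in certview.h
$CVR_SEEK_EQ   = 0x1
$CVR_SEEK_LT   = 0x2
$CVR_SEEK_GE   = 0x8
$CVR_SORT_NONE = 0x0
$CV_OUT_BASE64 = 0x1      # display format passed to GetValue(); strings and dates come back unchanged

function Get-IssuedCertsExpiringSoon {
    param(
        [string]$Config = "lab-dc-01\Issuing CA 01",   # assumed CA config string
        [int]$Days = 30
    )

    $view = New-Object -ComObject "CertificateAuthority.View"
    $view.OpenConnection($Config)

    # Restriction 1: only rows with Disposition 20 (certificate issued)
    $dispIdx = $view.GetColumnIndex($false, "Request.Disposition")
    $view.SetRestriction($dispIdx, $CVR_SEEK_EQ, $CVR_SORT_NONE, 20)

    # Restriction 2: NotAfter between now and now + $Days. Restrictions are ANDed, so
    # two restrictions on the same column give a date range.
    $notAfterIdx = $view.GetColumnIndex($false, "NotAfter")
    $now = Get-Date
    $view.SetRestriction($notAfterIdx, $CVR_SEEK_GE, $CVR_SORT_NONE, $now)
    $view.SetRestriction($notAfterIdx, $CVR_SEEK_LT, $CVR_SORT_NONE, $now.AddDays($Days))

    # Request only the columns we need; the CA does the filtering, so the result set stays small
    $columns = "RequestID", "Request.RequesterName", "CommonName", "NotAfter", "CertificateTemplate"
    $view.SetResultColumnCount($columns.Count)
    foreach ($c in $columns) { $view.SetResultColumn($view.GetColumnIndex($false, $c)) }

    # Walk the rows and turn each one into a PSObject keyed by the column display name
    $rows = $view.OpenView()
    while ($rows.Next() -ne -1) {
        $record = @{}
        $cols = $rows.EnumCertViewColumn()
        while ($cols.Next() -ne -1) {
            $record[$cols.GetDisplayName()] = $cols.GetValue($CV_OUT_BASE64)
        }
        New-Object PSObject -Property $record
    }
}

# Usage: the objects group and sort exactly like the Import-Csv output did,
# but only the filtered rows were ever loaded into PowerShell.
$expiring = Get-IssuedCertsExpiringSoon -Days 30
$expiring | Group-Object -Property "Requester Name" | Sort-Object -Property Count -Descending
```

Because the disposition and date restrictions are evaluated by the CA, this is also the natural place to build a periodic report of certificates about to expire, something the CSV round trip makes expensive on a database of several hundred thousand rows. GetDisplayName() returns the localized display names, so the grouping property is "Requester Name" rather than the schema name used in the restriction.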

#Create COM object
$certadmin = new-object -com "CertificateAuthority.Admin.1"

#Explore COM object
$certadmin | Get-Member

#Sample usage for one of the available methods. DeleteRow permanently removes the row
#from the CA database, so make sure the config string and RowId are correct first.
$certadmin.DeleteRow(
"lab-dc-01\Issuing CA 01", #Config-string (host\CA name)
 0x0, #Flags, not set (no date-based selection)
 0x0, #Date, not set when using RowId
 0x0, #Table, 0x0 is CVRC_TABLE_REQCERT (the request/certificate table)
 21 #RowId
 )
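Since DeleteRow is irreversible, a practitioner will usually want to confirm which CA a config string actually points at before calling it. The following is an added example (not from the original post) that uses the read-only side of the same ICertAdmin2 interface, GetCAProperty, to print the CA name, host DNS name and CA type for a config string. The property and type identifiers are taken from certcli.h; the config string is an assumption for illustration.

```powershell
# Added example: read-only ICertAdmin2 usage to verify a CA config string before any
# destructive call. Assumes config string "lab-dc-01\Issuing CA 01".

# Property identifiers and property types from certcli.h
$CR_PROP_CANAME  = 6     # CA common name (string)
$CR_PROP_CATYPE  = 10    # CA type (long)
$CR_PROP_DNSNAME = 22    # DNS name of the CA host (string)
$PROPTYPE_LONG   = 1
$PROPTYPE_STRING = 4

# CA type values returned for CR_PROP_CATYPE
$caTypeNames = @{
    0 = "Enterprise Root CA"
    1 = "Enterprise Subordinate CA"
    3 = "Standalone Root CA"
    4 = "Standalone Subordinate CA"
}

function Get-CASummary {
    param([string]$Config = "lab-dc-01\Issuing CA 01")   # assumed config string

    $admin = New-Object -ComObject "CertificateAuthority.Admin.1"

    # GetCAProperty(strConfig, PropId, PropIndex, PropType, Flags)
    # PropIndex is 0 for non-indexed properties; Flags only matters for binary properties.
    $name   = $admin.GetCAProperty($Config, $CR_PROP_CANAME,  0, $PROPTYPE_STRING, 0)
    $dns    = $admin.GetCAProperty($Config, $CR_PROP_DNSNAME, 0, $PROPTYPE_STRING, 0)
    $typeId = $admin.GetCAProperty($Config, $CR_PROP_CATYPE,  0, $PROPTYPE_LONG,   0)

    if ($caTypeNames.ContainsKey([int]$typeId)) {
        $typeName = $caTypeNames[[int]$typeId]
    } else {
        $typeName = "Unknown CA type ($typeId)"
    }

    New-Object PSObject -Property @{
        Config  = $Config
        CAName  = $name
        DnsName = $dns
        CAType  = $typeName
    }
}

# Usage: check the target before running DeleteRow against the same config string
Get-CASummary -Config "lab-dc-01\Issuing CA 01" | Format-List
```

If the CA name or DNS name returned here is not the one you expected, the config string is pointing at the wrong CA and no row should be deleted with it. The same GetCAProperty pattern gives access to the other CR_PROP_* values listed in certcli.h.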

January 9, 2011 - Posted by | Active Directory management, PKI, Windows PowerShell

2 Comments

  1. […] that had been issued to users from our ADCS Subordinate Issuing CA.  I saw, as explained on the powershell.no blog, that could use the certutil.exe command included in Windows Server 2008 R2 to get a CSV export of […]

    Pingback by Export a CSV file of active certificates from your ADCS PKI – Tech Swamp | August 10, 2011
