Background
Let us view certificate information from the command line using certutil.exe.
Script
Scenario
Scenario :- Certificate in Store
Outline
Use certutil.exe to open a specific certificate store and return information for the specified certificate.
Syntax
certutil.exe -v -store [store] [certificateID]
Sample
Sample :- Display Cert info on console
@echo off
setlocal
rem Subject name (CN) of the certificate to look up in the machine "my" (Personal) store
set "_certID=dbHRDB.lab.org"
certutil.exe -v -store my "%_certID%"
endlocal
Sample :- Display Cert info and send output to a file
@echo off
setlocal
set "_certID=dbHRDB.lab.org"
rem Create the log folder if it is missing, then redirect the verbose output into it
if not exist log mkdir log
certutil.exe -v -store my "%_certID%" > log\certinfo.log
endlocal
Scenario :- Certificate in File System
Outline
Use certutil.exe to read a certificate file from the file system and return its information.
- Reach into the file system and read the certificate file.
- Pass along the certificate password with -p if the file is password-protected.
- Pass along -v for verbose mode.
Syntax
certutil.exe -p [certPassword] -v [certificateFile]
Sample
@echo off
setlocal
set "_certFolder=D:\Microsoft\SQLServer\certificates\SSL\20180412"
set "_certificate=hrdbLocal.pfx"
set "_certificateFullname=%_certFolder%\%_certificate%"
rem The PFX password is passed on the command line, so it is visible in process listings and in command-line auditing
set "_certPassword=lovelyDay"
certutil.exe -p "%_certPassword%" -v "%_certificateFullname%"
endlocal
Output
Sample Output
my "Personal"
================ Certificate 2 ================
X509 Certificate:
Version: 3
Issuer:
    CN=InCommon RSA Server CA
    OU=InCommon
    O=Internet2
    L=Ann Arbor
    S=MI
    C=US
  Name Hash(sha1): 69836d535691d9fcb786abfb77e139c40a56f422
  Name Hash(md5): b2b952036d94176073a235e65f5e308e
 NotBefore: 4/12/2018 12:00 AM
 NotAfter: 4/11/2020 11:59 PM
Subject:
    CN=dbHRDB.lab.org
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Key Encipherment (a0)
    2.5.29.37: Flags = 0, Length = 16
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)
        Client Authentication (1.3.6.1.5.5.7.3.2)
    2.5.29.17: Flags = 0, Length = 54
    Subject Alternative Name
        DNS Name=dbHRDBExternal.lab.org
  CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = {8BE90DBA-B43E-49A8-9000-8B4E5D8CF47E}
      Unique container name: a0feaa75dadd8b70e2c24fb889f45701_f9e27b6e-7c79-4f5d-abaa-b270baf4ddc6
    Provider = Microsoft Enhanced Cryptographic Provider v1.0
    ProviderType = 1
    Flags = 20 (32)
      CRYPT_MACHINE_KEYSET -- 20 (32)
    KeySpec = 1 -- AT_KEYEXCHANGE
  D:AI(A;;GAGR;;;BA)(A;;GAGR;;;SY)(A;;GR;;;S-1-5-5-0-2933760447)
    Allow Full Control    BUILTIN\Administrators
    Allow Full Control    NT AUTHORITY\SYSTEM
    Allow Read            NT AUTHORITY\LogonSessionId_0_2933760447
Private Key:
  PRIVATEKEYBLOB
  Version: 2
  aiKeyAlg: 0xa400
    CALG_RSA_KEYX
    Algorithm Class: 0xa000(5) ALG_CLASS_KEY_EXCHANGE
    Algorithm Type: 0x400(2) ALG_TYPE_RSA
    Algorithm Sub-id: 0x0(0) ALG_SID_RSA_ANY
  0000  52 53 41 32                                        RSA2
  0000 ... 048c
Encryption test passed
CertUtil: -store command completed successfully.
Explanation
- Issuer
  - InCommon RSA Server CA
- Date Range
  - NotBefore
  - NotAfter
- Subject
  - CN=dbHRDB.lab.org
- Key Usage
  - Digital Signature, Key Encipherment
    - Digital Signature
      - Sign code, documents, etc.
    - Key Encipherment
      - Encrypt data
- Enhanced Key Usage
  - Server Authentication (1.3.6.1.5.5.7.3.1)
  - Client Authentication (1.3.6.1.5.5.7.3.2)
- Subject Alternative Name
  - DNS Name=dbHRDBExternal.lab.org
  - Other acceptable/published names that clients can use to refer to the server without failing name validation
- Crypto Machine Keyset (CRYPT_MACHINE_KEYSET: the key lives in the machine key store rather than a user profile)
  - KeySpec = 1 -- AT_KEYEXCHANGE
- Private Key
  - We have the private key
  - Encryption test passed
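As an added example (not part of the original post and not part of certutil itself): a Python script that pulls the fields walked through above out of certutil -v -store output and turns them into the checks an operator usually wants, namely the expiry window, whether the expected host name is covered by the SAN, the Server Authentication EKU, and whether the private key is present and passed the encryption test. The embedded text is a constructed excerpt of the sample output above; parse_certutil and check_cert are hypothetical names.

```python
import re
from datetime import datetime, timedelta
# Constructed excerpt of the "certutil -v -store my" output shown above (not a live capture)
SAMPLE = """Issuer:
    CN=InCommon RSA Server CA
 NotBefore: 4/12/2018 12:00 AM
 NotAfter: 4/11/2020 11:59 PM
Subject:
    CN=dbHRDB.lab.org
    Key Usage
        Digital Signature, Key Encipherment (a0)
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)
        Client Authentication (1.3.6.1.5.5.7.3.2)
    Subject Alternative Name
        DNS Name=dbHRDBExternal.lab.org
Private Key:
Encryption test passed
"""

def parse_certutil(text):
    """Pull the fields the explanation above walks through out of certutil -v output."""
    def after(label):  # first indented value line under 'label' (e.g. the CN under Subject:)
        m = re.search(r"^\s*" + re.escape(label) + r"\s*\n\s+(.+?)\s*$", text, re.M)
        return m.group(1) if m else None
    def when(label):  # certutil prints US-style timestamps such as 4/12/2018 12:00 AM
        return datetime.strptime(re.search(label + r":\s*(.+)", text).group(1).strip(), "%m/%d/%Y %I:%M %p")
    return {
        "issuer": after("Issuer:"), "subject": after("Subject:"),
        "not_before": when("NotBefore"), "not_after": when("NotAfter"),
        "key_usage": re.sub(r" \([0-9a-f]+\)$", "", after("Key Usage") or ""),
        "eku_oids": re.findall(r"\((\d+(?:\.\d+)+)\)", text),  # dotted OIDs after the EKU names
        "san": re.findall(r"DNS Name=(\S+)", text),
        "has_private_key": "Private Key:" in text and "Encryption test passed" in text,
    }

def check_cert(info, expected_host, now, warn_days=30):
    findings = []  # empty list means the certificate looks usable for expected_host at time 'now'
    if now > info["not_after"]:
        findings.append("expired on %s" % info["not_after"].date())
    elif info["not_after"] - now < timedelta(days=warn_days):
        findings.append("expires within %d days" % warn_days)
    # Modern TLS clients match the host name against the SAN list, not the subject CN
    if expected_host.lower() not in [n.lower() for n in info["san"]]:
        findings.append("%s not in SAN %s" % (expected_host, info["san"]))
    if "1.3.6.1.5.5.7.3.1" not in info["eku_oids"]:  # id-kp-serverAuth
        findings.append("EKU lacks Server Authentication")
    if not info["has_private_key"]:
        findings.append("private key missing or failed the encryption test")
    return findings
```

Feed it the file written by the second sample script (log\certinfo.log) to run the same checks against a certificate from the store.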