How to determine all certificates that will expire within 30 days
Wouldn't it be interesting for the CA admin to know which certificates are expiring in the near future? If autoenrollment is not enabled, certificate users should be informed in advance, before they actually lose functionality.
A simple certutil command enables the CA admin to generate a list with all expiring certificates:
certutil -view -restrict "NotAfter<=May 5,2008 08:00AM,NotAfter>=April 24,2008 08:00AM" -out "RequestID,RequesterName"
Since I mentioned autoenrollment above, here is a trick how to determine if a certificate was enrolled manually or with autoenrollment.
certutil -view -v -out rawrequest | findstr Process
The above command can be extended with the -restrict parameter to reduce the amount of output produced by the query.
The name of the task performing autoenrollment differs between OS releases and possibly between the machine and user contexts. Manually requested certificates may show a process name such as certreq or cscript.
To learn more about how to notify users of certificate expiration, see https://blogs.msdn.com/spatdsg/archive/2007/07/19/notify-users-of-cert-expiration.aspx
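As an added example (not code from the original post), the query above wrapped in a PowerShell script: it computes the 30-day window, hands it to certutil -restrict, and narrows the rows to one or more templates on the client side, which is one way to answer the two-template question raised in the comments, since each additional -restrict clause only narrows the result further. It assumes certutil's csv output switch, the M/d/yyyy date format one commenter reports working, and Disposition=20 for issued certificates; $Days, $Template and $CAConfig are this script's own parameters.

```powershell
# Added example (not from the original post): list certificates issued by an AD CS CA
# that expire within the next $Days days, optionally narrowed to one or more templates.
# Assumptions (not stated on the page): certutil's "csv" output switch is available,
# the CA's locale accepts M/d/yyyy dates in -restrict (the format a commenter reports
# working), and Disposition=20 selects issued certificates in the CA database.
param(
    [int]$Days = 30,
    [string[]]$Template = @(),   # e.g. 'WebServer','Machine'; empty means all templates
    [string]$CAConfig = ''       # 'CAHost\CA Name'; empty lets certutil pick the default CA
)

$start = Get-Date
$end   = $start.AddDays($Days)
$fmt   = 'M/d/yyyy h:mmtt'

# Every clause in -restrict narrows the result further (they are ANDed), which is why a
# second "CertificateTemplate = ..." clause returns nothing; templates are filtered below.
$restrict = 'Disposition=20,NotAfter>={0},NotAfter<={1}' -f $start.ToString($fmt), $end.ToString($fmt)
$columns  = 'RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate'

$cuArgs = @()
if ($CAConfig) { $cuArgs += '-config', $CAConfig }
$cuArgs += '-view', '-restrict', $restrict, '-out', $columns, 'csv'

$raw = & certutil.exe @cuArgs
if ($LASTEXITCODE -ne 0) { throw "certutil failed (exit $LASTEXITCODE): $($raw -join "`n")" }

# The CSV header carries the localized display names, so map columns by position
# (the order requested in $columns) rather than by name.
$rows    = @($raw | ConvertFrom-Csv)
$headers = if ($rows.Count) { $rows[0].PSObject.Properties.Name } else { @() }

$expiring = foreach ($r in $rows) {
    $v = @($headers | ForEach-Object { $r.$_ })
    $obj = [pscustomobject]@{
        RequestID = $v[0]; Requester = $v[1]; CommonName = $v[2]
        NotAfter  = $v[3]; Template  = $v[4]
    }
    # The template column may hold the template name or its OID depending on the
    # template version, so a substring match lets the caller pass either.
    if (-not $Template -or ($Template | Where-Object { $obj.Template -like "*$_*" })) { $obj }
}

# Sort by expiry; the [datetime] cast parses the CA's date string in the current culture.
$expiring | Sort-Object { [datetime]$_.NotAfter } | Format-Table -AutoSize
```

Run it as `.\Get-ExpiringCerts.ps1 -Days 30 -Template WebServer,Machine` (file name is the reader's choice) on a host that can reach the CA.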
Comments
Anonymous
January 01, 2003
If you want to get all expiring certificates for 2 different templates, can you ask that in the same question? I don't get it to work. certutil -config - -view -restrict "NotAfter<=07/30/2012 08:00AM,NotAfter>=07/18/2012 08:00AM,CertificateTemplate = WebServer,CertificateTemplate = Machine" -out "RequesterName,CommonName,NotAfter,Email" Or do I have to separate them into 2 different queries?
Anonymous
January 01, 2003
The comment has been removed
Anonymous
January 01, 2003
A while ago I explained how to determine all certificates that will expire within a given period. Now
Anonymous
May 29, 2014
The comment has been removed
Anonymous
April 01, 2015
The parameter is incorrect
Anonymous
April 01, 2015
The certutil command does not work
Anonymous
April 09, 2015
Jim, I hit the same snag. Use this date format 5/5/2015
Anonymous
September 28, 2016
Does this work fine on Server 2012 R2?
- Anonymous
February 23, 2017
It should.
- Anonymous