How to determine all certificates that will expire within 30 days

Wouldn't it be useful for the CA admin to know which certificates are expiring in the near future? If autoenrollment is not enabled, certificate users should be informed in advance, before they actually lose functionality.

A simple certutil command lets the CA admin generate a list of all certificates expiring within a given window:

certutil -view -restrict "NotAfter<=May 5,2008 08:00AM,NotAfter>=April 24,2008 08:00AM" -out "RequestID,RequesterName"
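The same query can be computed for a rolling 30-day window instead of hard-coded dates. The PowerShell script below is an added example, not part of the original post: it builds the -restrict string from the current date, limits the result to issued certificates (Disposition=20, so pending, failed and revoked rows are left out), and runs one query per template because -restrict clauses are combined with AND. It assumes certutil is run against the default CA (pass -config "host\CA name" otherwise), that the CA accepts the M/d/yyyy h:mmtt date form mentioned in the comments, and that the csv output format of certutil -view is available.

```powershell
# Added example, not from the original post: list issued certificates that
# expire within the next $Days days using certutil -view -restrict.
param(
    [int]$Days = 30,
    [string[]]$Templates = @()   # e.g. 'WebServer','Machine'; empty = all templates
)

# Date form assumed to be accepted by the CA's -restrict parser (en-US style),
# e.g. 5/5/2015 8:00AM as suggested in the comments below the post.
$fmt  = 'M/d/yyyy h:mmtt'
$now  = Get-Date
$from = $now.ToString($fmt)
$to   = $now.AddDays($Days).ToString($fmt)

function Get-ExpiringCerts([string]$Template) {
    # Clauses in -restrict are ANDed, so two CertificateTemplate= clauses in one
    # query match nothing; each template therefore gets its own query.
    $restrict = "NotAfter>=$from,NotAfter<=$to,Disposition=20"   # 20 = issued
    if ($Template) { $restrict += ",CertificateTemplate=$Template" }

    # csv output is assumed to carry a header row of column display names,
    # which ConvertFrom-Csv turns into object properties.
    certutil -view -restrict $restrict `
        -out 'RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate' csv |
        ConvertFrom-Csv
}

$rows = if ($Templates.Count -gt 0) {
    $Templates | ForEach-Object { Get-ExpiringCerts $_ }
} else {
    Get-ExpiringCerts
}

# One line per certificate; pipe to Export-Csv or a mail script as needed.
$rows | Format-Table -AutoSize
```

Run it as `.\Get-ExpiringCerts.ps1 -Days 30 -Templates WebServer,Machine` (the file name is an assumption). Excluding non-issued dispositions matters in practice: a revoked certificate still has a NotAfter value inside the window, but nobody needs to be warned about it.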

Since I mentioned autoenrollment above, here is a trick to determine whether a certificate was enrolled manually or with autoenrollment.

certutil -view -v -out rawrequest | findstr Process

The above command can certainly be extended with the -restrict parameter to reduce the amount of output produced by the query.

The name of the task performing autoenrollment differs between OS releases and possibly between machine and user contexts. Manually requested certificates may show a process name like certreq or cscript.
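Reading the findstr output by eye gets tedious on a busy CA, so the following PowerShell script, an added example rather than the post's own command, pairs each process name with its request ID and tallies the result. It assumes the verbose output of certutil -view starts each row with a "Request ID: 0x.. (N)" line and shows the recorded process on a line of the form "Process: <name>" or "Process Name: <name>"; it classifies only certreq and cscript (the names given in the post) as manual and leaves everything else for the admin to inspect, since the autoenrollment task name varies.

```powershell
# Added example, not from the original post: tally how issued certificates
# were requested, using the process name recorded in each raw request.
param([string]$Restrict = 'Disposition=20')   # 20 = issued; narrow further as needed

$raw = certutil -view -restrict $Restrict -v -out 'RequestID,rawrequest'

$rows = New-Object System.Collections.Generic.List[object]
$id = $null; $proc = $null

function Add-Row {
    # Emit the row collected so far (request ID plus last process name seen).
    if ($id) { $rows.Add([pscustomobject]@{ RequestID = $id; Process = $proc }) }
}

foreach ($line in $raw) {
    # Assumed row header layout: "  Request ID: 0x2 (2)"
    if ($line -match '^\s*Request ID:\s*0x[0-9a-fA-F]+\s*\((\d+)\)') {
        Add-Row
        $id = [int]$Matches[1]; $proc = $null
    }
    # Assumed process line layout: "Process: certreq" or "Process Name: certreq"
    elseif ($line -match '^\s*Process(?:\s+Name)?\s*:\s*(\S.*)$') {
        $proc = $Matches[1].Trim()
    }
}
Add-Row

$tagged = $rows | ForEach-Object {
    $kind = if (-not $_.Process)                    { 'no process recorded' }
            elseif ($_.Process -match 'certreq|cscript') { 'manual' }   # names from the post
            else                                     { 'other (inspect: likely autoenrollment)' }
    $_ | Add-Member -NotePropertyName Kind -NotePropertyValue $kind -PassThru
}

# Summary first, then the per-request detail for anything not clearly manual.
$tagged | Group-Object Kind, Process | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$tagged | Where-Object Kind -ne 'manual' | Format-Table RequestID, Process, Kind -AutoSize
```

Once the process names used by autoenrollment on your CA are known, extend the manual/other split accordingly; the summary table makes it obvious which names dominate.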

To learn more how to notify users of certificate expiration, see https://blogs.msdn.com/spatdsg/archive/2007/07/19/notify-users-of-cert-expiration.aspx

Comments

  • Anonymous
    January 01, 2003
    If you want to get all expiring certificates for 2 different templates, can you ask that in the same question? I don't get it to work. certutil -config - -view -restrict "NotAfter<=07/30/2012 08:00AM,NotAfter>=07/18/2012 08:00AM,CertificateTemplate = WebServer,CertificateTemplate = Machine" -out "RequesterName,CommonName,NotAfter,Email" Or do I have to separate them into 2 different queries?

  • Anonymous
    January 01, 2003
    A while ago I explained how to determine all certificates that will expire within a given period. Now

  • Anonymous
    April 01, 2015
    The parameter is incorrect

  • Anonymous
    April 01, 2015
    The certutil command does not work

  • Anonymous
    April 09, 2015
    Jim, I hit the same snag. Use this date format 5/5/2015

  • Anonymous
    September 28, 2016
    Does this work fine on server 2012 R2?

    • Anonymous
      February 23, 2017
      It should.