This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 99%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Hi guys, What is the best way (script) to pull out export (whole list or just a count) of all CAs issued certificates, same as that can be done with right-click on Issued Certs and export, from CA windows. Ive tried with certutil -view log to CSV file, but that exports issued, revoked, and failed requests together.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 74%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGH%3C/text%3E%3C/svg%3E)
References to the PSPKI module are no longer as valid as they once were. When I installed and checked that module on 31/10/2023, it only had two commandlets in it, not the full set it once did.
I'll look into the COM object approach and will post a separate comment if I figure out a simple (or more useful) approach using it. [Entering just 'certutil -dump' at the cmd will give you the servername\CAName you need for using the COM Object... if you are pursuing those scripts. Look for the line "Config:".]
When executed on the CA, certutil will export a list of issued certificates but filtering it down can be a bit of a pain. The -restrict flag can help with this... but certutil on 2022 Server was throwing an error about receiving too many flags when I tried to use it in combination with -out and -view. Fortunately, PowerShell can help filter the list down a bit.
The following one-liner does the following:
$issuedCerts = (certutil -out "Request Disposition,Revocation Date,Certificate Expiration Date,Certificate Effective Date,Certificate Template,Issued Common Name,Issued Email Address" -view csv) | ConvertFrom-Csv | Where-Object {$_."Request Disposition" -eq "20 -- Issued" -and $_."Revocation Date" -eq "EMPTY" -and $_."Certificate Template" -ne "CAExchange"} | Where-Object {[DateTime]$_."Certificate Expiration Date" -gt (Get-Date)}
The $issuedCerts var can now be exported to file, piped to ConverTo-Html and emailed, or just output to console. e.g. $issuedCerts | fl
$issuedCerts.Count gives a total count of issued certificates. e.g. Write-Host "Total Issued Certs: $($issuedCerts.Count)"
Some notes:
I have the same question as the OP and would just like to comment that asking "would you please tell us why you want to export them by using script?" tells me the person responding does not understand the purpose of automation. The reasons WHY they want to do that are irrelevant. The question was HOW.
I am trying to do the same task because management of certificate renewals is a nightmare. I have PowerShell code that remotely connects to my CA and does a dump. Then using the DNS Name we identify from our naming convention what group needs to manage the upgraded certificate and we send out an email alerting them of what they need to address. We don't want a person to have to click anything within the CA. The people responsible for the certificate renewals don't have access to the CA and we don't want the people that do to be tied down by what should be an automated process. All of this needs to be scheduled, we can't have unscheduled down time in production, so we cannot allow for auto renewal. Instead we have written script code in PowerShell that will perform the request, install it and then bind it within IIS, all without human intervention. We just schedule our jobs for the specific maintenance window approved for that application.
To the OP anonymous usersSkoko , I would recommend you do what I have done and run the following:
CertUtil -deleterow 04/01/2021 Cert
CertUtil -deleterow 04/01/2021 Request
The first will remove all Revoked and Expired Certificates. The second will remove all Failed Requests. The date you put will delete anything OLDER than the date given.
So there will at least be less extra and unneeded data exported. It would really be great if MS would release a comprehensive PowerShell module for the CA server software so we could be more granular. CertUtil SHOULD have the ability to specify what to export.
CertUtil -deleterow 04/01/2021 Cert
CertUtil -deleterow 04/01/2021 Request
these commands will REMOVE rows from CA database, not export as OP asks. If you delete them just to reduce export amount, then you maybe understand in automation, but do not understand in PKI and misuse it.
It would really be great if MS would release a comprehensive PowerShell module for the CA server software so we could be more granular.
I can't speak for Microsoft, but there is one decent community PowerShell PKI module that includes granular queries to CA database, for example: Get-IssuedRequest.
CertUtil -deleterow 04/01/2021 Cert
CertUtil -deleterow 04/01/2021 Request
these commands will REMOVE rows from CA database, not export as OP asks. If you delete them just to reduce export amount, then you maybe understand in automation, but do not understand in PKI and misuse it.
It would really be great if MS would release a comprehensive PowerShell module for the CA server software so we could be more granular.
I don't think they have this in their plans for any near future. However, there is one decent community PowerShell PKI module that includes granular queries to CA database, for example: Get-IssuedRequest.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 40%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Thank you @Laird Mark D. MacLachlan
I hate when someone doesn't know the answer to a question and therefore
1) provides a workaround that doesn't answer the question
2) wastes time going down unnecessary rabbit holes
Just answer the question or don't. Those of us asking the question later have to wade through too much nonsense when people do this.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 17%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hi Folks. Not sure if you've already resolved this. You can view the Certificate Authority store using the COM object called CertificateAuthority.View.
This gentleman has written out the powershell around it: https://www.sysadmins.lv/retired-msft-blogs/alejacma/how-to-export-issued-certificates-from-a-ca-programatically-powershell.aspx
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello anonymous usersSkoko,
Thank you for posting here.
I have done a test in my lab.
I can export certificates in "Issued Certificates" containers by right clicking "Issued Certificates" and selecting "Export List".
Then I can see the contexts in the exported file as below.
I think this is what you want, but would you please tell us why you want to export them by using script?
And based on "I`ve tried with certutil -view log to CSV file, but that exports issued, revoked, and failed requests together.", what command have you tried?
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
Hello @Daisy Zhou ,
Many thanks for your reply.
Yes, this is the exact way Im currently using. Since Im doing this kind of export manually every month, would like to automate it using some command/script in combination with the task scheduler. I don`t need details, a simple count of a total number of issued certificates is all I need in this case.
The command I`ve tried from PS:
certutil -view -log csv > C:\Temp\Issued.csv
Also, what I tried is :
certutil -view -out "RequestID,RequesterName,RequestType,NotAfter,CommonName,CertificateTemplate,SerialNumber" csv > C:\temp\Issued.csv
Besides this, currently having issue with export, and need to solve that first:
The handle is invalid. 0x80070006 (WIN32: 6 ERROR_INVALID_HANDLE)
Hello anonymous usersSkoko,
Thank you for your update.
I am sorrry, I can not find one proper command to export the certs in Issued Certificates container.
Thank you for your understanding and support.
Best Regards,
Daisy Zhou
Hello anonymous usersSkoko,
Thank you for your update.
As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!
Best Regards,
Daisy Zhou
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 88%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
The code exports binary certificates. No need for this (for me)
I just need a list with certificate subject, SAN & serial fields
Anybody has anything useful?
Script from here just errors out for me:
Exception calling "Substring" with "2" argument(s): "Length cannot be less than zero.
Parameter name: length"
At C:\PSScripts\getcerts.ps1:71 char:13
+ $CAs += $configString.SubString($configString.IndexOf("`` ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ArgumentOutOfRangeException
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 79%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Hello! I wanted to do the same, so played around with certutil first
I think you cannot get SAN directly from CA database
If you run "certutil -schema" it will output CA's database schema, there is no SAN field in it, so you can get only subject (common name) and serial from the database itself, for other fields you'll need to somehow get each certificate individually and parse it