
I know we can do this in PowerShell.

(Get-ChildItem Cert:\Currentuser\My\ | Select -Property SignatureAlgorithm -ExpandProperty SignatureAlgorithm).FriendlyName

Results:

sha256RSA
sha256RSA

Ref.: https://blogs.technet.microsoft.com/poshchap/2017/10/20/one-liner-get-signing-algorithm-for-personal-store-certificates/

However, corporate will not allow us to run PowerShell in the field.

I can run the following and get the certs installed for the Intermediate and Root Stores.

certutil -store CA
certutil -store Root

And these produce results. However, when looking at the `Cert Hash(sha1):` line, it only shows SHA1 and no SHA256?

Sample results for one of the entries:

Serial Number: removed
Issuer: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
 NotBefore: 10/22/2014 1:05 PM
 NotAfter: 10/23/2024 3:33 AM
Subject: CN=Entrust Certification Authority - L1K, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
Non-root Certificate
Cert Hash(sha1): removed

Ultimately, I want to query by company like VeriSign.

Thanks for any insight.

From @JosefZ, I appreciate the insights given: OK, I think I have most of this working, but I am getting extra information from other certificate providers.

The script is currently:

@echo off
echo personal
certutil -v -user -store "MY"|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Intermediate
certutil -v -store CA|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Root
certutil -v -store Root|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"

And, the results are - note the extra certificate here:

X509 Certificate:
Serial Number: <removed>
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>

And it should only show VeriSign:

X509 Certificate:
Serial Number: <removed>
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    O=VeriSign, Inc.
    O=VeriSign, Inc.
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>

Note: VeriSign (or another vendor like Entrust) are the only certificates we want to see.

Part III, we are now seeing - we are so close. This works and shows every VeriSign certificate:

for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign"') do echo %%g

This shows every certificate serial number:

for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do echo %%g

We need something like:

for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign Serial.Number"') do echo %%g

In pseudocode: for every VeriSign certificate, obtain the serial number so that we can evaluate the SHA level.

Thanks to the post at (note: the sixth response, "How many certs?") https://social.technet.microsoft.com/Forums/en-US/3314021d-ad2a-4748-a93a-69e213845195/certutil-command-line-to-delete-local-personal-certificates?forum=w7itprosecurity

This works, but want to trim it down to show only VeriSign Certificates:

for /f "tokens=1,2 delims=:" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do (certutil -v -store Root "%%h" | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")

Looking at the final script, however, the output is a bit odd:

@echo off
rem In a .bat file the for variables are written %%a / %%g; on the command line they are %a / %g.
rem The echo has to come before the pipeline: piping certutil's output into echo discards it
rem and leaves findstr with no input except the console, which is what made the output odd.
for %%a in (CA Root AuthRoot) do (
  for /f "tokens=1,2 delims=:" %%g in ('certutil.exe -v -store %%a^|findstr "Serial.Number"') do (
    echo %%a
    certutil.exe -v -store %%a "%%h" | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN="
  )
)
Leptonator
  • Do you require this to be by CertUtil or would you accept a filtered PowerShell script? – Drew Oct 31 '18 at 22:55
  • It has to be certutil type of solution. PowerShell, unfortunately is "off the table." I really wish I could use PowerShell as it would be far simpler to accomplish the task. – Leptonator Nov 01 '18 at 14:03
  • Try parsing `certutil -v -user -store "MY"`, `certutil -v -store CA` etc. IMHO, it's sufficient to parse output narrowed using `…|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"` – JosefZ Nov 09 '18 at 17:24
  • @JosefZ - I appreciate your help. Please see my edit to the original post. – Leptonator Nov 14 '18 at 15:43
  • Filtering `certutil -store` output by issuer name isn't an easy task for me. However, I know the `CertUtil [Options] -store [CertificateStoreName [CertId [OutputFile]]]` syntax pattern (known from `CertUtil -store -?`). I'd apply `CertID`s (taken from PowerShell's `(Get-ChildItem Cert:\LocalMachine\Root\ | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber`) to `certutil -v -store Root CertID`. – JosefZ Nov 14 '18 at 19:08
  • Example. ``for /F "usebackq" %F in (`powershell -c "(Get-ChildItem Cert:\LocalMachine\Root\ | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber"`) do @(certutil -v -store Root %F & certutil -v -store AuthRoot %F) | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"`` – JosefZ Nov 14 '18 at 20:51
  • @JosefZ - Wow, wow, wow.. I can use the script on my local machine and it works great! However, I cannot use PowerShell out in the field. I know you have spent a ton of time on this, but I need to continue down the path you have laid for me. – Leptonator Nov 20 '18 at 14:44
  • I have updated the post. We are very close. – Leptonator Nov 20 '18 at 22:00

1 Answer

The following 53092715.bat script returns the desired Serial Numbers; see the `_NextCert` variable in the `echo %_Issuer%: %_user% -store "%~1" !_NextCert!` command.

Usage: 53092715.bat option [Issuer] where

  • option (optional, default is ""; mandatory if the Issuer parameter is present; then use e.g. "");
  • Issuer (optional, default is "Verisign"); may not contain = (an equal sign); may not contain a space (these restrictions could be eliminated with some effort).

Usage examples:

  • 53092715.bat       to query HKEY_LOCAL_MACHINE keys or certificate store
  • 53092715.bat -gp   to query Group Policy certificate store
  • 53092715.bat -user to query HKEY_CURRENT_USER keys or certificate store
  • 53092715.bat "" Apple
  • 53092715.bat -user Thawte

The script:

@ECHO OFF
SETLOCAL EnableExtensions EnableDelayedExpansion
rem %2 = issuer name to look for, default VeriSign; %1 = certutil option such as -user or -gp
if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"
if /I "%~1"=="" (set "_user=") else set "_user=%~1"
call :findCertSN "Root"
call :findCertSN "AuthRoot"
call :findCertSN "CA"
rem call :findCertSN "My"
ENDLOCAL
goto :eof

:findCertSN
rem Walk the "Serial Number:" / "Issuer:" line pairs that certutil prints for the store in %1.
rem Each serial is remembered and printed only if the Issuer line that follows it matches.
set "_NextCert="
for /F "delims=" %%G in ('certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (
    set "_Line=%%G"
    if "!_Line:~0,14!"=="Serial Number:" (
      set "_NextCert=!_Line:~15!"
    ) else (
      if "!_Line:~0,7!"=="Issuer:" (
        set "_Line=!_Line:~8!"
        set "_NextIssuer="
        rem Split the issuer DN on spaces and commas and test every piece for the wanted name:
        rem the substitution changes the piece only when the name occurs in it.
        for %%g in (!_line!) do (
          set "_Elin=%%g"
          set "_Part=!_Elin:%_Issuer%=!"
          if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"
        )
        if defined _NextCert if defined _NextIssuer (
            echo %_Issuer%: %_user% -store "%~1" !_NextCert!
            set "_NextCert="
        )
      )
    )
  )
goto :eof
JosefZ
  • Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates. – Leptonator Nov 21 '18 at 14:47
  • Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever.. – Leptonator Nov 21 '18 at 16:58
  • The issue seen maybe related to the machine I was running this on. Disregard to the previous comment. – Leptonator Nov 21 '18 at 17:38
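As an added example, not code from the question or from JosefZ's answer, the batch file below carries the question's pseudocode ("for every VeriSign certificate, obtain the serial number so that we can evaluate the SHA level") through to the end on top of the answer's approach. For each of the Root, AuthRoot and CA stores it pairs the `Serial Number:` and `Issuer:` lines of plain `certutil -store`, and for every certificate whose issuer contains the wanted name it runs `certutil -v -store <store> <serial>` and reads the signature algorithm from the first `Algorithm ObjectId:` line (the first of the three such lines in the verbose dump shown in the question). That line, not `Cert Hash(sha1)`, is where the hash algorithm lives: `Cert Hash(sha1)` is the certificate's SHA-1 thumbprint, which certutil prints for every certificate regardless of how it was signed, so it will never show "sha256". The file name `certsigalg.bat`, the `OK`/`WEAK`/`UNKNOWN` labels and the rule "anything not signed with sha256, sha384 or sha512 is WEAK" are this example's own choices; it assumes `certutil.exe` is on PATH and, like the answer's script, that the issuer name contains no `=`, `!` or spaces.

```batch
@ECHO OFF
SETLOCAL EnableExtensions EnableDelayedExpansion
rem Added example, not from the question or the accepted answer.
rem Usage: certsigalg.bat [Issuer] [certutil option]
rem   Issuer   substring matched case-insensitively against each Issuer: line,
rem            default VeriSign; must not contain =, ! or spaces
rem   option   e.g. -user for the current-user stores; default is the machine stores
rem Output, one line per matching certificate:
rem   store serial=hex sigalg=name-from-certutil followed by OK, WEAK or UNKNOWN
if "%~1"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~1"
set "_Opt=%~2"
for %%S in (Root AuthRoot CA) do call :scanStore "%%S"
ENDLOCAL
goto :eof

:scanStore
rem Plain "certutil -store" prints "Serial Number:" and then "Issuer:" for every
rem certificate; remember the serial and act on it when the Issuer line matches.
set "_Serial="
for /F "delims=" %%G in ('certutil %_Opt% -store "%~1" ^| findstr /B /C:"Serial Number:" /C:"Issuer:"') do (
    set "_Line=%%G"
    if "!_Line:~0,14!"=="Serial Number:" (
        set "_Serial=!_Line:~15!"
    ) else (
        rem Substring test: the replacement changes the line only if the issuer name occurs in it.
        set "_IssuerLine=!_Line:~8!"
        if not "!_IssuerLine:%_Issuer%=!"=="!_IssuerLine!" if defined _Serial call :reportCert "%~1" "!_Serial!"
        set "_Serial="
    )
)
goto :eof

:reportCert
rem "certutil -v -store store serial" prints three "Algorithm ObjectId:" lines:
rem the signature algorithm, the public-key algorithm and the signature algorithm
rem again, as in the verbose dump in the question. The first one is the one we want.
set "_SigAlg="
for /F "tokens=3*" %%A in ('certutil %_Opt% -v -store "%~1" "%~2" ^| findstr /C:"Algorithm ObjectId:"') do (
    if not defined _SigAlg set "_SigAlg=%%B"
)
rem Example's own rule: anything not signed with a SHA-2 hash, e.g. sha1RSA or md5RSA, is WEAK.
if not defined _SigAlg (
    set "_Flag=UNKNOWN"
) else (
    set "_Flag=WEAK"
    for %%H in (sha256 sha384 sha512) do if not "!_SigAlg:%%H=!"=="!_SigAlg!" set "_Flag=OK"
)
echo %~1 serial=%~2 sigalg=!_SigAlg! !_Flag!
goto :eof
```

Run it as `certsigalg.bat Entrust` for the machine stores or `certsigalg.bat VeriSign -user` for the current-user stores; it needs no PowerShell. Because the enumeration uses the non-verbose `certutil -store` output and only the per-certificate lookup uses `-v`, the `findstr /B` anchors keep nested lines of the verbose dump from being mistaken for a new certificate, and a store that contains no certificate from the wanted issuer simply prints nothing for that store.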