Is there any way to get the Certification Authority that issued a certificate, either by a certutil command or by some interface where I can put in the serial number of a certificate?

Our company has hundreds of thousands of certificates issued by 5 different issuing CAs. Whenever I pull the complete dump (example) via:

certutil -view -config "Issuing-CA01" -restrict "notbefore>22/09/2021" csv > C:\Users\XYZ\Desktop\dump.csv

I do not find the information about the issuing CA in this dump, which contains all possible columns that the certutil command can deliver. The same goes for the SAN entries: those are not readable from any dump, except from the certificate itself, but that belongs to a different question.

Is there any way that I can extract the issuing CA via the command line?

  • The issuing CA in your case is "Issuing-CA01". It is the same for all certificates returned by `certutil -view`. What exactly do you want to know about your CA? – Crypt32 Sep 22 '21 at 13:49
  • The issuing CA is on the certificate chain; there is no point in querying one CA for another CA's certificates. Examine the certificate, not the CA. – Scepticalist Sep 22 '21 at 14:28
  • @Scepticalist As it is possible, and common (e.g. KeyArchival), to import (foreign) certificates (and even private keys with them), you can have certificates issued by different CAs in the ADCS database. – Daniel Fisher lennybacon Sep 22 '21 at 14:42

1 Answer

The Issuer is not a column in the ADCS database schema, so the only way is to get the certificate itself out, parse it and print the issuer name.

$tempFileName = Join-Path $env:TEMP "cert.cer"
# Dump the raw (PEM-encoded) certificate of every matching row in the CA database to a temp file.
& certutil -view -config "Issuing-CA01" -restrict "notbefore>22/09/2021" -out "RawCertificate" |
    Out-File -FilePath $tempFileName
# Pull each PEM block out of the dump, decode it to DER and let .NET parse the certificate.
[regex]::Matches(
    (Get-Content $tempFileName -Raw),
    "-----BEGIN CERTIFICATE-----\s*(?<cert>[A-Za-z0-9+/=\s]*)-----END CERTIFICATE-----") |
    ForEach-Object {
        $der = [Convert]::FromBase64String(($_.Groups["cert"].Value -replace "\s", ""))
        # (,$der) keeps the byte array as a single constructor argument.
        $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        Write-Host $certificate.Issuer
    }
Remove-Item $tempFileName
Daniel Fisher lennybacon
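As an added example (not part of the original answer), the same approach carried one step further for a database holding certificates from several issuing CAs: stream certutil's RawCertificate column without a temp file, parse each certificate, and emit objects that can be grouped per issuer or joined back to an existing CSV dump by serial number. The CA config name and date restriction are taken from the question; the function name is an assumption of this example.

```powershell
# Added example, not the original answer's code. Requires PowerShell 5+ for ::new().
function Get-IssuedCertificateIssuer {
    param(
        [Parameter(Mandatory)] [string] $CaConfig,           # e.g. "Issuing-CA01" from the question
        [string] $Restrict = "notbefore>22/09/2021"          # same filter as the question's dump
    )
    # certutil returns the dump as an array of lines; join them so PEM blocks stay intact.
    $dump = (& certutil -view -config $CaConfig -restrict $Restrict -out "RawCertificate") -join "`n"
    # Base64 never contains '-', so the character class stops at the END marker by itself.
    $pem = [regex]'-----BEGIN CERTIFICATE-----\s*(?<b64>[A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----'
    foreach ($m in $pem.Matches($dump)) {
        $der = [Convert]::FromBase64String(($m.Groups['b64'].Value -replace '\s', ''))
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        } catch {
            # A corrupt or foreign blob must not abort a run over hundreds of thousands of rows.
            Write-Warning "Skipping undecodable certificate blob: $($_.Exception.Message)"
            continue
        }
        [pscustomobject]@{
            SerialNumber = $cert.SerialNumber   # key for joining back to the certutil CSV dump
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer         # the value the ADCS database does not store as a column
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
        }
    }
}

# One pass over the database: per-issuer counts, plus a CSV with the issuer next to each serial.
$certs = Get-IssuedCertificateIssuer -CaConfig "Issuing-CA01"
$certs | Group-Object Issuer | Select-Object Count, Name | Sort-Object Count -Descending
$certs | Export-Csv -Path (Join-Path $env:TEMP "issuers.csv") -NoTypeInformation
```

Run it once per issuing CA config; if imported (foreign) certificates are present, the Issuer column is where they show up as a different CA.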