From: Andreas Moroder on
Hello,

Is it possible to get from the command line a list of the certificates
that are installed for the user that is logged in?

Thanks
Andreas
From: MowGreen on
Andreas Moroder wrote:
> Hello,
>
> Is it possible to get from the command line a list of the certificates
> that are installed for the user that is logged in?
>
> Thanks
> Andreas


For the logged in User you can open Internet Options > Content >
Certificates

Here are all the commands for certutil:

certutil /?

Verbs:
-dump -- Dump configuration information or files
-asn -- Parse ASN.1 file

-decodehex -- Decode hexadecimal-encoded file
-decode -- Decode Base64-encoded file
-encode -- Encode file to Base64

-deny -- Deny pending request
-resubmit -- Resubmit pending request
-setattributes -- Set attributes for pending request
-setextension -- Set extension for pending request
-revoke -- Revoke Certificate
-isvalid -- Display current certificate disposition

-getconfig -- Get default configuration string
-ping -- Ping Active Directory Certificate Services Request interface
-pingadmin -- Ping Active Directory Certificate Services Admin interface
-CAInfo -- Display CA Information
-ca.cert -- Retrieve the CA's certificate
-ca.chain -- Retrieve the CA's certificate chain
-GetCRL -- Get CRL
-CRL -- Publish new CRLs [or delta CRLs only]
-shutdown -- Shutdown Active Directory Certificate Services

-installCert -- Install Certification Authority certificate
-renewCert -- Renew Certification Authority certificate

-schema -- Dump Certificate Schema
-view -- Dump Certificate View
-db -- Dump Raw Database
-deleterow -- Delete server database row

-backup -- Backup Active Directory Certificate Services
-backupDB -- Backup Active Directory Certificate Services database
-backupKey -- Backup Active Directory Certificate Services certificate and private key
-restore -- Restore Active Directory Certificate Services
-restoreDB -- Restore Active Directory Certificate Services database
-restoreKey -- Restore Active Directory Certificate Services certificate and private key
-importPFX -- Import certificate and private key
-dynamicfilelist -- Display dynamic file List
-databaselocations -- Display database locations
-hashfile -- Generate and display cryptographic hash over a file

-store -- Dump certificate store
-addstore -- Add certificate to store
-delstore -- Delete certificate from store
-verifystore -- Verify certificate in store
-repairstore -- Repair key association or update certificate properties or key security descriptor
-viewstore -- Dump certificate store
-viewdelstore -- Delete certificate from store

-dsPublish -- Publish certificate or CRL to Active Directory

-ADTemplate -- Display AD templates
-Template -- Display Enrollment Policy templates
-TemplateCAs -- Display CAs for template
-CATemplates -- Display templates for CA
-enrollmentServerURL -- Display, add or delete enrollment server URLs associated with a CA
-ADCA -- Display AD CAs
-CA -- Display Enrollment Policy CAs
-Policy -- Display Enrollment Policy
-PolicyCache -- Display or delete Enrollment Policy Cache entries
-CredStore -- Display, add or delete Credential Store entries
-InstallDefaultTemplates -- Install default certificate templates
-URLCache -- Display or delete URL cache entries
-pulse -- Pulse autoenrollment events
-MachineInfo -- Display Active Directory machine object information
-DCInfo -- Display domain controller information
-EntInfo -- Display enterprise information
-TCAInfo -- Display CA information
-SCInfo -- Display smart card information

-SCRoots -- Manage smart card root certificates

-verifykeys -- Verify public/private key set
-verify -- Verify certificate, CRL or chain
-sign -- Re-sign CRL or certificate

-vroot -- Create/delete web virtual roots and file shares
-vocsproot -- Create/delete web virtual roots for OCSP web proxy
-addEnrollmentServer -- Add an Enrollment Server application
-deleteEnrollmentServer -- Delete an Enrollment Server application
-oid -- Display ObjectId or set display name
-error -- Display error code message text
-getreg -- Display registry value
-setreg -- Set registry value
-delreg -- Delete registry value

-ImportKMS -- Import user keys and certificates into server database for key archival
-ImportCert -- Import a certificate file into the database
-GetKey -- Retrieve archived private key recovery blob
-RecoverKey -- Recover archived private key
-MergePFX -- Merge PFX files
-ConvertEPF -- Convert PFX files to EPF file
-? -- Display this usage message


CertUtil -? -- Display a verb list (command list)
CertUtil -dump -? -- Display help text for the "dump" verb
CertUtil -v -? -- Display all help text for all verbs

CertUtil: -? command completed successfully.


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
From: VanguardLH on
MowGreen wrote:

> Andreas Moroder wrote:
>
>> Is it possible to get from the command line a list of the certificates
>> that are installed for the user that is logged in?
>
> Here are all the commands for certutil:
>
> certutil /?
>
<snipped the command syntax listing>
>
> CertUtil: -? command completed successfully.
>
<snipped the non-signature signature>

certutil is part of Certificate Services which is available with a
*server* version of Windows, not a workstation version, like XP (the
topic of this newsgroup). I didn't see it available as one of the free
utils from the W2K ResKit at ftp://ftp.microsoft.com/ResKit/win2000/ but
maybe it is available in the full ResKit (which you pay for).

If the OP has a server version of Windows available (and that's where
they actually want to get a list of their certs), or they have a Reskit
(if it includes this utility), or the executable can be copied from a
server version of Windows to the XP version and still work there
(without the cert server running on their XP host) then it might work
for the OP. One possibility would be to run certutil on Windows Server
but specify that it interrogate a different host than on which it
executes (but I didn't see a "hostname" parameter to specify a non-local
host).

http://technet.microsoft.com/en-us/library/cc738780(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc732443(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc772898(WS.10).aspx
From: Andreas Moroder on
> For the logged in User you can open Internet Options > Content >
> Certificates
>
> Here are all the commands for certutil:
>
> certutil /?
>
> Verbs:
> -dump -- Dump configuration information or files
> -asn -- Parse ASN.1 file
....
> -CredStore -- Display, add or delete Credential Store entries
.....

Hello,

The version I have on my XP machine does not know the parameter -credstore.
The versions on our Win2008 and Win2008R2 know this parameter but don't
run on my XP because they are X64.

Bye
Andreas




From: MowGreen on
Andreas Moroder wrote:
>> For the logged in User you can open Internet Options > Content >
>> Certificates
>>
>> Here are all the commands for certutil:
>>
>> certutil /?
>>
>> Verbs:
>> -dump -- Dump configuration information or files
>> -asn -- Parse ASN.1 file
> ...
>> -CredStore -- Display, add or delete Credential Store entries
> ....
>
> Hello,
>
> The version I have on my XP machine does not know the parameter -credstore.
> The versions on our Win2008 and Win2008R2 know this parameter but don't
> run on my XP because they are X64.
>
> Bye
> Andreas
>
>
>
>

Andreas,

From: http://support.microsoft.com/kb/934576

" The only version of Certutil.exe that Windows XP supports is available
in the Microsoft Windows Server 2003 Administration Pack. To download
the Windows Server 2003 Administration Pack, visit the following
Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en



If you have update 907247 installed on Windows XP SP2, the version of
Certutil.exe that supports the -pulse command is available in the SP1
version of the Windows Server 2003 Administration Pack. To download it,
visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e487f885-f0c7-436a-a392-25793a25bad7&DisplayLang=en
"



MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
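
Added example (not part of any post in this thread): the -store verb from the listing above, combined with certutil's -user option, dumps the logged-on user's certificate stores instead of the local machine's. It assumes a certutil.exe that accepts -user is on the PATH, which the thread does not confirm for the XP Administration Pack build; the store names in the loop are the standard system store names and the choice of which to list is an assumption.

```bat
@echo off
rem Added example: list the certificates in the current user's stores.
rem Assumption: certutil.exe is on the PATH and supports the -user option.
setlocal

rem Preflight: "certutil -?" returns 0 when the tool is present and working.
rem If certutil.exe is missing, cmd.exe sets a non-zero errorlevel instead.
certutil -? >nul 2>&1
if errorlevel 1 (
    echo certutil.exe was not found or failed to run on this machine.
    exit /b 1
)

rem System store names:
rem   My               = Personal (certificates issued to this user)
rem   Root             = Trusted Root Certification Authorities
rem   CA               = Intermediate Certification Authorities
rem   TrustedPublisher = Trusted Publishers
rem Without -user, "certutil -store" reads the local machine stores instead.
for %%S in (My Root CA TrustedPublisher) do (
    echo.
    echo ===== Current user store: %%S =====
    certutil -user -store %%S
)

endlocal
```

Redirect the script's output to a file to keep a dated record, so that a later run can be compared against it to spot certificates added to the user's Root store.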