Query Certificates for SHA1 / SHA2 / SHA256












0















I know we can do this in PowerShell.



(Get-ChildItem Cert:CurrentuserMy | Select -Property SignatureAlgorithm -ExpandProperty SignatureAlgorithm).FriendlyName


Results:



sha256RSA
sha256RSA


Ref..
https://blogs.technet.microsoft.com/poshchap/2017/10/20/one-liner-get-signing-algorithm-for-personal-store-certificates/



However, corporate will not allow us to run PowerShell in the field.



I can run the following and get the certs installed for the Intermediate and Root Stores.



certutil -store CA
certutil -store Root


And, these produce results.
However, when looking at the:
Cert Hash(sha1):
It only shows SHA1 and no SHA256?



Sample results one of the entries:



Serial Number: removed
Issuer: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
NotBefore: 10/22/2014 1:05 PM
NotAfter: 10/23/2024 3:33 AM
Subject: CN=Entrust Certification Authority - L1K, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
Non-root Certificate
Cert Hash(sha1): removed


Ultimately, I want to query by company like VeriSign.



Thanks for any insight.



From @JosefZ, I appreciate the insights given:
OK.. I think I have most of this working, but I am getting extra information from other certificate providers.



The script is currently:



@echo off
echo personal
certutil -v -user -store "MY"|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Intermediate
certutil -v -store CA|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Root
certutil -v -store Root|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"


And, the results are - note the extra certificate here:



X509 Certificate:
Serial Number: <removed>
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>


And, should only show VeriSign:



X509 Certificate:
Serial Number: <removed>
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
O=VeriSign, Inc.
O=VeriSign, Inc.
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>


Note: VeriSign (or another vendor like Entrust) are the only certificates we want to see.



Part III, we are now seeing - we are so close:
This works and shows every VeriSign..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign"') do echo %%g


This shows every certificate serial number..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do echo %%g


We need something like:



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign Serial.Number"') do echo %%g


In pseudocode:
For every VeriSign certficate, obtain the serial number so that we can evaluate the sha level.



Thanks to the post at (Note - The sixth response):
How many certs?
https://social.technet.microsoft.com/Forums/en-US/3314021d-ad2a-4748-a93a-69e213845195/certutil-command-line-to-delete-local-personal-certificates?forum=w7itprosecurity



This works, but want to trim it down to show only VeriSign Certificates:



for /f "tokens=1,2 delims=:" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do (certutil -v -store Root "%%h" | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")


Looking to the final script, however the output is a bit odd:



for %a in (CA Root AuthRoot) do (
for /f "tokens=1,2 delims=:" %g in ('certutil.exe -v -store %a^|findstr "Serial.Number"') do (
certutil.exe -v -store %a "%h" | echo %a & findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")
)









share|improve this question

























  • Do you require this to be by CertUtil or would you accept a filtered PowerShell script?

    – Drew
    Oct 31 '18 at 22:55











  • It has to be certutil type of solution. PowerShell, unfortunately is "off the table." I really wish I could use PowerShell as it would be far simpler to accomplish the task.

    – Leptonator
    Nov 1 '18 at 14:03






  • 1





    Try parsing certutil -v -user -store "MY", certutil -v -store CA etc. IMHO, it's sufficient to parse output narrowed using …|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 9 '18 at 17:24











  • @JosefZ - I appreciate your help. Please see my edit to the original post.

    – Leptonator
    Nov 14 '18 at 15:43






  • 1





    Example. for /F "usebackq" %F in (`powershell -c "(Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber"`) do @(certutil -v -store Root %F & certutil -v -store AuthRoot %F) | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 14 '18 at 20:51


















0















I know we can do this in PowerShell.



(Get-ChildItem Cert:CurrentuserMy | Select -Property SignatureAlgorithm -ExpandProperty SignatureAlgorithm).FriendlyName


Results:



sha256RSA
sha256RSA


Ref..
https://blogs.technet.microsoft.com/poshchap/2017/10/20/one-liner-get-signing-algorithm-for-personal-store-certificates/



However, corporate will not allow us to run PowerShell in the field.



I can run the following and get the certs installed for the Intermediate and Root Stores.



certutil -store CA
certutil -store Root


And, these produce results.
However, when looking at the:
Cert Hash(sha1):
It only shows SHA1 and no SHA256?



Sample results one of the entries:



Serial Number: removed
Issuer: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
NotBefore: 10/22/2014 1:05 PM
NotAfter: 10/23/2024 3:33 AM
Subject: CN=Entrust Certification Authority - L1K, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
Non-root Certificate
Cert Hash(sha1): removed


Ultimately, I want to query by company like VeriSign.



Thanks for any insight.



From @JosefZ, I appreciate the insights given:
OK.. I think I have most of this working, but I am getting extra information from other certificate providers.



The script is currently:



@echo off
echo personal
certutil -v -user -store "MY"|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Intermediate
certutil -v -store CA|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Root
certutil -v -store Root|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"


And, the results are - note the extra certificate here:



X509 Certificate:
Serial Number: <removed>
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>


And, should only show VeriSign:



X509 Certificate:
Serial Number: <removed>
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
O=VeriSign, Inc.
O=VeriSign, Inc.
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>


Note: VeriSign (or another vendor like Entrust) are the only certificates we want to see.



Part III, we are now seeing - we are so close:
This works and shows every VeriSign..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign"') do echo %%g


This shows every certificate serial number..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do echo %%g


We need something like:



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign Serial.Number"') do echo %%g


In pseudocode:
For every VeriSign certficate, obtain the serial number so that we can evaluate the sha level.



Thanks to the post at (Note - The sixth response):
How many certs?
https://social.technet.microsoft.com/Forums/en-US/3314021d-ad2a-4748-a93a-69e213845195/certutil-command-line-to-delete-local-personal-certificates?forum=w7itprosecurity



This works, but want to trim it down to show only VeriSign Certificates:



for /f "tokens=1,2 delims=:" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do (certutil -v -store Root "%%h" | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")


Looking to the final script, however the output is a bit odd:



for %a in (CA Root AuthRoot) do (
for /f "tokens=1,2 delims=:" %g in ('certutil.exe -v -store %a^|findstr "Serial.Number"') do (
certutil.exe -v -store %a "%h" | echo %a & findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")
)









share|improve this question

























  • Do you require this to be by CertUtil or would you accept a filtered PowerShell script?

    – Drew
    Oct 31 '18 at 22:55











  • It has to be certutil type of solution. PowerShell, unfortunately is "off the table." I really wish I could use PowerShell as it would be far simpler to accomplish the task.

    – Leptonator
    Nov 1 '18 at 14:03






  • 1





    Try parsing certutil -v -user -store "MY", certutil -v -store CA etc. IMHO, it's sufficient to parse output narrowed using …|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 9 '18 at 17:24











  • @JosefZ - I appreciate your help. Please see my edit to the original post.

    – Leptonator
    Nov 14 '18 at 15:43






  • 1





    Example. for /F "usebackq" %F in (`powershell -c "(Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber"`) do @(certutil -v -store Root %F & certutil -v -store AuthRoot %F) | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 14 '18 at 20:51
















0












0








0


1






I know we can do this in PowerShell.



(Get-ChildItem Cert:CurrentuserMy | Select -Property SignatureAlgorithm -ExpandProperty SignatureAlgorithm).FriendlyName


Results:



sha256RSA
sha256RSA


Ref..
https://blogs.technet.microsoft.com/poshchap/2017/10/20/one-liner-get-signing-algorithm-for-personal-store-certificates/



However, corporate will not allow us to run PowerShell in the field.



I can run the following and get the certs installed for the Intermediate and Root Stores.



certutil -store CA
certutil -store Root


And, these produce results.
However, when looking at the:
Cert Hash(sha1):
It only shows SHA1 and no SHA256?



Sample results one of the entries:



Serial Number: removed
Issuer: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
NotBefore: 10/22/2014 1:05 PM
NotAfter: 10/23/2024 3:33 AM
Subject: CN=Entrust Certification Authority - L1K, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
Non-root Certificate
Cert Hash(sha1): removed


Ultimately, I want to query by company like VeriSign.



Thanks for any insight.



From @JosefZ, I appreciate the insights given:
OK.. I think I have most of this working, but I am getting extra information from other certificate providers.



The script is currently:



@echo off
echo personal
certutil -v -user -store "MY"|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Intermediate
certutil -v -store CA|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Root
certutil -v -store Root|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"


And, the results are - note the extra certificate here:



X509 Certificate:
Serial Number: <removed>
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>


And, should only show VeriSign:



X509 Certificate:
Serial Number: <removed>
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
O=VeriSign, Inc.
O=VeriSign, Inc.
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>


Note: VeriSign (or another vendor like Entrust) are the only certificates we want to see.



Part III, we are now seeing - we are so close:
This works and shows every VeriSign..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign"') do echo %%g


This shows every certificate serial number..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do echo %%g


We need something like:



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign Serial.Number"') do echo %%g


In pseudocode:
For every VeriSign certficate, obtain the serial number so that we can evaluate the sha level.



Thanks to the post at (Note - The sixth response):
How many certs?
https://social.technet.microsoft.com/Forums/en-US/3314021d-ad2a-4748-a93a-69e213845195/certutil-command-line-to-delete-local-personal-certificates?forum=w7itprosecurity



This works, but want to trim it down to show only VeriSign Certificates:



for /f "tokens=1,2 delims=:" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do (certutil -v -store Root "%%h" | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")


Looking to the final script, however the output is a bit odd:



for %a in (CA Root AuthRoot) do (
for /f "tokens=1,2 delims=:" %g in ('certutil.exe -v -store %a^|findstr "Serial.Number"') do (
certutil.exe -v -store %a "%h" | echo %a & findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")
)









share|improve this question
















I know we can do this in PowerShell.



(Get-ChildItem Cert:CurrentuserMy | Select -Property SignatureAlgorithm -ExpandProperty SignatureAlgorithm).FriendlyName


Results:



sha256RSA
sha256RSA


Ref..
https://blogs.technet.microsoft.com/poshchap/2017/10/20/one-liner-get-signing-algorithm-for-personal-store-certificates/



However, corporate will not allow us to run PowerShell in the field.



I can run the following and get the certs installed for the Intermediate and Root Stores.



certutil -store CA
certutil -store Root


And, these produce results.
However, when looking at the:
Cert Hash(sha1):
It only shows SHA1 and no SHA256?



Sample results one of the entries:



Serial Number: removed
Issuer: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
NotBefore: 10/22/2014 1:05 PM
NotAfter: 10/23/2024 3:33 AM
Subject: CN=Entrust Certification Authority - L1K, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
Non-root Certificate
Cert Hash(sha1): removed


Ultimately, I want to query by company like VeriSign.



Thanks for any insight.



From @JosefZ, I appreciate the insights given:
OK.. I think I have most of this working, but I am getting extra information from other certificate providers.



The script is currently:



@echo off
echo personal
certutil -v -user -store "MY"|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Intermediate
certutil -v -store CA|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Root
certutil -v -store Root|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"


And, the results are - note the extra certificate here:



X509 Certificate:
Serial Number: <removed>
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>


And, should only show VeriSign:



X509 Certificate:
Serial Number: <removed>
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
O=VeriSign, Inc.
O=VeriSign, Inc.
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>


Note: VeriSign (or another vendor like Entrust) are the only certificates we want to see.



Part III, we are now seeing - we are so close:
This works and shows every VeriSign..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign"') do echo %%g


This shows every certificate serial number..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do echo %%g


We need something like:



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign Serial.Number"') do echo %%g


In pseudocode:
For every VeriSign certficate, obtain the serial number so that we can evaluate the sha level.



Thanks to the post at (Note - The sixth response):
How many certs?
https://social.technet.microsoft.com/Forums/en-US/3314021d-ad2a-4748-a93a-69e213845195/certutil-command-line-to-delete-local-personal-certificates?forum=w7itprosecurity



This works, but want to trim it down to show only VeriSign Certificates:



for /f "tokens=1,2 delims=:" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do (certutil -v -store Root "%%h" | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")


Looking to the final script, however the output is a bit odd:



for %a in (CA Root AuthRoot) do (
for /f "tokens=1,2 delims=:" %g in ('certutil.exe -v -store %a^|findstr "Serial.Number"') do (
certutil.exe -v -store %a "%h" | echo %a & findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")
)






batch-file certutil






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 20 '18 at 21:59







Leptonator

















asked Oct 31 '18 at 22:16









LeptonatorLeptonator

2,2952739




2,2952739













  • Do you require this to be by CertUtil or would you accept a filtered PowerShell script?

    – Drew
    Oct 31 '18 at 22:55











  • It has to be certutil type of solution. PowerShell, unfortunately is "off the table." I really wish I could use PowerShell as it would be far simpler to accomplish the task.

    – Leptonator
    Nov 1 '18 at 14:03






  • 1





    Try parsing certutil -v -user -store "MY", certutil -v -store CA etc. IMHO, it's sufficient to parse output narrowed using …|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 9 '18 at 17:24











  • @JosefZ - I appreciate your help. Please see my edit to the original post.

    – Leptonator
    Nov 14 '18 at 15:43






  • 1





    Example. for /F "usebackq" %F in (`powershell -c "(Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber"`) do @(certutil -v -store Root %F & certutil -v -store AuthRoot %F) | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 14 '18 at 20:51





















  • Do you require this to be by CertUtil or would you accept a filtered PowerShell script?

    – Drew
    Oct 31 '18 at 22:55











  • It has to be certutil type of solution. PowerShell, unfortunately is "off the table." I really wish I could use PowerShell as it would be far simpler to accomplish the task.

    – Leptonator
    Nov 1 '18 at 14:03






  • 1





    Try parsing certutil -v -user -store "MY", certutil -v -store CA etc. IMHO, it's sufficient to parse output narrowed using …|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 9 '18 at 17:24











  • @JosefZ - I appreciate your help. Please see my edit to the original post.

    – Leptonator
    Nov 14 '18 at 15:43






  • 1





    Example. for /F "usebackq" %F in (`powershell -c "(Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber"`) do @(certutil -v -store Root %F & certutil -v -store AuthRoot %F) | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 14 '18 at 20:51



















Do you require this to be by CertUtil or would you accept a filtered PowerShell script?

– Drew
Oct 31 '18 at 22:55





Do you require this to be by CertUtil or would you accept a filtered PowerShell script?

– Drew
Oct 31 '18 at 22:55













It has to be certutil type of solution. PowerShell, unfortunately is "off the table." I really wish I could use PowerShell as it would be far simpler to accomplish the task.

– Leptonator
Nov 1 '18 at 14:03





It has to be certutil type of solution. PowerShell, unfortunately is "off the table." I really wish I could use PowerShell as it would be far simpler to accomplish the task.

– Leptonator
Nov 1 '18 at 14:03




1




1





Try parsing certutil -v -user -store "MY", certutil -v -store CA etc. IMHO, it's sufficient to parse output narrowed using …|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

– JosefZ
Nov 9 '18 at 17:24





Try parsing certutil -v -user -store "MY", certutil -v -store CA etc. IMHO, it's sufficient to parse output narrowed using …|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

– JosefZ
Nov 9 '18 at 17:24













@JosefZ - I appreciate your help. Please see my edit to the original post.

– Leptonator
Nov 14 '18 at 15:43





@JosefZ - I appreciate your help. Please see my edit to the original post.

– Leptonator
Nov 14 '18 at 15:43




1




1





Example. for /F "usebackq" %F in (`powershell -c "(Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber"`) do @(certutil -v -store Root %F & certutil -v -store AuthRoot %F) | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

– JosefZ
Nov 14 '18 at 20:51







Example. for /F "usebackq" %F in (`powershell -c "(Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber"`) do @(certutil -v -store Root %F & certutil -v -store AuthRoot %F) | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

– JosefZ
Nov 14 '18 at 20:51














1 Answer
1






active

oldest

votes


















1














The following 53092715.bat script returns desired Serial Numbers, see the _NextCert variable in echo %_Issuer%: %_user% -store "%~1" !_NextCert! command.



Usage: 53092715.bat option [Issuer] where





  • option (optional, default is ""; mandatory if present the Issuer parameter; then use e.g. "");


  • Issuer (optional, default is "Verisign"); may not contain = (an equal sign); may not contain a space (these restrictions could be eliminated with some effort).


Usage examples:





  • 53092715.bat       to query HKEY_LOCAL_MACHINE keys or certificate store


  • 53092715.bat -gp   to query Group Policy certificate store


  • 53092715.bat -user to query HKEY_CURRENT_USER keys or certificate store

  • 53092715.bat "" Apple

  • 53092715.bat -user Thawte


The script:



@ECHO OFF
SETLOCAL EnableExtensions EnableDelayedExpansion
if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"
if /I "%~1"=="" (set "_user=") else set "_user=%~1"
call :findCertSN "Root"
call :findCertSN "AuthRoot"
call :findCertSN "CA"
rem call :findCertSN "My"
ENDLOCAL
goto :eof

:findCertSN
set "_NextCert="
for /F "delims=" %%G in ('
certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (
set "_Line=%%G"
if "!_Line:~0,14!"=="Serial Number:" (
set "_NextCert=!_Line:~15!"
) else (
if "!_Line:~0,7!"=="Issuer:" (
set "_Line=!_Line:~8!"
set "_NextIssuer="
for %%g in (!_line!) do (
set "_Elin=%%g"
set "_Part=!_Elin:%_Issuer%=!"
if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"
)
if defined _NextCert if defined _NextIssuer (
echo %_Issuer%: %_user% -store "%~1" !_NextCert!
set "_NextCert="
)
)
)
)
goto :eof





share|improve this answer
























  • Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

    – Leptonator
    Nov 21 '18 at 14:47











  • Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

    – Leptonator
    Nov 21 '18 at 16:58













  • The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

    – Leptonator
    Nov 21 '18 at 17:38













Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53092715%2fquery-certificates-for-sha1-sha2-sha256%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














The following 53092715.bat script returns desired Serial Numbers, see the _NextCert variable in echo %_Issuer%: %_user% -store "%~1" !_NextCert! command.



Usage: 53092715.bat option [Issuer] where





  • option (optional, default is ""; mandatory if present the Issuer parameter; then use e.g. "");


  • Issuer (optional, default is "Verisign"); may not contain = (an equal sign); may not contain a space (these restrictions could be eliminated with some effort).


Usage examples:





  • 53092715.bat       to query HKEY_LOCAL_MACHINE keys or certificate store


  • 53092715.bat -gp   to query Group Policy certificate store


  • 53092715.bat -user to query HKEY_CURRENT_USER keys or certificate store

  • 53092715.bat "" Apple

  • 53092715.bat -user Thawte


The script:



@ECHO OFF
SETLOCAL EnableExtensions EnableDelayedExpansion
if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"
if /I "%~1"=="" (set "_user=") else set "_user=%~1"
call :findCertSN "Root"
call :findCertSN "AuthRoot"
call :findCertSN "CA"
rem call :findCertSN "My"
ENDLOCAL
goto :eof

:findCertSN
set "_NextCert="
for /F "delims=" %%G in ('
certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (
set "_Line=%%G"
if "!_Line:~0,14!"=="Serial Number:" (
set "_NextCert=!_Line:~15!"
) else (
if "!_Line:~0,7!"=="Issuer:" (
set "_Line=!_Line:~8!"
set "_NextIssuer="
for %%g in (!_line!) do (
set "_Elin=%%g"
set "_Part=!_Elin:%_Issuer%=!"
if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"
)
if defined _NextCert if defined _NextIssuer (
echo %_Issuer%: %_user% -store "%~1" !_NextCert!
set "_NextCert="
)
)
)
)
goto :eof





share|improve this answer
























  • Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

    – Leptonator
    Nov 21 '18 at 14:47











  • Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

    – Leptonator
    Nov 21 '18 at 16:58













  • The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

    – Leptonator
    Nov 21 '18 at 17:38


















1














The following 53092715.bat script returns desired Serial Numbers, see the _NextCert variable in echo %_Issuer%: %_user% -store "%~1" !_NextCert! command.



Usage: 53092715.bat option [Issuer] where





  • option (optional, default is ""; mandatory if present the Issuer parameter; then use e.g. "");


  • Issuer (optional, default is "Verisign"); may not contain = (an equal sign); may not contain a space (these restrictions could be eliminated with some effort).


Usage examples:





  • 53092715.bat       to query HKEY_LOCAL_MACHINE keys or certificate store


  • 53092715.bat -gp   to query Group Policy certificate store


  • 53092715.bat -user to query HKEY_CURRENT_USER keys or certificate store

  • 53092715.bat "" Apple

  • 53092715.bat -user Thawte


The script:



@ECHO OFF
SETLOCAL EnableExtensions EnableDelayedExpansion
if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"
if /I "%~1"=="" (set "_user=") else set "_user=%~1"
call :findCertSN "Root"
call :findCertSN "AuthRoot"
call :findCertSN "CA"
rem call :findCertSN "My"
ENDLOCAL
goto :eof

:findCertSN
set "_NextCert="
for /F "delims=" %%G in ('
certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (
set "_Line=%%G"
if "!_Line:~0,14!"=="Serial Number:" (
set "_NextCert=!_Line:~15!"
) else (
if "!_Line:~0,7!"=="Issuer:" (
set "_Line=!_Line:~8!"
set "_NextIssuer="
for %%g in (!_line!) do (
set "_Elin=%%g"
set "_Part=!_Elin:%_Issuer%=!"
if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"
)
if defined _NextCert if defined _NextIssuer (
echo %_Issuer%: %_user% -store "%~1" !_NextCert!
set "_NextCert="
)
)
)
)
goto :eof





share|improve this answer
























  • Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

    – Leptonator
    Nov 21 '18 at 14:47











  • Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

    – Leptonator
    Nov 21 '18 at 16:58













  • The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

    – Leptonator
    Nov 21 '18 at 17:38
















1












1








1







The following 53092715.bat script returns desired Serial Numbers, see the _NextCert variable in echo %_Issuer%: %_user% -store "%~1" !_NextCert! command.



Usage: 53092715.bat option [Issuer] where





  • option (optional, default is ""; mandatory if present the Issuer parameter; then use e.g. "");


  • Issuer (optional, default is "Verisign"); may not contain = (an equal sign); may not contain a space (these restrictions could be eliminated with some effort).


Usage examples:





  • 53092715.bat       to query HKEY_LOCAL_MACHINE keys or certificate store


  • 53092715.bat -gp   to query Group Policy certificate store


  • 53092715.bat -user to query HKEY_CURRENT_USER keys or certificate store

  • 53092715.bat "" Apple

  • 53092715.bat -user Thawte


The script:



@ECHO OFF
SETLOCAL EnableExtensions EnableDelayedExpansion
if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"
if /I "%~1"=="" (set "_user=") else set "_user=%~1"
call :findCertSN "Root"
call :findCertSN "AuthRoot"
call :findCertSN "CA"
rem call :findCertSN "My"
ENDLOCAL
goto :eof

:findCertSN
set "_NextCert="
for /F "delims=" %%G in ('
certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (
set "_Line=%%G"
if "!_Line:~0,14!"=="Serial Number:" (
set "_NextCert=!_Line:~15!"
) else (
if "!_Line:~0,7!"=="Issuer:" (
set "_Line=!_Line:~8!"
set "_NextIssuer="
for %%g in (!_line!) do (
set "_Elin=%%g"
set "_Part=!_Elin:%_Issuer%=!"
if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"
)
if defined _NextCert if defined _NextIssuer (
echo %_Issuer%: %_user% -store "%~1" !_NextCert!
set "_NextCert="
)
)
)
)
goto :eof





share|improve this answer













The following 53092715.bat script returns desired Serial Numbers, see the _NextCert variable in echo %_Issuer%: %_user% -store "%~1" !_NextCert! command.



Usage: 53092715.bat option [Issuer] where





  • option (optional, default is ""; mandatory if present the Issuer parameter; then use e.g. "");


  • Issuer (optional, default is "Verisign"); may not contain = (an equal sign); may not contain a space (these restrictions could be eliminated with some effort).


Usage examples:





  • 53092715.bat       to query HKEY_LOCAL_MACHINE keys or certificate store


  • 53092715.bat -gp   to query Group Policy certificate store


  • 53092715.bat -user to query HKEY_CURRENT_USER keys or certificate store

  • 53092715.bat "" Apple

  • 53092715.bat -user Thawte


The script:



@ECHO OFF
SETLOCAL EnableExtensions EnableDelayedExpansion
if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"
if /I "%~1"=="" (set "_user=") else set "_user=%~1"
call :findCertSN "Root"
call :findCertSN "AuthRoot"
call :findCertSN "CA"
rem call :findCertSN "My"
ENDLOCAL
goto :eof

:findCertSN
set "_NextCert="
for /F "delims=" %%G in ('
certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (
set "_Line=%%G"
if "!_Line:~0,14!"=="Serial Number:" (
set "_NextCert=!_Line:~15!"
) else (
if "!_Line:~0,7!"=="Issuer:" (
set "_Line=!_Line:~8!"
set "_NextIssuer="
for %%g in (!_line!) do (
set "_Elin=%%g"
set "_Part=!_Elin:%_Issuer%=!"
if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"
)
if defined _NextCert if defined _NextIssuer (
echo %_Issuer%: %_user% -store "%~1" !_NextCert!
set "_NextCert="
)
)
)
)
goto :eof






share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 21 '18 at 1:43









JosefZJosefZ

16k42140




16k42140













  • Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

    – Leptonator
    Nov 21 '18 at 14:47











  • Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

    – Leptonator
    Nov 21 '18 at 16:58













  • The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

    – Leptonator
    Nov 21 '18 at 17:38





















  • Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

    – Leptonator
    Nov 21 '18 at 14:47











  • Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

    – Leptonator
    Nov 21 '18 at 16:58













  • The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

    – Leptonator
    Nov 21 '18 at 17:38



















Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

– Leptonator
Nov 21 '18 at 14:47





Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

– Leptonator
Nov 21 '18 at 14:47













Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

– Leptonator
Nov 21 '18 at 16:58







Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

– Leptonator
Nov 21 '18 at 16:58















The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

– Leptonator
Nov 21 '18 at 17:38







The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

– Leptonator
Nov 21 '18 at 17:38






















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53092715%2fquery-certificates-for-sha1-sha2-sha256%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Florida Star v. B. J. F.

Danny Elfman

Lugert, Oklahoma