Query Certificates for SHA1 / SHA2 / SHA256












0















I know we can do this in PowerShell.



(Get-ChildItem Cert:CurrentuserMy | Select -Property SignatureAlgorithm -ExpandProperty SignatureAlgorithm).FriendlyName


Results:



sha256RSA

sha256RSA


Ref..
https://blogs.technet.microsoft.com/poshchap/2017/10/20/one-liner-get-signing-algorithm-for-personal-store-certificates/



However, corporate will not allow us to run PowerShell in the field.



I can run the following and get the certs installed for the Intermediate and Root Stores.



certutil -store CA

certutil -store Root


And, these produce results.
However, when looking at the:
Cert Hash(sha1):
It only shows SHA1 and no SHA256?



Sample results one of the entries:



Serial Number: removed

Issuer: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

 NotBefore: 10/22/2014 1:05 PM

 NotAfter: 10/23/2024 3:33 AM

Subject: CN=Entrust Certification Authority - L1K, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

Non-root Certificate

Cert Hash(sha1): removed


Ultimately, I want to query by company like VeriSign.



Thanks for any insight.



From @JosefZ, I appreciate the insights given:
OK.. I think I have most of this working, but I am getting extra information from other certificate providers.



The script is currently:



@echo off

echo personal

certutil -v -user -store "MY"|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"

echo Intermediate

certutil -v -store CA|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"

echo Root

certutil -v -store Root|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"


And, the results are - note the extra certificate here:



X509 Certificate:

Serial Number: <removed>

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

Cert Hash(md5): <removed>

Cert Hash(sha1): <removed>


And, should only show VeriSign:



X509 Certificate:

Serial Number: <removed>

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

    O=VeriSign, Inc.

    O=VeriSign, Inc.

    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

Cert Hash(md5): <removed>

Cert Hash(sha1): <removed>


Note: VeriSign (or another vendor like Entrust) are the only certificates we want to see.



Part III, we are now seeing - we are so close:
This works and shows every VeriSign..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign"') do echo %%g


This shows every certificate serial number..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do echo %%g


We need something like:



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign Serial.Number"') do echo %%g


In pseudocode:
For every VeriSign certficate, obtain the serial number so that we can evaluate the sha level.



Thanks to the post at (Note - The sixth response):
How many certs?
https://social.technet.microsoft.com/Forums/en-US/3314021d-ad2a-4748-a93a-69e213845195/certutil-command-line-to-delete-local-personal-certificates?forum=w7itprosecurity



This works, but want to trim it down to show only VeriSign Certificates:



for /f "tokens=1,2 delims=:" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do (certutil -v -store Root "%%h" | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")


Looking to the final script, however the output is a bit odd:



for %a in (CA Root AuthRoot) do (

for /f "tokens=1,2 delims=:" %g in ('certutil.exe -v -store %a^|findstr "Serial.Number"') do (

certutil.exe -v -store %a "%h" | echo %a & findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")

)





batch-file certutil







share|improve this question

























  • Do you require this to be by CertUtil or would you accept a filtered PowerShell script?

    – Drew
    Oct 31 '18 at 22:55











  • It has to be certutil type of solution. PowerShell, unfortunately is "off the table." I really wish I could use PowerShell as it would be far simpler to accomplish the task.

    – Leptonator
    Nov 1 '18 at 14:03






  • 1





    Try parsing certutil -v -user -store "MY", certutil -v -store CA etc. IMHO, it's sufficient to parse output narrowed using …|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 9 '18 at 17:24











  • @JosefZ - I appreciate your help. Please see my edit to the original post.

    – Leptonator
    Nov 14 '18 at 15:43






  • 1





    Example. for /F "usebackq" %F in (`powershell -c "(Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber"`) do @(certutil -v -store Root %F & certutil -v -store AuthRoot %F) | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 14 '18 at 20:51


















0















I know we can do this in PowerShell.



(Get-ChildItem Cert:CurrentuserMy | Select -Property SignatureAlgorithm -ExpandProperty SignatureAlgorithm).FriendlyName


Results:



sha256RSA

sha256RSA


Ref..
https://blogs.technet.microsoft.com/poshchap/2017/10/20/one-liner-get-signing-algorithm-for-personal-store-certificates/



However, corporate will not allow us to run PowerShell in the field.



I can run the following and get the certs installed for the Intermediate and Root Stores.



certutil -store CA

certutil -store Root


And, these produce results.
However, when looking at the:
Cert Hash(sha1):
It only shows SHA1 and no SHA256?



Sample results one of the entries:



Serial Number: removed

Issuer: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

 NotBefore: 10/22/2014 1:05 PM

 NotAfter: 10/23/2024 3:33 AM

Subject: CN=Entrust Certification Authority - L1K, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

Non-root Certificate

Cert Hash(sha1): removed


Ultimately, I want to query by company like VeriSign.



Thanks for any insight.



From @JosefZ, I appreciate the insights given:
OK.. I think I have most of this working, but I am getting extra information from other certificate providers.



The script is currently:



@echo off

echo personal

certutil -v -user -store "MY"|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"

echo Intermediate

certutil -v -store CA|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"

echo Root

certutil -v -store Root|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"


And, the results are - note the extra certificate here:



X509 Certificate:

Serial Number: <removed>

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

Cert Hash(md5): <removed>

Cert Hash(sha1): <removed>


And, should only show VeriSign:



X509 Certificate:

Serial Number: <removed>

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

    O=VeriSign, Inc.

    O=VeriSign, Inc.

    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

Cert Hash(md5): <removed>

Cert Hash(sha1): <removed>


Note: VeriSign (or another vendor like Entrust) are the only certificates we want to see.



Part III, we are now seeing - we are so close:
This works and shows every VeriSign..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign"') do echo %%g


This shows every certificate serial number..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do echo %%g


We need something like:



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign Serial.Number"') do echo %%g


In pseudocode:
For every VeriSign certficate, obtain the serial number so that we can evaluate the sha level.



Thanks to the post at (Note - The sixth response):
How many certs?
https://social.technet.microsoft.com/Forums/en-US/3314021d-ad2a-4748-a93a-69e213845195/certutil-command-line-to-delete-local-personal-certificates?forum=w7itprosecurity



This works, but want to trim it down to show only VeriSign Certificates:



for /f "tokens=1,2 delims=:" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do (certutil -v -store Root "%%h" | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")


Looking to the final script, however the output is a bit odd:



for %a in (CA Root AuthRoot) do (

for /f "tokens=1,2 delims=:" %g in ('certutil.exe -v -store %a^|findstr "Serial.Number"') do (

certutil.exe -v -store %a "%h" | echo %a & findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")

)





batch-file certutil







share|improve this question

























  • Do you require this to be by CertUtil or would you accept a filtered PowerShell script?

    – Drew
    Oct 31 '18 at 22:55











  • It has to be certutil type of solution. PowerShell, unfortunately is "off the table." I really wish I could use PowerShell as it would be far simpler to accomplish the task.

    – Leptonator
    Nov 1 '18 at 14:03






  • 1





    Try parsing certutil -v -user -store "MY", certutil -v -store CA etc. IMHO, it's sufficient to parse output narrowed using …|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 9 '18 at 17:24











  • @JosefZ - I appreciate your help. Please see my edit to the original post.

    – Leptonator
    Nov 14 '18 at 15:43






  • 1





    Example. for /F "usebackq" %F in (`powershell -c "(Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber"`) do @(certutil -v -store Root %F & certutil -v -store AuthRoot %F) | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 14 '18 at 20:51
















0












0








0


1






I know we can do this in PowerShell.



(Get-ChildItem Cert:CurrentuserMy | Select -Property SignatureAlgorithm -ExpandProperty SignatureAlgorithm).FriendlyName


Results:



sha256RSA

sha256RSA


Ref..
https://blogs.technet.microsoft.com/poshchap/2017/10/20/one-liner-get-signing-algorithm-for-personal-store-certificates/



However, corporate will not allow us to run PowerShell in the field.



I can run the following and get the certs installed for the Intermediate and Root Stores.



certutil -store CA

certutil -store Root


And, these produce results.
However, when looking at the:
Cert Hash(sha1):
It only shows SHA1 and no SHA256?



Sample results one of the entries:



Serial Number: removed

Issuer: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

 NotBefore: 10/22/2014 1:05 PM

 NotAfter: 10/23/2024 3:33 AM

Subject: CN=Entrust Certification Authority - L1K, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

Non-root Certificate

Cert Hash(sha1): removed


Ultimately, I want to query by company like VeriSign.



Thanks for any insight.



From @JosefZ, I appreciate the insights given:
OK.. I think I have most of this working, but I am getting extra information from other certificate providers.



The script is currently:



@echo off

echo personal

certutil -v -user -store "MY"|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"

echo Intermediate

certutil -v -store CA|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"

echo Root

certutil -v -store Root|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"


And, the results are - note the extra certificate here:



X509 Certificate:

Serial Number: <removed>

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

Cert Hash(md5): <removed>

Cert Hash(sha1): <removed>


And, should only show VeriSign:



X509 Certificate:

Serial Number: <removed>

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

    O=VeriSign, Inc.

    O=VeriSign, Inc.

    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

Cert Hash(md5): <removed>

Cert Hash(sha1): <removed>


Note: VeriSign (or another vendor like Entrust) are the only certificates we want to see.



Part III, we are now seeing - we are so close:
This works and shows every VeriSign..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign"') do echo %%g


This shows every certificate serial number..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do echo %%g


We need something like:



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign Serial.Number"') do echo %%g


In pseudocode:
For every VeriSign certficate, obtain the serial number so that we can evaluate the sha level.



Thanks to the post at (Note - The sixth response):
How many certs?
https://social.technet.microsoft.com/Forums/en-US/3314021d-ad2a-4748-a93a-69e213845195/certutil-command-line-to-delete-local-personal-certificates?forum=w7itprosecurity



This works, but want to trim it down to show only VeriSign Certificates:



for /f "tokens=1,2 delims=:" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do (certutil -v -store Root "%%h" | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")


Looking to the final script, however the output is a bit odd:



for %a in (CA Root AuthRoot) do (

for /f "tokens=1,2 delims=:" %g in ('certutil.exe -v -store %a^|findstr "Serial.Number"') do (

certutil.exe -v -store %a "%h" | echo %a & findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")

)





batch-file certutil







share|improve this question
















I know we can do this in PowerShell.



(Get-ChildItem Cert:CurrentuserMy | Select -Property SignatureAlgorithm -ExpandProperty SignatureAlgorithm).FriendlyName


Results:



sha256RSA

sha256RSA


Ref..
https://blogs.technet.microsoft.com/poshchap/2017/10/20/one-liner-get-signing-algorithm-for-personal-store-certificates/



However, corporate will not allow us to run PowerShell in the field.



I can run the following and get the certs installed for the Intermediate and Root Stores.



certutil -store CA

certutil -store Root


And, these produce results.
However, when looking at the:
Cert Hash(sha1):
It only shows SHA1 and no SHA256?



Sample results one of the entries:



Serial Number: removed

Issuer: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

 NotBefore: 10/22/2014 1:05 PM

 NotAfter: 10/23/2024 3:33 AM

Subject: CN=Entrust Certification Authority - L1K, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

Non-root Certificate

Cert Hash(sha1): removed


Ultimately, I want to query by company like VeriSign.



Thanks for any insight.



From @JosefZ, I appreciate the insights given:
OK.. I think I have most of this working, but I am getting extra information from other certificate providers.



The script is currently:



@echo off

echo personal

certutil -v -user -store "MY"|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"

echo Intermediate

certutil -v -store CA|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"

echo Root

certutil -v -store Root|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"


And, the results are - note the extra certificate here:



X509 Certificate:

Serial Number: <removed>

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

Cert Hash(md5): <removed>

Cert Hash(sha1): <removed>


And, should only show VeriSign:



X509 Certificate:

Serial Number: <removed>

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

    O=VeriSign, Inc.

    O=VeriSign, Inc.

    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)

    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA

Cert Hash(md5): <removed>

Cert Hash(sha1): <removed>


Note: VeriSign (or another vendor like Entrust) are the only certificates we want to see.



Part III, we are now seeing - we are so close:
This works and shows every VeriSign..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign"') do echo %%g


This shows every certificate serial number..



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do echo %%g


We need something like:



for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign Serial.Number"') do echo %%g


In pseudocode:
For every VeriSign certficate, obtain the serial number so that we can evaluate the sha level.



Thanks to the post at (Note - The sixth response):
How many certs?
https://social.technet.microsoft.com/Forums/en-US/3314021d-ad2a-4748-a93a-69e213845195/certutil-command-line-to-delete-local-personal-certificates?forum=w7itprosecurity



This works, but want to trim it down to show only VeriSign Certificates:



for /f "tokens=1,2 delims=:" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do (certutil -v -store Root "%%h" | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")


Looking to the final script, however the output is a bit odd:



for %a in (CA Root AuthRoot) do (

for /f "tokens=1,2 delims=:" %g in ('certutil.exe -v -store %a^|findstr "Serial.Number"') do (

certutil.exe -v -store %a "%h" | echo %a & findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")

)





batch-file certutil




batch-file certutil






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 20 '18 at 21:59







Leptonator

















asked Oct 31 '18 at 22:16









LeptonatorLeptonator

2,2952739




2,2952739













  • Do you require this to be by CertUtil or would you accept a filtered PowerShell script?

    – Drew
    Oct 31 '18 at 22:55











  • It has to be certutil type of solution. PowerShell, unfortunately is "off the table." I really wish I could use PowerShell as it would be far simpler to accomplish the task.

    – Leptonator
    Nov 1 '18 at 14:03






  • 1





    Try parsing certutil -v -user -store "MY", certutil -v -store CA etc. IMHO, it's sufficient to parse output narrowed using …|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 9 '18 at 17:24











  • @JosefZ - I appreciate your help. Please see my edit to the original post.

    – Leptonator
    Nov 14 '18 at 15:43






  • 1





    Example. for /F "usebackq" %F in (`powershell -c "(Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber"`) do @(certutil -v -store Root %F & certutil -v -store AuthRoot %F) | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 14 '18 at 20:51





















  • Do you require this to be by CertUtil or would you accept a filtered PowerShell script?

    – Drew
    Oct 31 '18 at 22:55











  • It has to be certutil type of solution. PowerShell, unfortunately is "off the table." I really wish I could use PowerShell as it would be far simpler to accomplish the task.

    – Leptonator
    Nov 1 '18 at 14:03






  • 1





    Try parsing certutil -v -user -store "MY", certutil -v -store CA etc. IMHO, it's sufficient to parse output narrowed using …|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 9 '18 at 17:24











  • @JosefZ - I appreciate your help. Please see my edit to the original post.

    – Leptonator
    Nov 14 '18 at 15:43






  • 1





    Example. for /F "usebackq" %F in (`powershell -c "(Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber"`) do @(certutil -v -store Root %F & certutil -v -store AuthRoot %F) | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

    – JosefZ
    Nov 14 '18 at 20:51



















Do you require this to be by CertUtil or would you accept a filtered PowerShell script?

– Drew
Oct 31 '18 at 22:55





Do you require this to be by CertUtil or would you accept a filtered PowerShell script?

– Drew
Oct 31 '18 at 22:55













It has to be certutil type of solution. PowerShell, unfortunately is "off the table." I really wish I could use PowerShell as it would be far simpler to accomplish the task.

– Leptonator
Nov 1 '18 at 14:03





It has to be certutil type of solution. PowerShell, unfortunately is "off the table." I really wish I could use PowerShell as it would be far simpler to accomplish the task.

– Leptonator
Nov 1 '18 at 14:03




1




1





Try parsing certutil -v -user -store "MY", certutil -v -store CA etc. IMHO, it's sufficient to parse output narrowed using …|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

– JosefZ
Nov 9 '18 at 17:24





Try parsing certutil -v -user -store "MY", certutil -v -store CA etc. IMHO, it's sufficient to parse output narrowed using …|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

– JosefZ
Nov 9 '18 at 17:24













@JosefZ - I appreciate your help. Please see my edit to the original post.

– Leptonator
Nov 14 '18 at 15:43





@JosefZ - I appreciate your help. Please see my edit to the original post.

– Leptonator
Nov 14 '18 at 15:43




1




1





Example. for /F "usebackq" %F in (`powershell -c "(Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber"`) do @(certutil -v -store Root %F & certutil -v -store AuthRoot %F) | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

– JosefZ
Nov 14 '18 at 20:51







Example. for /F "usebackq" %F in (`powershell -c "(Get-ChildItem Cert:LocalMachineRoot | Where-Object {$_.IssuerName.Name -Match 'VeriSign'}).SerialNumber"`) do @(certutil -v -store Root %F & certutil -v -store AuthRoot %F) | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate:"

– JosefZ
Nov 14 '18 at 20:51














1 Answer
1






active

oldest

votes


















1














The following 53092715.bat script returns desired Serial Numbers, see the _NextCert variable in echo %_Issuer%: %_user% -store "%~1" !_NextCert! command.



Usage: 53092715.bat option [Issuer] where





  • option (optional, default is ""; mandatory if present the Issuer parameter; then use e.g. "");


  • Issuer (optional, default is "Verisign"); may not contain = (an equal sign); may not contain a space (these restrictions could be eliminated with some effort).


Usage examples:





  • 53092715.bat       to query HKEY_LOCAL_MACHINE keys or certificate store


  • 53092715.bat -gp   to query Group Policy certificate store


  • 53092715.bat -user to query HKEY_CURRENT_USER keys or certificate store

  • 53092715.bat "" Apple

  • 53092715.bat -user Thawte


The script:



@ECHO OFF

SETLOCAL EnableExtensions EnableDelayedExpansion

if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"

if /I "%~1"=="" (set "_user=") else set "_user=%~1"

call :findCertSN "Root"

call :findCertSN "AuthRoot"

call :findCertSN "CA"

rem call :findCertSN "My"

ENDLOCAL

goto :eof



:findCertSN

set "_NextCert="

for /F "delims=" %%G in ('

    certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (

    set "_Line=%%G"

    if "!_Line:~0,14!"=="Serial Number:" (

      set "_NextCert=!_Line:~15!"

    ) else (

      if "!_Line:~0,7!"=="Issuer:" (

        set "_Line=!_Line:~8!"

        set "_NextIssuer="

        for %%g in (!_line!) do ( 

          set "_Elin=%%g"

          set "_Part=!_Elin:%_Issuer%=!"

          if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"

        )

        if defined _NextCert if defined _NextIssuer (

            echo %_Issuer%: %_user% -store "%~1" !_NextCert!

            set "_NextCert="

        )

      )

    )

  ) 

goto :eof





share|improve this answer
























  • Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

    – Leptonator
    Nov 21 '18 at 14:47











  • Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

    – Leptonator
    Nov 21 '18 at 16:58













  • The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

    – Leptonator
    Nov 21 '18 at 17:38













Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53092715%2fquery-certificates-for-sha1-sha2-sha256%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














The following 53092715.bat script returns desired Serial Numbers, see the _NextCert variable in echo %_Issuer%: %_user% -store "%~1" !_NextCert! command.



Usage: 53092715.bat option [Issuer] where





  • option (optional, default is ""; mandatory if present the Issuer parameter; then use e.g. "");


  • Issuer (optional, default is "Verisign"); may not contain = (an equal sign); may not contain a space (these restrictions could be eliminated with some effort).


Usage examples:





  • 53092715.bat       to query HKEY_LOCAL_MACHINE keys or certificate store


  • 53092715.bat -gp   to query Group Policy certificate store


  • 53092715.bat -user to query HKEY_CURRENT_USER keys or certificate store

  • 53092715.bat "" Apple

  • 53092715.bat -user Thawte


The script:



@ECHO OFF

SETLOCAL EnableExtensions EnableDelayedExpansion

if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"

if /I "%~1"=="" (set "_user=") else set "_user=%~1"

call :findCertSN "Root"

call :findCertSN "AuthRoot"

call :findCertSN "CA"

rem call :findCertSN "My"

ENDLOCAL

goto :eof



:findCertSN

set "_NextCert="

for /F "delims=" %%G in ('

    certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (

    set "_Line=%%G"

    if "!_Line:~0,14!"=="Serial Number:" (

      set "_NextCert=!_Line:~15!"

    ) else (

      if "!_Line:~0,7!"=="Issuer:" (

        set "_Line=!_Line:~8!"

        set "_NextIssuer="

        for %%g in (!_line!) do ( 

          set "_Elin=%%g"

          set "_Part=!_Elin:%_Issuer%=!"

          if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"

        )

        if defined _NextCert if defined _NextIssuer (

            echo %_Issuer%: %_user% -store "%~1" !_NextCert!

            set "_NextCert="

        )

      )

    )

  ) 

goto :eof





share|improve this answer
























  • Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

    – Leptonator
    Nov 21 '18 at 14:47











  • Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

    – Leptonator
    Nov 21 '18 at 16:58













  • The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

    – Leptonator
    Nov 21 '18 at 17:38


















1














The following 53092715.bat script returns desired Serial Numbers, see the _NextCert variable in echo %_Issuer%: %_user% -store "%~1" !_NextCert! command.



Usage: 53092715.bat option [Issuer] where





  • option (optional, default is ""; mandatory if present the Issuer parameter; then use e.g. "");


  • Issuer (optional, default is "Verisign"); may not contain = (an equal sign); may not contain a space (these restrictions could be eliminated with some effort).


Usage examples:





  • 53092715.bat       to query HKEY_LOCAL_MACHINE keys or certificate store


  • 53092715.bat -gp   to query Group Policy certificate store


  • 53092715.bat -user to query HKEY_CURRENT_USER keys or certificate store

  • 53092715.bat "" Apple

  • 53092715.bat -user Thawte


The script:



@ECHO OFF

SETLOCAL EnableExtensions EnableDelayedExpansion

if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"

if /I "%~1"=="" (set "_user=") else set "_user=%~1"

call :findCertSN "Root"

call :findCertSN "AuthRoot"

call :findCertSN "CA"

rem call :findCertSN "My"

ENDLOCAL

goto :eof



:findCertSN

set "_NextCert="

for /F "delims=" %%G in ('

    certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (

    set "_Line=%%G"

    if "!_Line:~0,14!"=="Serial Number:" (

      set "_NextCert=!_Line:~15!"

    ) else (

      if "!_Line:~0,7!"=="Issuer:" (

        set "_Line=!_Line:~8!"

        set "_NextIssuer="

        for %%g in (!_line!) do ( 

          set "_Elin=%%g"

          set "_Part=!_Elin:%_Issuer%=!"

          if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"

        )

        if defined _NextCert if defined _NextIssuer (

            echo %_Issuer%: %_user% -store "%~1" !_NextCert!

            set "_NextCert="

        )

      )

    )

  ) 

goto :eof





share|improve this answer
























  • Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

    – Leptonator
    Nov 21 '18 at 14:47











  • Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

    – Leptonator
    Nov 21 '18 at 16:58













  • The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

    – Leptonator
    Nov 21 '18 at 17:38
















1












1








1







The following 53092715.bat script returns desired Serial Numbers, see the _NextCert variable in echo %_Issuer%: %_user% -store "%~1" !_NextCert! command.



Usage: 53092715.bat option [Issuer] where





  • option (optional, default is ""; mandatory if present the Issuer parameter; then use e.g. "");


  • Issuer (optional, default is "Verisign"); may not contain = (an equal sign); may not contain a space (these restrictions could be eliminated with some effort).


Usage examples:





  • 53092715.bat       to query HKEY_LOCAL_MACHINE keys or certificate store


  • 53092715.bat -gp   to query Group Policy certificate store


  • 53092715.bat -user to query HKEY_CURRENT_USER keys or certificate store

  • 53092715.bat "" Apple

  • 53092715.bat -user Thawte


The script:



@ECHO OFF

SETLOCAL EnableExtensions EnableDelayedExpansion

if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"

if /I "%~1"=="" (set "_user=") else set "_user=%~1"

call :findCertSN "Root"

call :findCertSN "AuthRoot"

call :findCertSN "CA"

rem call :findCertSN "My"

ENDLOCAL

goto :eof



:findCertSN

set "_NextCert="

for /F "delims=" %%G in ('

    certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (

    set "_Line=%%G"

    if "!_Line:~0,14!"=="Serial Number:" (

      set "_NextCert=!_Line:~15!"

    ) else (

      if "!_Line:~0,7!"=="Issuer:" (

        set "_Line=!_Line:~8!"

        set "_NextIssuer="

        for %%g in (!_line!) do ( 

          set "_Elin=%%g"

          set "_Part=!_Elin:%_Issuer%=!"

          if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"

        )

        if defined _NextCert if defined _NextIssuer (

            echo %_Issuer%: %_user% -store "%~1" !_NextCert!

            set "_NextCert="

        )

      )

    )

  ) 

goto :eof





share|improve this answer













The following 53092715.bat script returns desired Serial Numbers, see the _NextCert variable in echo %_Issuer%: %_user% -store "%~1" !_NextCert! command.



Usage: 53092715.bat option [Issuer] where





  • option (optional, default is ""; mandatory if present the Issuer parameter; then use e.g. "");


  • Issuer (optional, default is "Verisign"); may not contain = (an equal sign); may not contain a space (these restrictions could be eliminated with some effort).


Usage examples:





  • 53092715.bat       to query HKEY_LOCAL_MACHINE keys or certificate store


  • 53092715.bat -gp   to query Group Policy certificate store


  • 53092715.bat -user to query HKEY_CURRENT_USER keys or certificate store

  • 53092715.bat "" Apple

  • 53092715.bat -user Thawte


The script:



@ECHO OFF

SETLOCAL EnableExtensions EnableDelayedExpansion

if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"

if /I "%~1"=="" (set "_user=") else set "_user=%~1"

call :findCertSN "Root"

call :findCertSN "AuthRoot"

call :findCertSN "CA"

rem call :findCertSN "My"

ENDLOCAL

goto :eof



:findCertSN

set "_NextCert="

for /F "delims=" %%G in ('

    certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (

    set "_Line=%%G"

    if "!_Line:~0,14!"=="Serial Number:" (

      set "_NextCert=!_Line:~15!"

    ) else (

      if "!_Line:~0,7!"=="Issuer:" (

        set "_Line=!_Line:~8!"

        set "_NextIssuer="

        for %%g in (!_line!) do ( 

          set "_Elin=%%g"

          set "_Part=!_Elin:%_Issuer%=!"

          if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"

        )

        if defined _NextCert if defined _NextIssuer (

            echo %_Issuer%: %_user% -store "%~1" !_NextCert!

            set "_NextCert="

        )

      )

    )

  ) 

goto :eof






share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 21 '18 at 1:43









JosefZJosefZ

16k42140




16k42140













  • Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

    – Leptonator
    Nov 21 '18 at 14:47











  • Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

    – Leptonator
    Nov 21 '18 at 16:58













  • The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

    – Leptonator
    Nov 21 '18 at 17:38





















  • Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

    – Leptonator
    Nov 21 '18 at 14:47











  • Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

    – Leptonator
    Nov 21 '18 at 16:58













  • The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

    – Leptonator
    Nov 21 '18 at 17:38



















Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

– Leptonator
Nov 21 '18 at 14:47





Perfect! This works fantastic and I have made a couple of modifications to return our vendor data for certificates.

– Leptonator
Nov 21 '18 at 14:47













Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

– Leptonator
Nov 21 '18 at 16:58







Need to do some more debugging. Running this through CA IT Client Manager, and if the vendor cert does not exist, it seems to run forever..

– Leptonator
Nov 21 '18 at 16:58















The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

– Leptonator
Nov 21 '18 at 17:38







The issue seen maybe related to the machine I was running this on. Disregard to the previous comment.

– Leptonator
Nov 21 '18 at 17:38






















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53092715%2fquery-certificates-for-sha1-sha2-sha256%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Florida Star v. B. J. F.

Image
Florida Star v. B. J. F. From Wikipedia, the free encyclopedia Jump to navigation Jump to search United States Supreme Court case Florida Star v. B. J. F. Supreme Court of the United States Argued March 21, 1989 Decided June 21, 1989 Full case name The Florida Star v. B. J. F. Citations 491 U.S. 524 ( more ) 109 S. Ct. 2603; 105 L. Ed. 2d 443; 1989 U.S. LEXIS 3120; 57 U.S.L.W. 4816; 16 Media L. Rep. 1801 Prior history The Florida Star v. B.J.F., 530 So.2d 286 (1988) Supreme Court of Florida; Florida Star v. B.J.F., 499 So.2d 883 (1986) Fla. Dist. Court of Appeals Holding Florida Stat. § 794.03 is unconstitutional to the extent it makes the truthful reporting of information that was a matter of public record unlawful, as it violates the First Amendment. Court membership Chief Justice William Rehnquist Associate Justices William J. Brennan Jr.  · Byron White Thurgood Marshall  · Harry Blac
Read more

Error while running script in elastic search , gateway timeout

Image
0 while running script in elastic search, I got 504 Gateway timeout error. { "query": { "bool": { "filter": { "script": { "script": " doc['creted_date'].date.getMonthOfYear() == 12 " } } } }, "aggs": { "test": { "date_histogram": { "field": "creted_date", "interval": "month", "format": "MMM" }, "aggs": { "cost": { "sum": { "field": "cost" } } }
Read more

Adding quotations to stringified JSON object values

Image
0 My stringified object data doesn't include quotation marks around object values, which errors when attempting JSON.parse() : '{ "affiliation": CORPORATE, "userId": 75c35d1c-5d12-4485-8fa8-b2f1551a3e6e }' I need the string to be: '{ "affiliation": "CORPORATE", "userId": "75c35d1c-5d12-4485-8fa8-b2f1551a3e6e" }' I'm using this regex to add quotes to the object keys: var newStr = str.replace(/(['"])?([a-z0-9A-Z_]+)(['"])?:/g, '"$2": '); For instance: '{ affiliation: CORPORATE }' to '{ "affiliation": CORPORATE }' There are only string values in my data, so I don't need to check value types. How can I alter my regex expression to add quotations to
Read more