Is there any way to get the Certification Authority that issued a certificate, by a certutil command or by some interface where I can put in the serial number of a certificate?
Our company has hundreds of thousands of certificates issued by 5 different issuing CAs. Whenever I pull the complete dump (example) via:
certutil -view -config "Issuing-CA01" -restrict "notbefore>22/09/2021" csv > C:\Users\XYZ\Desktop\dump.csv
I do not find the information about the issuing CA in this dump, which contains all possible columns that the certutil command can deliver. Same with the SAN entries, those are not readable from any dump, except from the certificate itself - but this belongs to a different question.
Is there any way that I can extract the issuing CA via the command line?
The Issuer is not a column in the ADCS database schema. So the only way would be to get the certificate itself out, parse it and print out the issuer name.
# Dump the raw (PEM-encoded) certificate column for every row matching the filter.
# Out-String keeps the output as one string, so the PEM blocks can be matched directly
# without writing a temp file and re-reading it line by line.
$dump = & certutil -view -config "Issuing-CA01" -restrict "notbefore>22/09/2021" -out "RawCertificate" | Out-String
# Capture the base64 body between the PEM markers; line breaks are stripped below.
$pattern = "-----BEGIN CERTIFICATE-----(?<cert>[A-Za-z0-9+/=\s]*)-----END CERTIFICATE-----"
[regex]::Matches($dump, $pattern) | ForEach-Object {
    # Decode the base64 body to DER bytes and load it as an X509Certificate2 object
    $der = [Convert]::FromBase64String(($_.Groups["cert"].Value -replace "\s", ""))
    $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    Write-Output $certificate.Issuer
}
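The same approach turned into a lookup by serial number across several issuing CAs, as an added example that is not part of the original answer. It assumes the CA config strings in the `$Config` default are placeholders for your own "Host\CA-Name" values, and that the SerialNumber database column is used in the -restrict filter.

```powershell
# Added example: look one serial number up on each issuing CA and return the
# issuer, subject and SAN parsed from the RawCertificate column.
# 'Issuing-CA01'/'Issuing-CA02' are placeholder config strings (assumption).
function Get-IssuedCertificateBySerial {
    param(
        [Parameter(Mandatory)] [string]$SerialNumber,
        [string[]]$Config = @('Issuing-CA01', 'Issuing-CA02')
    )
    $pemPattern = '-----BEGIN CERTIFICATE-----(?<cert>[A-Za-z0-9+/=\s]*)-----END CERTIFICATE-----'
    foreach ($ca in $Config) {
        # Restrict the database query to the one row with this serial number
        $dump = & certutil -view -config $ca -restrict "SerialNumber=$SerialNumber" -out RawCertificate 2>$null | Out-String
        if ($LASTEXITCODE -ne 0) { continue }   # CA unreachable, no access, or no such row
        foreach ($m in [regex]::Matches($dump, $pemPattern)) {
            $der  = [Convert]::FromBase64String(($m.Groups['cert'].Value -replace '\s', ''))
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            # Subject Alternative Name is extension OID 2.5.29.17; Format() renders it as text
            $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                    ForEach-Object { $_.Format($false) }
            [pscustomobject]@{
                CAConfig     = $ca
                SerialNumber = $cert.SerialNumber
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                Thumbprint   = $cert.Thumbprint
                NotAfter     = $cert.NotAfter
                SAN          = $san
            }
        }
    }
}

# Constructed sample serial; replace with a real one from your own database
Get-IssuedCertificateBySerial -SerialNumber '1a2b3c4d' | Format-List
```

Because each CA's database only holds certificates that CA itself issued, the CAConfig field already tells you which CA issued the serial; the Issuer field is the DN embedded in the certificate and serves to confirm it.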