Discussion:
Grabbing certificate information
geXen
2005-01-14 15:42:07 UTC
Hello,
I'm looking for a way to programmatically get certificate information
from the computer. To be more specific, I'm looking for a way to get
the expiration date of all the SSL certificates that are present on a
machine.
Torgeir Bakken (MVP)
2005-01-17 20:39:52 UTC
Post by geXen
Hello,
I'm looking for a way to programmatically get certificate information
from the computer. To be more specific, I'm looking for a way to get
the expiration date of all the SSL certificates that are present on a
machine.
Hi

WMI isn't able to help you out here as far as I know.

You either need to use a command line utility or an ActiveX object for this.

A)
For the ActiveX object part, CAPICOM from Microsoft is an option (but a
DLL needs to be installed on the computers to use it).

Introducing CAPICOM
http://msdn.microsoft.com/library/en-us/dnsecure/html/intcapicom.asp?frame=true

See e.g. CAPICOM 2.0.0.3 sample Cstore.vbs for VBScript examples.

See the ValidToDate property here:

Cryptography Objects > Certificate
http://msdn.microsoft.com/library/en-us/seccrypto/security/certificate.asp


B)
You can use the command line utilities certmgr.exe or Certutil.exe to
list certificates and their expiration date.

Download certmgr.exe from:

Authenticode for Internet Explorer 5.0
http://www.microsoft.com/downloads/details.aspx?familyid=2b742795-d0f0-4a66-b27f-22a95fcd3425&displaylang=en

Certmgr.exe works on both Win2k and WinXP.


Certutil.exe is also an option (see below for a script that uses
Certutil to obtain expiration dates for certificates).

Certutil tasks for managing certificates
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_cs_certutil5.asp

Certutil.exe comes built in with Win2k3 Server, and can be installed
on WinXP.

To obtain the WinXP version, install adminpak.msi from here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en

You can then copy out certadm.dll and certutil.exe from the
%windir%\system32 folder and copy it over to other WinXP computers.


Script example using Certutil.exe below.

Run it in a command prompt (cmd.exe), like this:

cscript.exe "c:\some path\some file.vbs"

If you want to redirect the list to a file:

cscript.exe //NoLogo "c:\some path\some file.vbs" >C:\CertInfo.txt


'--------------------8<----------------------

' Context constants

' Uses the HKEY_LOCAL_MACHINE keys or certificate store.
Const CERT_MACHINE = "machine"
' Uses the HKEY_CURRENT_USER keys or certificate store.
Const CERT_USER = "user"

' CertificateStoreName constants

' Specifies certificates in the Intermediate Certification Authorities store.
Const CERT_CA = "ca"
' Specifies certificates issued to the current user.
Const CERT_MY = "my"
' Specifies certificates in the Trusted Root Certification Authorities store.
Const CERT_ROOT = "root"
' Specifies software publisher certificates.
Const CERT_SPC = "spc"

' Global array: row 0 = Issuer, row 1 = Subject, row 2 = NotAfter
ReDim aCert(2, -1)

' 1st parameter is context, 2nd is certificate store name
GetCertData CERT_MACHINE, CERT_CA

If UBound(aCert, 2) <> -1 Then
  For k = 0 To UBound(aCert, 2)
    WScript.Echo k & " Issuer: " & aCert(0, k)
    WScript.Echo k & " Subject: " & aCert(1, k)
    WScript.Echo k & " NotAfter: " & aCert(2, k)
  Next
End If


Sub GetCertData(sContext, sStore)

  Const OpenAsASCII = 0
  Const FailIfNotExist = 0
  Const ForReading = 1

  Set oShell = CreateObject("WScript.Shell")
  Set oFSO = CreateObject("Scripting.FileSystemObject")

  If sContext = CERT_USER Then
    sContextParam = "-user"
  Else
    sContextParam = ""
  End If

  ' temporary files in the Temp folder (GetSpecialFolder(2))
  sFile1 = oFSO.GetSpecialFolder(2).ShortPath & "\" & oFSO.GetTempName
  sFile2 = oFSO.GetSpecialFolder(2).ShortPath & "\" & oFSO.GetTempName

  ' no verbose information, to more easily parse out Issuer/Subject
  oShell.Run "%comspec% /c certutil.exe -store " & sContextParam _
    & " " & sStore & " >" & sFile1, 0, True

  ' verbose information to obtain the expiration date
  oShell.Run "%comspec% /c certutil.exe -store " & sContextParam _
    & " -v " & sStore & " >" & sFile2, 0, True

  Set fFile1 = oFSO.OpenTextFile(sFile1, ForReading, _
    FailIfNotExist, OpenAsASCII)

  k = -1
  Do While Not fFile1.AtEndOfStream
    sLine = fFile1.ReadLine
    If Left(sLine, 29) = "================ Certificate " Then
      k = k + 1
      ReDim Preserve aCert(2, k)
      sSerialNr = fFile1.ReadLine ' not used in the rest of the code
      sIssuer = fFile1.ReadLine
      sSubject = fFile1.ReadLine
      aCert(0, k) = Mid(sIssuer, 9)   ' strip the "Issuer: " prefix
      aCert(1, k) = Mid(sSubject, 10) ' strip the "Subject: " prefix
    End If
  Loop
  fFile1.Close

  Set fFile2 = oFSO.OpenTextFile(sFile2, ForReading, _
    FailIfNotExist, OpenAsASCII)

  k = -1
  Do While Not fFile2.AtEndOfStream
    sLine = fFile2.ReadLine
    If Left(sLine, 9) = "NotAfter:" Then
      k = k + 1
      If k > UBound(aCert, 2) Then Exit Do
      aCert(2, k) = Mid(sLine, 11)    ' strip the "NotAfter: " prefix
    End If
  Loop
  fFile2.Close

  ' remove the temporary files again
  oFSO.DeleteFile sFile1, True
  oFSO.DeleteFile sFile2, True

End Sub

'--------------------8<----------------------
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
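The same inventory (issuer, subject, expiration date for every certificate in the machine and user stores) can be done without certutil or CAPICOM through the Cert: drive that PowerShell exposes on Windows. The following is an added example, not code from the original post; it assumes Windows PowerShell or PowerShell 7 on Windows, and the list of store names it scans (My, Root, CA, matching certutil's my, root and ca) is an assumption, as is the 30-day warning threshold.

```powershell
# Added example (not from the original post): enumerate the Windows
# certificate stores via the Cert: provider and report expiration dates.
# Assumption: running on Windows, where the Cert: drive exists.

function Get-CertificateExpiry {
    [CmdletBinding()]
    param(
        # Store locations; these correspond to certutil's default (machine)
        # and "-user" contexts used in the script above
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string[]] $Location = @('LocalMachine', 'CurrentUser'),

        # Store names to scan (assumed set; certutil names: my, root, ca)
        [string[]] $StoreName = @('My', 'Root', 'CA'),

        # Certificates expiring within this many days are flagged (assumed default)
        [int] $WarnDays = 30
    )

    $now = Get-Date
    foreach ($loc in $Location) {
        foreach ($store in $StoreName) {
            $path = "Cert:\$loc\$store"
            # A store may not exist for this location; skip it instead of erroring
            if (-not (Test-Path -Path $path)) { continue }

            # SilentlyContinue: parts of LocalMachine can be unreadable without
            # elevation; we report what is readable rather than aborting
            Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
                ForEach-Object {
                    # Whole days until NotAfter; negative means already expired
                    $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
                    if ($daysLeft -lt 0) {
                        $status = 'EXPIRED'
                    } elseif ($daysLeft -le $WarnDays) {
                        $status = 'EXPIRING'
                    } else {
                        $status = 'OK'
                    }

                    [pscustomobject]@{
                        Location   = $loc
                        Store      = $store
                        Status     = $status
                        DaysLeft   = $daysLeft
                        NotBefore  = $_.NotBefore
                        NotAfter   = $_.NotAfter
                        Subject    = $_.Subject
                        Issuer     = $_.Issuer
                        Thumbprint = $_.Thumbprint
                    }
                }
        }
    }
}

# Usage: everything, most urgent first
Get-CertificateExpiry |
    Sort-Object DaysLeft |
    Format-Table Location, Store, Status, DaysLeft, NotAfter, Subject -AutoSize

# Usage: only expired or soon-to-expire certificates, written to a file,
# the equivalent of the cscript redirect shown earlier in the thread
# Get-CertificateExpiry | Where-Object { $_.Status -ne 'OK' } |
#     Export-Csv -Path C:\CertInfo.csv -NoTypeInformation
```

Because the objects carry NotAfter as a real DateTime rather than the locale-formatted text certutil prints, the expiry arithmetic does not depend on the machine's date format, which is the main thing that breaks when the text-parsing approach is moved between differently configured systems. Run it elevated if you need the full LocalMachine view.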