The modified certutil command looks a bit like this:

certutil -view -restrict "NotAfter>=8/9/2010,NotAfter<=9/9/2010" -out "Request ID, Request Submission Date, Request Common Name, Requester Name, Request Email Address, Request Distinguished Name, CertificateTemplate, NotAfter" -config "<CA_SERVER_NAME>\<CA_NAME>"

This will return to you all of the certificates that are scheduled to expire between today (August 9th, 2010) and 30 days from now (September 9th, 2010)

You can download the new script here: Download monitor_ca_expiry.ps1

Update: Thanks to Aaron (from New Mexico? the original reader) who noticed I forgot one really useful bit of information from the status report that displays when you run the command: the date of expiration for the certificate.  I have updated the script and the sample above to reflect the change.

One thing that is a bit frustrating is that even when you have the logging options fully enabled for the CA, events aren’t logged for new certificate requests so you have to manually check the server on a regular basis for outstanding requests. Usually this is a low priority kind of service in your enterprise and can get neglected, which has happened in my case a few times.

This neglect prompted me to write the following Powershell script which very simply uses certutil to check if there are any pending requests, and then fire off an email to a list of users if there are. This script could also be easily modified to check for revoked certificates or to generate a weekly report on existing certificates to monitor expiration dates, among a bunch of other things, however I really only needed this for requests so that’s all it does for right now. If anyone has any interest in something else, let me know and I’ll see about updating the script to include additional features.

To use this script, all you need to do is ensure you have a copy of certutil on the machine running this, update the configurable pieces of the script, then create a scheduled task to run it every hour or so, or whatever time-frame is appropriate for you and your organization.

More information and a download link is after the break…

The script uses a very simple function of certutil to check for pending requests. You can execute the following code from a command prompt or powershell prompt to see a list of existing pending requests.

certutil -view -out "Request ID, Request Submission Date, Request Common Name, Requester Name, Request Email Address, Request Distinguished Name, CertificateTemplate, Request Disposition" -Restrict "Request Disposition=9" -config "<CA_SERVER_NAME>\<CA_NAME>"

Basically what this is doing is it is telling certutil to check for any certificates where the request dispoition is 9, in other words, any pending certificate requests. It then outputs a few usefull properties related to the certificates. All you need to change is the part with “\” to include the valid server and name.

Note: You can omit the entire “-config “<CA_SERVER_NAME>\<CA_NAME>”" piece if you are running this locally from the CA server and only want to retrieve the local information.

For the full powershell script, click the download link here: Download monitor_ca_requests.ps1