Certificate Scripting

bfisher78
Posts: 2
Joined: Thu Jun 14, 2007 4:42 am

Certificate Scripting

Post by bfisher78 » Thu Jun 14, 2007 5:11 am

I hope the part about being friendly is true!! And patient.

I am brand new to scripting, have always had an interest, now I am being thrown abruptly into it. I downloaded PrimalScript Pro 45 day eval which is how I ended up here. I tried to do a search to see if my topic has been discussed, but did not see anything. If it has been addressed before, please just lead me to the correct place.

I need to come up with a script that will revoke a certificate. Specifically I need to revoke certificates from my CA that belong to certain servers (MS Windows).

I am pretty sure I can figure out how to write a script that will call the CertUtil utility and revoke the cert by serial number (based on the following).

To revoke the certificate by serial number
Syntax
certutil -revoke [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] SerialNumber [Reason]

What I am stuck on is how to either scan through my CA and obtain the serial numbers in question, or query the servers directly for the SN of their cert. Then use that list of serial numbers to revoke each. The good news is that all of the servers I will have to do this for have a common naming convention. Let's just say for example they all begin with AServer, e.g. AServer1, AServer2, etc.

I would appreciate any and all help with this post. Thank you very much,

Brad

donj
Posts: 416
Joined: Thu Nov 16, 2006 9:02 pm

Certificate Scripting

Post by donj » Thu Jun 14, 2007 11:51 pm

Wish I could help more on this but I've never, ever had to work with a CA's store. Are you using Microsoft's Certificate Server? I might be able to point you to an API reference to use from within VBScript, if the prior example jvierra posted isn't sufficient...

jvierra
Posts: 13687
Joined: Tue May 22, 2007 9:57 am

Certificate Scripting

Post by jvierra » Fri Jun 15, 2007 2:38 am

bfisher -

It sounds to me like you want to list the certs by serial number on member servers and then use that to remove the certs from the CA.

CAPICOM is the automation interface for use with "client" repositories - "stores". There is a separate scriptable object for a central CA server. Everything can be done on the CA using the certutil and also against any client stores.

There is actually an easier way to manage all of this assuming you have a Cert Server installed. Use AD to control where the certs are stored. This will force all servers to use the AD store. I believe in this case the local stores just become caches for the AD info. This should remove all non-AD certs from all servers with the exception of a few required certs.

Cert Server is designed to hand out AND revoke certs. If you revoke a cert then CA will report back that the cert is revoked and it won't be usable. Couple this along with GP and AD integrated cert stores and you have complete central management from a GUI and, to some degree, with command line utilities.

PS. GP will allow you to define the behavior of clients when certs are revoked or updated. GP allows for blocking or auto accepting updates and revokes.

The code I posted along with its API will allow listing certs in any certificate store including cert server but will not allow certs to be deleted when the DLL is loaded under a scripting subsystem. This, I suspect, was done for security purposes.

jvierra
Posts: 13687
Joined: Tue May 22, 2007 9:57 am

Certificate Scripting

Post by jvierra » Fri Jun 15, 2007 4:17 am

I am also going to assume that the cert name you refer to is the DNS name of the local machine and the cert is stored in the local machine store.
If that is true then the certificate.IssuedTo value is what you are looking for and it needs to match the old machine name.

Assuming this you should be able to fashion a script that finds the cert using the script and then hand the cert SN to the certutil function along with the new machine name and have it delete the cert.

I don't know how you can do this remotely using script. CAPICOM doesn't appear to work remotely. CERTUTIL uses API calls and can work remotely.

An alternative is to use certutil to dump all machine certs to a file and then parse the file for the cert serial numbers.

This should be possible but will require about three or four fairly complex steps.

If you have fewer than 50 servers then doing it with the GUI would be the easiest and most reliable method. More than 50 would call for an automated solution.

If you just revoke the certs you will accomplish the same objective with much less trouble. It doesn't matter if they are still stored on the machines. Revoking them will disable their use.
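Putting Brad's two steps and the "dump to a file and parse it" suggestion above together, here is an added VBScript example (not code from this thread or from its posters). The CA config string, the dump path, the CN prefix and the revocation reason are placeholders, and the parser assumes the "Serial Number: ..." / "Issued Common Name: ..." row layout that certutil -view prints when given -out column names; it runs in list-only mode until DRY_RUN is set to False.

```vbscript
Option Explicit
' Added example: enumerate issued certs on the CA, keep those whose Issued Common
' Name starts with a prefix, then revoke each one by serial number with certutil.
Const CA_CONFIG = "CAHOST\My Issuing CA"   ' placeholder: certutil -config "machine\CAName"
Const CN_PREFIX = "AServer"                ' naming convention from the question
Const DUMP_FILE = "C:\Temp\ca_issued.txt"  ' placeholder path for the certutil dump
Const REASON    = 4                        ' assumed CRL reason code (4 = Superseded)
Const DRY_RUN   = True                     ' list only; set to False to actually revoke

Dim sh  : Set sh  = CreateObject("WScript.Shell")
Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")

' Step 1: dump serial number and common name of every issued cert (Disposition=20).
Dim cmd
cmd = "certutil -config """ & CA_CONFIG & """ -view -restrict ""Disposition=20""" & _
      " -out ""SerialNumber,CommonName"" > """ & DUMP_FILE & """"
sh.Run "cmd /c " & cmd, 0, True

' Step 2: parse the dump. Each row is expected to look like
'   Serial Number: "1a2b3c4d..."
'   Issued Common Name: "AServer1"
Dim re : Set re = New RegExp
re.Pattern = "^\s*(Serial Number|Issued Common Name):\s*""([^""]*)"""
Dim f, line, m, serial, serials
serial = ""
Set serials = CreateObject("Scripting.Dictionary")   ' serial -> common name
Set f = fso.OpenTextFile(DUMP_FILE, 1)
Do Until f.AtEndOfStream
    line = f.ReadLine
    If re.Test(line) Then
        Set m = re.Execute(line)(0)
        If m.SubMatches(0) = "Serial Number" Then
            serial = m.SubMatches(1)
        ElseIf LCase(Left(m.SubMatches(1), Len(CN_PREFIX))) = LCase(CN_PREFIX) Then
            serials(serial) = m.SubMatches(1)   ' CN line follows its serial in the row
        End If
    End If
Loop
f.Close

' Step 3: revoke each matching serial on the CA, or just list them in dry-run mode.
Dim s, rc
For Each s In serials.Keys
    cmd = "certutil -config """ & CA_CONFIG & """ -revoke " & s & " " & REASON
    If DRY_RUN Then
        WScript.Echo "Would run: " & cmd & "   (" & serials(s) & ")"
    Else
        rc = sh.Run("cmd /c " & cmd, 0, True)
        WScript.Echo "Revoked " & s & " (" & serials(s) & ") - certutil exit code " & rc
    End If
Next
```

Review the dry-run listing before switching DRY_RUN off, and remember a revocation only takes effect for clients once a new CRL is published.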


jvierra
Posts: 13687
Joined: Tue May 22, 2007 9:57 am

Certificate Scripting

Post by jvierra » Fri Jun 15, 2007 6:52 am

bfisher -

Again - let me note that, if the certs are from your own cert server then you need only REVOKE them.

If you really want to remove them then it would be fairly easy to devise a script that would remove all revoked certificates that were registered with your CA. This would eliminate the need to match them with the computers' old and new names.

If the CA that handed out the certs was decommissioned then the certs would all be identifiable because they are from the old, decommissioned, CA. This would make them easy to find.

