Certutil view restrict description:


Disposition values for requests in the queue:

Disposition   Description
8             request is being processed
9             request is taken under submission
12            certificate is an archived foreign certificate
15            certificate is a CA certificate
16            parent CA certificates of the CA certificate
17            certificate is a key recovery agent certificate

Disposition values for requests in the log:

Disposition   Description
20            certificate was issued
21            certificate is revoked
30            certificate request failed
31            certificate request is denied

Use the "=" sign to match a disposition value in a restriction, for example "Disposition=20".


Export list of issued certificates from a CA:

certutil -view -restrict "Certificate Template=TempNameOrOID" -out "requestername,requestid" | find "Requester Name:" | sort >output.csv

certutil -view -restrict "notbefore>=1/1/2015" -out "RequestID,NotBefore,NotAfter,CertificateTemplate"

Export list of issued certificates from a specific user:

certutil -view -restrict "Disposition=20,RequesterName=domain\user1" -out "RequestID,RequesterName,CommonName,NotBefore,NotAfter"


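Show the SerialNumber of all issued and revoked certificates (comma-separated restrictions are combined with AND, so the two dispositions are matched as a range):

certutil -view -restrict "Disposition>=20,Disposition<=21" -out SerialNumber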

Show all certificate requests that failed for the certificate template with the common name “EnrollmentAgent” after September 24th 2008:

certutil -view -restrict "Disposition=30,notbefore>=9/24/2008,certificate template=EnrollmentAgent" -out RawCertificate
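
Added example (not part of the original page): a PowerShell wrapper that queries failed and denied requests one disposition code at a time and counts them per requester and template, which is a quick way to review repeated enrollment failures on a CA. It assumes certutil's "csv" output option emits one header row followed by data rows in -out order; the function name Get-CaRequest, the -SampleCsv parameter and the sample rows are constructed for illustration.

```powershell
# Disposition codes for logged requests, as listed on this page.
$LogDisposition = @{
    20 = 'certificate was issued'
    21 = 'certificate is revoked'
    30 = 'certificate request failed'
    31 = 'certificate request is denied'
}

function Get-CaRequest {
    param(
        [int[]]$Disposition = @(30, 31),
        # Constructed CSV lines keyed by disposition code, for offline runs.
        [hashtable]$SampleCsv
    )
    foreach ($code in $Disposition) {
        # One query per code: comma-separated restrictions are ANDed,
        # so "Disposition=30,Disposition=31" would match nothing.
        $lines = if ($SampleCsv) { $SampleCsv[$code] } else {
            & certutil.exe -view -restrict "Disposition=$code" `
                -out 'RequestID,RequesterName,CertificateTemplate' csv
        }
        # Drop blank lines and certutil status lines, skip the header row, and
        # name the columns here so localized display names do not matter.
        $lines | Where-Object { $_ -and $_ -notlike 'CertUtil:*' } |
            Select-Object -Skip 1 |
            ConvertFrom-Csv -Header RequestId, Requester, Template |
            Select-Object RequestId, Requester, Template,
                @{ n = 'Disposition'; e = { $code } },
                @{ n = 'Meaning'; e = { $LogDisposition[$code] } }
    }
}

# Constructed sample rows (not real CA data).
$sample = @{
    30 = '"Request ID","Requester Name","Certificate Template"',
         '"101","CONTOSO\user1","EnrollmentAgent"',
         '"102","CONTOSO\user1","EnrollmentAgent"'
    31 = '"Request ID","Requester Name","Certificate Template"',
         '"103","CONTOSO\user2","WebServer"'
}

# Count failed and denied requests per requester and template.
Get-CaRequest -SampleCsv $sample |
    Group-Object Requester, Template, Meaning |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

On a CA host, call Get-CaRequest without -SampleCsv to run the same summary against the live database.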