Exclude autoenroll certificates

Oct 12, 2012 at 7:23 AM

I would like to list all issued certificates except autoenrollment ones.
My script shows all issued. How do I change this code so that autoenrollment ones are excluded?
# $computername is assumed to be set earlier in the script
$caname = $computername.ToLower()
$domaindns = $ENV:USERDNSDOMAIN.ToLower()
$todaysdate = Get-Date
$enddate = $todaysdate.AddMonths(2)
# Issued certificates expiring within the next two months, oldest expiry first
$issuedcerts = Get-CertificationAuthority "$caname.$domaindns" | Get-IssuedRequest -Property * -Filter "NotAfter -ge $todaysdate", "NotAfter -le $enddate" | Sort-Object NotAfter, NotBefore

Oct 12, 2012 at 8:23 AM

Unfortunately, there is no way to determine whether the certificate was issued during autoenrollment or manual request process.

BTW, depending on your DNS configuration, you can use short CA host name (NetBIOS name).

Feb 25, 2014 at 10:07 PM
I know you can check the enrollment flags using CertUtil, and then filter out "0x20" (or CT_FLAG_AUTO_ENROLLMENT) ... is there not some way to update the PSPKI module to expose more of the certificate / CA schema? Are there any plans to?

I would LOVE to have more granular control over my scripts by being able to work with more properties/noteproperties of the certificates.

Thanks!
Feb 26, 2014 at 12:13 PM
You can include the EnrollmentFlags column in the view and then use Where-Object to filter autoenrolled certs:
Get-CA ca01* | Get-IssuedRequest -Property EnrollmentFlags | Where-Object {$_.EnrollmentFlags -band 0x20}
Unfortunately, CA database engine does not support bitwise operators, therefore they must be applied out of band (in PowerShell you can use Where-Object cmdlet).
Feb 26, 2014 at 5:28 PM
Thanks for that. And I presume, to exclude those auto-enrolled certificates, we would use the -bnot operator ?

However, when I use that, PS carps that the token ( -bnot ) is unexpected.
Feb 26, 2014 at 5:31 PM
Get-CA ca01* | Get-IssuedRequest -Property EnrollmentFlags | Where-Object {($_.EnrollmentFlags -band 0x20) -eq 0}
Get-CA ca01* | Get-IssuedRequest -Property EnrollmentFlags | Where-Object {!($_.EnrollmentFlags -band 0x20)}
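Putting the two replies together, here is an added example (not code from the thread or from the PSPKI project) that does the date window server-side with -Filter and the bitwise EnrollmentFlags test client-side, wrapped in a reusable function. It assumes the PSPKI cmdlets used above and that the EnrollmentFlags column carries the certificate template's enrollment flags; the sample rows are constructed so the function can be tried without a CA.

```powershell
# Added example, not from the thread or the PSPKI project.
# Assumes PSPKI's Get-CertificationAuthority / Get-IssuedRequest and that the
# EnrollmentFlags column holds the template's enrollment flags. As the first
# reply notes, 0x20 (CT_FLAG_AUTO_ENROLLMENT) says the template permits
# autoenrollment, not how one particular request was actually submitted.
$CT_FLAG_AUTO_ENROLLMENT = 0x20

function Select-IssuedByEnrollment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Request,
        [switch] $AutoEnrollOnly,
        [switch] $ExcludeAutoEnroll
    )
    process {
        # The CA database cannot evaluate -band inside -Filter, so test it here.
        $isAuto = (([int]$Request.EnrollmentFlags) -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0
        if ($AutoEnrollOnly -and -not $isAuto) { return }
        if ($ExcludeAutoEnroll -and $isAuto) { return }
        # Tag the row so the reason it was kept is visible in the output.
        $Request | Add-Member -NotePropertyName AutoEnrollTemplate `
                              -NotePropertyValue $isAuto -PassThru -Force
    }
}

# Constructed sample rows standing in for Get-IssuedRequest output (offline demo).
# 0x29 = 0x20 | 0x08 | 0x01 (autoenroll bit set); 0x09 has it clear.
$sample = @(
    [pscustomobject]@{ RequestID = 101; CommonName = 'ws01.corp.example'
                       EnrollmentFlags = 0x29; NotAfter = (Get-Date).AddDays(20) }
    [pscustomobject]@{ RequestID = 102; CommonName = 'web.corp.example'
                       EnrollmentFlags = 0x09; NotAfter = (Get-Date).AddDays(45) }
)
# Prints only RequestID 102, the non-autoenrollment template.
$sample | Select-IssuedByEnrollment -ExcludeAutoEnroll |
    Format-Table RequestID, CommonName, AutoEnrollTemplate

# Against a live CA: date window server-side, bitwise filter client-side.
# $today = Get-Date; $end = $today.AddMonths(2)
# Get-CertificationAuthority "$caname.$domaindns" |
#     Get-IssuedRequest -Property EnrollmentFlags, CommonName, NotAfter `
#         -Filter "NotAfter -ge $today", "NotAfter -le $end" |
#     Select-IssuedByEnrollment -ExcludeAutoEnroll | Sort-Object NotAfter
```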