Pulling Subject Alternative Names from certificates in Issuing CA.

Mar 10, 2015 at 4:37 PM
I am creating a script which will notify users when their certificates are about to expire. In the notification email, I would like to have all Subject Alternative Names listed if they exist in the certificate. My question is how can I see the SANs in each certificate when running Get-CertificationAuthority -ComputerName "xxx" | Get-IssuedRequest -RequestID xx? When I look at the certificate via the ADCS console, I can see the extension with the names.

Currently I am running PSPKI 3.0 in a 2012 R2 environment.

Thanks for your help.
Coordinator
Mar 10, 2015 at 4:56 PM
You can use the -Property parameter to include the desired columns in the output.
Mar 10, 2015 at 7:21 PM
I'm sorry, I should have been slightly more specific. I have done __-property *__ to pull all data and nowhere am I able to see the subject alternative names in the output. Below is everything reported with __-property *__. Again, nothing regarding subject alternative names.

Request.RequestID :
Request.RawRequest :
Request.RawArchivedKey :
Request.KeyRecoveryHashes :
Request.RawOldCertificate :
Request.RequestAttributes :
Request.RequestType :
Request.RequestFlags :
Request.StatusCode :
Request.Disposition :
Request.DispositionMessage :
Request.SubmittedWhen :
Request.ResolvedWhen :
Request.RevokedWhen :
Request.RevokedEffectiveWhen :
Request.RevokedReason :
Request.RequesterName :
Request.CallerName :
Request.SignerPolicies :
Request.SignerApplicationPolicies :
Request.Officer :
Request.DistinguishedName :
Request.RawName :
Request.Country :
Request.Organization :
Request.OrgUnit :
Request.CommonName :
Request.Locality :
Request.State :
Request.Title :
Request.GivenName :
Request.Initials :
Request.SurName :
Request.DomainComponent :
Request.EMail :
Request.StreetAddress :
Request.UnstructuredName :
Request.UnstructuredAddress :
Request.DeviceSerialNumber :
Request.AttestationChallenge :
Request.EndorsementKeyHash :
Request.EndorsementCertificateHash :
RequestID :
RawCertificate :

CertificateHash :
CertificateTemplate :
EnrollmentFlags :
GeneralFlags :
PrivatekeyFlags :
SerialNumber :
IssuerNameID :
NotBefore :
NotAfter :
SubjectKeyIdentifier :
RawPublicKey :

PublicKeyLength :
PublicKeyAlgorithm :
RawPublicKeyAlgorithmParameters :

PublishExpiredCertInCRL :
UPN :
DistinguishedName :
RawName :

Country :
Organization :
OrgUnit :
CommonName :
Locality :
State :
Title :
GivenName :
Initials :
SurName :
DomainComponent :
EMail :
StreetAddress :
UnstructuredName :
UnstructuredAddress :
DeviceSerialNumber :
RowId :
ConfigString :
Table :
Coordinator
Mar 10, 2015 at 7:23 PM
Can you show where you see SAN value in the ADCS console?
Mar 10, 2015 at 8:27 PM
It's not allowing me to attach the screenshot. However, on a certificate that has SANs, double-click to view the certificate, then go to the Details tab, and then I show extensions. Under extensions I see Subject Alternative Name under the Field column.

Thanks
Coordinator
Mar 11, 2015 at 10:20 AM
Extensions are stored in a different table, so you will need to use a slightly different approach:

```powershell
# retrieve the extensions associated with the request in the CA database,
# keeping only the Subject Alternative Name extension (OID 2.5.29.17)
$e = Get-CertificationAuthority -ComputerName "xxx" | Get-DatabaseRow -Table Extension -RowID xx | ?{$_.ExtensionName -eq "2.5.29.17"}
# the raw extension value is stored base64-encoded; wrap the decoded DER in an AsnEncodedData object
$asn = New-Object System.Security.Cryptography.AsnEncodedData @(,([Convert]::FromBase64String($e.ExtensionRawValue)))
# decode it with the PSPKI SAN extension class; the second argument is the Critical flag (0 = not critical)
$ext = New-Object System.Security.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $asn,0
```
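The approach above, carried through to the expiry report the original poster described, as an added example that is not from the thread or from the PSPKI project. It assumes PSPKI is loaded, that Get-IssuedRequest -Filter accepts the "NotAfter -le <date>" syntax, and that the Extension table lookup by -RowID works as in the answer above; the CA host name is a placeholder.

```powershell
# Added example: list each certificate expiring within $Days together with its
# decoded SAN entries, using the Extension-table lookup shown in the answer above.
param(
    [string]$CAName = 'ca01.corp.example',   # placeholder, replace with your issuing CA host
    [int]$Days = 30
)

$ca     = Get-CertificationAuthority -ComputerName $CAName
$cutoff = (Get-Date).AddDays($Days)

function Get-SanNames {
    param($CA, [int]$RequestID)
    # SAN lives in the Extension table, not in the Request view returned by Get-IssuedRequest
    $row = $CA | Get-DatabaseRow -Table Extension -RowID $RequestID |
        Where-Object { $_.ExtensionName -eq '2.5.29.17' }
    if (-not $row) { return @() }   # certificate has no SAN extension

    $der = [Convert]::FromBase64String($row.ExtensionRawValue)
    $asn = New-Object System.Security.Cryptography.AsnEncodedData @(,$der)
    $ext = New-Object System.Security.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $asn, $false

    # Format($true) renders one entry per line, e.g. "DNS Name=host.example";
    # splitting on newlines (not commas) keeps entries such as directory names intact
    $ext.Format($true) -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# Get-IssuedRequest already excludes revoked and pending requests
$report = $ca | Get-IssuedRequest -Filter "NotAfter -le $cutoff" | ForEach-Object {
    [pscustomobject]@{
        RequestID  = $_.RequestID
        CommonName = $_.CommonName
        NotAfter   = $_.NotAfter
        SANs       = (Get-SanNames -CA $ca -RequestID $_.RequestID) -join '; '
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize
```

The $report objects can be piped into Send-MailMessage or ConvertTo-Html to build the notification email.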
Mar 17, 2015 at 2:41 PM
Camelot,

Sorry for the slow response.

I greatly appreciate your help and that worked like a champ! Due to your assistance, I will be able to report SANs in the email report of expiring certificates.

Thanks!