0

我知道我们可以在 PowerShell 中做到这一点。

(Get-ChildItem Cert:\Currentuser\My\ | Select -Property SignatureAlgorithm -ExpandProperty SignatureAlgorithm).FriendlyName

结果:

sha256RSA
sha256RSA

参考.. https://blogs.technet.microsoft.com/poshchap/2017/10/20/one-liner-get-signing-algorithm-for-personal-store-certificates/

但是,公司不允许我们在现场运行 PowerShell。

我可以运行以下命令并为中间存储和根存储安装证书。

certutil -store CA
certutil -store Root

并且,这些会产生结果。但是,当查看: Cert Hash(sha1): 它只显示 SHA1 而没有 SHA256?

样本结果条目之一:

Serial Number: removed
Issuer: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
 NotBefore: 10/22/2014 1:05 PM
 NotAfter: 10/23/2024 3:33 AM
Subject: CN=Entrust Certification Authority - L1K, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
Non-root Certificate
Cert Hash(sha1): removed

最终,我想通过像 VeriSign 这样的公司进行查询。

感谢您的任何见解。

来自@JosefZ,我很欣赏给出的见解:好的..我认为我已经完成了大部分工作,但是我从其他证书提供者那里获得了额外的信息。

该脚本目前是:

@echo off
echo personal
certutil -v -user -store "MY"|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Intermediate
certutil -v -store CA|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Root
certutil -v -store Root|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"

而且,结果是 - 请注意此处的额外证书:

X509 Certificate:
Serial Number: <removed>
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>

而且,应该只显示 VeriSign:

X509 Certificate:
Serial Number: <removed>
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    O=VeriSign, Inc.
    O=VeriSign, Inc.
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>

注意:VeriSign(或 Entrust 等其他供应商)是我们希望看到的唯一证书。

第三部分,我们现在看到 - 我们是如此接近:这有效并展示了每个 VeriSign..

for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign"') do echo %%g

这显示了每个证书序列号..

for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do echo %%g

我们需要类似的东西:

for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign Serial.Number"') do echo %%g

在伪代码中: 对于每个 VeriSign 证书,获取序列号,以便我们可以评估 sha 级别。

感谢(注 - 第六次回复)的帖子:有多少证书? https://social.technet.microsoft.com/Forums/en-US/3314021d-ad2a-4748-a93a-69e213845195/certutil-command-line-to-delete-local-personal-certificates?forum=w7itprosecurity

这可行,但想将其缩减为仅显示 VeriSign 证书:

for /f "tokens=1,2 delims=:" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do (certutil -v -store Root "%%h" | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")

查看最终脚本,但输出有点奇怪:

for %a in (CA Root AuthRoot) do (
for /f "tokens=1,2 delims=:" %g in ('certutil.exe -v -store %a^|findstr "Serial.Number"') do (
certutil.exe -v -store %a "%h" | echo %a & findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")
)
4

1 回答 1

1

以下53092715.bat脚本返回所需的序列号,请参阅命令中的_NextCert变量echo %_Issuer%: %_user% -store "%~1" !_NextCert!

用法:53092715.bat option [Issuer]哪里

  • option(可选,默认为"";如果存在参数,则为强制Issuer;然后使用 eg "");
  • Issuer(可选,默认为"Verisign");不能包含=(等号);可能不包含空格(这些限制可以通过一些努力消除)。

使用示例:

  • 53092715.bat      查询HKEY_LOCAL_MACHINE密钥或证书存储
  • 53092715.bat -gp  查询组策略证书存储
  • 53092715.bat -user查询HKEY_CURRENT_USER密钥或证书存储
  • 53092715.bat "" Apple
  • 53092715.bat -user Thawte

剧本:

@ECHO OFF
SETLOCAL EnableExtensions EnableDelayedExpansion
if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"
if /I "%~1"=="" (set "_user=") else set "_user=%~1"
call :findCertSN "Root"
call :findCertSN "AuthRoot"
call :findCertSN "CA"
rem call :findCertSN "My"
ENDLOCAL
goto :eof

:findCertSN
set "_NextCert="
for /F "delims=" %%G in ('
    certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (
    set "_Line=%%G"
    if "!_Line:~0,14!"=="Serial Number:" (
      set "_NextCert=!_Line:~15!"
    ) else (
      if "!_Line:~0,7!"=="Issuer:" (
        set "_Line=!_Line:~8!"
        set "_NextIssuer="
        for %%g in (!_line!) do ( 
          set "_Elin=%%g"
          set "_Part=!_Elin:%_Issuer%=!"
          if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"
        )
        if defined _NextCert if defined _NextIssuer (
            echo %_Issuer%: %_user% -store "%~1" !_NextCert!
            set "_NextCert="
        )
      )
    )
  ) 
goto :eof
于 2018-11-21T01:43:33.140 回答