查询 SHA1 / SHA2 / SHA256 证书
Query Certificates for SHA1 / SHA2 / SHA256
我知道我们可以在 PowerShell 中做到这一点。
(Get-ChildItem Cert:\Currentuser\My\ | Select -Property SignatureAlgorithm -ExpandProperty SignatureAlgorithm).FriendlyName
结果:
sha256RSA
sha256RSA
但是,公司不允许我们在现场使用 运行 PowerShell。
我可以 运行 以下内容并为中间存储和根存储安装证书。
certutil -store CA
certutil -store Root
而且,这些产生了结果。
但是,在查看时:
证书哈希(sha1):
它只显示 SHA1 而没有 SHA256?
条目之一的示例结果:
Serial Number: removed
Issuer: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
NotBefore: 10/22/2014 1:05 PM
NotAfter: 10/23/2024 3:33 AM
Subject: CN=Entrust Certification Authority - L1K, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
Non-root Certificate
Cert Hash(sha1): removed
最后我想按VeriSign这样的公司查询
感谢您的任何见解。
感谢@JosefZ 提供的见解:
好的..我想我已经完成了大部分工作,但我正在从其他证书提供商那里获得额外信息。
脚本当前为:
@echo off
echo personal
certutil -v -user -store "MY"|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Intermediate
certutil -v -store CA|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Root
certutil -v -store Root|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
而且,结果是 - 请注意此处的额外证书:
X509 Certificate:
Serial Number: <removed>
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>
而且,应该只显示 VeriSign:
X509 Certificate:
Serial Number: <removed>
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
O=VeriSign, Inc.
O=VeriSign, Inc.
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>
注意:VeriSign(或其他供应商,如 Entrust)是我们希望看到的唯一证书。
第三部分,我们现在看到了 - 我们是如此接近:
这有效并显示每个 VeriSign..
for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign"') do echo %%g
这显示每个证书序列号..
for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do echo %%g
我们需要这样的东西:
for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign Serial.Number"') do echo %%g
在伪代码中:
对于每个 VeriSign 证书,获取序列号,以便我们评估 sha 级别。
感谢 post 在(注意 - 第六次回复):
多少证书?
https://social.technet.microsoft.com/Forums/en-US/3314021d-ad2a-4748-a93a-69e213845195/certutil-command-line-to-delete-local-personal-certificates?forum=w7itprosecurity
这有效,但想要 trim 它只显示 VeriSign 证书:
for /f "tokens=1,2 delims=:" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do (certutil -v -store Root "%%h" | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")
查看最终脚本,但是输出有点奇怪:
for %a in (CA Root AuthRoot) do (
for /f "tokens=1,2 delims=:" %g in ('certutil.exe -v -store %a^|findstr "Serial.Number"') do (
certutil.exe -v -store %a "%h" | echo %a & findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")
)
以下 53092715.bat 脚本 returns 所需的序列号,请参阅 echo %_Issuer%: %_user% -store "%~1" !_NextCert! 命令中的 _NextCert 变量。
用法:53092715.bat option [Issuer] 其中
option(可选,默认为 "";如果存在 Issuer 参数则为必填项;然后使用例如 "");Issuer(可选,默认为"Verisign"); 不能包含=(等号);可能不包含 space(这些 限制可以通过一些努力消除 )。
使用示例:
53092715.bat 查询 HKEY_LOCAL_MACHINE 密钥或证书存储53092715.bat -gp 查询组策略证书存储53092715.bat -user 查询 HKEY_CURRENT_USER 密钥或证书存储53092715.bat "" Apple53092715.bat -user Thawte
脚本:
@ECHO OFF
SETLOCAL EnableExtensions EnableDelayedExpansion
if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"
if /I "%~1"=="" (set "_user=") else set "_user=%~1"
call :findCertSN "Root"
call :findCertSN "AuthRoot"
call :findCertSN "CA"
rem call :findCertSN "My"
ENDLOCAL
goto :eof
:findCertSN
set "_NextCert="
for /F "delims=" %%G in ('
certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (
set "_Line=%%G"
if "!_Line:~0,14!"=="Serial Number:" (
set "_NextCert=!_Line:~15!"
) else (
if "!_Line:~0,7!"=="Issuer:" (
set "_Line=!_Line:~8!"
set "_NextIssuer="
for %%g in (!_line!) do (
set "_Elin=%%g"
set "_Part=!_Elin:%_Issuer%=!"
if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"
)
if defined _NextCert if defined _NextIssuer (
echo %_Issuer%: %_user% -store "%~1" !_NextCert!
set "_NextCert="
)
)
)
)
goto :eof
我知道我们可以在 PowerShell 中做到这一点。
(Get-ChildItem Cert:\Currentuser\My\ | Select -Property SignatureAlgorithm -ExpandProperty SignatureAlgorithm).FriendlyName
结果:
sha256RSA
sha256RSA
但是,公司不允许我们在现场使用 运行 PowerShell。
我可以 运行 以下内容并为中间存储和根存储安装证书。
certutil -store CA
certutil -store Root
而且,这些产生了结果。 但是,在查看时: 证书哈希(sha1): 它只显示 SHA1 而没有 SHA256?
条目之一的示例结果:
Serial Number: removed
Issuer: CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
NotBefore: 10/22/2014 1:05 PM
NotAfter: 10/23/2024 3:33 AM
Subject: CN=Entrust Certification Authority - L1K, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
Non-root Certificate
Cert Hash(sha1): removed
最后我想按VeriSign这样的公司查询
感谢您的任何见解。
感谢@JosefZ 提供的见解: 好的..我想我已经完成了大部分工作,但我正在从其他证书提供商那里获得额外信息。
脚本当前为:
@echo off
echo personal
certutil -v -user -store "MY"|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Intermediate
certutil -v -store CA|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
echo Root
certutil -v -store Root|findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: O=VeriSign"
而且,结果是 - 请注意此处的额外证书:
X509 Certificate:
Serial Number: <removed>
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>
而且,应该只显示 VeriSign:
X509 Certificate:
Serial Number: <removed>
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
O=VeriSign, Inc.
O=VeriSign, Inc.
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Cert Hash(md5): <removed>
Cert Hash(sha1): <removed>
注意:VeriSign(或其他供应商,如 Entrust)是我们希望看到的唯一证书。
第三部分,我们现在看到了 - 我们是如此接近: 这有效并显示每个 VeriSign..
for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign"') do echo %%g
这显示每个证书序列号..
for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do echo %%g
我们需要这样的东西:
for /f "delims=" %%g in ('certutil.exe -v -store Root^|findstr "OU=VeriSign Serial.Number"') do echo %%g
在伪代码中: 对于每个 VeriSign 证书,获取序列号,以便我们评估 sha 级别。
感谢 post 在(注意 - 第六次回复): 多少证书? https://social.technet.microsoft.com/Forums/en-US/3314021d-ad2a-4748-a93a-69e213845195/certutil-command-line-to-delete-local-personal-certificates?forum=w7itprosecurity
这有效,但想要 trim 它只显示 VeriSign 证书:
for /f "tokens=1,2 delims=:" %%g in ('certutil.exe -v -store Root^|findstr "Serial.Number"') do (certutil -v -store Root "%%h" | findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")
查看最终脚本,但是输出有点奇怪:
for %a in (CA Root AuthRoot) do (
for /f "tokens=1,2 delims=:" %g in ('certutil.exe -v -store %a^|findstr "Serial.Number"') do (
certutil.exe -v -store %a "%h" | echo %a & findstr "Serial.Number Algorithm.ObjectId Cert.Hash( X509.Certificate: NotBefore NotAfter OU= CN=")
)
以下 53092715.bat 脚本 returns 所需的序列号,请参阅 echo %_Issuer%: %_user% -store "%~1" !_NextCert! 命令中的 _NextCert 变量。
用法:53092715.bat option [Issuer] 其中
option(可选,默认为"";如果存在Issuer参数则为必填项;然后使用例如"");Issuer(可选,默认为"Verisign"); 不能包含=(等号);可能不包含 space(这些 限制可以通过一些努力消除 )。
使用示例:
53092715.bat查询HKEY_LOCAL_MACHINE密钥或证书存储53092715.bat -gp查询组策略证书存储53092715.bat -user查询HKEY_CURRENT_USER密钥或证书存储53092715.bat "" Apple53092715.bat -user Thawte
脚本:
@ECHO OFF
SETLOCAL EnableExtensions EnableDelayedExpansion
if "%~2"=="" (set "_Issuer=VeriSign") else set "_Issuer=%~2"
if /I "%~1"=="" (set "_user=") else set "_user=%~1"
call :findCertSN "Root"
call :findCertSN "AuthRoot"
call :findCertSN "CA"
rem call :findCertSN "My"
ENDLOCAL
goto :eof
:findCertSN
set "_NextCert="
for /F "delims=" %%G in ('
certutil %_user% -store "%~1"^|findstr "^Serial.Number: ^Issuer:"') do (
set "_Line=%%G"
if "!_Line:~0,14!"=="Serial Number:" (
set "_NextCert=!_Line:~15!"
) else (
if "!_Line:~0,7!"=="Issuer:" (
set "_Line=!_Line:~8!"
set "_NextIssuer="
for %%g in (!_line!) do (
set "_Elin=%%g"
set "_Part=!_Elin:%_Issuer%=!"
if not "!_Part!"=="!_Elin!" set "_NextIssuer=Match"
)
if defined _NextCert if defined _NextIssuer (
echo %_Issuer%: %_user% -store "%~1" !_NextCert!
set "_NextCert="
)
)
)
)
goto :eof