

More options with Re-Revocation solution

 

Controlling the date

In the previous post I showed how we can re-revoke all certificates that were revoked after a certain date. That solution generated a certutil.exe command with a hardcoded date. To automate it, we need to generate the date dynamically.

 

The following script creates the input file containing the serial numbers of certificates revoked in the last 24 hours.

 

sInFile = "cert-SN-in.txt"
sOutBatchFile = "serialnumbers.cmd"

const ForReading = 1, ForWriting = 2, ForAppending = 8, SUCCESS = 1, FAILURE = 0

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_LocalTime")

set oFSO = wscript.createobject("scripting.filesystemobject")
set oOutFile = oFSO.CreateTextFile(sOutBatchFile,ForWriting,False)

For Each objItem in colItems
    ' Build yesterday's date from the WMI local time. Subtracting 1 from the
    ' Day field alone gives day 0 on the first of a month, so go through a
    ' real Date value and let VBScript handle month and year rollover.
    PriorDate = DateSerial(objItem.Year, objItem.Month, objItem.Day) - 1
    ' certutil parses the date in the CA's locale format; M/D/YYYY is used here.
    oOutFile.WriteLine("certutil -view -restrict " & """" & "RevokedWhen>=" & Month(PriorDate) & "/" & Day(PriorDate) & "/" & Year(PriorDate) & """" & " -out SerialNumber > " & sInFile)
Next

oOutFile.Close
Set oShell = WScript.CreateObject("WScript.Shell")
' Run the generated batch file and wait for it to finish, so the serial
' number file is complete before the re-revocation step reads it.
oShell.Run sOutBatchFile, 1, True

 

 

Controlling Re-Revocation by reason code

 

So far the solution re-revokes all revoked certificates. This behavior might be undesirable: we might want to leave certificates revoked with reason code "On Hold" untouched, so that we can un-revoke them later.

 

Fortunately, certutil.exe is flexible enough to filter on the revocation reason as well.

 

The following command creates an output file with the serial numbers of revoked certificates whose reason code is "unspecified":

 

certutil -view -restrict "Revocation Reason=0x0" -out SerialNumber > cert-SN-in.txt
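The two pieces above (a dynamic date and a reason-code filter) can be combined in a single certutil restriction, since the restriction list passed to -restrict is comma separated and the conditions are ANDed. The following PowerShell is an added example written for this page; it is not the original post's script and not part of certutil. It assumes certutil.exe is on the PATH of the CA (or a machine with -config access), that the CA accepts M/D/YYYY dates as the post's command does, and that certutil's "-out SerialNumber" listing prints one line of the form `  Serial Number: "..."` per row, which the parser relies on. The function names, the $CrlReason table and the sample listing are this example's own; the reason-code values are the CRLReason codes from RFC 5280.

```powershell
# Added example (not from the original post): build a certutil -view restriction
# from a dynamic date plus an optional CRL reason code, then extract the serial
# numbers from certutil's "-out SerialNumber" listing.

# CRLReason values from RFC 5280 section 5.3.1 (value 7 is unassigned).
$CrlReason = @{
    Unspecified          = 0
    KeyCompromise        = 1
    CACompromise         = 2
    AffiliationChanged   = 3
    Superseded           = 4
    CessationOfOperation = 5
    CertificateHold      = 6   # "On Hold" in the CA console; still un-revocable
    RemoveFromCRL        = 8
}

function Get-RevokedWhenRestriction {
    param(
        [Parameter(Mandatory)][datetime] $Since,
        [int] $Reason = -1          # -1 = do not filter on reason code
    )
    # certutil parses the date in the CA's locale; the post used M/D/YYYY.
    # The invariant culture keeps the string stable whatever the caller's
    # regional settings are (assumes the CA expects US-style dates).
    $stamp = $Since.ToString('M/d/yyyy', [cultureinfo]::InvariantCulture)
    $parts = @("RevokedWhen>=$stamp")
    if ($Reason -ge 0) {
        $parts += ('Revocation Reason=0x{0:X}' -f $Reason)
    }
    # Conditions in one -restrict argument are comma separated and ANDed.
    return ($parts -join ',')
}

function Get-RevokedSerialNumbers {
    param([string[]] $CertutilOutput)
    # Assumed listing shape: one '  Serial Number: "<hex>"' line per row.
    foreach ($line in $CertutilOutput) {
        if ($line -match '^\s*Serial Number:\s*"([0-9A-Fa-f]+)"') { $Matches[1] }
    }
}

# Yesterday, computed by the runtime so month and year roll over correctly
# (a plain Day - 1 would yield day 0 on the first of a month).
$since = (Get-Date).Date.AddDays(-1)

# Only certificates revoked with reason "unspecified" in the last day are
# selected; anything placed "On Hold" (reason 6) is left alone.
$restrict = Get-RevokedWhenRestriction -Since $since -Reason $CrlReason.Unspecified
Write-Host "certutil -view -restrict `"$restrict`" -out SerialNumber"

# Constructed sample of the listing shape the parser expects (not real CA output).
$sample = @(
    'Row 1:',
    '  Serial Number: "1a00000002f3c8d9e5a1b2c3d400000000002f"',
    'Row 2:',
    '  Serial Number: "1a00000003aabbccddeeff00112233445566aa"',
    '',
    '2 Rows'
)
Get-RevokedSerialNumbers -CertutilOutput $sample

# Live run on a CA: write the plain serial-number file the re-revocation step reads.
if (Get-Command certutil.exe -ErrorAction SilentlyContinue) {
    $raw = & certutil.exe -view -restrict $restrict -out SerialNumber
    Get-RevokedSerialNumbers -CertutilOutput $raw | Set-Content -Path 'cert-SN-in.txt'
}
```

Because the reason code is a parameter, the same function produces the post's date-only restriction when -Reason is omitted, or a restriction on any other CRLReason value; the serial-number file it writes has the same role as cert-SN-in.txt in the VBScript above.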