Friday, December 07, 2012 10:54 PM
I'm playing around with a small ADCS lab setup which consists of 2 virtual machines. One is a Windows 2008 R2 Standard Edition which hosts the PKI and is also domain controller for a local domain called "vm.net" (NetBIOS "VM"). The other is a Windows XP SP3 machine which is joined to the VM domain. Their respective hostnames are W2008R201 and WXP3IE6.
The PKI machine received 3 certificate requests for computer-level certificate autoenrollment of (a derivative of) the "Workstation" v2003 template. Two of them were unsuccessful because I had not yet set the CRLF_REVCHECK_IGNORE_OFFLINE flag on the PKI machine at that time, and "the revocation function" complained. Once I did that, the third request succeeded, and the issued certificate was successfully installed in the computer-level "Personal" certificate store of the XP3 machine along with its private key.
In the PKI certificate database, I thus have two failed requests and one succeeded request for the requestor "VM\WXP3IE6$" -- the computer account name of the XP3 machine. There are also several certificates in the database issued to other (older) virtual machines, and hence correspondingly requested by other accounts. There are no revoked certificates or pending requests.
With certutil -view, I can successfully query the CA DB for all requests from the XP3 machine as such:
certutil -config "W2008R201.vm.net\CA" -restrict "Request.RequesterName = VM\WXP3IE6$" -out CommonName,SerialNumber,Request.RequesterName -view
This works fine, no issues -- I get all three certificates, as expected.
However, I would've expected the following command to show me only the failed requests for this requester:
certutil -config "W2008R201.vm.net\CA" -restrict "Request.RequesterName = VM\WXP3IE6$" -out CommonName,SerialNumber,Request.RequesterName -view LogFail
(Observe the extra table name at the end). Despite the fact that I know for certain that only two of them have failed, I still get all three certificates in the results. It apparently did not limit the query to only the failed requests table as indicated by the documentation. In fact, I can do this with the Revoked table as well and still get all three certificates, even though there are no revoked certificates at all in my database:
certutil -config "W2008R201.vm.net\CA" -restrict "Request.RequesterName = VM\WXP3IE6$" -out CommonName,SerialNumber,Request.RequesterName -view Revoked
Once I leave out the -restrict parameter though, the results are properly limited to only the specified table names again. This is borderline useless however, as I am no longer able to filter them.
I verified this behaviour with on both the W2008 machine (using the certutil version that comes with ADCS), as well as on the WinXP machine (using the certutil that's included in the Windows Server 2003 Administration Tools Pack).
Is this intended behaviour? If so, please explain the rationale, and if not, please confirm that you can reproduce? Is there a way to work around this?
Wednesday, December 12, 2012 2:56 AMModeratorHi,
Thanks for posting in Microsoft TechNet forums.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.
Wednesday, December 12, 2012 1:44 PM
I think you can change the -restrict syntax for a try. Run the command below again:
certutil -config "W2008R201.vm.net\CA" -restrict "RequesterName=WXP3IE6$" -out CommonName,SerialNumber,RequesterName -view LogFail
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
- Marked As Answer by K_evin ZhuMicrosoft Contingent Staff, Moderator Friday, December 21, 2012 4:37 AM