This command requires Remote Server Administration Tools (RSAT) to be installed.

Get-IssuedRequest

Synopsis

Retrieves issued certificate requests from Certification Authority (CA) database.

Syntax

Get-IssuedRequest [-CertificationAuthority] <CertificateAuthority[]> [[-RequestID] <Int32[]>] [[-Page] <Int32>] [[-PageSize] <Int32>] [[-Property] <String[]>] [[-Filter] <String[]>] [<CommonParameters>]

Description

Retrieves issued certificate requests from Certification Authority (CA) database. Issued certificate requests contain only valid and unrevoked issued certificates.

Since a CA server may contain many issued certificates, you can narrow the output by using the 'RequestID' or 'Filter' parameters.

Parameters

-CertificationAuthority <CertificateAuthority[]>

Specifies the Certification Authority to process. This object can be retrieved by running the Get-CertificationAuthority command.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-RequestID <Int32[]>

Use this parameter if you know the desired request ID or IDs. You may specify more than one ID, and the command will return only issued requests with matching IDs.

If this parameter is used, 'Filter' parameter is ignored.

Required? False
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Property <String[]>

By default, the command returns only common certificate request properties (database columns). Use this parameter to show additional properties if necessary. The list of possible properties depends on the CA server operating system version. To retrieve the list of valid properties, run the Get-CASchema command.

To display all properties for output objects, set this parameter to an asterisk '*'. However, retrieving all properties may affect the Certification Authority's performance.

Required? False
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Filter <String[]>

Specifies the query filter that restricts output objects to those that match the filter rule. A filter rule consists of three components: <RequestProperty>, <comparison operator> and <value>, composed in the following format: "<RequestProperty> <comparison operator> <value>", where:
<RequestProperty> - a certificate request property name. To retrieve the list of valid properties, run the Get-CASchema command.
<comparison operator> - the logical operator of the data-query qualifier for the column.
<value> - the data-query qualifier applied to the certificate request property.

Possible operators are:
-eq (equal to) - the value in the <value> field is equal to a value stored in the certificate request property.
-le (less or equal to) - the value in the <value> field is less or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers.
-lt (less than) - the value in the <value> field is less than a value stored in the certificate request property. See below about operator behavior with string qualifiers.
-ge (greater or equal to) - the value in the <value> field is greater or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers.
-gt (greater than) - the value in the <value> field is greater than a value stored in the certificate request property. See below about operator behavior with string qualifiers.

Special rules apply to the '-ge', '-gt', '-le' and '-lt' operators when they are used with string qualifiers. In this case, the CA server performs a binary comparison between the strings (column value and qualifier value). For example, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB", "ABC" is less than "BRC".
If the column value is longer than the qualifier string, a wildcard is virtually added to the query qualifier value. For example, if the column value is "a large string" and the qualifier value is "a large", then the column value is greater than the qualifier value. In other words, "AA" > "A" and "A" < "AA".

An example of the filter: Request.RequesterName -eq domain\username
This filter returns requests that were requested by the 'domain\username' user account. See the Examples section for more filter examples.

You can specify multiple filters. All filters are applied to requests with logical AND operator. This means that output requests must match all filters.

Note: wildcard characters are not supported.

Note: if 'RequestID' parameter is specified, all filters are ignored.

Required? False
Position? 5
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Page <Int32>

Specifies the page number to read from the CA database. This parameter is part of the CA database paging functionality and works in conjunction with the 'PageSize' parameter.

Required? False
Position? 2
Default value 1
Accept pipeline input? false
Accept wildcard characters? False

-PageSize <Int32>

Specifies the page size to load from the CA database. This parameter limits the number of database rows returned by this command at once. When not specified, no limits are set and the CA will return all rows associated with the query.

Required? False
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.CertificateAuthority

Outputs

SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow

You can pipe this object to Remove-AdcsDatabaseRow to delete specified objects from CA database.

Notes

Author: Vadims Podans
Blog: https://www.sysadmins.lv

Examples

Example 1

PS C:\> Get-CertificationAuthority -Name MyCA | Get-IssuedRequest -Filter "CertificateTemplate -eq WebServer", "CommonName -eq www.company.com"

Retrieves only requests issued based on 'WebServer' template and which are issued to 'www.company.com' subject.

Example 2

PS C:\> Get-CertificationAuthority -Name MyCA | Get-IssuedRequest -RequestID 4,65,107 -Property "CertificateTemplate", "RawCertificate"

Retrieves issued requests with RequestID equal to 4, 65 and 107. Also this command will add 'CertificateTemplate' and 'RawCertificate' properties. 'RawCertificate' contains issued certificate raw content and you can save it to a .cer file.

Example 3

PS C:\> Get-CertificationAuthority | Get-IssuedRequest -Property "Request.RawRequest" -Filter "UPN -eq someone@company.com"

Retrieves issued requests that contain 'someone@company.com' in the Subject Alternative Names (SAN) extension. Also this command will add the 'Request.RawRequest' property.

Example 4

PS C:\> Get-CertificationAuthority ca01.company.com | Get-IssuedRequest -Filter "NotAfter -ge $(Get-Date)", "NotAfter -le $((Get-Date).AddMonths(2))"

This command will retrieve certificates from the CA hosted on the 'ca01.company.com' server that will expire in the next two months.
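
Added example (not part of the original documentation or the PSPKI project): a certificate-inventory helper that combines the -Filter, -Page and -PageSize behaviour described in the Parameters section. It emulates a prefix match, which wildcards cannot express, with a -ge/-lt pair built on the binary string comparison rules, and reads the result page by page. The function names, the 'www.' prefix, the page size of 500 and the CSV path are assumptions for illustration; it also assumes that database columns are exposed as properties on the returned rows and that a page shorter than PageSize is the last one.

```powershell
# Added example, not PSPKI's own code. Requires the PSPKI module and RSAT.
Import-Module PSPKI

function Get-PrefixRangeFilter {
    # Hypothetical helper: emulates "<Property> starts with <Prefix>" with two
    # range filters, because wildcards are not supported in -Filter.
    param(
        [Parameter(Mandatory)][string]$Property,
        [Parameter(Mandatory)][string]$Prefix
    )
    # Upper bound = prefix with its last character incremented by one,
    # e.g. "www." -> "www/". In a binary comparison every string that begins
    # with the prefix sorts at or after the prefix and before this bound.
    $last = [int]($Prefix[$Prefix.Length - 1])
    if ($last -eq 0xFFFF) { throw "Cannot increment the last character of '$Prefix'." }
    $upper = $Prefix.Substring(0, $Prefix.Length - 1) + [char]($last + 1)
    "$Property -ge $Prefix", "$Property -lt $upper"
}

function Get-ExpiringCertificate {
    # Hypothetical helper: issued certificates whose CommonName starts with a
    # prefix and whose NotAfter falls within the next -Days days.
    param(
        [Parameter(Mandatory)][string]$CAHost,
        [Parameter(Mandatory)][string]$CommonNamePrefix,
        [int]$Days = 60,
        [int]$PageSize = 500
    )
    $ca  = Get-CertificationAuthority $CAHost
    $now = Get-Date
    # All filters are combined with logical AND by Get-IssuedRequest.
    $filter  = @(Get-PrefixRangeFilter -Property CommonName -Prefix $CommonNamePrefix)
    $filter += "NotAfter -ge $now", "NotAfter -le $($now.AddDays($Days))"
    $page = 1
    do {
        # @() keeps .Count reliable when a page holds zero or one row.
        $rows = @($ca | Get-IssuedRequest -Filter $filter -Page $page `
                      -PageSize $PageSize -Property CertificateTemplate)
        $rows | Select-Object RequestID, CommonName, NotAfter, CertificateTemplate
        $page++
    } while ($rows.Count -eq $PageSize)   # assumption: a short page is the last page
}

# Constructed sample values; replace with your own CA host and prefix.
Get-ExpiringCertificate -CAHost ca01.company.com -CommonNamePrefix 'www.' |
    Export-Csv -Path .\expiring-www.csv -NoTypeInformation
```

Requesting only the extra columns you need with -Property, rather than '*', keeps the load on the CA low when the inventory runs on a schedule.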

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-CASchema
Get-RevokedRequest
Get-PendingRequest
Get-FailedRequest
Revoke-Certificate
Remove-AdcsDatabaseRow

Minimum PowerShell version support

  • PowerShell 3.0

Operating System Support

  • Windows Server 2003 all editions
  • Windows Server 2008 all editions
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions


Comments:

Paul T. Ireland 01.02.2019 18:55 (GMT+3) Get-IssuedRequest

How would I pull a list of every issued certificate that is not expired, denied, or revoked?

Vadims Podāns 01.02.2019 18:59 (GMT+3) Get-IssuedRequest

Simple:

Get-CA -comp ca01.example.com | Get-IssuedRequest -Filter "NotAfter -ge $(Get-Date)"

Viktor 08.02.2019 16:06 (GMT+3) Get-IssuedRequest

Could you please help?

Get-CertificationAuthority | Get-Issuedrequest -ID 938,939
Get-RequestRow : Произошла ошибка при перечислении элементов коллекции: Значение не попадает в ожидаемый диапазон..
C:\Program Files\WindowsPowerShell\Modules\PSPKI\3.4.1.0\Server\Get-AdcsDatabaseRow.ps1:79 знак:25
+                         Get-RequestRow `
+                         ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (SysadminsLV.PKI...+<GetView>d__36:<GetView>d__36) [Get-RequestRow], RuntimeException
    + FullyQualifiedErrorId : BadEnumeration,Get-RequestRow

Kurt 29.03.2019 02:19 (GMT+3) Get-IssuedRequest

I'm looking to see the history of processes that requested EFS certificates, and I'd really like to automate it with the PSPKI module.

This is running against a Server 2008 R2 Issuing CA in our domain, and Get-IssuedRequest seems to want a template name of EFS, instead of "basic EFS". I was able to get the list of issued certs with this:

Get-CertificationAuthority -computername certissuer.example.com | Get-IssuedRequest | Where{$_.CertificateTemplate -eq 'EFS'}

but can't seem to get further.

I crafted this command:
     certutil -view -Restrict RequestId=6277 > row6277.txt && certutil row6277.txt > row6277Request.txt
after looking at this article:
https://social.technet.microsoft.com/Forums/Lync/en-US/c33dd6a9-4f90-4c84-a75e-7925354b5d16/trying-to-understand-root-ca-and-basic-efs-certificates?forum=winserversecurity

But that command is pretty manual. Part of the problem is that I don't understand what the 2nd certutil in that command string does, exactly - it's picking up data from the first text file, but I don't know how it's parsing the file to do what it's doing to get the data to output the 2nd text file.

However, that second text file contains the information I want. In the file, 56 lines down, as shown below is a line that starts with Process, like this:

Request Attributes: 5
  5 attributes:

  Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
    Value[0][0]:
        6.3.9600.2

  Attribute[1]: 1.3.6.1.4.1.311.21.20 (Client Information)
    Value[1][0]:
    Unknown Attribute type
    Client Id: = 5
    ClientIdDefaultRequest -- 5
    User: EXAMPLE\AUser
    Machine: US-AUser.example.com
    Process: taskhost.exe

I'd love to get a history of these certificates so that I can see if I can figure out why they're being issued. I've checked a small number of machines manually with the cipher.exe utility (cipher -u -n -h), and come up negative for any EFS encrypted files or directories.

Is there a reasonable way to get the process name as shown above, using PSPKI?

Thanks,

Kurt

Stan 18.04.2019 10:45 (GMT+3) Get-IssuedRequest

Kurt:
$EFSTemplate = <OID of the template>
$certList = Get-IssuedRequest -CertificationAuthority <CA> -Filter "CertificateTemplate -eq $EFSTemplate" -Property *

$certList is an array of certificate information objects. This gets a dump of all information about the certificates.

What you're after is probably Request.RequestAttributes, which provides info on which PC ordered the cert and on whose behalf, then Request.RequesterName to find which user did that. The certificates are issued per user, not per computer.
Hope this helps.

