Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.
Original URL:
Post name: How to determine all certificates that will expire within 30 days
Original author: MS2065 [MSFT]
Posting date: 2008-04-24T07:46:00+00:00

Woudn't it be interesting for the CA admin to know which certificates are expiring in the near future? If autoenrollment is not eanbled, certificate users should be informed in advance before they actually loose functionality.

A simple certutil command enables the CA admin to generate a list with all expiring certificates:

certutil –view –restrict "NotAfter<=May 5,2008 08:00AM,NotAfter>=April 24,2008 08:00AM" –out "RequestID,RequesterName"

Since I mentioned autoenrollment above, here is a trick how to determine if a certificate was enrolled manually or with autoenrollment.

certutil –view -v -out rawrequest | findstr Process

The above command can certainly be extended with the -restrict parameter to reduce the amount of output producted by the query.

The name of the task performing autoenrollment differs for different OS releases and possible for machine and user contexts. Manually requested certificates may show a process name like certreq or cscript.

To learn more how to notify users of certificate expiration, see

Share this article:


Comments are closed.