In order to use certutil to list the certificates issued from a specific certificate template, as shown below, you have to know the template's OID.

```powershell
certutil -view -restrict 'Certificate Template=<certificate_template_OID>'
```
The following PowerShell script returns a hashtable with the template name as the key and the OID as the value for each template found either in Active Directory (-adtemplate switch) or on the local Certification Authority (CA) (-catemplates switch).
```powershell
# Prepare variables
$certutil = "$($env:SystemRoot)\system32\certutil.exe"
$templateHash = @{}
$currentTemplateName = $false

# Get certutil stdout, select the displayName and msPKI-Cert-Template-OID lines and walk through them in a loop
# (use -catemplates instead of -adtemplate to read the templates published on the local CA)
& $certutil -adtemplate -v | Select-String displayname, msPKI-Cert-Template-OID | ForEach-Object {
    # Check if the template name variable is set and the current line is an OID
    if ($currentTemplateName -ne $false -and $_ -match 'msPKI-Cert-Template-OID') {
        # Keep only the dotted OID (capture group 2) and drop the surrounding whitespace
        $oid = ($_ -replace '([\w|-]*)\s=\s([\d|.]*)(.*)', '$2').Trim()
        $templateHash.Add($currentTemplateName, $oid)
        $currentTemplateName = $false
    }
    # Check if the current line is a template name
    elseif ($_ -match 'displayname') {
        $currentTemplateName = ($_ -replace 'displayname = ', '').Trim()
    }
}

# Print hashtable
$templateHash | Format-List
```
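As an added example (not the original post's script), the same parsing wrapped in a function that can be checked offline against constructed certutil output, with a lookup helper that covers both the -adtemplate and -catemplates sources mentioned above and builds the certutil -view -restrict command for a template name. The function names and the sample OIDs below are invented for illustration; only the 1.3.6.1.4.1.311.21.8 prefix is the real Microsoft template OID arc.

```powershell
# Added example: parse "displayName = ..." / "msPKI-Cert-Template-OID = ..." pairs into a hashtable
function ConvertFrom-CertutilTemplateOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    $hash = @{}
    $name = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*displayName\s*=\s*(.+?)\s*$') {
            $name = $Matches[1]
        }
        # Only accept an OID once a template name has been seen, so stray lines are ignored
        elseif ($name -and $line -match '^\s*msPKI-Cert-Template-OID\s*=\s*([\d.]+)') {
            $hash[$name] = $Matches[1]
            $name = $null
        }
    }
    return $hash
}

# Added helper (hypothetical name): resolve a template display name to its OID from AD or the local CA
function Get-CertTemplateOid {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [ValidateSet('AD', 'CA')][string]$Source = 'AD'
    )
    $switch = if ($Source -eq 'AD') { '-adtemplate' } else { '-catemplates' }
    $lines = & "$env:SystemRoot\system32\certutil.exe" $switch -v
    $hash = ConvertFrom-CertutilTemplateOutput -Lines $lines
    if (-not $hash.ContainsKey($TemplateName)) {
        throw "Template '$TemplateName' not found in certutil $switch output"
    }
    return $hash[$TemplateName]
}

# Offline check against constructed output in the shape of certutil -adtemplate -v
$sample = @'
  displayName = User
  msPKI-Cert-Template-OID = 1.3.6.1.4.1.311.21.8.1111111.2222222.3333333.4444444.5555555.66.1.1
  displayName = Web Server
  msPKI-Cert-Template-OID = 1.3.6.1.4.1.311.21.8.1111111.2222222.3333333.4444444.5555555.66.1.16
'@ -split "`r?`n"

$map = ConvertFrom-CertutilTemplateOutput -Lines $sample
$oid = $map['Web Server']
# The command from the top of the post, with the resolved OID filled in
"certutil -view -restrict `"Certificate Template=$oid`""
```

On a CA, replace the constructed $sample with `Get-CertTemplateOid -TemplateName 'Web Server' -Source CA` to resolve the OID from live certutil output.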