certutil – Generate a Certificate Template to OID Hashtable

To use certutil to list the certificates issued from a specific certificate template, as shown below, you have to know the template's OID.

certutil -view -restrict 'Certificate Template=<certificate_template_OID>'

The following PowerShell script returns a hashtable with the template name as the key and the OID as the value for each template found either in Active Directory (-adtemplate switch) or on the local Certification Authority (CA) (-catemplates switch).

# Prepare variables
$certutil = "$($env:SystemRoot)\system32\certutil.exe"
$templateHash = @{}
$currentTemplateName = $false

# Run certutil with the call operator (no Invoke-Expression needed), keep only the
# displayname and msPKI-Cert-Template-OID lines and walk through them in a loop
& $certutil -adtemplate -v | Select-String displayname, msPKI-Cert-Template-OID | ForEach-Object {

    # Work on the matched line as a trimmed string
    $line = $_.Line.Trim()

    # Check if the template name variable is set and the current value is an OID
    if ($currentTemplateName -ne $false -and $line -match 'msPKI-Cert-Template-OID') {

        # Keep only the dotted-decimal value that follows " = "
        $oid = $line -replace '([\w-]*)\s=\s([\d.]*)(.*)', '$2'
        # Index assignment, unlike Add(), does not throw if two templates share a display name
        $templateHash[$currentTemplateName] = $oid
        $currentTemplateName = $false
    }

    # Check if the current value is a template name
    elseif ($line -match 'displayname') {

        $currentTemplateName = $line -replace 'displayname = ', ''
    }
}

# Print hashtable
$templateHash | Format-List
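
The hashtable can then feed the certutil -view query from the top of the page. The following is an added example, not part of the original script: the function name Get-IssuedCertificateByTemplate, the column list and the sample template name 'Web Server' are assumptions, and it assumes it is run on the CA itself after the script above has filled $templateHash.

```powershell
# Added example: look up a template's OID in $templateHash and list the
# certificates the local CA issued from it.
# Get-IssuedCertificateByTemplate is a hypothetical helper name.
function Get-IssuedCertificateByTemplate {
    param(
        [Parameter(Mandatory)] [hashtable] $TemplateHash,
        [Parameter(Mandatory)] [string]    $TemplateName,
        # Assumption: CA database columns chosen for this example
        [string[]] $Columns = @('RequestID', 'Request.RequesterName',
                                'CommonName', 'SerialNumber', 'NotAfter')
    )

    $certutil = Join-Path $env:SystemRoot 'system32\certutil.exe'

    if (-not $TemplateHash.ContainsKey($TemplateName)) {
        throw "No template named '$TemplateName' in the hashtable."
    }

    # Only hand a well-formed dotted-decimal OID on to certutil
    $oid = "$($TemplateHash[$TemplateName])".Trim()
    if ($oid -notmatch '^\d+(\.\d+)+$') {
        throw "Value stored for '$TemplateName' is not an OID: '$oid'"
    }

    # Same restriction as the one-liner at the top of the page; the trailing
    # "csv" argument makes certutil emit comma-separated rows with a header
    $rows = & $certutil -view -restrict "Certificate Template=$oid" `
                        -out ($Columns -join ',') csv

    if ($LASTEXITCODE -ne 0) {
        throw "certutil exited with code $LASTEXITCODE"
    }

    # Turn the CSV text into objects that can be filtered and sorted
    $rows | ConvertFrom-Csv
}

# 'Web Server' is a sample display name; use any key present in $templateHash
Get-IssuedCertificateByTemplate -TemplateHash $templateHash -TemplateName 'Web Server' |
    Format-Table -AutoSize
```

For version 1 templates the CA database stores the template name rather than an OID in this column, so an OID restriction returns no rows for them.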
