Share via

PowerShell Script to Retrieve Issued Certificate Details from CA

Anant Bera 251 Reputation points
2025-11-28T12:30:13.69+00:00

Hi Team,

Is there any PowerShell command or script that can retrieve all issued certificate details from the CA, similar to what we see in the Certification Authority console?

I am specifically looking for a PowerShell script (.ps1) that can run from any domain-joined machine, or at least from a least-privileged workstation, instead of running directly on the Sub CA. If possible, I would like to extract details such as the requester's name, certificate template, serial number, validity period, and issuance status, similar to the Export List option in the CA console.

If you have any recommended commands or scripts to do this.User's image

Thanks!

Moved from: Sysinternals

Windows for business | Windows Client for IT Pros | Devices and deployment | System management components
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marcin Policht 68,535 Reputation points MVP Volunteer Moderator
    2025-11-28T12:43:53.4733333+00:00

    You can retrieve issued certificates remotely from any domain-joined workstation as long as the account has read permissions on the CA. The most convenient way to do this is through the PSPKI PowerShell module, which exposes the CA database through the same RPC interface the CA console uses.

    To install PSPKI from a standard workstation:

    Install-Module PSPKI -Scope CurrentUser

    Once installed, you can query all issued certificates like this:

    $CA = "YourCAHost\CAName"

Get-IssuedRequest -CertificationAuthority $CA |
    Select-Object RequestID, RequesterName, CertificateTemplate,
                  SerialNumber, NotBefore, NotAfter, RequestStatus

    If you want this in a file resembling the CA console’s Export List output:

    Get-IssuedRequest -CertificationAuthority $CA |
    Select RequestID, RequesterName, CertificateTemplate,
           SerialNumber, NotBefore, NotAfter, RequestStatus |
    Export-Csv "IssuedCertificates.csv" -NoTypeInformation

    This will give you requester account, certificate template, serial number, validity period, and status.

    If you do not want to install any modules, you can use certutil remotely. For issued certificates only:

    certutil -config "YourCAHost\CAName" -view -restrict "Disposition=20"

    To export in a useful form:

    certutil -config "YourCAHost\CAName" -view -restrict "Disposition=20" -out csv > issued.csv

    If you want to parse certutil XML output in PowerShell:

    $xml = certutil -config "YourCAHost\CAName" -view -out xml
[xml]$certs = $xml

$certs.ViewRow | Select-Object `
    RequestID,
    RequesterName,
    CertificateTemplate,
    SerialNumber,
    NotBefore,
    NotAfter,
    Disposition

    More at https://www.powershellgallery.com/packages/PSPKI/3.7.2

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.