determine which certs were manually enrolled

  • Last Post 16 February 2017
danj posted this 15 February 2017

Hi all

Is it possible to determine from querying AD CS whether an issued cert was auto-enrolled or manual? I want my automated expiry notification mechanism to only inform admins of certs that need manual intervention to renew.


SmitaCarneiro posted this 15 February 2017

You could look at the template permissions to see who has permissions to autoenroll. That should help narrow down the pool. Also check to see who is targeted by the GPO that sets autoenrollment.


Smita Carneiro, GCWN, Active Directory Systems Engineer, IT Security and Policy



Anthony.Vandenbossche posted this 15 February 2017

Maybe you can reuse snippets from this script to see what you get returned from the DB? Maybe there is some property that identifies CEP certificates.






danj posted this 16 February 2017

Yeah, that script, plus one from Tom Nolan at Tiny int, was my starting point. I have gone through the certutil output and there are a few things which sound like they might be useful, but it is difficult to really tell. I might have to do a few test ones and see if there is a discernible difference.

I am creating a list of heuristics which is intended to determine the cert's application owner (requester name, email, api call to servicenow CMDB using the cert's CN etc). I just don't want to send the owner a load of messages for things that will auto-renew.

Smita thanks I will add GPOs and template perms to the list.



bshwjt posted this 16 February 2017

As far as I know, whether a cert was auto-enrolled or manual can be extracted from the certificate template only. After issuing the certificate there is no such attribute holding that information.
First, extract the report for all certificate templates; second, the certificate expiry notification from servers.
You can use this for the second purpose.
Template permissions you can extract using Vadim Podans' PowerShell script, but I don't have that link. You can search here.
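Putting Smita's and bshwjt's suggestions together: since the CA database records no "was this auto-enrolled" attribute, the best available signal is whether the template has the autoenroll behaviour set and the recorded requester (directly or through group membership) holds the Autoenroll extended right on that template. The script below is an added example written for this thread, not code posted by any of the participants or shipped with AD CS. It assumes a domain-joined host with certutil, read access to the CA database, and a CA config string such as `ca01.corp.example\Corp Issuing CA` (a constructed value). The two extended-right GUIDs and the `msPKI-Enrollment-Flag` bit are the documented values from MS-ADTS / MS-CRTD; everything else (function names, output fields) is made up for the example.

```powershell
# Added example: flag expiring issued certs that are unlikely to auto-renew.
# Assumptions: domain-joined host, certutil available, read access to the CA DB.
param(
    [string]$CAConfig = 'ca01.corp.example\Corp Issuing CA',  # constructed example value
    [int]$DaysAhead   = 30
)

# Well-known extended-right GUIDs (MS-ADTS) and the template flag bit (MS-CRTD).
$AutoenrollRight         = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$CT_FLAG_AUTO_ENROLLMENT = 0x20                                           # msPKI-Enrollment-Flag

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$tplContainer = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# 1. Build a template map keyed by both name and OID: the CA DB's CertificateTemplate
#    column holds the name for v1 templates and the OID for v2+ templates.
$templates = @{}
foreach ($t in $tplContainer.Children) {
    $rules = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $autoenrollSids = foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights = $rule.ActiveDirectoryRights
        $hasAll = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0
        $hasExt = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        # An ExtendedRight ACE with an empty ObjectType grants every extended right.
        if ($hasAll -or ($hasExt -and ($rule.ObjectType -eq $AutoenrollRight -or $rule.ObjectType -eq [guid]::Empty))) {
            $rule.IdentityReference.Value
        }
    }
    $flag = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
    $info = [pscustomobject]@{
        Name           = [string]$t.Properties['cn'].Value
        AutoEnrollFlag = ($flag -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0
        AutoEnrollSids = @($autoenrollSids)
    }
    $templates[$info.Name] = $info
    $oid = [string]$t.Properties['msPKI-Cert-Template-OID'].Value
    if ($oid) { $templates[$oid] = $info }
}

# 2. Resolve a "DOMAIN\name" requester (user or COMPUTER$) to its own SID plus
#    its transitive group SIDs via the constructed tokenGroups attribute.
function Get-PrincipalSids {
    param([string]$RequesterName)
    $sam = ($RequesterName -split '\\')[-1]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$sam)"
    $hit = $searcher.FindOne()
    if (-not $hit) { return @() }
    $entry = $hit.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))
    $sids = @((New-Object System.Security.Principal.SecurityIdentifier($entry.Properties['objectSid'].Value, 0)).Value)
    foreach ($b in $entry.Properties['tokenGroups']) {
        $sids += (New-Object System.Security.Principal.SecurityIdentifier($b, 0)).Value
    }
    return $sids
}

# 3. Pull issued certs (Disposition=20) from the CA DB as CSV. The header row is
#    dropped by requiring a numeric RequestID, so its localized names do not matter.
$cols = 'RequestID,RequesterName,CertificateTemplate,NotAfter,CommonName'
$rows = certutil -config $CAConfig -view -restrict 'Disposition=20' -out $cols csv |
        ConvertFrom-Csv -Header 'RequestID','RequesterName','Template','NotAfter','CommonName' |
        Where-Object { $_.RequestID -match '^\d+$' }

$now = Get-Date
$cutoff = $now.AddDays($DaysAhead)
$sidCache = @{}
foreach ($r in $rows) {
    $expires = [datetime]::Parse($r.NotAfter, [cultureinfo]::CurrentCulture)
    if ($expires -lt $now -or $expires -gt $cutoff) { continue }
    if (-not $sidCache.ContainsKey($r.RequesterName)) {
        $sidCache[$r.RequesterName] = Get-PrincipalSids $r.RequesterName
    }
    $sids = $sidCache[$r.RequesterName]
    $tpl  = $templates[$r.Template]
    $likelyAuto = $tpl -and $tpl.AutoEnrollFlag -and
                  (@($tpl.AutoEnrollSids | Where-Object { $sids -contains $_ }).Count -gt 0)
    [pscustomobject]@{
        RequestID  = $r.RequestID
        CommonName = $r.CommonName
        Requester  = $r.RequesterName
        Template   = if ($tpl) { $tpl.Name } else { $r.Template }
        NotAfter   = $expires
        Verdict    = if ($likelyAuto) { 'likely autoenroll' } else { 'manual - notify owner' }
    }
}
```

Two caveats a practitioner should keep in mind. First, this is a heuristic: a requester who holds Autoenroll may still have enrolled by hand, and autoenrollment only fires on the client if the relevant GPO is applied there (the script does not check the client-side policy). Second, certs requested on behalf of Linux boxes or network devices are usually issued to a human or service account that has Enroll but not Autoenroll, so they land in the "manual" bucket, which is the behaviour the original poster wants.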


danj posted this 16 February 2017

OK thanks, more reading to do. 

Lots of the certs are on non-windows devices (linux, network devices), so looks like it will be a combination of methods.