In Active Directory Certificate Services, the primary administration interface is the MMC snap-in Certification Authority exposed through Server Manager in Windows Server 2008 and Windows Server 2008 R2:
More advanced administration options is available through the command line utility certutil.exe.
I recently worked with an environment with an unusual amount of issued certificates (several hundreds of thousands), and working with the MMC-tools was not efficient.
I first started by exporting the issued certificates to a CSV-file by using certutil.exe
s csv option. This options seems to be new in Windows Server 2008 R2, although I havent found any documentation on this. Actually it`s possible to use certutil.exe from a Windows Server 2008 R2 member server against a Certification Authority running an earlier version of Windows Server to export issued certificates to CSV. It should also be noted that this can be accomplished using the Export List option in the Certification Authority MMC in both Windows Server 2008 R2 and earlier versions of Windows Server.
When the CSV-file are exported, we can import it to Windows PowerShell and do things like grouping and sorting:
Note that using CSV when working with very large data sets might consume large amounts of system resources (up to 2,5 GB in my case), so this might not be the best approach. Another option would be to work directly against the Certification Authority database, where we can set filters directly on the queries.
There are several Com-objects available for working with Active Directory Certificate Services, which makes it possible to work directly against the Certification Authority database from PowerShell.
Another Com-object to look into is the ICertAdmin2 Interface, which can be accessed from PowerShell like this: