Channel: Security forum

How can I query my Certification Authority database to find a certificate and filter by an attribute added to the Subject Alternative Name (SAN)


In our environment we have thousands of Macs that enrol for device certificates using SCEP from the Apple Configurator utility which then connects to our issuing Windows 2008 R2 CA through NDES.

We will shortly be using these certs to authenticate devices to our 802.1X environment with EAP/TLS. All is working fine until a MacBook goes missing and I need to revoke a cert to stop the missing device getting on the Wireless LAN.

In my issued certificates list all the certificates issued through NDES show the requester name as the NDES service account, and the Request DN is the Apple Configurator ID (which is generated randomly).

The problem here is that I know the name of the missing MacBook, and the name is in the "DNS Name" attribute in the Subject Alternative Name of the issued cert, but I just can't find a way of querying the issued certificates store with a filter based on information in the SAN to find the cert I want to revoke. So it looks like we'll need to resort to trawling through the (very long) list, opening each cert and clicking on the SAN extension to see the machine name there... very painful indeed.

I've looked at what information you can pipe out with certutil and have experimented with psPKI but have come up blank. Does anyone have any ideas?

I've got a screengrab from our test environment that shows how the issued cert screen looks with NDES-issued certs, and another showing the information that I want to search or filter by, which I'll attach in a minute.

All suggestions gratefully received!

Cheers,

Tim
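One way to do what the post asks, as an added example that is not the poster's code or anything from the thread: the CA database has no searchable SAN column (the SAN lives inside the DER blob in the RawCertificate column), so the approach is to pull the issued rows through the ICertView COM interface (the same interface certutil -view and PSPKI sit on), decode each certificate with .NET, read the 2.5.29.17 extension, and match the DNS names against a pattern. The CA config string, the hostname pattern and the column names RequestID/SerialNumber/NotAfter/RawCertificate/Disposition are assumptions for illustration; the script must run as a user with read rights on the CA, and revocation only happens when -Revoke is passed.

```powershell
# Added example (not from the original post): find issued AD CS certificates by a
# DNS name in the Subject Alternative Name and optionally revoke them.
# Assumptions: $CAConfig is "<host>\<CA common name>" for your issuing CA, and
# $DnsPattern is a regex for the missing Mac's SAN DNS name (both placeholders).
param(
    [string]$CAConfig   = 'ca01.corp.example.com\Corp-Issuing-CA',
    [string]$DnsPattern = '^MACBOOK-1234\.',
    [switch]$Revoke
)

$CV_OUT_BASE64  = 1   # IEnumCERTVIEWCOLUMN.GetValue flag: base64, no PEM header (binary columns only)
$CVR_SEEK_EQ    = 1   # ICertView.SetRestriction: equality seek
$CVR_SORT_NONE  = 0
$DB_DISP_ISSUED = 20  # Disposition of an issued certificate (21 = revoked, 31 = denied)

function Find-IssuedCertBySanDns {
    param([string]$Config, [string]$Pattern)

    $view = New-Object -ComObject CertificateAuthority.View
    $view.OpenConnection($Config)

    # Restrict to rows that are currently issued, so already-revoked certs are skipped.
    $dispIdx = $view.GetColumnIndex(0, 'Disposition')
    $view.SetRestriction($dispIdx, $CVR_SEEK_EQ, $CVR_SORT_NONE, $DB_DISP_ISSUED)

    # Only fetch the columns we need; RawCertificate is the DER-encoded certificate.
    $columns = 'RequestID', 'SerialNumber', 'NotAfter', 'RawCertificate'
    $view.SetResultColumnCount($columns.Count)
    foreach ($c in $columns) { $view.SetResultColumn($view.GetColumnIndex(0, $c)) }

    $row = $view.OpenView()
    while ($row.Next() -ne -1) {
        $rec = @{}
        $col = $row.EnumCertViewColumn()
        while ($col.Next() -ne -1) {
            $rec[$col.GetName()] = $col.GetValue($CV_OUT_BASE64)
        }

        $der  = [Convert]::FromBase64String($rec['RawCertificate'])
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)

        # Subject Alternative Name is OID 2.5.29.17; Format($true) renders one "DNS Name=..." per line.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if (-not $san) { continue }
        $dnsNames = [regex]::Matches($san.Format($true), 'DNS Name=([^\r\n]+)') |
                    ForEach-Object { $_.Groups[1].Value.Trim() }

        if ($dnsNames | Where-Object { $_ -match $Pattern }) {
            [pscustomobject]@{
                RequestID    = $rec['RequestID']
                SerialNumber = $rec['SerialNumber']
                NotAfter     = $rec['NotAfter']
                Subject      = $cert.Subject
                SanDnsNames  = ($dnsNames -join ';')
            }
        }
    }
}

$hits = @(Find-IssuedCertBySanDns -Config $CAConfig -Pattern $DnsPattern)
$hits | Format-Table -AutoSize

if ($Revoke) {
    foreach ($h in $hits) {
        # Review $hits before passing -Revoke: revocation is permanent.
        # Reason 1 = KeyCompromise, appropriate for a device that is no longer under your control.
        certutil -config $CAConfig -revoke $h.SerialNumber 1
    }
}
```

Run it once without -Revoke and check that the list contains exactly the missing machine (a loose pattern can match renewed or re-enrolled certs for other devices), then re-run with -Revoke and publish a new CRL (certutil -crl) so the NPS/RADIUS side actually rejects the device. Enumerating every issued row is a full scan, so on a database with thousands of certificates it takes a while; adding a NotAfter restriction in the same way as the Disposition one trims it to certificates that are still valid.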


