Since we are gluttons for punishment, we are attempting to do an enterprise-wide roll-out of S/MIME certificates without buying something like FIM or another certificate management tool. I am working on a .NET program that we plan to push out and execute via SCCM on each client's machine, and I would like it to do the following:
1) Run a certutil -view query on the CA to see if the client already has a non-expired, non-revoked S/MIME certificate
2) If the user has 1 or more valid certificates, exit
3) If the user does not have any valid certificates, go ahead and provision the cert.
The only part I am having trouble with is #1. Windows 7 does come with a version of certutil pre-installed; however, it does not have -view capabilities. When I run certutil on a machine that doesn't have the WS2008 Resources Toolkit installed I get:
CertUtil: -view command FAILED: 0x80040154 (-2147221164)
CertUtil: Class not registered
I would much rather not have to install the toolkit on all endpoints. Since I do have it on my own machine, I copied C:\windows\system32\certadm.dll from my machine to another and registered the DLL, but this did not work; same error.
So my question, basically, is whether or not it's possible to make certutil behave on a Windows 7 machine as it does on a WS2008 machine without installing the full-fledged Toolkit.