Hi Chris,
You could give it a try with a Certutil -View command, suitably tailored with -Restrict and -Out parameters.
An Example for a -Restrict Parameter, having a certificate issued at a specific date would add the -Restrict "NotBefore<=<Start Date+Time>",NotBefore>=<End Date+Time>".
An example for -Out parameter would be the -Out RawCertificate parameter, which gives you the base64 encoded certificate (all you have to do is copy-paste all between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into notepad and save the file
as .cer. The following article may give you a hint (https://blogs.technet.microsoft.com/pki/2008/04/24/how-to-determine-all-certificates-that-will-expire-within-30-days/).
But if you have many repeating or versatile queries, there is a somewhat cumbersome but highly effective API. It's called iCertView2 (https://msdn.microsoft.com/en-us/library/windows/desktop/aa385417(v=vs.85).aspx). It allows you to access the entire CA
database, row by row, column by column. The rest is a matter or parsing once you get the hang of it. Especially since you need to send different parts of the output to different CertReq commands, this may be more handy, as you get all the parts as individual
properties.