
Determine CA Role


jsp...@gmail.com

Aug 22, 2008, 9:57:09 AM
I'm sure it's easy to do, but I just can't figure it out. How can I
determine what role a Certificate Authority is running as? I inherited
some servers and I need to know if the CA is a "Stand Alone" or
"Enterprise" CA.

Jorge de Almeida Pinto [MVP - DS]

Aug 22, 2008, 4:45:06 PM
A lot of ways to determine that. Here are two examples:


****For example by using: certutil -CAInfo
-------
[RFSMBSV2] C:\>certutil -CAInfo
Exit module count: 2
CA name: ROOT-CA-FOR-ILM1
Sanitized CA short name (DS name): ROOT-CA-FOR-ILM1
CA type: 0 -- Enterprise Root CA <<<------------------------
ENUM_ENTERPRISE_ROOTCA -- 0 <<<------------------------
CA cert count: 1
KRA cert count: 1
KRA cert used count: 1
CA cert[0]: 3 -- Valid
CA cert version[0]: 0 -- V0.0
CA cert verify status[0]: 0
CRL[0]: 3 -- Valid
KRA cert[0]: 4 -- Invalid
DNS Name: RFSMBSV2.ADCORP.LAB
Advanced Server: 1
CertUtil: -CAInfo command completed successfully.

22-Aug-2008 22:42:50.80
[RFSMBSV2] C:\>
-------

****For example by using: Certutil -TCAInfo
-----
[RFSMBSV2] C:\>certutil -TCAInfo
================================================================
CA Name: ROOT-CA-FOR-ILM1

Machine Name: RFSMBSV2.ADCORP.LAB

DS Location: CN=ROOT-CA-FOR-ILM1,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB

Cert DN: CN=ROOT-CA-FOR-ILM1, DC=ADCORP, DC=LAB

CA Expiration (Years): 1

Connecting to RFSMBSV2.ADCORP.LAB\ROOT-CA-FOR-ILM1 ...
Server "ROOT-CA-FOR-ILM1" ICertRequest2 interface is alive

Enterprise Root CA

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=ROOT-CA-FOR-ILM1, DC=ADCORP, DC=LAB
Subject: CN=ROOT-CA-FOR-ILM1, DC=ADCORP, DC=LAB
Serial: 086a9a332a7daa9e4f125a9cda8070b5
18 fb 55 43 ce 4c 50 62 a5 7f b4 3c 71 50 06 a9 63 fe 89 98
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
18 fb 55 43 ce 4c 50 62 a5 7f b4 3c 71 50 06 a9 63 fe 89 98
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All

Supported Certificate Templates:
Cert Type[0]: CLM-Partner-Authentication (CLM-Partner-Authentication)
Cert Type[1]: CLM-User-Authentication (CLM-User-Authentication) -- No Access!
Cert Type[2]: CLM-Email-Encryption (CLM-Email-Encryption)
Cert Type[3]: CLM-SmartCard-Logon-Multi (CLM-SmartCard-Logon-Multi)
Cert Type[4]: CLM-EFS-Encryption (CLM-EFS-Encryption)
Cert Type[5]: CLM-Code-Signing (CLM-Code-Signing)
Cert Type[6]: CLM-Workstation-Authentication (CLM-Workstation-Authentication)
Cert Type[7]: CLM-Web-Server (CLM-Web-Server)
Cert Type[8]: CLM-User-Software (CLM-User-Software)
Cert Type[9]: CLM-SmartCard-Logon-Update (CLM-SmartCard-Logon-Update)
Cert Type[10]: CLM-SmartCard-Logon-Single (CLM-SmartCard-Logon-Single)
Cert Type[11]: SmartcardLogonv2 (Smartcard Logon v2)
Cert Type[12]: CLMKeyRecoveryAgent (CLM Key Recovery Agent) -- No Access!
Cert Type[13]: CLMEnrollmentAgent (CLM Enrollment Agent) -- No Access!
Cert Type[14]: CLMSigning (CLM Signing) -- No Access!
Cert Type[15]: Userv2 (User v2)
Cert Type[16]: Computerv2 (Computer v2)
Cert Type[17]: DirectoryEmailReplication (Directory Email Replication)
Cert Type[18]: DomainControllerAuthentication (Domain Controller Authentication)
Cert Type[19]: EFSRecovery (EFS Recovery Agent)
Cert Type[20]: EFS (Basic EFS)
Cert Type[21]: DomainController (Domain Controller)
Cert Type[22]: WebServer (Web Server)
Cert Type[23]: SubCA (Subordinate Certification Authority)
Cert Type[24]: Administrator (Administrator)
Validated Cert Types: 25

================================================================
RFSMBSV2.ADCORP.LAB\ROOT-CA-FOR-ILM1:
Enterprise Root CA <<<------------------------
Online

CertUtil: -TCAInfo command completed successfully.
-----

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
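
As an added example (not part of the original post): a small Python parser that classifies saved `certutil -CAInfo` output by the numeric `CA type` code, for checking several inherited servers at once. The codes follow the `ENUM_CATYPES` enumeration in the Windows SDK header `certsrv.h`; the second sample capture, its names and its label text are constructed.

```python
import re

# Numeric CA type codes (ENUM_CATYPES in the Windows SDK header certsrv.h).
CA_TYPES = {
    0: ("ENUM_ENTERPRISE_ROOTCA", "Enterprise", "Root"),
    1: ("ENUM_ENTERPRISE_SUBCA", "Enterprise", "Subordinate"),
    3: ("ENUM_STANDALONE_ROOTCA", "Stand-alone", "Root"),
    4: ("ENUM_STANDALONE_SUBCA", "Stand-alone", "Subordinate"),
}
FIELD = re.compile(r"^\s*(CA name|CA type|DNS Name):\s*(.+?)\s*$", re.I)
ARROW = re.compile(r"\s*<<<-+\s*$")  # hand-added markers, as in the post

def parse_cainfo(text):
    """Classify one saved `certutil -CAInfo` capture by its CA type code."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(ARROW.sub("", line))
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    m = re.match(r"(\d+)\s*--\s*(.*)", fields.get("ca type", ""))
    if not m:
        raise ValueError("no parseable 'CA type' line in input")
    code = int(m.group(1))
    # Trust the number, not the label text, and flag codes we do not know.
    enum, mode, level = CA_TYPES.get(code, ("UNKNOWN", "Unknown", "Unknown"))
    return {"name": fields.get("ca name"), "host": fields.get("dns name"),
            "code": code, "enum": enum, "mode": mode, "level": level}

# Sample captures: "page" is trimmed from the post above, "constructed" is
# made up for illustration (names and label text are assumptions).
SAMPLES = {
    "page": "CA name: ROOT-CA-FOR-ILM1\n"
            "CA type: 0 -- Enterprise Root CA <<<------\n"
            "    ENUM_ENTERPRISE_ROOTCA -- 0\n"
            "DNS Name: RFSMBSV2.ADCORP.LAB\n",
    "constructed": "CA name: EXAMPLE-OFFLINE-ROOT\n"
                   "CA type: 3 -- Stand-alone Root CA\n"
                   "DNS Name: ca01.example.test\n",
}

if __name__ == "__main__":
    for label, capture in SAMPLES.items():
        info = parse_cainfo(capture)
        print(f"{label}: {info['host']} {info['name']} -> "
              f"{info['mode']} {info['level']} CA ({info['enum']})")
```
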

jspudz

Aug 25, 2008, 11:47:19 AM
On Aug 22, 3:45 pm, "Jorge de Almeida Pinto [MVP - DS]"

PERFECT! Thanks for this info, it's exactly what I needed.

jspudz

Aug 25, 2008, 11:48:05 AM
On Aug 22, 3:45 pm, "Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByD...@gmail.com> wrote:

PERFECT! Thanks for this info, it's exactly what I needed.
