Where is the data about certificate is stored when i run dspublish in a domain joined computer?

Question

When is run the command certutil -f -dspublish "CA01_Fabrikam Root CA.crt" RootCA

Output is

ldap:///CN=Fabrikam Root CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=fabrikam,DC=com?cACertificate

Certificate added to DS store.

ldap:///CN=Fabrikam Root CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=fabrikam,DC=com?cACertificate

Certificate added to DS store.

CertUtil: -dsPublish command completed successfully.

Where is this certificate information actually stored? Where is the DS store?

The output that you've included is literally the address of where it's stored. — user1686, Jul 12 '21 at 15:00
@user1686 apart from ad browser is there any way to see where in the filesystem it is stored? — cypherphage, Jul 13 '21 at 17:00

score 0 · Accepted Answer · answered Jan 05 '22 at 20:59

The CA information is literally stored in the printed Active Directory object:

CN=Fabrikam Root CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=fabrikam,DC=com

The certificate itself is stored in binary form in the cACertificate attribute of the AD object.

The file is not stored on the file system, but within the Active Directory database, which is located in the C:\Windows\NTDS folder by default.

1 Answers1