4

I'm in the process of setting up a new root ADCS (Active Directory Certificate Server) certificate authority for a child domain in a multi-forest environment that already has a number of existing CAs. I would very much like to not repeat what the last guy did, which was to set stuff up in an ad hoc fashion and document nothing, so I'm looking for a way to standardize the configuration of our CAs.

To that end, is there a way to view/export/determine the configuration of a Windows ADCS CA? In particular, the settings I can't seem to determine are the Private Key Cryptography options, as in the below setup dialogue.


The existing CAs are Server 2008 R2 or Server 2012 R2, so ideally/hopefully, I'm looking for a solution that works for both.

HopelessN00b

2 Answers

3

Go see if you can snag the CAPolicy.inf file from the Windows directory on one of the existing CAs. It should still be there.

Other than that, it's all in the registry of the CA:

HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\My-CA

CA Registry

Edit: I misread "not repeat what the last guy did"

Ryan Ries
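One way to capture the registry configuration the answer above points to, as an added example that is not part of the original answer. The function name `Get-CAConfigSnapshot` and the output file name are hypothetical; it assumes an elevated session on the CA itself, that the `Active` value under `Configuration` names the CA's subkey, and that the provider and hash settings sit in its `CSP` subkey. It avoids PowerShell 3.0 features so it also runs on Server 2008 R2.

```powershell
# Added example: snapshot a CA's registry configuration so CAs can be compared.
# Names are hypothetical; run elevated on the CA. PowerShell 2.0 compatible.
function Get-CAConfigSnapshot {
    param(
        # Parent of the per-CA key named in the answer (...\Configuration\My-CA)
        [string]$ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    )
    if (-not (Test-Path -LiteralPath $ConfigRoot)) {
        throw "No CertSvc configuration at $ConfigRoot. Run this on the CA itself."
    }
    # Assumption: the 'Active' value holds the name of the CA's subkey
    $caName = (Get-ItemProperty -LiteralPath $ConfigRoot).Active
    if (-not $caName) { throw "No 'Active' value under $ConfigRoot" }

    $caKey = Get-Item -LiteralPath (Join-Path $ConfigRoot $caName)
    # The CA key itself plus every subkey beneath it (CSP and the rest)
    $keys = @($caKey) + @(Get-ChildItem -LiteralPath $caKey.PSPath -Recurse)

    foreach ($key in $keys) {
        # Path of this key relative to the CA key ('' for the CA key itself)
        $sub = $key.Name.Substring($caKey.Name.Length).TrimStart('\')
        foreach ($valueName in $key.GetValueNames()) {
            $value = $key.GetValue($valueName)
            # Flatten REG_BINARY and REG_MULTI_SZ so each setting is one string
            if ($value -is [byte[]]) { $value = [BitConverter]::ToString($value) }
            elseif ($value -is [array]) { $value = $value -join '; ' }
            New-Object PSObject -Property @{
                CA = $caName; SubKey = $sub; Name = $valueName; Value = [string]$value
            } | Select-Object CA, SubKey, Name, Value
        }
    }
}

$snapshot = @(Get-CAConfigSnapshot)
# Cryptographic provider settings chosen at CA setup time
$snapshot | Where-Object { $_.SubKey -eq 'CSP' } | Format-Table Name, Value -AutoSize
# One file per CA, kept with the documentation
$snapshot | Export-Csv -Path ".\$($env:COMPUTERNAME)-ca-config.csv" -NoTypeInformation
```

Two exported files can be loaded with `Import-Csv` and passed to `Compare-Object -Property SubKey, Name, Value` to list the settings on which the CAs differ.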
2

I think you can extract pretty much any data from your PKI with these PowerShell extensions - not 100% sure on your exact query, but I don't see why not.

https://pspki.codeplex.com/

Dan
  • Looks promising, thanks... I'm installing and trying that now. – HopelessN00b Oct 29 '15 at 16:53
  • Well, it leaves a lot to be desired, so I'm gonna try to find something better, but thank you... it *almost* does everything I need. It's missing one of the settings I need, and reports a couple of the others by their reference (`System.Security.Cryptography.Oid`) instead of the actual value... d'oh. – HopelessN00b Oct 29 '15 at 18:28