1

We have a network using Windows Server 2003 with Active Directory. A few years ago I set up the Certificate Authority on one of the servers. Recently I wanted to do some maintenance, but found that the CA on that machine hasn't been issuing certificates since 2007, and yet users on the network are getting Auto-enrolled certificates all the time, so SOMETHING must be issuing them.

How do I tell which machine is the active CA?

maweeras
Chris Wenham

2 Answers

2

CertUtil.exe will give you most of the information you want. There's a very good blog posting by Tony Murray on his blog here about using Certutil and querying the AD for the info you want.

Helvick
0

Examine one of those certificates and have a look at who issued it.

Massimo
  • Doesn't help. The "issuer" is my own username, or the username of whoever the certificate belongs to. It doesn't say which hostname the CA was from. – Chris Wenham Nov 04 '09 at 19:37
  • That's not correct. The certificate should contain the path to the issuing CA(s). Guess something strange is happening here... – Massimo Nov 04 '09 at 21:40
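Both answers above (query AD for the CA, and read the issuer off an enrolled certificate) can be combined in one script. This is an added example, not code from either answer. It assumes PowerShell 2.0 or later on a domain-joined machine and read access to the forest's configuration partition; matching a certificate to a CA by the issuer's common name is a heuristic chosen for this example.

```powershell
# Added example: list the enterprise CAs published in Active Directory, then
# show which of them (if any) issued each certificate in the user's store.

# Every enterprise CA registers a pKIEnrollmentService object in this
# container of the configuration partition; dNSHostName is the CA's host.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = $rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter      = '(objectClass=pKIEnrollmentService)'
$searcher.SearchScope = 'OneLevel'
foreach ($p in 'cn', 'dnshostname', 'certificatetemplates') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$cas = @(foreach ($r in $searcher.FindAll()) {
    New-Object PSObject -Property @{
        CAName    = [string]$r.Properties['cn'][0]
        CAHost    = [string]$r.Properties['dnshostname'][0]
        # Templates this CA is configured to issue (auto-enrollment uses these).
        Templates = ($r.Properties['certificatetemplates'] | Sort-Object) -join ', '
    }
})
$cas | Format-List CAName, CAHost, Templates | Out-Host

# Compare each certificate in the current user's store against that list.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    # Common name of the issuer (second argument $true = issuer, not subject).
    $issuerCN = $_.GetNameInfo('SimpleName', $true)
    $ca = $cas | Where-Object { $_.CAName -eq $issuerCN } | Select-Object -First 1

    $issuedBy = if ($_.Subject -eq $_.Issuer) {
        'self-signed (not issued by any CA)'
    } elseif ($ca) {
        "CA '$($ca.CAName)' on host $($ca.CAHost)"
    } else {
        'issuer is not a CA published in this forest'
    }

    New-Object PSObject -Property @{
        Subject   = $_.Subject
        Issuer    = $_.Issuer
        NotBefore = $_.NotBefore
        IssuedBy  = $issuedBy
    }
} | Format-List Subject, Issuer, NotBefore, IssuedBy | Out-Host
```

A certificate whose issuer and subject are identical is self-signed, so no CA host will appear for it in the output.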