Command-Line PKI Tools
The Certification Authority MMC console is the most convenient place to manage a CA trust hierarchy, but several command-line tools from the Resource Kit and the Platform SDK offer functionality that the console does not.
CERTUTIL
This utility lets you dump, view, and manage certificates and CRLs issued by any CA over which you have administrative rights, and it can also manage the CA database. Run certutil /? to get a list of switches and their functions. For example, to verify a certificate's chain and its revocation status:
C:\>certutil -verify server1.windomain.net_server1.crt
Issuer:
CN=PolicyCA-1
O=Windomain
L=Phoenix
S=AZ
C=US
E=administrator@windomain.ent
Subject:
CN=Server1
O=Windomain
L=Phoenix
S=AZ
C=US
E=administrator@windomain.net
Cert Serial Number: 611227e4000000000003
Revocation check passed
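The check that certutil -verify performs (build the chain to a trusted root, then look each certificate up in the issuer's CRL) can be reproduced from PowerShell with the .NET X509Chain class. The following is an added example, not part of the original text or of certutil; the certificate path is an assumption, and the script needs a Windows machine so that the CA's CRL distribution point can be fetched.

```powershell
# Added example: the same chain-and-revocation check that "certutil -verify"
# performs, implemented with System.Security.Cryptography.X509Certificates.X509Chain.
function Test-CertificateChain {
    param([Parameter(Mandatory)][string]$Path)   # DER or Base64 certificate file (assumed path below)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Fetch CRLs online and check every certificate in the chain, not only the leaf
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    $built = $chain.Build($cert)

    [pscustomobject]@{
        Issuer       = $cert.Issuer
        Subject      = $cert.Subject
        SerialNumber = $cert.SerialNumber.ToLower()   # certutil prints this field in lower-case hex
        ChainValid   = $built
        # Leaf first, root last: the same hierarchy certutil walks
        Chain        = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        # Empty when the check passed; otherwise e.g. Revoked, RevocationStatusUnknown, UntrustedRoot, NotTimeValid
        Problems     = @($chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })
    }
    $chain.Reset()
}

# Assumed file name; any certificate exported from the CA console works
Test-CertificateChain -Path 'C:\certs\server1.windomain.net_server1.crt' | Format-List
```

Read the Problems field carefully: RevocationStatusUnknown or OfflineRevocation means the CRL could not be retrieved, which is a failure to check, not a pass. certutil's "Revocation check passed" line means the CRL was fetched and the serial number was not on it.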
DSSTORE
This utility gives you somewhat more control than CERTUTIL over the CA information published in Active Directory. One particularly aggravating aspect of DSSTORE is that some of its parameters are case sensitive. For example, here is a display listing of a CA root certificate (the typeful name components DN, CN, and DC must be in upper case):
C:\>dsstore -display DC=windomain,DC=net
>>>>>>> CA Object # 0 <<<<<<<
DN: CN=EnterpriseRootCA,CN=Certification Authorities,CN=Public Key Services, CN=Services,CN=Configuration,DC=windomain,DC=net
Cert #0
Issuer :: EnterpriseRootCA
Subject :: EnterpriseRootCA
SHA1 HASH: A7180DE4 81036013 07F630F7 B1A3B8B5 DB1AA67B
Here is a DSSTORE listing of all the information for a CA:
C:\>dsstore tcainfo
CA Name: EnterpriseRootCA =============================
Machine Name: server4.windomain.net
DS Location: CN=EnterpriseRootCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=windomain,DC=net
:: Supported Certificate Templates ::
EFSRecovery
EFS
DomainController
WebServer
Machine
User
SubCA
Administrator
:::::::::::::::::::::::::::::::::::
CT #1 : EFS Recovery Agent
CT #2 : Basic EFS
CT #3 : Domain Controller
CT #4 : Web Server
CT #5 : Computer
CT #6 : User
CT #7 : Subordinate Certification Authority
CT #8 : Administrator
#CTs from enum: 8
Cert DN: CN=EnterpriseRootCA, O=Windomain, L=Phoenix, S=AZ, C=US, E=administrator@windomain.net
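Both DSSTORE listings above come from objects under CN=Public Key Services,CN=Services in the forest's Configuration naming context. The following added example (not part of the original text, and not DSSTORE itself) reads those same objects through ADSI from PowerShell: the Certification Authorities container for the -display output, and the Enrollment Services container for the tcainfo output. It assumes Windows PowerShell on a domain-joined machine, run as any domain user; the Configuration DN is discovered from RootDSE rather than typed.

```powershell
# Added example: read the Active Directory objects behind "dsstore -display"
# and "dsstore tcainfo" with ADSI. Assumes a domain-joined machine and Windows PowerShell.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext   # e.g. CN=Configuration,DC=windomain,DC=net
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Get-PublishedCaCertificate {
    # Equivalent of "dsstore -display": every CA object under Certification Authorities
    $container = [ADSI]"LDAP://CN=Certification Authorities,$pkiBase"
    foreach ($caObject in $container.Children) {
        # cACertificate is multi-valued: one DER blob per published CA certificate
        foreach ($raw in $caObject.cACertificate) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
            [pscustomobject]@{
                DN       = [string]$caObject.distinguishedName
                Issuer   = $cert.Issuer
                Subject  = $cert.Subject
                Sha1Hash = $cert.Thumbprint     # the value DSSTORE labels "SHA1 HASH"
                NotAfter = $cert.NotAfter
            }
        }
    }
}

function Get-EnrollmentServiceInfo {
    # Equivalent of "dsstore tcainfo": each enrollment service and the templates it offers
    $container = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
    foreach ($svc in $container.Children) {
        [pscustomobject]@{
            CAName     = [string]$svc.cn
            Machine    = [string]$svc.dNSHostName
            DSLocation = [string]$svc.distinguishedName
            Templates  = @($svc.certificateTemplates)   # template names, e.g. WebServer, SubCA
        }
    }
}

Get-PublishedCaCertificate | Format-List
Get-EnrollmentServiceInfo  | Format-List
```

Because these are ordinary directory objects, the same query also shows you what an attacker who has compromised the forest could change: a CA certificate added to the Certification Authorities container is trusted by every domain member, so the Thumbprint column is worth comparing against the CA's known root certificate.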
Certmgr
This GUI-based utility from the Platform SDK offers a different way to view the contents of a certificate store than the Certificates snap-in. Run it on any machine whose certificate stores you want to inspect. Figure 18.28 shows an example of the selection window.
Figure 18.28. Certmgr utility showing selection window.

Signcode
This GUI-based utility from the Platform SDK attaches an Authenticode digital signature, made with a code-signing certificate, to executables and DLLs. It is a convenient way to sign in-house applications, and to sign legacy drivers that lack the digital signature the Windows 2000 logo program calls for.
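The same operation Signcode performs through its wizard, signing a binary with a code-signing certificate from the user's store and then verifying the result, can be scripted. The following is an added example, not part of the original text and not Signcode itself: it uses the Set-AuthenticodeSignature and Get-AuthenticodeSignature cmdlets of modern Windows PowerShell. The file path, the certificate subject, and the optional timestamp server are assumptions.

```powershell
# Added example: sign an in-house binary and verify the signature with Windows PowerShell.
function Set-InHouseSignature {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string]$SignerSubject   = 'CN=Windomain Code Signing',   # assumed subject of the signing cert
        [string]$TimestampServer = ''                              # assumed optional RFC 3161 URL
    )
    # -CodeSigningCert keeps only certificates whose EKU permits code signing;
    # the filter below also insists on a private key and picks the longest-lived match
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $SignerSubject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No usable code-signing certificate for $SignerSubject" }

    $signArgs = @{ FilePath = $FilePath; Certificate = $cert; HashAlgorithm = 'SHA256' }
    # A timestamp lets the signature remain valid after the signing certificate expires
    if ($TimestampServer) { $signArgs.TimestampServer = $TimestampServer }

    $result = Set-AuthenticodeSignature @signArgs
    if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }
    $result
}

function Test-InHouseSignature {
    param([Parameter(Mandatory)][string]$FilePath)
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    # Status is Valid only when the hash matches AND the signer chains to a trusted root;
    # UnknownError or NotTrusted means the binary was altered or the signer is not trusted here
    [pscustomobject]@{
        File        = $FilePath
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        TimeStamper = $sig.TimeStamperCertificate.Subject
    }
}

# Assumed path of an in-house build
Set-InHouseSignature  -FilePath 'C:\build\InventoryTool.exe' | Out-Null
Test-InHouseSignature -FilePath 'C:\build\InventoryTool.exe'
```

Verification on another machine will report NotTrusted unless the issuing CA's certificate is in that machine's Trusted Root Certification Authorities store (or, for a subordinate CA, chains to one that is), which is exactly the trust hierarchy the CA console and the tools above manage.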