The Certification Authority console is the most convenient place to manage a CA trust hierarchy, but several command-line tools in the Resource Kit offer functionality that the MMC console does not have.
This utility lets you dump, view, and manage certificates and CRLs issued by any CA over which you have administrative rights, and it can also manage the CA database. Run certutil /? to get a list of its switches and their functions.
For example:
C:\>certutil -verify server1.windomain.net_server1.crt
Issuer:
    CN=PolicyCA-1
    O=Windomain
    L=Phoenix
    S=AZ
    C=US
    E=administrator@windomain.ent
Subject:
    CN=Server1
    O=Windomain
    L=Phoenix
    S=AZ
    C=US
    E=administrator@windomain.net
Cert Serial Number: 611227e4000000000003
Revocation check passed
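A human reads the dump above; a script needs the fields as data. The following PowerShell function is an added example (not the book's own code) that wraps certutil -verify, pulls out the issuer CN, subject CN, serial number and the revocation verdict, and also records the tool's exit code, so an enrollment or monitoring script can fail on a certificate whose chain or revocation check does not pass. The file name and the optional -urlfetch switch (which makes certutil retrieve the AIA and CDP URLs while checking) are assumptions; the output layout it parses is the one shown above.

```powershell
# Added example: turn "certutil -verify" output into an object.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. server1.windomain.net_server1.crt (hypothetical path)
        [switch] $UrlFetch                       # also fetch AIA/CDP URLs during the check
    )

    $certutilArgs = @('-verify')
    if ($UrlFetch) { $certutilArgs += '-urlfetch' }
    $certutilArgs += $Path

    # certutil writes its report to stdout; keep stderr too so failures are visible.
    $lines = & certutil.exe @certutilArgs 2>&1
    $exit  = $LASTEXITCODE
    $text  = ($lines | ForEach-Object { "$_" }) -join "`n"

    # The DN is printed one component per indented line under "Issuer:" / "Subject:",
    # so pick the first CN= that follows each heading.
    $issuerCn  = if ($text -match '(?s)Issuer:.*?CN=([^\r\n]+)')  { $Matches[1].Trim() } else { $null }
    $subjectCn = if ($text -match '(?s)Subject:.*?CN=([^\r\n]+)') { $Matches[1].Trim() } else { $null }
    $serial    = if ($text -match 'Cert Serial Number:\s*([0-9A-Fa-f]+)') { $Matches[1] } else { $null }

    # "Revocation check passed" (or "Leaf certificate revocation check passed") is the
    # line an operator looks for; anything else means do not trust the chain.
    $revocationOk = $text -match '(?i)revocation check passed'

    [pscustomobject]@{
        File              = $Path
        IssuerCN          = $issuerCn
        SubjectCN         = $subjectCn
        SerialNumber      = $serial
        RevocationPassed  = $revocationOk
        ExitCode          = $exit
        Trusted           = ($exit -eq 0 -and $revocationOk)
        RawOutput         = $text
    }
}

# Usage (hypothetical file): fail a deployment step on an untrusted chain.
$result = Test-CertificateChain -Path '.\server1.windomain.net_server1.crt' -UrlFetch
if (-not $result.Trusted) {
    Write-Warning "Certificate $($result.SubjectCN) (serial $($result.SerialNumber)) did not verify; see RawOutput."
}
```

The function deliberately keeps the raw text: when the verdict is anything other than passed, the certutil report is the fastest way to see which link in the chain or which CRL caused it.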
This utility gives you a bit more control over the CA database than CERTUTIL. One particularly aggravating aspect of DSSTORE is that some of its parameters are case sensitive. For example, here is a display listing of a CA root certificate. (The typeful name components DN, CN, and DC must be in upper case):
C:\>dsstore -display DC=windomain,DC=net
>>>>>>> CA Object # 0 <<<<<<<
DN: CN=EnterpriseRootCA,CN=Certification Authorities,CN=Public Key Services,
    CN=Services,CN=Configuration,DC=windomain,DC=net
Cert #0
Issuer :: EnterpriseRootCA
Subject :: EnterpriseRootCA
SHA5 HASH: A7180DE4 81036013 07F630F7 B1A3B8B5 DB1AA67B
Here is a DSSTORE listing of all the information for a CA:
C:\>dsstore tcainfo
CA Name: EnterpriseRootCA
=============================
Machine Name: server4.windomain.net
DS Location: CN=EnterpriseRootCA,CN=Enrollment Services,CN=Public Key Services,
    CN=Services,CN=Configuration,DC=windomain,DC=net
:: Supported Certificate Templates ::
EFSRecovery
EFS
DomainController
WebServer
Machine
User
SubCA
Administrator
:::::::::::::::::::::::::::::::::::
CT #1 : EFS Recovery Agent
CT #2 : Basic EFS
CT #3 : Domain Controller
CT #4 : Web Server
CT #5 : Computer
CT #6 : User
CT #7 : Subordinate Certification Authority
CT #8 : Administrator
#CTs from enum: 8
Cert DN: CN=EnterpriseRootCA, O=Windomain, L=Phoenix, S=AZ, C=US, E=administrator@windomain.net
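Everything in the DSSTORE listing above comes from the CA's pKIEnrollmentService object in the Enrollment Services container of the forest's Configuration partition. The PowerShell function below is an added example (not the book's or DSSTORE's code) that reads the same data with the built-in [ADSI] accessor: CA name, host, DS location, the list of templates the CA will issue, and the subject and SHA-1 thumbprint of the CA certificate stored in the object. It assumes the script runs on a domain-joined machine with read access to the Configuration partition, which any authenticated user normally has; reviewing which templates each CA publishes is a routine PKI hygiene check.

```powershell
# Added example: list every enrollment service (CA) published in Active Directory.
function Get-EnrollmentServiceInfo {
    # RootDSE tells us where the Configuration partition lives for this forest.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

    foreach ($ca in $container.Children) {
        # Each child is a pKIEnrollmentService object. cACertificate holds the
        # DER-encoded CA certificate that clients use to trust this issuer.
        $der  = $ca.Properties['cACertificate'][0]
        $cert = $null
        if ($der) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
        }

        [pscustomobject]@{
            CAName      = [string]$ca.Properties['cn'][0]
            MachineName = [string]$ca.Properties['dNSHostName'][0]
            DSLocation  = [string]$ca.Properties['distinguishedName'][0]
            Templates   = @($ca.Properties['certificateTemplates'] | ForEach-Object { "$_" })
            CertSubject = if ($cert) { $cert.Subject }    else { $null }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }   # SHA-1 hash of the CA cert
            NotAfter    = if ($cert) { $cert.NotAfter }   else { $null }
        }
    }
}

# Usage: one line per CA, then the template list for a CA of interest.
$cas = Get-EnrollmentServiceInfo
$cas | Format-Table CAName, MachineName, Thumbprint, NotAfter

# Flag any CA publishing a template that your policy says should not be
# enrollable from this CA (the list here is a constructed placeholder).
$notExpected = @('SubCA')
foreach ($ca in $cas) {
    $unexpected = $ca.Templates | Where-Object { $notExpected -contains $_ }
    if ($unexpected) { Write-Warning "$($ca.CAName) publishes: $($unexpected -join ', ')" }
}
```

The template names returned are the short names (EFSRecovery, WebServer, SubCA and so on) that DSSTORE prints under "Supported Certificate Templates"; the display names in the CT # lines come from the template objects themselves, which live in the Certificate Templates container next to this one.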
This GUI-based utility from the Platform SDK is a different way to view the contents of a certificate store than the Certificates snap-in. Run it on any machine whose certificates you want to see. Figure 18.28 shows an example of the selection window.
This GUI-based utility from the Platform SDK lets you add a signing certificate to executables and DLLs. This is a great way to sign in-house applications, and to prepare legacy drivers that lack the digital signature required to get the Windows 2000 logo.
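Signing binaries is only half the job; someone has to confirm that what ships actually carries a valid signature from the expected certificate. The PowerShell function below is an added example (not the book's code and not part of the SDK tool) that inventories the Authenticode state of every executable, DLL and driver under a directory with the built-in Get-AuthenticodeSignature cmdlet and reports the files that are unsigned, tampered with (hash mismatch) or signed by an untrusted chain. The directory path and the expected signer name are assumptions.

```powershell
# Added example: audit Authenticode signatures across a build or driver tree.
function Get-SignatureInventory {
    param(
        [Parameter(Mandatory)] [string] $Path,          # hypothetical, e.g. C:\inhouse\build
        [string] $ExpectedSignerSubject = $null          # e.g. 'CN=Windomain Code Signing' (assumed)
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            # Status values: Valid, NotSigned, HashMismatch (file changed after signing),
            # NotTrusted (chain does not end at a trusted root), UnknownError, ...
            $signerOk = (-not $ExpectedSignerSubject) -or ($signer -eq $ExpectedSignerSubject)

            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status
                Signer      = $signer
                Issuer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { $null }
                Expires     = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
                Timestamped = [bool]$sig.TimeStamperCertificate   # countersignature keeps it valid past expiry
                IsOSBinary  = $sig.IsOSBinary
                Acceptable  = ($sig.Status -eq 'Valid' -and $signerOk)
            }
        }
}

# Usage: list everything that would not pass a release gate.
$inventory = Get-SignatureInventory -Path 'C:\inhouse\build' -ExpectedSignerSubject 'CN=Windomain Code Signing'
$problems  = $inventory | Where-Object { -not $_.Acceptable }
$problems | Format-Table File, Status, Signer -AutoSize
if ($problems) { Write-Warning "$($problems.Count) file(s) are not validly signed by the expected certificate." }
```

Checking the signer subject as well as the Valid status matters: a binary signed by any trusted publisher reports Valid, so the status alone does not prove that your own signing certificate produced it. A timestamp countersignature is worth requiring for drivers, since without it the signature stops validating when the signing certificate expires.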