AS Certificate Services + Offline Authority

  • AS Certificate Services + Offline Authority

    Hello everyone,
    I recently took over an AD environment and have been reviewing all the servers on the domain. I have an offline certificate authority (not on the domain) and an enterprise authority, both running on Server 2008 R2. How can I figure out if it is being used and what for? I did notice that all of the certificates that had been issued expired in 2009. Any suggestions you might have would be very helpful. If it is not being used, would I be able to decommission these servers?

    Thank you,
    Jeremy
    Last edited by Jreays; 27th July 2014, 22:36.

  • #2
    Re: AS Certificate Services + Offline Authority

    login to a station with admin credentials...

    open a command prompt...

    type the following command:
    Code:
    certutil.exe
    you will get an output like the following:

    Code:
    C:\Users\jhaynes>certutil.exe
    Entry 0:
      Name:                         `ca'
      Organizational Unit:          `'
      Organization:                 `'
      Locality:                     `'
      State:                        `'
      Country/region:               `'
      Config:                       `JAX-ca-01.NONYABIZINC.COM\ca'
      Exchange Certificate:         `'
      Signature Certificate:        `'
      Description:                  `'
      Server:                       `JAX-ca-01.NONYABIZINC.COM'
      Authority:                    `ca'
      Sanitized Name:               `ca'
      Short Name:                   `ca'
      Sanitized Short Name:         `ca'
      Flags:                        `1'
      Web Enrollment Servers:       `'
    
    Entry 1:
      Name:                         `jax-dc-01'
      Organizational Unit:          `'
      Organization:                 `'
      Locality:                     `'
      State:                        `'
      Country/region:               `'
      Config:                       `jax-dc-01.NONYABIZINC.COM\jax-dc-01'
      Exchange Certificate:         `'
      Signature Certificate:        `'
      Description:                  `'
      Server:                       `jax-dc-01.NONYABIZINC.COM'
      Authority:                    `jax-dc-01'
      Sanitized Name:               `jax-dc-01'
      Short Name:                   `jax-dc-01'
      Sanitized Short Name:         `jax-dc-01'
      Flags:                        `1'
      Web Enrollment Servers:       `'
    CertUtil: -dump command completed successfully.
    you can see that Windows has identified 2 servers on this domain that are CAs.
    it's easier to beg forgiveness than ask permission.
    Give karma where karma is due...



    • #3
      Re: AS Certificate Services + Offline Authority

      Sure enough. The server is listed. What now?

      C:\Users\#####>certutil.exe
      Entry 0:
      Name: `#####-#####-CA'
      Organizational Unit: `'
      Organization: `'
      Locality: `'
      State: `'
      Country/region: `'
      Config: `#####.corp.######.com\corp-#####-CA'
      Exchange Certificate: `'
      Signature Certificate: `'
      Description: `'
      Server: `#####.corp.#####.com'
      Authority: `corp-#######-CA'
      Sanitized Name: `corp-#####-CA'
      Short Name: `corp-#####-CA'
      Sanitized Short Name: `corp-#####-CA'
      Flags: `1'
      Web Enrollment Servers: `'
      CertUtil: -dump command completed successfully.



      • #4
        Re: AS Certificate Services + Offline Authority

        well, idk what you wanted to do with the info, I just know that's how to find the CA in your domain.

        what did you want to do with it?

        you asked:
        How can I figure out if it is being used and what for?
        the ##redacted## servers listed are being used as certificate authorities...


        • #5
          Re: AS Certificate Services + Offline Authority

          Jreays, are you trying to ascertain what CA Servers are still providing Certificates that are still actively being used? I know you said the Certs expired in 2009. I assume you want to know what damage/chaos will be caused if you remove them. If that is the case, take the CA Servers offline and see what calls you get and how quick they, if any, may come.

          [Sorry James, sort of doubled up on your post a bit there.]
          Last edited by biggles77; 29th July 2014, 15:09.
          1 1 was a racehorse.
          2 2 was 1 2.
          1 1 1 1 race 1 day,
          2 2 1 1 2
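
As an added example that is not part of any post in this thread: one way to answer the original question from the CA's own database is to list the certificates that were issued and have not yet expired, grouped by template. It assumes an elevated PowerShell session on the CA server itself (the offline CA has to be queried locally) and that certutil accepts the short date format of the current locale; the variable names and column labels are illustrative.

```powershell
# Added example: run in an elevated PowerShell session on the CA server itself.
# Assumption: certutil parses dates in the short date format of the current locale.
$today   = Get-Date -Format d
$columns = 'RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate'
$names   = 'RequestID', 'Requester', 'CommonName', 'NotAfter', 'Template'  # our own labels

# Disposition=20 selects issued certificates; NotAfter>= keeps only unexpired ones.
$raw = certutil.exe -view -restrict "Disposition=20,NotAfter>=$today" -out $columns csv

# Skip certutil's own header row and apply our labels, then drop any line that
# is not a data row (for example a status line) by requiring an expiry value.
$live = @($raw |
    Select-Object -Skip 1 |
    ConvertFrom-Csv -Header $names |
    Where-Object { $_.NotAfter })

if ($live.Count -eq 0) {
    'No issued, unexpired certificates found in this CA database.'
} else {
    '{0} issued certificate(s) still inside their validity period.' -f $live.Count

    # Which templates are still in play (blank for a standalone CA).
    $live | Group-Object Template |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize

    # Who holds them and when they run out.
    $live | Format-Table RequestID, Requester, CommonName, NotAfter -AutoSize
}
```

Any row returned names a requester to follow up with before the servers are switched off.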
