Questions[ad-certificate-services](server)

I have a CA setup on Server 2012 R2, the person who ran the server left the company and I have setup a new CA server.

I am trying to figure out what systems / URL's the certs are for.

In the List of Issued Certificated is the following:

Request ID: 71

Requester Name: DOMAIN\UserName

Certificate Template: Basic EFS (EFS)

Serial Number: 5f00000047c60993f6dff61ddb000000000047

Certificate Effective Date: 11/05/2015 8:46

Certificate Expiration Date: 11/04/2016 8:46

Issued Country/Region:

Issued Organization:

Issued Organization Unit: Org Users Employees

Issued Common Name: Employee Name <-- Acutal Name of Employee

Issued City:

Issued State:

Issued Email Address:

When I ask the employee why they requested the certificate they don't remember why or what system it was for.

I am looking for a way to see all requested certs and what machines they are tied to:

Things I have tried/Googled:

1. A command similar to Netstat that could tell me any listening or established connection to the server on 443, I may be way off base on my logic and thinking.

2. I have looked through the event viewer looking at the "Certificate Effective Date: 11/05/2015 8:46" time stamp and cannot find any logs that show me anything.

3. I tried to look at the database using certutil command however I have to stop the service before I can view the database, looking over the schema it looks like a lot of the information I am looking for might be in there.

If i stop the service will SSL certs still be ok or will the end user get that SSL warning?

If I take a backup of the database can i move the file to a differnet PC and be able to read it.

Does anyone know if I will be able to find what servers / URL's are using the certs on my CA?

Is there a different better way I can find the information?

I'm new to DSC and trying to figure out how to make it work for us.

What I'm stuck on is how the credentials are actually protected. My current understanding is that it isn't all that great.

The big three problems are these. How does using a public key as a decryption source really protect those credentials? Which computers need the certificate in push and pull scenarios? What are the best practices for dealing with credentials in light of these issues?

Using a public key of a certificate is good for authenticating the source of a transmission. But using it as a decryption key means that access to the public key of the certificate determines access to the password.

If you have to push the cert to every computer that needs to decrypt MOF files, what is there to stop average users from getting access to the cert and being able to decrypt the MOF? Saying active directory security means that you may as well leave it in plain text and just rely on AD security.

Can someone help me get my head around this?

Windows Server provides a certificate authority service. However, it's not clear from its documentation how (or if) the root certificate gets distributed to clients.

• Do domain member computers automatically trust the root certificate?
  • If so, how and when do they get the certificate?
• Is there any user interaction required for the root certificate to be installed or trusted?
• Does the client poll Active Directory? Is it in AD DNS?
• Will it only get it during login?
• What if a domain member remotely VPNs into the LAN?
• Are there any caveats for different versions of Windows clients?

I'm having a problem similar to that posted in this question:

Missing Certificate template From certificate to issue

The short version is that I've created a duplicate certificate template and I'm trying to add it to my domain CA so that I can issue certificates with it. However, when I go into the Certification Authority MMC and go to "Certificate Templates -> New -> Certificate Template To Issue", my template is missing (along with quite a number of other templates that are present in the domain).

Unlike the previous question, however, my CA is running on Server 2008 R2 Enterprise. Our organization has a single DC and a single CA, so I'm not seeing where there could be propagation delay.

Any ideas how to get my template to show so that I can issue certificates?

The certificate store on my Win7 box is constantly hanging. Observe:

C:\>1.cmd

C:\>certutil -?   | findstr /i ping
  -ping             -- Ping Active Directory Certificate Services Request interface
  -pingadmin        -- Ping Active Directory Certificate Services Admin interface

C:\>set PROMPT=$P($t)$G

C:\(13:04:28.57)>certutil -ping
CertUtil: -ping command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

C:\(13:04:58.68)>certutil -pingadmin

CertUtil: -pingadmin command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

C:\(13:05:28.79)>set PROMPT=$P$G

C:\>

Explanations:

• The first command shows you that there are –ping and –pingadmin parameters to certutil
• Trying any ping parameter fails with 30 seconds timeout (the current time is seen in the prompt)

This is a serious problem. It screws all the secure communication in my app. If anyone knows how this can be fixed - please share.

Thanks.

P.S.

1.cmd is simply a batch of these commands:

certutil -? | findstr /i ping
set PROMPT=$P($t)$G
certutil -ping
certutil -pingadmin
set PROMPT=$P$G

EDIT1

I have succeeded to pin down the single windows API that causes the problem - DsGetDcName

According to the windbg, the certutil -ping invokes it like so:

PDOMAIN_CONTROLLER_INFO pdci;
DWORD ret = ::DsGetDcName(NULL, NULL, NULL, NULL, DS_DIRECTORY_SERVICE_PREFERRED, &pdci);

On my workstation it times out for 30 seconds and then returns error code 1355, which is ERROR_NO_SUCH_DOMAIN No domain controller is available for the specified domain or the domain does not exist.

On another machine, which is accidentally a windows server 2003, it returns almost immediately with the correct domain controller name inside the returned DOMAIN_CONTROLLER_INFO structure.

Now the question is what is missing on my workstation for that API to find the correct domain controller?