Command-Line PKI Tools
The Certification Authority console provides the most convenient place to manage a CA trust hierarchy. There are several command-line tools in the Resource Kit that have functionality that is not present in the MMC console.
This utility allows you to dump, view, and manage certificates and CRLs issued by any CA over which you have administrative rights. You can also manage the CA database. Run certutil /? to get a list of switches and their functions.
C:\>certutil -verify server1.windomain.net_server1.crt
Cert Serial Number: 611227e4000000000003
Revocation check passed
This utility gives you a bit more control over the CA database than CERTUTIL. One particularly aggravating part of using DSSTORE is that some of the parameters are case sensitive. For example, here is a display listing of a CA root certificate. (The typeful name components, DN, CN, and DC, must be in upper case):
C:\>dsstore -display DC=windomain,DC=net
>>>>>>> CA Object # 0 <<<<<<<
DN: CN=EnterpriseRootCA,CN=Certification Authorities,CN=Public Key Services, CN=Services,
Issuer :: EnterpriseRootCA
Subject :: EnterpriseRootCA
SHA5 HASH: A7180DE4 81036013 07F630F7 B1A3B8B5 DB1AA67B
Here is a DSSTORE listing of all the information for a CA:
CA Name: EnterpriseRootCA =============================
Machine Name: server4.windomain.net
DS Location: CN=EnterpriseRootCA,CN=Enrollment Services,CN=Public Key Services,
:: Supported Certificate Templates ::
CT #1 : EFS Recovery Agent
CT #2 : Basic EFS
CT #3 : Domain Controller
CT #4 : Web Server
CT #5 : Computer
CT #6 : User
CT #7 : Subordinate Certification Authority
CT #8 : Administrator
#CTs from enum: 8
Cert DN: CN=EnterpriseRootCA, O=Windomain, L=Phoenix, S=AZ, C=US,
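When auditing a CA trust hierarchy it helps to turn the two DSSTORE dumps above into structured data rather than reading them by eye. The following Python is an added example, not code from the book or from the DSSTORE tool; the embedded sample text is constructed from the listings shown above (shortened to three templates), and the field names it keys on are taken from that output.

```python
import re

# Constructed samples modelled on the dsstore output shown above (not captured from a real CA).
DISPLAY_OUTPUT = """>>>>>>> CA Object # 0 <<<<<<<
DN: CN=EnterpriseRootCA,CN=Certification Authorities,CN=Public Key Services,CN=Services,
Issuer :: EnterpriseRootCA
Subject :: EnterpriseRootCA
SHA5 HASH: A7180DE4 81036013 07F630F7 B1A3B8B5 DB1AA67B
"""
CA_LISTING = """CA Name: EnterpriseRootCA =============================
Machine Name: server4.windomain.net
:: Supported Certificate Templates ::
CT #1 : EFS Recovery Agent
CT #2 : Web Server
CT #3 : Subordinate Certification Authority
#CTs from enum: 3
Cert DN: CN=EnterpriseRootCA, O=Windomain, L=Phoenix, S=AZ, C=US,
"""

def parse_ca_objects(text):
    """Split a 'dsstore -display' dump into one dict per published CA object."""
    objects, current = [], None
    for line in text.splitlines():
        m = re.match(r">+ CA Object # (\d+) <+", line)
        if m:
            current = {"index": int(m.group(1))}
            objects.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()                      # 'Issuer ::' -> 'Issuer'
            current[key] = value.lstrip(":").strip()
            if key.upper().endswith("HASH"):       # normalise the hash for comparison
                current["thumbprint"] = current[key].replace(" ", "").upper()
    return objects

def parse_ca_listing(text):
    """Parse a dsstore CA listing and check the template count against the enumeration."""
    info = {"templates": []}
    for line in text.splitlines():
        if m := re.match(r"CT #\d+\s*:\s*(.+)", line):
            info["templates"].append(m.group(1).strip())
        elif m := re.match(r"#CTs from enum:\s*(\d+)", line):
            info["enum_count"] = int(m.group(1))
        elif m := re.match(r"(CA Name|Machine Name|DS Location|Cert DN):\s*(.+)", line):
            info[m.group(1)] = m.group(2).strip().rstrip("=").strip()
    info["count_consistent"] = info.get("enum_count") == len(info["templates"])
    return info

def published_object_for(listing, objects):
    """Return the published CA object whose Subject matches the enrollment listing's CA name."""
    return next((o for o in objects if o.get("Subject") == listing.get("CA Name")), None)
```

Feeding real `dsstore -display` and CA listing output into these functions lets you diff the published CA objects and offered templates against what you expect, instead of trusting a one-off visual read of the dump.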
This GUI-based utility from the Platform SDK is a different way to view the contents of a certificate store than the Certificates snap-in. Run it on any machine whose certificates you want to see. Figure 18.28 shows an example of the selection window.
Figure 18.28. Certmgr utility showing selection window.
This GUI-based utility from the Platform SDK lets you add a signing certificate to executables and DLLs. This is a great way to sign in-house applications as well as to prepare legacy drivers that do not have a digital signature as required to get the Windows 2000 logo.