authorized root certificates, list
for current user:
dir Cert:\CurrentUser\AuthRoot
for Local Machine:
dir Cert:\LocalMachine\AuthRoot
CA property type information – not all that useful unless you're curious about what properties are available
certutil -capropinfo
only works if you're already on the server housing the CA. Otherwise:
CertUtil: No local Certification Authority; use -config option
CertUtil: No more data is available.
exports the CA database and private key information to the specified path
Backup-CARoleService -Path "C:\CABackup"
exports the CA database to the specified path, does not back up the CA private key information.
Backup-CARoleService -Path "C:\CABackup" -DatabaseOnly
exports the CA private key information to the specified path, does not back up the CA database.
Backup-CARoleService -Path "C:\CABackup" -KeyOnly
This only pops up a form with an interactive list from which to choose. If you pick one of the lines in the list with your mouse, it displays the server on the command line, so you can copy it to supply to the inevitable requests for that server's name when you issue other commands but aren't actually on that server.
certutil -config - -ping
And then it just hangs there waiting for you to select one or exit the command. If you just run certutil all by itself, it'll give you the info you want as just a bunch of lines, along with a bunch of other information that's probably irrelevant most of the time. The script below ought to work to get more targeted info. It's kind of clunky trying to extract the pertinent info - especially since it displays one way in Server 2016 and with different delimiters in 2012 R2, but it works so far.
$result = @()
foreach ($line in (certutil)) {
    if ($line -like "Entry*") {
        # "Entry 0: (Local)" -> "0"
        $entry = (($line -split " ")[1] -split ":")[0]
    }
    elseif ($line -like " Name:*") {
        # Server 2016 wraps the value in double quotes
        $name = ($line -split '"')[1]
        if ($null -eq $name) {
            # if the line above didn't get anything, then Server 2012 R2 delineates begin "`" end "'"
            $name = ($line -split '`')[1]
            $name = ($name -split "'")[0]
        }
    }
    elseif ($line -like " Server:*") {
        $server = ($line -split '"')[1]
        if ($null -eq $server) {
            # if the line above didn't get anything, then Server 2012 R2 delineates begin "`" end "'"
            $server = ($line -split '`')[1]
            $server = ($server -split "'")[0]
        }
        # Server: is the last of the three fields per entry, so emit the record here
        $result += New-Object -TypeName PSObject -Property @{
            entry  = $entry
            name   = $name
            server = $server
        }
    }
}
$result = $result | select entry, name, server
$result | ft
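Added example (not from the original notes): the same parsing done with one regex that accepts both delimiter styles, run against a constructed sample of certutil's output so it works offline, and producing the "server\CA name" string that certutil's -config switch expects. The function name, the sample CA names and the hostnames are assumptions.

```powershell
# Added example: parse certutil's "Entry N:" blocks (both the "value" and the `value' styles)
# and build the server\name string used with: certutil -config "server\name" <command>
function ConvertFrom-CertutilConfigText {
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    # One pattern for both quoting styles: "value" (Server 2016) or `value' (Server 2012 R2)
    $valueRx = '^\s*(?<key>Name|Server):\s*(?:"(?<v>[^"]*)"|`(?<v>[^'']*)'')\s*$'
    foreach ($line in $Lines) {
        if ($line -match '^Entry\s+(?<n>\d+):') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ entry = [int]$Matches.n; name = ''; server = '' }
        }
        elseif ($current -and $line -match $valueRx) {
            $current.($Matches.key.ToLower()) = $Matches.v
        }
    }
    if ($current) { $entries += $current }
    # Attach the value to hand to certutil -config
    $entries | ForEach-Object {
        $_ | Add-Member -NotePropertyName config -NotePropertyValue ("{0}\{1}" -f $_.server, $_.name) -PassThru
    }
}

# Constructed sample mimicking both output styles; against a real box use: (certutil) as the input
$sample = @'
Entry 0: (Local)
  Name:                   "Contoso-Issuing-CA"
  Server:                 "ca01.contoso.example"
Entry 1: (Local)
  Name:                   `Contoso-Root-CA'
  Server:                 `ca00.contoso.example'
'@ -split '\r?\n'

$cas = ConvertFrom-CertutilConfigText -Lines $sample
$cas | Format-Table entry, name, server, config
# e.g. pick one and ping it from a machine that is not the CA:
#   certutil -config $cas[0].config -ping
```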
Intermediate CA certificate store, view
pops up a form with a list
certutil -enterprise -viewstore CA
same window whether or not you include the ending “CA”
server where certificate authority resides – see certificate authority, find
pops up a form with a list
certutil -enterprise -viewstore Root
If you don't include the ending “Root”, it seems to default to what you'd get if you instead specified “CA” at the end.