Troubleshooting Windows Server Certificates

Commands and Troubleshooting steps for Certificate Issues on Windows Server

# View certificates in the CA store:
certutil -store CA

# See which CA I'm part of
certutil -view

# View certificates in the Root store
certutil -store Root

# Search for a specific certificate by issuer
certutil -store CA "CN = ca 5, OU = PKI, OU = blah, O = hello, C = US"

# View information using the certificate serial number issued by the CA
certutil -store CA <SerialNumber>

# verify certificate chain
certutil -verify -urlfetch <CertificateFile>

# display CA configuration
certutil -cainfo

# enrollment policy
certutil -policy

# This will show what your current SSL bindings are. You should be able to 
# recognize which IP and Port combination you need to focus on. In this 
# example, the site that is used with the CTL is represented as follows
netsh http show sslcert

# Show available CSR templates (certutil, or the PowerShell cmdlet)
certutil -CATemplates
Get-CATemplate

# Show all available CAs and select one for pinging
certutil -config - -ping

# Get templates from domain
certutil -dstemplate
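
The binding and chain checks above can be combined. As an added example (not part of the original post), the PowerShell function below parses `netsh http show sslcert` output, looks up each bound thumbprint in the local machine store, and reports days to expiry and chain status. The function name, the constructed sample text, and the reliance on English-language netsh output are assumptions of this example.

```powershell
# Added example (not from the original page). Assumes English netsh output
# and that bound certificates live in a LocalMachine store.
function Get-SslBindingCertStatus {
    param([string[]]$NetshOutput = (netsh http show sslcert))

    $endpoint = $null; $hash = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $endpoint = $Matches[2]; $hash = $null
        }
        elseif ($line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $hash = $Matches[1].ToUpper()
        }
        elseif ($endpoint -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            # netsh prints "(null)" when the binding uses the default MY store
            $store = if ($Matches[1] -eq '(null)') { 'MY' } else { $Matches[1] }
            $cert = $null
            if ($hash) {
                $cert = Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
                    Where-Object { $_.Thumbprint -eq $hash } | Select-Object -First 1
            }
            $row = [ordered]@{ Endpoint = $endpoint; Store = $store; Thumbprint = $hash
                               Subject = $null; DaysLeft = $null; ChainStatus = 'CertNotInStore' }
            if ($cert) {
                # Build the chain with online revocation checking, similar in
                # spirit to certutil -verify -urlfetch on an exported file
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode = 'Online'
                $ok = $chain.Build($cert)
                $row.Subject     = $cert.Subject
                $row.DaysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays
                $row.ChainStatus = if ($ok) { 'OK' } else {
                    ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }
            }
            [pscustomobject]$row
            $endpoint = $null
        }
    }
}

# Constructed sample input (thumbprint is made up), for running off-box:
$sample = @'
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 00112233445566778899aabbccddeeff00112233
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY
'@ -split "`r?`n"
Get-SslBindingCertStatus -NetshOutput $sample | Format-Table -AutoSize
```

Run `Get-SslBindingCertStatus` with no arguments on the server to check its live bindings; a `CertNotInStore` row means the binding points at a thumbprint that is no longer present in that store.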

Listing CA Servers in a Windows Environment

Method 1: Using the Certification Authority MMC Snap-in

  1. Open the Microsoft Management Console (MMC) by pressing Win + R, typing mmc, and pressing Enter.
  2. Go to File > Add/Remove Snap-in.
  3. Select "Certification Authority" and click "Add".
  4. Choose "Enterprise" to view all CAs in your Active Directory forest.
  5. Click "Finish" and then "OK".
  6. Expand the Certification Authority node to see the list of CA servers.

Method 2: Using PowerShell

To list Enterprise CAs in your Active Directory forest:

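# Enrollment service objects live in the forest's Configuration partition, so point -SearchBase there
Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties * | Select-Object Name, DNSHostName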

To list all CAs (including standalone CAs) that have published their information in Active Directory:
