Friday, April 29, 2011

How to Easily Check for a Windows Enterprise CA

I work with a lot of different clients and often need to generate private certificates for applications, such as Exchange, Lync Server, and System Center.  I'm often surprised that clients aren't aware if they even have a certificate authority server in their domain and if so, what its name is.

Here's a simple way to check for an enterprise CA in a Windows domain.  Run the following command from a CMD prompt:
certutil -config - -ping

Notice the extra dash "-" between the -config and -ping switches.

If there is an enterprise CA published in Active Directory, you will see a pop-up box asking you to choose the CA to ping, as shown below:


Notice that the CA name and the computer that hosts it are displayed.  Once you select the certification authority and click OK, certutil will ping the server to make sure that it's online and functioning, as shown below:

Certutil successfully pinged the CA

If certutil is unable to locate an Enterprise CA in the domain, it will display an error message indicating that no active Certification Authorities were found:

Certutil was unable to locate an Enterprise CA in the domain
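The same lookup can be done without the pop-up picker, which is handy for scripting across many client domains. This is an added PowerShell example, not part of the original post: it reads the Enrollment Services container in the AD configuration partition (the same place certutil finds published CAs) and then runs certutil -ping against each CA it finds. It assumes a domain-joined machine and a user who can read the configuration partition, which authenticated users normally can.

```powershell
# Added example: list Enterprise CAs published in AD and ping each one.
# Assumes a domain-joined machine and read access to the configuration partition.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$path     = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

# Each published Enterprise CA is a pKIEnrollmentService object under this container.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$path
$searcher.Filter     = "(objectClass=pKIEnrollmentService)"
[void]$searcher.PropertiesToLoad.AddRange(@("cn", "dNSHostName"))

$cas = $searcher.FindAll()
if ($cas.Count -eq 0) {
    Write-Host "No Enterprise CA is published in Active Directory."
    return
}

foreach ($ca in $cas) {
    # Result property names come back lowercase.
    $caName = $ca.Properties["cn"][0]
    $caHost = $ca.Properties["dnshostname"][0]
    # Same "host\CA name" string the interactive picker builds for -config.
    $config = "$caHost\$caName"

    Write-Host "Pinging $config ..."
    certutil -config $config -ping
    if ($LASTEXITCODE -eq 0) {
        Write-Host "  $caName on $caHost is online."
    } else {
        Write-Host "  $caName on $caHost did not respond (certutil exit code $LASTEXITCODE)."
    }
}
```

A CA that is published in AD but fails the ping is worth following up on: the object may be stale from a decommissioned CA, or the CA service may be stopped on the host.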
12:01 PM