Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
The primary administration and troubleshooting interfaces in a Windows Server 2003 PKI are the Certification Authority and Certificate Templates MMC snap-ins. Windows Server 2003 PKI also comes with a set of interesting command-line utilities: certutil (switches are listed in Table 16.13) and certreq (switches are listed in Table 16.14). The functionality of the dsstore utility that shipped with Windows 2000 PKI has now been merged into the certutil utility. The Windows Server 2003 Resource Kit includes the PKI Health (based on pkiview.dll) and Key Recovery (krt.exe) utilities.

Goal | Certutil Switch |
---|---|
Display CA configuration information | -dump |
Retrieve CA certificate | -ca.cert |
Retrieve CA certificate chain | -ca.chain |
Revoke certificates | -revoke |
Publish certificates or CRLs to AD | -dspublish |
Publish the CRL or delta CRL | -CRL |
Check certificate, CRL, or certificate chain validity | -verify |
Deny pending certificate request | -deny |
Set attributes on pending certificate requests | -setattributes |
Verify a key set | -verifykeys |
Decode or encode base 64 | -decode -encode |
Shut down the CA server | -shutdown |
Display the CA database schema | -schema |
Verify CRL or certificate URLs (CDP, AIA) | -url |
Merge *.pfx files | -mergepfx |
Backup and restore CA keys and database | -backup -restore -backupDB -restoreDB -backupKey -restoreKey |
Display CA database locations | -databaselocations |
Display certificates in the machine certificate store | -store |
Display certificates in the machine certificate store and verify certificates and private keys | -verifystore |
Display certificates in the user certificate store | -user -store |
Display error code message text | -error |
Import certificates into the database | -importcert |
Set, display, delete CA registry settings | -setreg -getreg -delreg |
Create or remove CA Web virtual roots and file shares | -vroot |
Retrieve archived private key recovery blob | -getkey |
Recover archived private key | -recoverkey |

Goal | Certreq Switch |
---|---|
Submit a certificate request to a CA | -submit |
Retrieve certificates that were set to pending from the CA | -retrieve |
Create a cross-certification or qualified subordination certificate request | -policy |