Enterprise CA certificate database
Hi, I would like to know where exactly the user certificates issued by a Windows 2003 Enterprise CA are stored: are they stored in Active Directory, or in the default certificate database path selected during the installation of the CA? I would appreciate anyone who can answer my query. Regards, Santosh.
October 19th, 2009 5:52am

By default the CA database is stored in: %systemroot%\system32\CertLog

[http://www.sysadmins.lv] As always enjoy the automation of tools within the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP / Port usage, admin's automation tool, powershell.exe! Flowering Weeds
October 19th, 2009 6:11am

Thanks Vadim. A follow-up question to this. Does Active Directory map the user accounts and machine accounts to this folder? If I delete the files from this folder, does it mean that Active Directory will not be able to perform the user or machine authentication? My thought process behind this was that the Enterprise CA used Active Directory to store the certificates in some container and this was in turn mapped to the respective user accounts. Please correct me if I am wrong. Regards
October 19th, 2009 6:29am

You are incorrect.

1) All certificates issued by a CA are maintained in a separate (not AD) Jet database in the path referenced earlier (set during the installation wizard).

2) Certificates *may* be stored in AD if a certificate template includes the publish to AD attribute. This is typically used with encryption certificates, not signature (authentication) certificates.

3) Authentication certificates will typically have the user's UPN in the subject alternative name attribute of the issued certificate. Because the UPN is unique in a forest, the account is determined by looking up the UPN.

HTH
Brian
October 19th, 2009 7:09am

Thanks Brian. Your reply gave me a lot of clarity. From your reply, I understand that an Enterprise CA *may* (not mandatory) use Active Directory to store certificate templates and encryption certificates. Can we install an Enterprise CA without Active Directory? I would like to know the dependencies of the Enterprise CA on Active Directory, because when I try to install an Enterprise CA without Active Directory, it doesn't go any further, as it needs Active Directory components. Maybe my questions are trivial, but I request you to respond to them, as it would help me in designing the architecture. Regards, Santosh.
October 19th, 2009 8:15am

AFAIK templates are always stored in AD, so they can be replicated to other CAs. This means that you may create a template on one CA, but issue it on another CA.
October 19th, 2009 8:17am

Do you ever sleep, Vadims? Whenever I get here, you have answered something several minutes ago :-)
October 19th, 2009 9:42am

Good question :-) So, tonight I haven't slept.
October 19th, 2009 10:10am

Hey, I am going to try it myself, this must yield a lot of time to do things! o.
October 19th, 2009 10:43am

> AFAIK templates always stored in AD, so they can be replicated to other CAs. This means that you may create template on one CA, but issue on other CA.

The templates aren't replicated to other CAs when using Enterprise CAs. They're replicated to other DCs. When you manage templates you are actually accessing a domain controller. Then you decide which CA or CAs should be able to issue a specific template.

Sanurajan, when installing an Enterprise CA the AD is mandatory. If you do not want to use the AD (or haven't got one) then install a Stand-alone CA and the templates will be stored locally on the CA.
October 19th, 2009 10:43am

> The templates aren't replicated to other CAs when using Enterprise CAs. They're replicated to other DCs.

That's correct. CAs read them from AD.
October 19th, 2009 10:45am

Guys, first of all let me thank each and every one of you for replying to my query. So then, certificate templates and encryption certificates are the only things stored in the AD, and authentication/signature certificates are stored outside the AD (in a predefined path). Is it possible to configure Windows Enterprise CA 2003 / 2008 to use another directory service (for example Tivoli or Sun) instead of AD? Also, can we configure Windows Enterprise CA 2003 / 2008 to store even authentication/signature certificates in the AD? Regards, Santosh.
October 20th, 2009 2:00am

No, an Enterprise CA requires AD and AD only (not even ADLS/ADAM can be used). You can deploy an MS CA in another LDAP environment, but you must use a Standalone CA (and lots and lots of workarounds). There are no certificate templates, so you are reduced to using certreq or other APIs to submit requests (defining all certificate attributes).

As for signing certificates, you could store them in AD, but for what use?? No application will look up a signing certificate, so it is just wasting DIT space (IMHO). Also, only the certificate is stored (and the public key as an attribute). The private key is not stored in AD.

Brian
October 20th, 2009 10:21pm
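The points made across this thread (the CA database sitting in a Jet database under the CertSvc configuration rather than in AD, templates living in the Configuration partition with a per-template "publish to AD" flag, and published certificates holding only the public certificate with the UPN in the SAN) can all be verified read-only from a domain-joined host. The script below is an added example written for this page, not code from any poster or from Microsoft; it assumes PowerShell on Windows with the .NET DirectoryServices classes available, uses the documented registry location of the CA configuration and the documented CT_FLAG_PUBLISH_TO_DS bit (0x8) of msPKI-Enrollment-Flag, and the account name 'jdoe' at the bottom is a placeholder.

```powershell
# Added example (not from the thread). Read-only inventory of:
#  1. where the CA keeps its database (run on the CA host itself),
#  2. which certificate templates in AD are flagged "publish to AD",
#  3. which certificates are published on a user object, and whether the
#     UPN inside each certificate's SAN matches the account's own UPN.

# 1. The CA database paths are registry values under the CertSvc
#    Configuration key; DBDirectory defaults to %systemroot%\system32\CertLog.
function Get-CaDatabaseLocation {
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $cfg)) { return $null }   # this host is not a CA
    $p = Get-ItemProperty $cfg
    [pscustomobject]@{
        ActiveCA       = $p.Active
        DBDirectory    = $p.DBDirectory
        DBLogDirectory = $p.DBLogDirectory
    }
}

# 2. Templates are objects of class pKICertificateTemplate in the forest's
#    Configuration partition (this is why every CA in the forest sees them).
#    Bit 0x8 of msPKI-Enrollment-Flag (CT_FLAG_PUBLISH_TO_DS) is the
#    "Publish certificate in Active Directory" checkbox on the template.
function Get-TemplatesPublishedToAd {
    $cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path  = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
    $ds = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$path)
    $ds.Filter = '(objectClass=pKICertificateTemplate)'
    $null = $ds.PropertiesToLoad.Add('cn')
    $null = $ds.PropertiesToLoad.Add('msPKI-Enrollment-Flag')
    foreach ($r in $ds.FindAll()) {
        $flags = [int]$r.Properties['mspki-enrollment-flag'][0]
        [pscustomobject]@{
            Template    = [string]$r.Properties['cn'][0]
            PublishToAd = (($flags -band 0x8) -ne 0)
        }
    }
}

# 3. Published certificates are DER blobs in the userCertificate attribute.
#    Only the certificate (hence only the public key) is there. Decode each
#    one, read the UPN OtherName out of the SAN (OID 2.5.29.17) and compare
#    it with the account's userPrincipalName, which is how the account is
#    located at logon time.
function Get-AdPublishedCertificates {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    foreach ($a in 'userPrincipalName', 'userCertificate') { $null = $ds.PropertiesToLoad.Add($a) }
    $r = $ds.FindOne()
    if (-not $r) { Write-Warning "Account $SamAccountName not found"; return }
    $accountUpn = [string]$r.Properties['userprincipalname'][0]
    foreach ($der in $r.Properties['usercertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, [byte[]]$der)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanUpn = $null
        if ($san) {
            # Format($false) renders the UPN OtherName as "Principal Name=user@domain"
            $m = [regex]::Match($san.Format($false), 'Principal Name=([^,\s]+)')
            if ($m.Success) { $sanUpn = $m.Groups[1].Value }
        }
        [pscustomobject]@{
            Account    = $SamAccountName
            AccountUpn = $accountUpn
            Subject    = $cert.Subject
            SanUpn     = $sanUpn
            UpnMatches = [bool]($sanUpn -and ($sanUpn -ieq $accountUpn))
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

Get-CaDatabaseLocation
Get-TemplatesPublishedToAd | Where-Object PublishToAd
Get-AdPublishedCertificates -SamAccountName 'jdoe'   # placeholder account name
```

The first function returns nothing on a host that is not a CA, which is itself a useful confirmation that no CA database exists there. A row from the third function with `UpnMatches` false (a published certificate whose SAN UPN does not match the owning account) is worth following up on, since that is the binding the logon path relies on; an expired `NotAfter` on a still-published certificate is the more common, harmless finding.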
