Test migrated certificate authority
Hello all... Today I will move my CA from one location to another, and I have configured RPC dynamic port allocation. How can I test that my CA is working correctly? That it will still renew/create new certificates for users and computers, mail etc.? Thanks all, dkotix
October 14th, 2009 1:32pm
I would try enrolling for a user and computer certificate from a domain member computer manually (online, by using the MMC console), and also try to autoenroll for some certificate by issuing the CERTUTIL -PULSE command after deleting some previously autoenrolled certificate. Also publish the CRLs manually on the authority and try CERTUTIL -VERIFY -URLFETCH on some client's certificate.
ondrej
October 14th, 2009 1:45pm
Hi Ondrej, thanks one more time :-) dkotix
October 14th, 2009 1:52pm
Also CERTUTIL -PING servername can be useful.
HTH, Martin
October 14th, 2009 2:05pm
Thanks Martin :-) dkotix
October 14th, 2009 2:15pm
If I join a new computer to the domain with a new name and a new user, isn't that a way to test as well? dkotix
October 14th, 2009 2:19pm
If I join a new computer to the domain with a new name and a new user, isn't that a way to test as well? dkotix
If you are asking whether you'll test your CA by joining a new computer and logging in with an existing / new user, then the answer is: No, you will not test whether the CA is functioning correctly.
Best regards, Martin
October 14th, 2009 3:21pm
Thanks Martin :-) I am publishing the CRL manually and typed the following command: CertUtil -verify -urlfetch
402.420.948: Begin: 10/14/2009 3:33 PM 12.579s
301.3252.0: certcli.dll: 5.2.3790.3959 retail (srv03_sp2_rtm.070216-1710)
301.3252.0: certutil.exe: 5.2.3790.3959 retail (srv03_sp2_rtm.070216-1710)
301.3156.465: Command Line: CertUtil -verify -urlfetch
301.3175.509: Command Status: Incorrect function. 0x1 (WIN32: 1)
402.315.949: End: 10/14/2009 3:33 PM 12.610s
October 14th, 2009 3:35pm
certutil -urlfetch -verify is used to verify the validity of a certificate or CRL. You need a CRL or certificate file to validate.
October 14th, 2009 4:16pm
Is it possible to have a sample please? Because I am trying to find any info on the internet to understand all this, but unfortunately nothing helps me :-( Thanks, dkotix
October 15th, 2009 11:39am
Ondrej proposed a good testing procedure. I may elaborate:
1. Use a domain computer to get a test certificate.
2. Publish the CRL manually from the CA (certutil -crl).
3. Export the certificate you got in step one into a .cer file (suppose it is named test.cer).
4. Use certutil -urlfetch -verify test.cer.
5. Review the results.
This way you'll check that
1) the CA issues certificates and CRLs
2) the CRL points are reachable
Also consider using the Enterprise PKI tool (http://technet.microsoft.com/en-us/library/cc732261(WS.10).aspx). This tool is part of the 2003 resource kit tools. It is installed by default with 2008 Active Directory Certificate Services. Look for the "pkiview.msc" MMC snap-in.
HTH, Martin
October 15th, 2009 12:12pm
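An added PowerShell script (not from this thread or its participants) that chains Ondrej's and Martin's checks above into one pass/fail run. The CA config string, the output directory and the 15-second wait are assumptions, as is that the account may run certutil -crl against the CA through -config.

```powershell
# Added example (not the thread's own code): chain the checks Ondrej and Martin describe into one pass/fail run.
# Assumes an elevated PowerShell 5+ session on a domain-joined machine; $CaConfig is a placeholder "host\CA name".
param(
    [string]$CaConfig = 'CA-HOST.example.local\Example Issuing CA',   # placeholder, replace with the migrated CA
    [string]$OutDir   = (Join-Path $env:TEMP 'ca-migration-test')
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$results = [ordered]@{}

function Invoke-CertUtil {
    # Runs certutil.exe with the given arguments; returns exit status and captured text.
    param([string[]]$CmdArgs)
    $text = (& certutil.exe @CmdArgs 2>&1 | Out-String)
    [pscustomobject]@{ Ok = ($LASTEXITCODE -eq 0); Text = $text }
}

# 1. RPC/DCOM reachability (Martin's certutil -ping): this is the path the dynamic-port change affects.
$results['ping']  = (Invoke-CertUtil @('-config', $CaConfig, '-ping')).Ok

# 2. Autoenrollment (Ondrej's certutil -pulse): the CA must then issue this machine a certificate.
$results['pulse'] = (Invoke-CertUtil @('-pulse')).Ok
Start-Sleep -Seconds 15   # assumed wait for autoenrollment to finish before reading the store

# 3. Publish a fresh CRL (certutil -crl). Assumption: the account may run it against the CA via -config.
$results['crl']   = (Invoke-CertUtil @('-config', $CaConfig, '-crl')).Ok

# 4. Export the newest valid machine certificate issued by this CA as the thread's test.cer.
$caName = $CaConfig.Split('\')[-1]
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "CN=$caName*" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$results['issued'] = ($null -ne $cert)
$cerPath = Join-Path $OutDir 'test.cer'

# 5. certutil -urlfetch -verify test.cer. Note the thread's own dump: certutil reports "Command Succeeded"
#    even when the chain status is CERT_TRUST_REVOCATION_STATUS_UNKNOWN, so grep for 0x80092012 explicitly.
if ($cert) {
    [IO.File]::WriteAllBytes($cerPath, $cert.RawData)
    $v = Invoke-CertUtil @('-urlfetch', '-verify', $cerPath)
    $results['urlfetch'] = $v.Ok -and ($v.Text -notmatch '0x80092012') -and ($v.Text -notmatch 'unable to check revocation')
} else {
    $results['urlfetch'] = $false
}

# Summary: a FAIL on ping/pulse/issued means the CA is unreachable or not issuing;
# a FAIL on urlfetch alone points at the CRL distribution points (the fix found later in this thread).
$results.GetEnumerator() | ForEach-Object {
    '{0,-9} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

Run it once before and once after the move so the two PASS/FAIL tables can be compared line by line.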
Hi all, all my cert requests failed. certutil gives me the following result:
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)
And the event viewer:
The revocation function was unable to check revocation for the certificate.
========================================================================
402.420.948: Begin: 10/15/2009 5:46 PM 54.468s
301.3252.0: certcli.dll: 5.2.3790.3959 retail (srv03_sp2_rtm.070216-1710)
301.3252.0: certutil.exe: 5.2.3790.3959 retail (srv03_sp2_rtm.070216-1710)
301.3156.465: Command Line: CertUtil -verify CAnet.freak.net_subwinca.crt
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
CertContext[0][0]: dwInfoStatus=4 dwErrorStatus=40
  Issuer: CN=root, OU=lab, O=freak, C=gr
  Subject: CN=subwinca, DC=freak, DC=net
  Serial: 6884002cb6470bcfecd43fe57596d369
  0f e5 54 8f e9 02 e2 56 0f 0d cd 16 d5 bb 2d 80 10 31 14 a9
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=root, OU=lab, O=freak, C=gr
  Subject: CN=root, OU=lab, O=freak, C=gr
  Serial: e8ed89a5a2d5b463789d4154850067e4
  06 80 e9 08 e7 3d 6c 99 0c d8 7b f6 20 2b e5 81 39 01 97 11
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert: 0f e5 54 8f e9 02 e2 56 0f 0d cd 16 d5 bb 2d 80 10 31 14 a9
Full chain: 87 1a 04 59 0d 4b e6 30 24 ed 13 a8 48 6e 43 f1 7c da 3d 75
  Issuer: CN=root, OU=lab, O=freak, C=gr
  Subject: CN=subwinca, DC=freak, DC=net
  Serial: 6884002cb6470bcfecd43fe57596d369
  0f e5 54 8f e9 02 e2 56 0f 0d cd 16 d5 bb 2d 80 10 31 14 a9
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)
------------------------------------
301.3175.511: Command Succeeded
402.315.949: End: 10/15/2009 5:46 PM 54.562s
October 15th, 2009 5:49pm
OK, I found where the error was. In case someone else faces the same error: you must create the CRL distribution points.
October 15th, 2009 6:26pm