Thursday, March 31, 2016

certutil.exe shortcut

Hi,
currently I am working with great people on a PKI project. So, as was bound to happen, we use certutil.exe for various purposes, and we came across a nice shortcut I want to share.
Every time you use certutil.exe to query a CA server remotely, you have to specify the config information (the CA's "hostname\CA name" string). The one exception is -ping, which only needs the CA hostname, so no -config is necessary there.


e.g.



C:\system>certutil.exe
Entry 0:
  Name:                         `AAA-trii-CAI01'
  Organizational Unit:          `'
  Organization:                 `tribaldi'
  Locality:                     `'
  State:                        `'
  Country/region:               `'
  Config:                       `cai01.tribaldi.net\AAA-trii-CAI01'
  Exchange Certificate:         `'
  Signature Certificate:        `'
  Description:                  `'
  Server:                       `cai01.tribaldi.net'
  Authority:                    `AAA-trii-CAI01'
  Sanitized Name:               `AAA-trii-CAI01'
  Short Name:                   `AAA-trii-CAI01'
  Sanitized Short Name:         `AAA-trii-CAI01'
  Flags:                        `1'
  Web Enrollment Servers:       `'
CertUtil: -dump command completed successfully.


So then you copy the config value and use it like:

C:\system>certutil -catemplates -config "cai01.tribaldi.net\AAA-trii-CAI01"
3b_clmAgent: 3b_clmAgent -- Auto-Enroll: Access is denied.
3B_enrollment_agent: 3B_enrollment_agent -- Auto-Enroll: Access is denied.
3BUser_onbehalf: 3BUser_onbehalf -- Auto-Enroll: Access is denied.
WebServerORG: Web Server ORG -- Auto-Enroll: Access is denied.
3bcomputer: 3bcomputer -- Auto-Enroll: Access is denied.
ISE_BYOD: ISE_BYOD -- Auto-Enroll: Access is denied.
BYOD: BYOD -- Auto-Enroll: Access is denied.
WebServer: Web Server -- Auto-Enroll: Access is denied.
IPSECIntermediateOffline: IPSec (Offline request) -- Auto-Enroll: Access is denied.
CEPEncryption: CEP Encryption -- Auto-Enroll: Access is denied.
EnrollmentAgentOffline: Exchange Enrollment Agent (Offline request) -- Auto-Enroll: Access is denied.
CertUtil: -CATemplates command completed successfully.



So while that is fine for scripting purposes, e.g. for documentation, the shortcut is much simpler for interactive use. Instead of the value behind the -config parameter you can just type a dash (minus sign), and certutil will open a dialog listing all CAs registered in AD so you can pick one. See here:



And that will give you exactly the same result as the command before.
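For the scripted case the post mentions (where the dash picker dialog cannot be used), here is an added PowerShell example, not code from the original post, that pulls the Config value out of `certutil -dump` output and reuses it for the `-catemplates` query. The sample dump lines are constructed from the listing above; the regex, the function name Get-CAConfigFromDump and the assumption that certutil's `-dump` output keeps the backtick/quote layout shown in the post are mine.

```powershell
# Added example (not from the original post): parse the "Config:" lines from
# `certutil -dump` output and use them to run per-CA queries from a script,
# where the interactive "-config -" picker dialog is not an option.

function Get-CAConfigFromDump {
    param(
        [Parameter(Mandatory)]
        [string[]]$DumpOutput   # lines as returned by `certutil -dump`
    )
    foreach ($line in $DumpOutput) {
        # Matches lines such as:   Config:   `cai01.tribaldi.net\AAA-trii-CAI01'
        # (assumes the backtick ... quote layout seen in the post's output)
        if ($line -match '^\s*Config:\s+`(?<config>[^'']+)''\s*$') {
            $Matches['config']
        }
    }
}

# Constructed sample, mirroring the entry shown in the post
$sampleDump = @(
    'Entry 0:',
    '  Name:                         `AAA-trii-CAI01''',
    '  Config:                       `cai01.tribaldi.net\AAA-trii-CAI01''',
    '  Server:                       `cai01.tribaldi.net''',
    'CertUtil: -dump command completed successfully.'
)

# Offline check of the parser against the constructed sample
$configs = @(Get-CAConfigFromDump -DumpOutput $sampleDump)
if ($configs.Count -ne 1 -or $configs[0] -ne 'cai01.tribaldi.net\AAA-trii-CAI01') {
    throw "unexpected parse result: $($configs -join ', ')"
}
Write-Host "parsed CA config: $($configs[0])"

# Live use (needs a domain-joined machine with certutil.exe and access to the CA):
# enumerate every CA published in AD and list its templates, one call per CA.
# Uncomment to run.
# $live = certutil.exe -dump 2>&1
# foreach ($cfg in Get-CAConfigFromDump -DumpOutput $live) {
#     Write-Host "== $cfg =="
#     certutil.exe -catemplates -config $cfg
# }
#
# Interactively, the post's shortcut does the same CA selection via a dialog:
# certutil.exe -catemplates -config -
```

The parser only keeps lines whose Config value is non-empty, so on a machine with several CAs published in AD you get one config string per "Entry N:" block and can loop over them; each `-catemplates` call still returns "Access is denied" per template for a caller without auto-enroll rights, exactly as in the listing above.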

Until next time,
Lutz


P.S. these examples are created from Windows 2012 R2 machines.






1 comment:

giaonhanquocte said...

Thanks for sharing, nice post! The post really provides useful information!

Giaonhan247 specializes in shipping goods to the US as well as US shipping services, buy-on-your-behalf services for US goods from ebay vn, and a reputable, low-cost Amazon purchasing service to VN.