
I have a CA setup on Server 2012 R2, the person who ran the server left the company and I have setup a new CA server.

I am trying to figure out what systems / URLs the certs are for.

In the list of Issued Certificates is the following:

Request ID: 71

Requester Name: DOMAIN\UserName

Certificate Template: Basic EFS (EFS)

Serial Number: 5f00000047c60993f6dff61ddb000000000047

Certificate Effective Date: 11/05/2015 8:46

Certificate Expiration Date: 11/04/2016 8:46

Issued Country/Region:

Issued Organization:

Issued Organization Unit: Org Users Employees

Issued Common Name: Employee Name <-- Actual name of employee

Issued City:

Issued State:

Issued Email Address:

When I ask the employee why they requested the certificate they don't remember why or what system it was for.

I am looking for a way to see all requested certs and what machines they are tied to:

Things I have tried/Googled:

  1. A command similar to Netstat that could tell me any listening or established connection to the server on 443; I may be way off base in my logic and thinking.

  2. I have looked through the event viewer looking at the "Certificate Effective Date: 11/05/2015 8:46" time stamp and cannot find any logs that show me anything.

  3. I tried to look at the database using the certutil command; however, I have to stop the service before I can view the database. Looking over the schema, it looks like a lot of the information I am looking for might be in there.

If I stop the service, will SSL certs still be OK, or will the end user get that SSL warning?

If I take a backup of the database, can I move the file to a different PC and be able to read it?

Does anyone know if I will be able to find what servers / URLs are using the certs on my CA?

Is there a different better way I can find the information?

Anthony Fornito

1 Answer


When I ask the employee why they requested the certificate they don't remember why or what system it was for.

That sounds about right. EFS certificates (and many others) are typically issued and renewed automatically. It's possible to disable EFS in policy or limit the scope of issuance to a specific security group on the template.

I am looking for a way to see all requested certs and what machines they are tied to

EFS certificates are typically issued to users, and implicitly not limited to a specific computer. There are also other types of EFS certificates, such as Data Recovery Agents (DRA).

I tried to look at the database using certutil.

The certificates should be visible in the management MMC. It's possible the CA/template is configured to not save a copy of the certificate, but that isn't the default configuration.

Does anyone know if I will be able to find what servers / URL's are using the certs on my CA?

From the CA? No. It may have some information such as a subject that matches the computer name or username. There may also be certificates issued to names that don't match a computer name or username. Or the certificates may not be saved on the CA. This is a question that everyone that uses certificates asks at one time or another, and there isn't a one-size-fits-all solution. Certificates can exist in a Windows computer certificate store, a Windows user certificate store, the registry, a file on a file system used by an application, embedded in an application like SQL server, so inventorying where certificates are is not as simple as you would think. And even if they are found, it doesn't mean they are in use. And even if they are in use, you may still not know what is using them without further investigation.

The best approach is to already have a good tracking system in place. The next best approach is to have your network regularly scanned for ports/certificates in use.

Greg Askew
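The two practical steps the answer points at (reading the issued list out of the CA database while the CA service keeps running, and scanning the network for the certificates actually presented on 443) can be combined into one script. The following is an added example and not code from the question or the answer. It assumes it is run on the CA, or on a machine with the CA admin tools installed, as a user allowed to read the CA database; the host names in $Hosts are placeholders, and the `Disposition=20` restriction (issued certificates) and the CSV column keywords are assumptions about certutil's output that are worth checking against `certutil -schema` on your own CA.

```powershell
# Added example, not code from the original question or answer.
# Part 1 dumps the issued certificates from the CA database with certutil, which
# reads the database while certsvc is running (the service does not need to stop).
# Part 2 connects to each host on $Port, reads the certificate it presents, and
# matches its serial number against the CA's issued list.
# Assumptions: run on the CA (or a host with the CA admin tools) as a user who
# can read the CA database; the names in $Hosts are placeholders to replace.

$Hosts = @('web01.corp.example', 'mail01.corp.example')   # placeholders
$Port  = 443

# --- Part 1: export issued certificates (Disposition 20 = issued) to CSV ---
$csvPath = Join-Path $env:TEMP 'ca-issued.csv'
certutil -view -restrict 'Disposition=20' `
    -out 'RequestID,SerialNumber,CommonName,CertificateTemplate,NotAfter' csv |
    Out-File -FilePath $csvPath -Encoding ascii
$issued = Import-Csv -Path $csvPath

# certutil labels CSV columns with their display names (e.g. "Serial Number"),
# so locate the columns by keyword instead of hard-coding the header text.
$props     = ($issued | Select-Object -First 1).PSObject.Properties.Name
$serialCol = $props | Where-Object { $_ -like '*Serial*' }  | Select-Object -First 1
$reqCol    = $props | Where-Object { $_ -like '*Request*' } | Select-Object -First 1

# Index issued certs by serial number. Leading zeros are stripped so the CA's
# string and .NET's X509Certificate2.SerialNumber compare cleanly.
$bySerial = @{}
foreach ($row in $issued) {
    $key = ($row.$serialCol -replace '\s', '').TrimStart('0').ToUpperInvariant()
    $bySerial[$key] = $row
}

# --- Part 2: pull the certificate each host presents on $Port ---
function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Inventory only: accept whatever the server presents, so expired or
        # untrusted certificates are still reported rather than hidden.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($HostName)
        # Copy into an X509Certificate2 before the underlying stream is closed.
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

$report = foreach ($h in $Hosts) {
    try {
        $cert  = Get-RemoteCertificate -HostName $h -Port $Port
        $key   = $cert.SerialNumber.TrimStart('0').ToUpperInvariant()
        $match = $bySerial[$key]
        $reqId = if ($match) { $match.$reqCol } else { '(not issued by this CA)' }
        [pscustomobject]@{
            Host      = $h
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            Serial    = $cert.SerialNumber
            NotAfter  = $cert.NotAfter
            RequestID = $reqId
        }
    }
    catch {
        [pscustomobject]@{ Host = $h; Subject = "ERROR: $($_.Exception.Message)" }
    }
}

$report | Sort-Object Host | Format-Table -AutoSize
```

Two caveats match what the answer says. The scan only finds certificates that are being presented on a listening port at scan time; an EFS certificate in a user's store, or a certificate sitting in an application's own file, will not show up, so treat a "not issued by this CA" or a missing host as "unknown", not as "unused". For the machine stores themselves, the same serial-number match can be run against `Get-ChildItem Cert:\LocalMachine\My` on each server (for example through Invoke-Command), which finds installed certificates from this CA even when nothing is listening with them.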