As you likely already know, most SSL certificates show only the “friendly name” of the issuing Certificate Authority and not the host name.

1 – The Certificate's ISSUED BY Field


Often the ISSUED BY field will give you a clue to the hostname of your CA.

  1. Click START, type CERTIFICATE, then click on MANAGE COMPUTER CERTIFICATES
  2. Expand PERSONAL and / or TRUSTED ROOT CERTIFICATION AUTHORITIES
  3. Look at the ISSUED BY column, or double-click on any cert and read the ISSUED BY field

If that CA name is something useless like OurCompanyCA, your first method of finding your domain's CA is dead.

2 – Active Directory Sites and Services

  1. On a Domain Controller, click START, type SITES, then click ACTIVE DIRECTORY SITES AND SERVICES
  2. Click VIEW, click on SHOW SERVICES NODE
  3. Expand SERVICES > PUBLIC KEY SERVICES > CERTIFICATE AUTHORITIES

Note that if you find old CAs that no longer exist, it is not a good idea to just right-click and delete them. There is slightly more to manually deleting a CA from AD, as explained HERE.
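
The same Public Key Services containers can be read from PowerShell instead of the GUI. The script below is an added example, not part of the original post; it assumes Windows PowerShell 5.1 or later on a domain-joined machine, and it also reads the sibling Enrollment Services container (not mentioned above), which is where AD records each enterprise CA's dNSHostName. It only reads and reports, so stale entries are flagged by certificate expiry rather than touched.

```powershell
# Added example (read-only): list CA objects published in AD under
# CN=Public Key Services,CN=Services in the Configuration partition.
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Get-PublishedCA {
    param(
        [Parameter(Mandatory)] [string]$Container,    # child container name
        [Parameter(Mandatory)] [string]$ObjectClass   # class of the CA objects in it
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=$Container,$pkiBase"
    $searcher.Filter      = "(objectClass=$ObjectClass)"
    $searcher.SearchScope = 'OneLevel'
    foreach ($p in 'cn', 'dNSHostName', 'cACertificate') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties          # result keys are lower-case
        $cert  = $null
        if ($props['cacertificate'].Count -gt 0) {
            # Parse the published CA certificate to read its validity period
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [byte[]]$props['cacertificate'][0])
        }
        [pscustomobject]@{
            Container = $Container
            CAName    = [string]$props['cn'][0]
            HostName  = if ($props['dnshostname'].Count -gt 0) { [string]$props['dnshostname'][0] } else { '' }
            NotAfter  = if ($cert) { $cert.NotAfter } else { $null }
            Expired   = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        }
    }
}

# Enterprise CAs with their host names, then the root CA certificates published in AD.
$cas  = @(Get-PublishedCA -Container 'Enrollment Services' -ObjectClass 'pKIEnrollmentService')
$cas += @(Get-PublishedCA -Container 'Certification Authorities' -ObjectClass 'certificationAuthority')
$cas | Sort-Object Container, CAName | Format-Table -AutoSize
```

Rows from Certification Authorities have an empty HostName because those objects hold only the root certificate; the host name comes from the matching Enrollment Services row.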

3 – Ping your CA

  1. Launch a CMD, PowerShell, or Terminal as an Administrator
  2. Type certutil -config - -ping

If something pops up, your AD thinks there is a Certificate Authority on your domain. Otherwise you will see something like “No active Certificate Authorities were found: No More data is available”.
