How to check remotely whether Certificate Authority (CA) Service is on (start) or not (stop)

    Question

  • I have installed Certificate Authority services on Windows Server 2012 R2. If I stop the CA service (Tools -> Certificate Authority -> right-click CA -> Stop), how can I find out from a remote computer whether the CA service is started or stopped (on or off)? The remote computer can be Windows, Linux, or VxWorks.
    Wednesday, March 15, 2017 5:12 AM

All replies

  • Hi MINI04,

    I suppose the easiest way would be using VNC and manipulate remote computers.
    I am using RealVNC for remote-control of my computers.

    Regards,
    Ashidacchi
    Wednesday, March 15, 2017 7:21 AM
  • Hi Ashidacchi,

    Thanks for replying. Actually, I am writing a program in C/C++ which should work on Windows, Linux and VxWorks. I got an idea that I can ping the server at http://servername/certsrv/certcarc.asp, where it asks for a username and password, and if the CA service is stopped then it displays a message. But using this method I need to pass parameters, and according to me passing a username and password is not good practice. Is there any way the web page information can be popped up without passing credentials?

    Regards,

    Mini

    Wednesday, March 15, 2017 8:57 AM
  • Hi Mini,

    one option would be to configure your app to run in the security context of a domain account (non-privileged) and then adjust permissions on the CA service to allow that domain account to query its status. More at http://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

    hth
    Marcin

    Wednesday, March 15, 2017 11:20 AM
  • Hi Marcin,

    Thanks for your reply. I think that should not be the solution because running the app in non-privileged mode is again not a good practice. Is there any other means to find the CA service status other than pinging the web page?

    Thanks,

    Mini

    Thursday, March 16, 2017 3:48 AM
  • Hi,

    In Windows, to verify the responsiveness of a remote CA, run the following command and select the target CA from the list of available CAs.

    certutil -config - -ping

    The first ping is with the CA on; the second ping is with the CA stopped.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, March 16, 2017 8:20 AM
    Moderator
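
The two checks suggested in the replies above (Marcin's service-status query and Cartman's `certutil` ping), combined in one PowerShell function as an added example that is not part of the original replies. The function name, host name and CA name are placeholders; `CertSvc` is the AD CS service name, and naming the CA explicitly with `-config "host\CA name"` skips the interactive CA picker. Both tools authenticate with the caller's logon session, so no password appears in the script.

```powershell
# Added example, not from the thread. Host and CA names below are placeholders.
function Test-CaHealth {
    param(
        [Parameter(Mandatory)] [string] $Server,  # CA host, e.g. ca01.example.test
        [Parameter(Mandatory)] [string] $CaName   # CA common name as shown in the CA console
    )

    # Check 1: ask the remote Service Control Manager for the CertSvc state.
    # Use sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
    # The regex assumes English sc.exe output ("STATE : 4  RUNNING").
    $scOut  = (& sc.exe "\\$Server" query CertSvc 2>&1) -join "`n"
    $scExit = $LASTEXITCODE
    if ($scExit -eq 0 -and $scOut -match 'STATE\s*:\s*\d+\s+(\w+)') {
        $state = $Matches[1]                             # RUNNING, STOPPED, START_PENDING, ...
    } else {
        $state = "UNKNOWN (sc.exe exit code $scExit)"    # access denied, host unreachable, ...
    }

    # Check 2: ping the CA's certificate request interface with an explicit config string.
    # certutil returns a non-zero exit code when the CA does not answer.
    $pingOut = (& certutil.exe -config "$Server\$CaName" -ping 2>&1) -join "`n"
    $pingOk  = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        Server       = $Server
        ServiceState = $state
        CaResponds   = $pingOk
        Detail       = if ($pingOk) { '' } else { $pingOut.Trim() }
    }
}

# Run as the non-privileged domain account that was granted query rights on CertSvc.
Test-CaHealth -Server 'ca01.example.test' -CaName 'Example Issuing CA' | Format-List
```

A `ServiceState` of `UNKNOWN` together with an access-denied exit code means the account lacks the query permission on the service, not that the CA is down.
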
  • Hi CartMan,

    I already tried the certutil command, but on the same PC where the CA is installed it displays that the server is unavailable or alive, but if I try from another computer then my CA name is not listed.

    Thanks,

    Mini

    Thursday, March 16, 2017 9:58 AM
  • Hi,

    From any browser just type the CA server name

    https://<serverName>/certsrv. If you are able to view the default page, your CA is working. If the service is unavailable, it is not working.

    Thanks

    Syed Abdul Kadar M.



    Don't forget to mark as Answered if you found this post helpful.

    Thursday, March 16, 2017 10:49 AM
  • Hi Mini, why would you consider running an app in a non-privileged mode to qualify as a bad practice? The only permission that the app would have is reading the status of a remote service. If that's more than you are willing to tolerate, then you can further secure access to the app itself - so only a privileged account can run it.

    hth
    Marcin

    Thursday, March 16, 2017 11:30 AM
  • Hi Marcin,

    Thanks for the valuable reply. I have made up my mind to check the CA service status by pinging the URL http://servername/certsrv/certcarc.asp. Now I am facing a problem which I am not able to solve.

    When I ping using Internet Explorer, it asks me for a username and password and I am able to see the CA service status. But when I ping the URL in my program using the curl library, it gives HTTP code 404 (I am providing the username and password in the program).

    1) To check that my code is correct, I replaced the URL with http://servername/certsrv/mscep_admin/, which also needs credentials; for this URL the code works fine and gives HTTP code 200.

    2) I also captured the packets in Wireshark, and according to me there is a problem in reassembling the packets, but I am not able to sort out the problem.

        #include <cstdio>
        #include <curl/curl.h>

        int main()
        {
            CURLcode res;
            CURL *curl;
            long http_code = 0;

            curl_global_init(CURL_GLOBAL_WIN32);
            curl = curl_easy_init();
            if (curl)
            {
                curl_easy_setopt(curl, CURLOPT_URL, "http://10.140.190.151/certsrv/certcarc.asp/");
                // Let libcurl choose among the authentication schemes the server offers
                curl_easy_setopt(curl, CURLOPT_HTTPAUTH, (long)CURLAUTH_ANY);
                curl_easy_setopt(curl, CURLOPT_USERPWD, "administrator:abc123#");
                res = curl_easy_perform(curl);
                // Status code of the final HTTP response
                curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http_code);
                if ((http_code == 200) && (res != CURLE_ABORTED_BY_CALLBACK))
                    printf("\nOK\n http_code = %ld\n", http_code);
                else
                    printf("\nNOT OK\n http_code = %ld\n", http_code);
                if (res != CURLE_OK)
                {
                    fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
                }
                curl_easy_cleanup(curl);
            }
            curl_global_cleanup();
            getchar();
            return 0;
        }

    Thanks,

    Mini

    Tuesday, March 21, 2017 9:37 AM
  • [Screenshot: output of Wireshark when I ping using Internet Explorer]

    [Screenshot: output of Wireshark when I ping using my program]


    Tuesday, March 21, 2017 9:51 AM
  • Remotely, I am not able to see my CA in the list when I run certutil -config - -ping
    Tuesday, March 21, 2017 11:10 AM
  • Hi,

    If you need a debugging service for network capture files, you could contact Microsoft Customer Support Service (CSS) for assistance so that this problem can be resolved efficiently. To obtain the phone numbers for a specific technology request, please take a look at the web site listed below:

    https://support.microsoft.com/en-us/gp/customer-service-phone-numbers


    Best Regards
    Cartman

    Tuesday, March 28, 2017 2:01 AM
    Moderator