I guess I am not the only one who usually removes old PKI stuff from the Public Key Services container in Active Directory with pkiview.msc.
However, recently I discovered something that kind of bothered me. I was working with a customer of mine, removing some stuff in Sites and Services regarding a decommissioned DC, and out of curiosity I opened the Public Key Services container to take a look at it. I found three objects in the KRA container and decided to take a look at them with pkiview.msc, since it presents the PKI-related objects in Active Directory in a much nicer way than Sites and Services. But you can imagine my facial expression when pkiview.msc reported the container as empty!
As you guys must understand, I just had to reproduce this “bug”.
So this morning, I installed a virtual Windows Server 2008 R2 Standard Edition in an isolated environment and made it a DC for the domain wtf.poweradmin.se.
I also made it an Enterprise Root CA for the same domain. After that, I started by confirming that the KRA object was located in that container. There are multiple ways to look at the PKI information in Active Directory but I decided to use five of them for this test.
I started with adsiedit.msc:
ADSI Edit clearly shows that we have an object in the KRA container.
Then I decided to try dssite.msc:
Sites and Services also displays our object in the KRA container (if we show services nodes).
A third option is an LDAP query using ldifde:
It writes out entries to a text file, and if we look at that text file…
… we can actually see the same info that both ADSI Edit and Sites and Services have provided us earlier.
Our fourth option is to query Active Directory with the Active Directory Module for PowerShell:
PowerShell also shows us our object in the KRA container.
Now, what does the fifth option, pkiview.msc, say about the KRA container? Well…
… according to Manage AD Containers in PKI View, the KRA Container is empty.
I recommend you guys who have removed objects of decommissioned CAs with “Manage AD containers” in PKI View: look again in the KRA container with ADSI Edit, Sites and Services, LDAP or PowerShell. You might find something interesting left behind.
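The following script is an added example, not from the original post, that walks every subcontainer of Public Key Services (KRA included) with the Active Directory module, decodes the KRA certificates so you can see which CA issued them, and exports the KRA container with ldifde before anything is deleted. It assumes the Active Directory module is installed and that the caller can read the Configuration naming context; the output file name kra-export.ldf is just a placeholder.

```powershell
# Added example: audit the Public Key Services container directly in AD
# instead of trusting the view pkiview.msc presents.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pksBase  = "CN=Public Key Services,CN=Services,$configNC"

# Discover the subcontainers (AIA, CDP, KRA, Enrollment Services, ...) at
# runtime rather than hardcoding them, so nothing is skipped.
$containers = Get-ADObject -SearchBase $pksBase -SearchScope OneLevel `
                  -Filter { objectClass -eq 'container' }

foreach ($c in $containers) {
    # Everything below the subcontainer, excluding the container itself.
    $objs = Get-ADObject -SearchBase $c.DistinguishedName -SearchScope Subtree `
                -Filter * -Properties objectClass, whenCreated, whenChanged |
            Where-Object { $_.DistinguishedName -ne $c.DistinguishedName }
    Write-Host ("[{0}] {1} object(s)" -f $c.Name, @($objs).Count)
    $objs | Select-Object Name, ObjectClass, whenCreated, whenChanged |
        Format-Table -AutoSize
}

# KRA entries are msPKI-PrivateKeyRecoveryAgent objects whose certificate is
# stored in userCertificate. Decoding it shows the issuing CA, which is how
# you tell a leftover from a decommissioned CA apart from a live agent.
$kraBase = "CN=KRA,$pksBase"
Get-ADObject -SearchBase $kraBase -SearchScope OneLevel `
        -Filter { objectClass -eq 'msPKI-PrivateKeyRecoveryAgent' } `
        -Properties userCertificate |
    ForEach-Object {
        $name = $_.Name
        foreach ($raw in $_.userCertificate) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
            New-Object PSObject -Property @{
                KraObject = $name
                Subject   = $cert.Subject
                Issuer    = $cert.Issuer
                NotAfter  = $cert.NotAfter
            }
        }
    } | Format-Table KraObject, Subject, Issuer, NotAfter -AutoSize

# Keep an LDIF export of the KRA container (same LDAP route as ldifde above)
# so the objects can be restored if something turns out to still be needed.
ldifde -f kra-export.ldf -d $kraBase -p subtree -r "(objectClass=msPKI-PrivateKeyRecoveryAgent)"
```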
Update: http://poweradmin.se/blog/2010/06/02/pki-view-is-no-longer-a-supported-way-for-ca-decommission/
// Fredrik “DXter” Jonsson