Contents of \\Localhost\CertConfig and \\Localhost\CertEnroll
Applies To: Windows Server 2003 with SP1
Because the \CertConfig and \CertEnroll shares accumulate more than one certificate file over time, the following table explains the certificate file name extensions and their purpose. If the CA name is used as part of a file name, the sanitized CA name adds escape characters to accommodate any extended ASCII characters in the file name. The escape characters appear in the file name as %20.
Table 21 Certificate Paths and File Name Extensions
Example of the file name | Description |
---|---|
\\Localhost\CertConfig\Certsrv.txt | CA configuration file |
\\Localhost\CertConfig\Certsrv.bak | Previous CA configuration file if the CA has been reinstalled |
\\Localhost\CertConfig\CAname.req \\Localhost\CertConfig\CAname(1).req | Request file that is used to generate the CA certificate. Request files are used only for subordinate CAs. Request files are generated with the same base file name suffix as certificates. |
SystemDriveAndSystemroot\\CAname.req SystemDriveAndSystemroot\\CAname(1).req | If no shared folder was created during the CA setup procedure and Active Directory is used to publish the CA's configuration information, request files are written to the Systemroot drive instead of to the \\Localhost\CertConfig shared folder. To verify where the configuration information is published, at a command prompt, type certutil -getreg CA\UseDS. If the value is set to 0, the configuration information is written to the shared folder. If the value is set to 1, the configuration is maintained in Active Directory. |
\\Localhost\CertConfig\CAname.crt \\Localhost\CertEnroll\CAname.crt | Original root CA certificate (V0.0) |
\\Localhost\CertConfig\CAname(1).crt \\Localhost\CertEnroll\CAname(1).crt | Renewed root CA certificate (V1.0) |
\\Localhost\CertConfig\CAname(0-1).crt \\Localhost\CertEnroll\CAname(0-1).crt | Cross certificate for CA certificate V0.0 to V1.0 |
\\Localhost\CertConfig\CAname(1-0).crt \\Localhost\CertEnroll\CAname(1-0).crt | Cross certificate for CA certificate V1.0 to V0.0 |
\\Localhost\CertConfig\CAname(2).crt \\Localhost\CertEnroll\CAname(2).crt | Renewed root CA certificate (V2.0) |
\\Localhost\CertEnroll\CAname.crl | CA base revocation list |
\\Localhost\CertEnroll\CAname(1).crl | CA base revocation list (first instance) |
\\Localhost\CertEnroll\CAname+.crl | Delta CRL |
\\Localhost\CertEnroll\CAname(1)+.crl | Delta CRL (first instance) |
The cross-certificates are generated automatically when the Certificates service starts after a root CA certificate has been renewed with a new key. Cross-certificates are not created for subordinate CAs, and they are not created when a root certificate is renewed with the same key. If you upgrade from Windows 2000 Server after renewing a root CA certificate with a new key, the cross-certificate is generated the first time that the certificate server service starts after you upgrade to Windows Server 2003.
The following sample is an example of \\Localhost\Certenroll after a clean root CA installation.
```
C:\>dir \\Localhost\certenroll
 Volume in drive \\Localhost\certenroll has no label.
 Volume Serial Number is CC0E-CACB

 Directory of \\Localhost\certenroll

06/12/2002  11:57 AM    <DIR>          .
06/12/2002  11:57 AM    <DIR>          ..
06/12/2002  11:32 AM             1,299 concorp-ca-00_CorporateRootCA.crt
06/12/2002  11:32 AM               925 CorporateRootCA.crl
06/12/2002  11:32 AM               321 nsrev_CorporateRootCA.asp
               3 File(s)          2,545 bytes
               2 Dir(s)   4,478,095,360 bytes free
```
The following sample is an example of \\Localhost\Certconfig after a clean root CA installation.
```
C:\>dir \\localhost\certconfig
 Volume in drive \\localhost\certconfig has no label.
 Volume Serial Number is CC0E-CACB

 Directory of \\localhost\certconfig

06/12/2002  12:28 PM    <DIR>          .
06/12/2002  12:28 PM    <DIR>          ..
06/12/2002  11:32 AM               105 certsrv.bak
06/12/2002  11:32 AM               216 certsrv.txt
06/12/2002  11:32 AM             1,299 concorp-ca-00_CorporateRootCA.crt
               3 File(s)          1,620 bytes
               2 Dir(s)   4,478,095,360 bytes free
```
The following sample is an example of \\Localhost\Certenroll after two key renewals on a CA.
```
C:\>dir \\localhost\certenroll
 Volume in drive \\localhost\certenroll has no label.
 Volume Serial Number is CC0E-CACB

 Directory of \\localhost\certenroll

06/11/2002  07:48 PM    <DIR>          .
06/11/2002  07:48 PM    <DIR>          ..
06/11/2002  05:31 PM             1,338 concorp-ca-00_CorporateRootCA(1).crt
06/11/2002  05:31 PM             1,928 concorp-ca-00_CorporateRootCA(0-1).crt
06/11/2002  05:31 PM             1,940 concorp-ca-00_CorporateRootCA(1-0).crt
06/11/2002  07:48 PM             1,338 concorp-ca-00_CorporateRootCA(2).crt
06/11/2002  11:57 AM             1,299 concorp-ca-00_CorporateRootCA.crt
06/11/2002  05:31 PM               943 CorporateRootCA(1).crl
06/11/2002  05:32 PM               938 CorporateRootCA.crl
06/11/2002  11:57 AM               321 nsrev_CorporateRootCA.asp
               8 File(s)         10,045 bytes
               2 Dir(s)   4,481,171,456 bytes free
```
The following sample is an example of \\Localhost\Certconfig after two key renewals on a CA.
```
C:\>dir \\localhost\certconfig
 Volume in drive \\localhost\certconfig has no label.
 Volume Serial Number is CC0E-CACB

 Directory of \\localhost\certconfig

06/11/2002  07:48 PM    <DIR>          .
06/11/2002  07:48 PM    <DIR>          ..
06/11/2002  11:27 AM               105 certsrv.bak
06/11/2002  11:57 AM               216 certsrv.txt
06/11/2002  05:31 PM             1,928 concorp-ca-00_CorporateRootCA(0-1).crt
06/11/2002  05:31 PM             1,338 concorp-ca-00_CorporateRootCA(1).crt
06/11/2002  05:31 PM             1,940 concorp-ca-00_CorporateRootCA(1-0).crt
06/11/2002  07:48 PM             1,338 concorp-ca-00_CorporateRootCA(2).crt
06/11/2002  11:57 AM             1,299 concorp-ca-00_CorporateRootCA.crt
04/24/2002  10:53 AM             1,942 connoam-ca-00_CONNOAM-CA-00.req
               8 File(s)         10,106 bytes
               2 Dir(s)   4,481,171,456 bytes free
```
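The naming rules in Table 21 can be applied mechanically when reviewing what a CA has published to these shares. The following Python sketch is an added example, not code from the original page or from Microsoft: it classifies file names by their trailing suffix only (so the server-name prefix seen in the listings is ignored) and groups a listing by kind. The function names `classify` and `inventory` and the kind labels are assumptions made for illustration.

```python
import re

# Suffix grammar from Table 21: optional "(N)" or "(N-M)", optional "+", extension.
_NAME = re.compile(
    r"^(?P<stem>.+?)(?:\((?P<a>\d+)(?:-(?P<b>\d+))?\))?(?P<delta>\+)?"
    r"\.(?P<ext>crt|crl|req)$", re.IGNORECASE)
_CONFIG = {"certsrv.txt": "CA configuration file",
           "certsrv.bak": "previous CA configuration file"}
UNLISTED = ("unlisted", "not described in Table 21")

def classify(name):
    """Return (kind, detail) for one file name, following Table 21."""
    if name.lower() in _CONFIG:
        return ("config", _CONFIG[name.lower()])
    m = _NAME.match(name)
    if not m:
        return UNLISTED
    ext, a, b, delta = m["ext"].lower(), m["a"], m["b"], m["delta"]
    suffix = f"suffix ({a})" if a else "no suffix"
    if ext == "crt" and not delta:
        if b is not None:                       # "(0-1)" style pair
            return ("cross-cert", f"V{a}.0 to V{b}.0")
        return ("ca-cert", f"V{a or 0}.0")      # no suffix means V0.0
    if ext == "crl" and b is None:
        return ("delta-crl" if delta else "base-crl", suffix)
    if ext == "req" and b is None and not delta:
        return ("request", suffix)
    return UNLISTED                             # e.g. "+" on a .crt

def inventory(names):
    """Group a share listing by kind so unlisted files stand out."""
    out = {}
    for n in names:
        kind, detail = classify(n)
        out.setdefault(kind, []).append((n, detail))
    return out

# File names taken from the page's CertEnroll listing after two key renewals.
CERTENROLL = [
    "concorp-ca-00_CorporateRootCA(1).crt", "concorp-ca-00_CorporateRootCA(0-1).crt",
    "concorp-ca-00_CorporateRootCA(1-0).crt", "concorp-ca-00_CorporateRootCA(2).crt",
    "concorp-ca-00_CorporateRootCA.crt", "CorporateRootCA(1).crl",
    "CorporateRootCA.crl", "nsrev_CorporateRootCA.asp",
]

if __name__ == "__main__":
    for kind, items in inventory(CERTENROLL).items():
        for n, detail in items:
            print(f"{kind:10} {detail:16} {n}")
```

Run against the sample listing, it reports nsrev_CorporateRootCA.asp as unlisted because Table 21 does not describe that file, which is the kind of entry to check against what the CA is expected to publish.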