This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 39%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Dear all, I started a new company and they asked me to work on something and identify the CAs, root CA and subordinate CAs in their environment. They have several I believe. What is the easiest and most reliable way to do this? Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 8%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDA%3C/text%3E%3C/svg%3E)
Hello, Thankyou for using the Microsoft Q&A forums. You can go to your Domain Controller and find the Cert Publishers group in Active Directory. It should have your servers with the Certificate Authority role. If you run the Certutil cmd there, you can get the info of the certificates installed. Hope it helps.
If you run "certutil -getreg ca\CAType" you can see what type of CA you have:
Values 1 and 4 are Enterprise subordinate and Standalone subordinate.
Values 0 and 3 are Enterprise root CA and Standalone root CA. 5 means it's unknown.
Example:
You can also find the value by going into the registry to Computer\HKLM\System\CurrentControlSet\Services\CertSvc and checking the key "CAType"
his was a bit of a challenge to find online. Maybe it was just me so thank you.
Appreciate it
Thanks for the response. Yes I already did this and found the article but it does not have steps to tell me which is the root CA and which one's are the subordinates? I see three CA servers. Is there a way to find out? This is a very brief document. https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/find-name-enterprise-root-ca-server
This came up because they want to remove one of them so I need to make sure it is one of the subs I guess.
I added a follow up in the comments of my answer to avoid filling the post with unnecesary "answers"