Active Directory: LDAPs(636) and MSFT-GC-SSL(3269) Service

Applies To:

Windows Server 2012, Windows Server 2012 R2 Preview

DoLdapInitialize

The standard AD DS ports are opened when the DC is promoted (DCPROMO), as part of LDAP initialization. The listener sockets are created during DSA (directory service agent) initialization, specifically in DoLdapInitialize. If you stop the Active Directory Domain Services service in services.msc, none of these ports listens any more.

The subject of this article is the ldaps service (TCP 636) and the msft-gc-ssl service (TCP 3269). Both ports are listening after a DC is promoted, which you can verify with Telnet, PortQry, Network Monitor, Wireshark or similar tools. The result below was taken from a newly built DC using PortQry.

PortQry output for the SSL ports after promoting a DC:


TCP port 636 (ldaps service): LISTENING
portqry.exe -n msft.net -e 636 -p TCP exits with return code 0x00000000.

TCP port 3269 (msft-gc-ssl service): LISTENING
portqry.exe -n msft.net -e 3269 -p TCP exits with return code 0x00000000.

 

There is a fantastic tool called LDP.EXE. It was part of the Windows Support Tools in earlier versions of Windows (Server 2003); today it is installed on every DC as part of RSAT. On a freshly promoted DC you can connect to ports 389 and 3268 through LDP but not to 636 and 3269: the TCP sockets are open (which is why PortQry reports LISTENING), but the TLS handshake fails until the DC holds a valid certificate. That certificate must be issued by a CA the clients trust, carry the DC's fully qualified DNS name in the Subject or in the Subject Alternative Name (SAN), have the Server Authentication EKU (1.3.6.1.5.5.7.3.1) as its intended purpose, and have its private key in the machine store.

 

LDP.EXE output after connecting to the SSL ports.

If the enterprise CA itself runs on a DC, you do not need to do anything for the SSL ports: the DC enrolls for the default Domain Controller template and LDP.EXE connects to 636 and 3269 as shown below.

ld = ldap_sslinit("ADS01HAMLOK.ms.net", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to ADS01HAMLOK.ms.net.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=ms,DC=net; 
currentTime: 7/6/2013 7:39:46 PM India Standard Time; 
defaultNamingContext: DC=ms,DC=net; 
dnsHostName: ADS01HAMLOK.ms.net; 
domainControllerFunctionality: 4 = ( WIN2008R2 ); 
domainFunctionality: 2 = ( WIN2003 ); 
dsServiceName: CN=NTDS Settings,CN=ADS01HAMLOK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ms,DC=net; 
forestFunctionality: 2 = ( WIN2003 ); 
highestCommittedUSN: 24762; 
isGlobalCatalogReady: TRUE; 
isSynchronized: TRUE; 
ldapServiceName: ms.net:ads01hamlok$@MS.NET; 
namingContexts (5): DC=ms,DC=net; CN=Configuration,DC=ms,DC=net; CN=Schema,CN=Configuration,DC=ms,DC=net; DC=DomainDnsZones,DC=ms,DC=net; DC=ForestDnsZones,DC=ms,DC=net; 
rootDomainNamingContext: DC=ms,DC=net; 
schemaNamingContext: CN=Schema,CN=Configuration,DC=ms,DC=net; 
serverName: CN=ADS01HAMLOK,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ms,DC=net; 
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=ms,DC=net; 
supportedCapabilities (5): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080; 
supportedControl (28): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 
supportedLDAPPolicies (14): MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; 
supportedLDAPVersion (2): 3; 2; 
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5; 
 
-----------
53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
    {NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
Authenticated as: 'MS\Administrator'.
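The same check that ldap_sslinit performs above, written as an added PowerShell example (it is not code from the original article). It opens TCP 636 and 3269, completes a TLS handshake with SslStream, and reports the certificate properties that matter for LDAPS: trusted chain, DC FQDN in Subject or SAN, and the Server Authentication EKU. The host name ADS01HAMLOK.ms.net is the placeholder from the LDP output; replace it with your DC.

```powershell
# Added example (not from the original article): verify a DC's LDAPS (636) and GC-SSL (3269)
# endpoints. $DcFqdn is a placeholder taken from the LDP output above.
param(
    [string]$DcFqdn = 'ADS01HAMLOK.ms.net',
    [int[]]$Ports   = @(636, 3269)
)

function Test-LdapsEndpoint {
    param([string]$HostName, [int]$Port)

    $r = [ordered]@{ Host = $HostName; Port = $Port; TcpOpen = $false; TlsOk = $false }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # PortQry's "LISTENING" proves only this step; the socket is open even with no certificate.
        $client.Connect($HostName, $Port)
        $r.TcpOpen = $true

        # Default validation: the chain must build to a trusted root, must not be revoked, and the
        # name we connected with must match the Subject CN or a SAN DNS entry.
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false
        $ssl.AuthenticateAsClient($HostName)
        $r.TlsOk    = $true
        $r.Protocol = $ssl.SslProtocol
        $r.Cipher   = '{0} {1}-bit' -f $ssl.CipherAlgorithm, $ssl.CipherStrength   # LDP prints the same strength

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $r.Subject  = $cert.Subject
        $r.Issuer   = $cert.Issuer
        $r.NotAfter = $cert.NotAfter
        # Certificate Template Information extension tells you which template issued it
        $r.Template = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } | ForEach-Object { $_.Format($false) }
        # Server Authentication (1.3.6.1.5.5.7.3.1) is the EKU LDAPS requires
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $r.ServerAuthEku = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1'
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $r.SAN = if ($san) { $san.Format($false) } else { '<none>' }
    }
    catch [System.Security.Authentication.AuthenticationException] {
        # TCP connected but the handshake failed: the DC has no usable certificate,
        # or presented one this client does not trust or that does not match the name.
        $r.Error = $_.Exception.Message
    }
    catch {
        $r.Error = $_.Exception.Message      # e.g. connection refused, reset during handshake, timeout
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
    [pscustomobject]$r
}

foreach ($p in $Ports) { Test-LdapsEndpoint -HostName $DcFqdn -Port $p | Format-List }
```

Run it from a domain member that trusts the issuing CA. On a DC without a certificate you will see TcpOpen = True and TlsOk = False with a handshake error, which is exactly the state the PortQry output above cannot distinguish from a working LDAPS endpoint.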

NETMON capture for SSL Ports

The Network Monitor captures below were also taken after installing the valid certificate on the DC, using the display filter "LDAP" (".Protocol.LDAP" gives the same result). Netmon was installed on the DC itself.

Capture showing the ldaps port (636):

Capture showing the gc-ssl port (3269):

Network capture without netmon

You can also capture traffic without Netmon or Wireshark by using netsh trace. This is available on Windows 7 and Windows Server 2008 R2 and later.

For starting the capture.

netsh trace start capture=yes tracefile=cap.etl

For stopping the capture

netsh trace stop

To read the .etl file you need Network Monitor (3.4 or later) with the Windows parsers selected.

netsh trace stop produces two files: the .etl capture and a .cab with supporting system information (see the screenshot below).

If the CA is on a member server, additional steps are needed before the DCs' SSL ports work: publish a suitable certificate template on the CA, enroll the DC for it, and make sure the issued certificate lands in the DC's Local Computer\Personal store or in the NTDS\Personal store.

Local computer->personal store

NTDS->Personal store

(This store exists only on DCs. When more than one certificate with the Server Authentication purpose is present in the computer store, put the intended one in NTDS\Personal: AD DS checks this store first and falls back to Local Computer\Personal only if it is empty.)

 

Publish a certificate template

Here I used the Kerberos Authentication template as the basis for the new template.

Log on to the CA, run certtmpl.msc and choose the Kerberos Authentication template.

A few properties must be set before publishing the template; they are marked in green in the screenshots.

Click Duplicate Template.

Publish the certificate in Active Directory.

Allow the private key to be exported. (LDAPS itself does not need this, and an exportable key lets any local administrator copy the DC's private key; enable it only when you really need it, for example to decrypt captures with NMDecrypt.)

 

Subject Name format

After publishing the template, check its properties with "certutil -v -template <Template_Name>". Here the template is named LDAPSSL; see the following output.

PS C:\> certutil -v -template LDAPSSL
  Name: Active Directory Enrollment Policy
  Id: {32376692-6063-4EDC-A375-572FED78C626}
  Url: ldap:
34 Templates:

  Template[21]:
  TemplatePropCommonName = LDAPSSL
  TemplatePropFriendlyName = LDAPSSL
  TemplatePropEKUs =
4 ObjectIds:
    1.3.6.1.5.2.3.5 KDC Authentication
    1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication

  TemplatePropCryptoProviders =
    0: Microsoft RSA SChannel Cryptographic Provider

  TemplatePropMajorRevision = 64 (100)
  TemplatePropDescription = Computer
  TemplatePropSchemaVersion = 2
  TemplatePropMinorRevision = 1
  TemplatePropRASignatureCount = 0
  TemplatePropMinimumKeySize = 800 (2048)
  TemplatePropOID =
    1.3.6.1.4.1.311.21.8.1546289.5796744.12012220.14775765.9035062.224.8004685.4056790 LDAPSSL

  TemplatePropV1ApplicationPolicy =
4 ObjectIds:
    1.3.6.1.5.2.3.5 KDC Authentication
    1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication

  TemplatePropEnrollmentFlags = 28 (40)
    CT_FLAG_PUBLISH_TO_DS -- 8
    CT_FLAG_AUTO_ENROLLMENT -- 20 (32)

  TemplatePropSubjectNameFlags = 18c00000 (415236096)
    CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS -- 400000 (4194304)
    CT_FLAG_SUBJECT_ALT_REQUIRE_SPN -- 800000 (8388608)
    CT_FLAG_SUBJECT_ALT_REQUIRE_DNS -- 8000000 (134217728)
    CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN -- 10000000 (268435456)

  TemplatePropPrivateKeyFlags = 10 (16)
    CT_FLAG_EXPORTABLE_KEY -- 10 (16)

  TemplatePropGeneralFlags = 20060 (131168)
    CT_FLAG_AUTO_ENROLLMENT -- 20 (32)
    CT_FLAG_MACHINE_TYPE -- 40 (64)
    CT_FLAG_IS_MODIFIED -- 20000 (131072)

  TemplatePropSecurityDescriptor = O:LAG:EAD:PAI(OA;;RPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;RO)(OA;;RPCR;a05b8cc2-17bc-4802-a710-e7c15ab866a2;;RO)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DA)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DD)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;EA)(OA;;RPWPCR;a05b8cc2-17bc-4802-a710-e7c15ab866a2;;DD)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;ED)(OA;;RPWPCR;a05b8cc2-17bc-4802-a710-e7c15ab866a2;;ED)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;LA)(A;;LCRPLORC;;;AU)

    Allow Enroll        CONTOSO\Enterprise Read-only Domain Controllers
    Allow Auto-Enroll   CONTOSO\Enterprise Read-only Domain Controllers
    Allow Enroll        CONTOSO\Domain Admins
    Allow Enroll        CONTOSO\Domain Controllers
    Allow Enroll        CONTOSO\Enterprise Admins
    Allow Auto-Enroll   CONTOSO\Domain Controllers
    Allow Enroll        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
    Allow Auto-Enroll   NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
    Allow Full Control  CONTOSO\Domain Admins
    Allow Full Control  CONTOSO\Enterprise Admins
    Allow Full Control  CONTOSO\Administrator
    Allow Read          NT AUTHORITY\Authenticated Users

  TemplatePropExtensions =
4 Extensions:

  Extension[0]:
    1.3.6.1.4.1.311.21.7: Flags = 0, Length = 30
    Certificate Template Information
        Template=LDAPSSL(1.3.6.1.4.1.311.21.8.1546289.5796744.12012220.14775765.9035062.224.8004685.4056790)
        Major Version Number=100
        Minor Version Number=1

  Extension[1]:
    2.5.29.37: Flags = 0, Length = 2b
    Enhanced Key Usage
        KDC Authentication (1.3.6.1.5.2.3.5)
        Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
        Server Authentication (1.3.6.1.5.5.7.3.1)
        Client Authentication (1.3.6.1.5.5.7.3.2)

  Extension[2]:
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Key Encipherment (a0)

  Extension[3]:
    1.3.6.1.4.1.311.21.10: Flags = 0, Length = 33
    Application Policies
        [1]Application Certificate Policy:
             Policy Identifier=KDC Authentication
        [2]Application Certificate Policy:
             Policy Identifier=Smart Card Logon
        [3]Application Certificate Policy:
             Policy Identifier=Server Authentication
        [4]Application Certificate Policy:
             Policy Identifier=Client Authentication

  TemplatePropValidityPeriod = 1 Years
  TemplatePropRenewalPeriod = 6 Weeks
CertUtil: -Template command completed successfully.
PS C:\>
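Once the template is published, the DC still has to obtain a certificate from it and LDAP has to start using it. The following added PowerShell example (not code from the original article) does both on the DC: it enrolls the machine against the LDAPSSL template with certreq, then triggers the RootDSE renewServerCertificate operation so the directory re-selects its server certificate without a restart, and finally checks the Directory Service log for NTDS event 1220 ("LDAP over SSL will be unavailable ... unable to obtain a certificate"). The template name LDAPSSL follows the article; everything else is an assumption about your environment.

```powershell
# Added example (not from the original article): enroll this DC for the published template
# and make LDAP pick up the new certificate. Run elevated on the DC.
param([string]$TemplateName = 'LDAPSSL')   # template name from the article; placeholder

# 1. Machine enrollment against the template. certreq is quiet (-q) and exits non-zero on
#    failure, e.g. when Domain Controllers lack Enroll permission on the template.
& certreq.exe -enroll -machine -q $TemplateName
if ($LASTEXITCODE -ne 0) { throw "certreq -enroll $TemplateName failed with exit code $LASTEXITCODE" }

# 2. Ask this DC to re-evaluate its server certificate. This is the documented RootDSE
#    renewServerCertificate operation (the same one the ldifde-based procedure uses),
#    issued against the local DC by FQDN so Kerberos can find the ldap/<fqdn> SPN.
$dcFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$rootDse = [ADSI]"LDAP://$dcFqdn/RootDSE"
$rootDse.Put('renewServerCertificate', 1)
$rootDse.SetInfo()

# 3. NTDS logs event 1220 in the Directory Service log when it cannot find a usable
#    certificate; no such event after the renew means the DC accepted one.
Start-Sleep -Seconds 5
$since  = (Get-Date).AddMinutes(-2)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1220; StartTime = $since } -ErrorAction SilentlyContinue
if ($events) {
    $events | Format-List TimeCreated, Message
} else {
    "No NTDS 1220 events since $since on $dcFqdn; verify with LDP.EXE or a TLS connection to 636/3269."
}
```

The Put/SetInfo pair is the ADSI way of sending the modify that the Microsoft "third-party CA" article expresses as an ldifde file (changetype: modify, add: renewServerCertificate, renewServerCertificate: 1). Use it whenever you replace the DC certificate, for example after renewal, so you do not have to wait for the next automatic re-evaluation or reboot.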

Find the certificate issued from that template in the computer store with "certutil -store my" (see the screenshot below).

The -v switch shows the full certificate details:

PS C:\> certutil -store -v my 1
my
================ Certificate 1 ================
X509 Certificate:
Version: 3
Serial Number: 611b0cbe000000000004
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=contoso-PKIROOTCA-CA
    DC=contoso
    DC=com
 
 NotBefore: 6/26/2013 1:42 PM
 NotAfter: 6/26/2014 1:42 PM
 
Subject:
    CN=BAN-ADS01.contoso.com
 
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    0000  30 82 01 0a 02 82 01 01  00 d2 97 d0 1d 7d 8a 2a
    0010  f9 1f ac 21 b2 ae 0b e7  b8 69 83 5c e5 d3 52 0c
    0020  91 ed 6f cf c6 33 25 f2  b3 2a 47 da 66 2e 82 f9
    0030  17 65 f8 ee 83 27 e6 64  9c 13 70 bb 2a 5e 6b 9c
    0040  ed d6 a4 1a 1f de 7d 82  73 4b 98 38 ec 85 f0 f1
    0050  fc ed 01 74 2b dc 93 19  e8 d1 21 c7 2c ff e4 8d
    0060  03 67 f7 ce b6 01 e1 86  29 91 55 d1 0c d5 73 a6
    0070  84 ad 78 5f c3 38 60 43  20 6b 72 25 42 90 df bf
    0080  44 93 d8 09 f9 19 93 05  b3 98 8d b3 d6 a3 cd be
    0090  86 1d d7 db 57 db 29 36  27 8f f6 84 d0 5b 1e f5
    00a0  c1 01 fc d4 a6 6e 1e c7  77 ed 28 d5 98 3e 9f 45
    00b0  99 fc 9c f7 dc 9d 05 70  dd 69 5f b1 83 26 a8 51
    00c0  cd ae f5 f6 83 5b d7 67  bf 0b dc 89 1b 40 77 cc
    00d0  df 87 99 83 77 a4 61 4d  c9 78 ce be 75 bf b4 60
    00e0  9b 39 1a 96 ff bf 98 9f  c2 8d 89 1d 7c 28 33 09
    00f0  33 e1 cc 8c f9 6e 83 10  d3 2c 42 99 57 d6 4d cf
    0100  45 05 44 21 70 e1 ad c4  3d 02 03 01 00 01
Certificate Extensions: 9
    1.3.6.1.4.1.311.21.7: Flags = 0, Length = 30
    Certificate Template Information
        Template=LDAPSSL(1.3.6.1.4.1.311.21.8.1546289.5796744.12012220.14775765.9035062.224.8004685.4056790)
        Major Version Number=100
        Minor Version Number=1
 
    2.5.29.37: Flags = 0, Length = 2b
    Enhanced Key Usage
        KDC Authentication (1.3.6.1.5.2.3.5)
        Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
        Server Authentication (1.3.6.1.5.5.7.3.1)
        Client Authentication (1.3.6.1.5.5.7.3.2)
 
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Key Encipherment (a0)
 
    1.3.6.1.4.1.311.21.10: Flags = 0, Length = 33
    Application Policies
        [1]Application Certificate Policy:
             Policy Identifier=KDC Authentication
        [2]Application Certificate Policy:
             Policy Identifier=Smart Card Logon
        [3]Application Certificate Policy:
             Policy Identifier=Server Authentication
        [4]Application Certificate Policy:
             Policy Identifier=Client Authentication
 
    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        ae 5f a1 12 09 ef c9 35 2c e7 31 89 38 e1 f9 2a c2 78 5e f4
 
    2.5.29.35: Flags = 0, Length = 18
    Authority Key Identifier
        KeyID=36 e5 92 e8 53 3b 14 fe 23 ec 64 d3 22 49 0b eb cb a8 45 f6
 
    2.5.29.31: Flags = 0, Length = cc
    CRL Distribution Points
        [1]CRL Distribution Point
             Distribution Point Name:
                  Full Name:
                       URL=ldap:///CN=contoso-PKIROOTCA-CA,CN=PKIRootCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
 
    1.3.6.1.5.5.7.1.1: Flags = 0, Length = b9
    Authority Information Access
        [1]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=ldap:///CN=contoso-PKIROOTCA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate?base?objectClass=certificationAuthority
 
    2.5.29.17: Flags = 0, Length = 57
    Subject Alternative Name
        Other Name:
             Principal Name=BAN-ADS01$@contoso.com
        DNS Name=BAN-ADS01.contoso.com
        DNS Name=contoso.com
        DNS Name=CONTOSO
 
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  b4 40 8b 4c f9 83 ae c0  68 8b 05 1f a2 37 f8 a1
    0010  14 42 5b ae 2c 37 60 9b  3c 95 24 c4 ed 86 ee b5
    0020  22 f7 e3 90 bd 74 e2 f9  0f 51 bd 72 f6 03 75 53
    0030  fb dd 70 3f 5c 44 11 2b  3b f8 a4 f8 91 59 73 f4
    0040  b2 bb 04 00 4d 80 34 be  db 65 31 2a 96 f7 7f ef
    0050  bf 1d 42 56 9d 98 b2 be  f3 7d 21 47 fb 94 12 6f
    0060  ee 42 89 64 a2 c1 38 a3  db 75 a5 02 48 e1 44 c5
    0070  af d3 48 ba 33 ed 49 1c  ec dd f2 35 83 8b c6 61
    0080  db 24 bc fc 38 27 8c 0d  d7 df e1 1a f7 dd c1 22
    0090  aa 4e 4c b5 b5 ad f1 f7  b3 fe 6e e5 e2 e3 53 cf
    00a0  2f 57 27 bf 8a c6 f5 87  b0 79 43 24 3b a3 35 db
    00b0  0b 6a b2 9c d6 e4 e9 c3  77 85 e9 07 e4 2e 15 fc
    00c0  2d 24 13 fa e9 7e f9 37  f2 96 10 41 f3 ae 26 e1
    00d0  22 a3 1b 87 13 71 04 02  b3 f0 10 bb 36 3a a9 cb
    00e0  f4 a8 9e dc 27 56 7a a1  2c 69 dc 61 e6 6f bc 8f
    00f0  5a 67 f1 34 1c 9e c9 e2  9e f4 b9 54 3e 93 87 7f
Non-root Certificate
Key Id Hash(rfc-sha1): ae 5f a1 12 09 ef c9 35 2c e7 31 89 38 e1 f9 2a c2 78 5e f4
Key Id Hash(sha1): c7 c8 c4 4c 19 84 b8 11 45 03 6d 78 f0 0f 85 a3 61 a2 45 30
Cert Hash(md5): 46 78 5a 30 c8 67 58 33 d0 59 7b 8a 55 89 a2 ac
Cert Hash(sha1): ed 80 d4 35 e9 97 f2 59 b5 29 ca ff 72 60 ad 78 e4 d4 6d 7e
 
  CERT_REQUEST_ORIGINATOR_PROP_ID(71):
    BAN-ADS01.contoso.com
 
  CERT_CEP_PROP_ID(87):
  Enrollment Policy Url: ldap:
  Enrollment Policy Id: {32376692-6063-4EDC-A375-572FED78C626}
  Enrollment Server Url: PKIRootCA.contoso.com\contoso-PKIROOTCA-CA
  Request Id: 4
  Flags = 0
    DefaultNone -- 0
  Url Flags = 20 (32)
    PsfAllowUnTrustedCA -- 20 (32)
  Authentication = 2
    Kerberos -- 2
  Enrollment Server Authentication = 2
    Kerberos -- 2
 
  CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = 8f97dfc0a002a569360e48e62702d8d8_f1f08ee9-bf5c-4df4-aaed-e26f8eaa8ea6
  Simple container name: le-LDAPSSL-a7c1c867-6c1b-488b-b519-463156b8d26f
    Provider = Microsoft RSA SChannel Cryptographic Provider
    ProviderType = c
    Flags = 20
    KeySpec = 1 -- AT_KEYEXCHANGE
 
  CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID(24):
    ac 47 4e aa 5d 0a 63 d4 0c 90 09 8f b8 09 b2 97
 
  CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID(25):
    27 40 4a d2 6b 5f 0e a9 48 bc 24 00 91 1c c9 e9
 
  CERT_KEY_IDENTIFIER_PROP_ID(20):
    ae 5f a1 12 09 ef c9 35 2c e7 31 89 38 e1 f9 2a c2 78 5e f4
 
  CERT_SIGNATURE_HASH_PROP_ID(15):
    f2 2f 01 a4 6e 1d 2f 1b 96 a8 95 41 5e 2b d2 fc 80 5a 4c 21
 
  CERT_MD5_HASH_PROP_ID(4):
    46 78 5a 30 c8 67 58 33 d0 59 7b 8a 55 89 a2 ac
 
  CERT_SHA1_HASH_PROP_ID(3):
    ed 80 d4 35 e9 97 f2 59 b5 29 ca ff 72 60 ad 78 e4 d4 6d 7e
  Simple container name: le-LDAPSSL-a7c1c867-6c1b-488b-b519-463156b8d26f
  PP_KEYSTORAGE = 1
    CRYPT_SEC_DESCR -- 1
  KP_PERMISSIONS = 3f (63)
    CRYPT_ENCRYPT -- 1
    CRYPT_DECRYPT -- 2
    CRYPT_EXPORT -- 4
    CRYPT_READ -- 8
    CRYPT_WRITE -- 10 (16)
    CRYPT_MAC -- 20 (32)
 
  D:PAI(A;;GAGR;;;SY)(A;;GAGR;;;BA)
 
    Allow Full Control  NT AUTHORITY\SYSTEM
    Allow Full Control  BUILTIN\Administrators
 
 
Private Key:
  PRIVATEKEYBLOB
  Version: 2
  aiKeyAlg: 0xa400
    CALG_RSA_KEYX
    Algorithm Class: 0xa000(5) ALG_CLASS_KEY_EXCHANGE
    Algorithm Type: 0x400(2) ALG_TYPE_RSA
    Algorithm Sub-id: 0x0(0) ALG_SID_RSA_ANY
  0000  52 53 41 32                                        RSA2
  0000  ...
  048c
Encryption test passed
CertUtil: -store command completed successfully.
PS C:\>
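Reading the certutil -store output by eye works for one certificate, but a DC often accumulates several (Domain Controller, Kerberos Authentication, a custom template like LDAPSSL). The following added PowerShell example (not code from the original article) walks Cert:\LocalMachine\My on the DC and tests every certificate against the LDAPS requirements: Server Authentication EKU, DC FQDN in Subject CN or SAN, private key present, currently valid, and a chain that builds with revocation checking. It warns when more than one certificate qualifies, which is the case where the NTDS\Personal store should be used to pin the intended one. The default FQDN is derived from the local computer name; the template OIDs are the standard ones from the certutil output above.

```powershell
# Added example (not from the original article): which certificates in the DC's computer
# Personal store does Schannel consider usable for LDAPS, and why are the others rejected?
param(
    [string]$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # placeholder default
)

function Get-LdapsCandidateCertificate {
    param([string]$HostName)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $escaped = [regex]::Escape($HostName)

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $problems = @()

        # Enhanced Key Usage (2.5.29.37) must include Server Authentication
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains $serverAuthOid) {
            $problems += 'no Server Authentication EKU'
        }

        # DC FQDN must appear as the Subject CN or as a SAN DNS name (2.5.29.17)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        if (($cert.Subject -notmatch "CN=$escaped") -and ($sanText -notmatch "DNS Name=$escaped")) {
            $problems += "FQDN $HostName not in Subject CN or SAN"
        }

        if (-not $cert.HasPrivateKey) { $problems += 'no private key in the machine store' }

        $now = Get-Date
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += 'outside validity period' }

        # Chain building with online revocation checking, as the DC's own Schannel does;
        # a CDP/AIA that the DC cannot reach shows up here as RevocationStatusUnknown/OfflineRevocation.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        if (-not $chain.Build($cert)) {
            $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Template   = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
                          ForEach-Object { ($_.Format($false) -split ',')[0] })   # "Template=LDAPSSL(...)"
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

$candidates = Get-LdapsCandidateCertificate -HostName $DcFqdn
$candidates | Format-Table Thumbprint, Subject, Template, NotAfter, Usable, Problems -AutoSize

if (@($candidates | Where-Object { $_.Usable }).Count -gt 1) {
    Write-Warning 'More than one usable certificate: place the intended one in the NTDS\Personal store so LDAP does not select another.'
}
```

The chain check is the part certutil -store does not show you: a certificate can look perfect in the store dump and still be unusable because the DC cannot fetch the CRL from the LDAP CDP shown above, which is also what the CAPI2 log in the next section records.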

Enabling/Disabling CryptoAPI 2.0 Diagnostic Logging (the Microsoft-Windows-CAPI2/Operational log records chain building and revocation checking, which is where a DC that cannot validate its own certificate fails)

Enabling CryptoAPI 2.0 Diagnostic Logging

wevtutil sl microsoft-windows-capi2/operational /e:True

Disabling CryptoAPI 2.0 Diagnostic Logging

wevtutil sl microsoft-windows-capi2/operational /e:False

More details: Troubleshooting PKI Problems on Windows

PKI information is stored in AD under CN=Public Key Services,CN=Services in the Configuration partition; see the following ADSIEDIT.MSC screenshot.

You can also see the AD CS objects in DSSITE.MSC (View > Show Services Node).

Some key points:

  1. Certificate templates are stored in AD (Configuration partition).
  2. An Enterprise CA installed on a domain controller enables LDAPS (636) and GC SSL (3269) on all domain controllers, because every DC enrolls for the default Domain Controller template.
  3. If all subordinate CAs publish the same certificate templates, any of them can issue the certificates, which gives redundancy and fault tolerance.
  4. A CA failover cluster can also be used for redundancy and fault tolerance.

PKI Events.

(Screenshot taken from Windows Server 2008 PKI by Brian Komar)

Certificate Server registry key (path)

The CA configuration is stored under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>. Use "certutil -getreg" to read and "certutil -setreg" to change these values rather than editing the registry directly; certutil reminds you that the CertSvc service may need a restart for a change to take effect.

___________________________________________________

  1. How to enable LDAP signing in Windows Server 2008
  2. Troubleshooting LDAP Over SSL
  3. Reading LDAP SSL Network Traffic with NetMon 3.4 and NMDecrypt
  4. How to decrypt an SSL or TLS session by using Wireshark
  5. How to enable LDAP over SSL with a third-party certification authority
  6. Certutil Examples for Managing Active Directory Certificate Services (AD CS) from the Command Line
  7. Configure SSL/TLS on a Web site in the domain with an Enterprise CA
  8. What's New in AD CS and PKI?
  9. How to add a Subject Alternative Name to a secure LDAP certificate
  10. Custom Certificate Request in Windows Vista
  11. Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority
  12. Publish certificates in a foreign Active Directory forest
  13. Exporting Certificates using CertUtil
  14. VPN Client Compatibility with Windows 7 and Windows Server 2008 R2
  15. Online Responder Installation, Configuration, and Troubleshooting Guide
  16. LDAP client tracing... using Tracelog
  17. HowTo: Determine if a user has logged on via smart card