ICertConfig::GetConfig method (certcli.h)

The GetConfig method retrieves the configuration string for a Certificate Services server. This method was first defined in the ICertConfig interface.

The configuration string is the server name and certification authority name separated by a backslash (); for example: ServerName\CAName. This configuration string can be used to refer unambiguously to a specific Certificate Services server. For more information, see Remarks.


HRESULT GetConfig(
  [in]  LONG Flags,
  [out] BSTR *pstrOut


[in] Flags

Value that specifies the certification authority to use. This parameter can be one of the following values.

Value Meaning
Retrieves the default certification authority.
Returns the first certification authority.
Retrieves the local certification authority if it is running.
Retrieves the local certification authority.
Displays a user interface that allows the user to select a certification authority.
Displays a user interface that allows the user to select a certification authority. The UI excludes any local certification authority. This exclusion is useful during subordinate certification authority certificate renewal when the subordinate certification authority certificate request is submitted to a certification authority other than the current certification authority.

[out] pstrOut

A pointer to a BSTR that contains the configuration. When you have finished using the configuration, call the SysFreeString function to free pbstrOut.

Return value


If the method succeeds, the method returns S_OK.

If the method fails, it returns an HRESULT value that indicates the error. For a list of common error codes, see Common HRESULT Values.


The return value is a string that contains the configuration.


The certification authority (CA) name portion of the configuration string that this function returns is the exact text entered during the Certificate Services setup process. Note that this text may be different from the form of the CA name found in file names (such as for the certificate revocation list) or in registry keys. This is because file names and registry keys use a sanitized version of the CA name.

The process of sanitizing the CA name is necessary to remove characters that are illegal for file names, registry key names, or distinguished name values, or illegal for reasons specific to Certificate Services. In the sanitizing process, any illegal character in the common name is converted to a five-character representation in the format !xxxx, where ! is used as an escape character and xxxx represents four hexadecimal digits that uniquely identify the character to be converted.

For example, the number sign (#) is not allowed in distinguished names in Active Directory. If the CA name entered during setup is #YourName, the sanitized CA name will be !0023YourName.

The following characters, if entered for the common name of the CA during setup, are converted to the !xxxx format during the sanitizing process. This list is subject to change.

Name Character Value in !xxxx format
Ampersand & !0026
Apostrophe ' !0027
Asterisk * !002a
Backslash \ !005c
Left brace { !007b
Right brace } !007d
Left bracket [ !005b
Right bracket ] !005d
Caret ^ !005e
Colon : !003a
Comma , !002c
Equal sign = !003d
Exclamation point ! !0021
Grave accent ` !0060
Greater than sign > !003e
Less than sign < !003c
Number sign # !0023
Opening parenthesis ( !0028
Closing parenthesis ) !0029
Percent % !0025
Pipe | !007c
Plus sign + !002b
Question mark ? !003f
Quotation mark " !0022
Semicolon ; !003b
Slash mark / !002f

Any nonprinting character and all Unicode characters that are not seven bits are also converted to the !xxxx format.

A sanitized short name is generated when the sanitized name is too long for a 64-character directory services relative distinguished name (RDN). The sanitized short name consists of the sanitized name truncated and appended with a hash of the full sanitized name. The sanitized short name reserves some of the 64 characters to contain certificate revocation list (CRL) suffixes, such as (123).

The certification authority name portion of the configuration string returned by this method is the original text entered during setup. Note that Certificate Services methods that require a certification authority name as a parameter accept the originally entered certification authority name. For example, for the certification authority name #YourName, the
ICertView2::OpenConnection method accepts #YourName as the parameter's certification authority portion.


The following example shows how to use this method to retrieve the default certification authority configuration string.

    ICertConfig2 * pConfig = NULL;
    BSTR  bstrConfig = NULL; //Contains CA configuration name
    HRESULT    hr;

    if (FAILED(hr))
        printf("Failed CoInitializeEx - [%x]\n", hr);
        goto error;

    // Create an instance of the CertConfig object.
    hr = CoCreateInstance( CLSID_CCertConfig,
                           (void **)&pConfig);
    if (FAILED(hr))
        printf("Failed CoCreateInstance - pConfig [%x]\n", hr);
        goto error;

    // Retrieve the default CA configuration string.
    hr = pConfig->GetConfig(CC_DEFAULTCONFIG, &bstrConfig);
    if (FAILED(hr))
        printf("Failed GetConfig - [%x]\n", hr);
        goto error;
        printf("GetConfig returned: %ws\n", bstrConfig );


    // Done processing.
    if (pConfig)

    if (bstrConfig)



Minimum supported client None supported
Minimum supported server Windows Server 2003 [desktop apps only]
Target Platform Windows
Header certcli.h (include Certsrv.h)
Library Certidl.lib
DLL Certcli.dll

See also