Contents of \\Localhost\CertConfig and \\Localhost\CertEnroll

Applies To: Windows Server 2003 with SP1

Because more than one certificate file exists in the \CertConfig and \CertEnroll shares after a period of time, the following table explains the certificate file name extensions and their purpose. If the CA name is used as part of a file name, the sanitized form of the CA name is used, which adds escape characters to accommodate any extended ASCII characters in the file name. The escape characters appear in the file name as %20.

Table 21 Certificate Paths and File Name Extensions

Example of the file name Description


CA configuration file


Previous CA configuration file if the CA has been reinstalled



Request file that is used to generate the CA certificate. Request files are used only for subordinate CAs. Request files are generated with the same base file name suffix as certificates.



If no shared folder was created during the CA setup procedure and Active Directory is used to publish the CA's configuration information, request files are written to the Systemroot drive instead of to the \\Localhost\CertConfig shared folder.

To verify where the configuration information is published, at a command prompt, type certutil -getreg CA\UseDS. If the value is set to 0, the configuration information is written to the shared folder. If the value is set to 1, the configuration is maintained in Active Directory.



Original root CA certificate (V0.0)



Renewed root CA certificate (V1.0)



Cross certificate for CA certificate V0.0 to V1.0



Cross certificate for CA certificate V1.0 to V0.0



Renewed root CA certificate (V2.0)


CA base revocation list


CA base revocation list (first instance)


Delta CRL


Delta CRL (first instance)

The cross-certificates are generated automatically when the Certificates service starts after a root CA certificate has been renewed with a new key. Cross-certificates are not created for subordinate CAs, and they are not created when a root certificate is renewed with the same key. If you upgrade from Windows 2000 Server after renewing a root CA certificate with a new key, the cross-certificate is generated the first time that the certificate server service starts after you upgrade to Windows Server 2003.

The following sample is an example of \\Localhost\Certenroll after a clean root CA installation.

C:\>dir \\Localhost\certenroll
  Volume in drive \\Localhost\certenroll has no label.
  Volume Serial Number is CC0E-CACB
  Directory of \\Localhost\certenroll
06/12/2002  11:57 AM    <DIR>          .
06/12/2002  11:57 AM    <DIR>          ..
06/12/2002  11:32 AM              1,299 concorp-
06/12/2002  11:32 AM               925 CorporateRootCA.crl
06/12/2002  11:32 AM               321 nsrev_CorporateRootCA.asp
               3 File(s)          2,545 bytes
               2 Dir(s)   4,478,095,360 bytes free

The following sample is an example of \\Localhost\Certconfig after a clean root CA installation.

C:\>dir \\localhost\certconfig
Volume in drive \\localhost\certconfig has no label.
Volume Serial Number is CC0E-CACB
Directory of \\localhost\certconfig
06/12/2002  12:28 PM    <DIR>          .
06/12/2002  12:28 PM    <DIR>          ..
06/12/2002  11:32 AM               105 certsrv.bak
06/12/2002  11:32 AM               216 certsrv.txt
06/12/2002  11:32 AM             1,299 concorp-
               3 File(s)          1,620 bytes
               2 Dir(s)   4,478,095,360 bytes free

The following sample is an example of \\Localhost\Certenroll after two key renewals on a CA.

C:\>dir \\localhost\certenroll
  Volume in drive \\localhost\certenroll has no label.
  Volume Serial Number is CC0E-CACB
  Directory of \\localhost\certenroll
06/11/2002  07:48 PM    <DIR>           .
06/11/2002  07:48 PM    <DIR>           ..
06/11/2002  05:31 PM             1,338 concorp-
06/11/2002  05:31 PM             1,928 concorp-ca-00_CorporateRootCA
06/11/2002  05:31 PM             1,940 concorp-ca-00_CorporateRootCA
06/11/2002  07:48 PM             1,338 concorp-
06/11/2002  11:57 AM             1,299 concorp-
06/11/2002  05:31 PM               943 CorporateRootCA(1).crl
06/11/2002  05:32 PM               938 CorporateRootCA.crl
06/11/2002  11:57 AM               321 nsrev_CorporateRootCA.asp
               8 File(s)         10,045 bytes
               2 Dir(s)   4,481,171,456 bytes free

The following sample is an example of \\Localhost\Certconfig after two key renewals on a CA.

C:\>dir \\localhost\certconfig
  Volume in drive \\localhost\certconfig has no label.
  Volume Serial Number is CC0E-CACB
  Directory of \\localhost\certconfig
06/11/2002  07:48 PM    <DIR>           .
06/11/2002  07:48 PM    <DIR>           ..
06/11/2002  11:27 AM           105 certsrv.bak
06/11/2002  11:57 AM           216 certsrv.txt
06/11/2002  05:31 PM             1,928 concorp-ca-00_CorporateRootCA
06/11/2002  05:31 PM           1,338 concorp-
06/11/2002  05:31 PM           1,940 concorp-ca-00_CorporateRootCA
06/11/2002  07:48 PM           1,338 concorp-
06/11/2002  11:57 AM           1,299 concorp-
04/24/2002  10:53 AM           1,942 connoam-ca-00_CONNOAM-CA-00.req
           8 File(s)           10,106 bytes
           2 Dir(s)   4,481,171,456 bytes free
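
The file categories in Table 21 can be expressed as a check run over a directory listing of either share, to spot files that belong to none of them. This is an added example, not part of the original article: because the table's example file names are not reproduced above, the name layouts in the regular expressions are assumptions based on default AD CS naming, and the function names and sample listing are constructed.

```python
import re

UNEXPECTED = "UNEXPECTED"
# Assumed layout: <server DNS name>_<sanitized CA name>[(n) | (m-n)].crt|.req
_CERT = re.compile(
    r"^[^_]+_.+?(?:\((?P<a>\d+)(?:-(?P<b>\d+))?\))?\.(?P<ext>crt|req)$", re.I)
# Assumed layout: <sanitized CA name>[(n)][+].crl, where "+" marks a delta CRL
_CRL = re.compile(r"^.+?(?:\((?P<a>\d+)\))?(?P<delta>\+)?\.crl$", re.I)

def classify(name):
    """Map one file name from the share to a row of the table on this page."""
    low = name.lower()
    if low == "certsrv.txt":
        return "CA configuration file"
    if low == "certsrv.bak":
        return "Previous CA configuration file"
    if low.startswith("nsrev_") and low.endswith(".asp"):
        return "nsrev page (as in the clean-install listing)"
    m = _CRL.match(name)
    if m:
        kind = "Delta CRL" if m.group("delta") else "CA base revocation list"
        return f"{kind}, suffix ({m.group('a')})" if m.group("a") else kind
    m = _CERT.match(name)
    if m:
        a, b = m.group("a"), m.group("b")
        if m.group("ext").lower() == "req":
            return "Request file (subordinate CA)"
        if b is not None:
            return f"Cross certificate, pair ({a}-{b})"
        return f"Renewed CA certificate, index {a}" if a else "Original CA certificate"
    return UNEXPECTED

def unexpected_files(names):
    """Names that fit none of the known categories and deserve a closer look."""
    return [n for n in names if classify(n) == UNEXPECTED]

# Constructed listing (not taken from the page); %20 is the escape the page mentions.
SAMPLE = [
    "certsrv.txt", "certsrv.bak", "nsrev_Example%20Root%20CA.asp",
    "ca01.example.test_Example%20Root%20CA.crt",
    "ca01.example.test_Example%20Root%20CA(1).crt",
    "ca01.example.test_Example%20Root%20CA(0-1).crt",
    "Example%20Root%20CA.crl", "Example%20Root%20CA(1)+.crl",
    "upload.aspx",
]

if __name__ == "__main__":
    for n in SAMPLE:
        print(f"{classify(n):45} {n}")
```

The check is purely name-based, so a file it accepts still needs its contents verified, for example by opening the certificate or CRL and confirming the issuer.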