Retrieving an Issued Certificate from Active Directory
An enterprise certification authority (CA) publishes issued certificates to the Active Directory; a stand-alone certification authority may also publish issued certificates to the Active Directory. The following example shows how to acquire a certificate context for a certificate stored in Active Directory. After the certificate context is acquired, you can retrieve the contents of the certificate or perform certificate operations by using the CryptoAPI functions.
The following example shows retrieving a certificate from Active Directory.
// Copyright (C) Microsoft. All rights reserved.
// Retrieve a user certificate from Active Directory.
//
// This example uses CryptoAPI calls to retrieve
// a certificate previously published to Active Directory
// by Microsoft Certificate Services.
// Ensure Crypt32.lib and Secur32.lib are part of link libraries.
#pragma comment(lib, "crypt32.lib")
#define SECURITY_WIN32 1
#define UNICODE 1
#include <stdio.h>
#include <windows.h>
#include <Wincrypt.h>
#include <strsafe.h>
#include <security.h>
#define MAXBUFF 512
void __cdecl main()
{
HCERTSTORE hStore=NULL;
PCCERT_CONTEXT pCertCtx = NULL;
WCHAR wszDN[MAXBUFF];
ULONG cchDN = MAXBUFF;
WCHAR wszQuery[MAXBUFF * 2];
ULONG cchQuery = MAXBUFF * 2;
// Determine the name of the user whose certificate is being
// retrieved. This value can be constructed by other means,
// but this example will use GetUserNameEx.
if (!GetUserNameEx(NameFullyQualifiedDN,
wszDN,
&cchDN))
{
printf("Failed GetUserNameEx: %x\n",
GetLastError());
exit(1);
}
// Build the LDAP query string.
if (S_OK != StringCchPrintf(wszQuery,
cchQuery,
L"ldap:///%s?%s",
wszDN,
L"userCertificate"))
{
printf("Failed StringCchPrintf\n");
exit(1);
}
// Open the Active Directory certificate store.
hStore = CertOpenStore(CERT_STORE_PROV_LDAP,
0,
0,
CERT_STORE_READONLY_FLAG,
wszQuery);
if ( NULL == hStore)
{
printf("Failed CertOpenStore - %x\n", GetLastError());
exit(1);
}
// Retrieve a certificate context from this opened store.
// Here, retrieve any existing certificate stored for
// the user in Active Directory.
// If more than one certificate exists, consult
// CertFindCertificateInStore documentation for search
// types and calling instructions.
pCertCtx = CertFindCertificateInStore(hStore,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_ANY,
NULL,
NULL);
if (NULL == pCertCtx)
{
DWORD dwErr;
dwErr = GetLastError();
if (CRYPT_E_NOT_FOUND == dwErr)
printf("User does not have certificate"
"in Active Directory\n");
else
printf("Failed CertFindCertificateInStore - %x\n",
dwErr);
}
else
{
// Use the certificate context as needed.
// Here, display the serial number.
DWORD dwLen, i;
dwLen = pCertCtx->pCertInfo->SerialNumber.cbData;
// The serial number bytes are stored
// least significant byte first.
printf("Serial number: ");
for (i = dwLen-1; i != MAXDWORD; i--)
printf("%02x",
*(pCertCtx->pCertInfo->SerialNumber.pbData + i));
printf("\n");
// Free the certificate context.
CertFreeCertificateContext(pCertCtx);
}
// Close the certificate store.
CertCloseStore(hStore, 0);
}
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for