When you are performing an operation on a remote CA, certutil requires the config string as input parameter. The common way to find out the config string is to run a certutil -dump command, list all available CAs in the Active Directory forest and copy/past the config parameter from the dump into the new command-line.

There is a much simpler way to set the config string in certutil. Just use a dash as config string and certutil will show a selection dialog with all CAs that are registered in your Active Directory forest.

For example to verify the responsiveness of a remote CA, run the following command and select the target CA from the list of available CAs.

certutil –config - -ping