6.5 Validating Certificates

In Identity Audit, all logging application certificates must be signed by the Secure Logging Server root certificate and they must contain an application identifier.

Use the following AudCGen command to determine whether a certificate is valid:

audcgen -cacert:filename -capkey:filename -verify -appcert:filename

When you use the -verify option, AudCGen checks the integrity of the target certificate. It determines whether the target certificate is derived from the Secure Logging Server root certificate (that is, whether it is trusted) and returns the logging application's application identifier.

The following sample command verifies the certificate for the Identity Manager Instrumentation:

audcgen -cacert:cacert.pem -capkey:capkey.pem -verify -appcert:c:\windows\dxicert.pem

For more information, see Section 6.2, The Identity Audit AudCGen Utility.

NOTE: Identity Audit 2.0.2 verifies only the Secure Logging Server and logging application certificates. It does not verify any other certificates in the certificate chain. Consequently, if the third-party CA expires or invalidates the Secure Logging Server certificate, AudCGen does not identify the problem in the certificate chain and still trusts the Secure Logging Server root certificate and its associated logging application certificates.
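To make the scope of that check concrete, the following added example (not code from Identity Audit or AudCGen) builds a constructed three-certificate chain with the Python cryptography package and contrasts a check that only confirms the logging application certificate is signed by the Secure Logging Server root certificate, as described above, with a full-chain check that also examines each certificate's validity period. The certificate names, the use of EC keys and the expired Secure Logging Server certificate are assumptions for the demonstration; the application identifier is not modeled.

```python
# Added example, not Identity Audit code; needs the 'cryptography' package.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, key, issuer, issuer_key, start_days, end_days):
    """Constructed test cert, valid from now+start_days to now+end_days."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now + datetime.timedelta(days=start_days))
            .not_valid_after(now + datetime.timedelta(days=end_days))
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, issuer):
    """True if cert names issuer and its signature verifies under issuer's key."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return cert.issuer == issuer.subject

def in_validity_period(cert):
    utc = datetime.timezone.utc  # *_utc attributes exist only in newer releases
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=utc)
    return nb <= datetime.datetime.now(utc) <= na

def verify_like_audcgen(app, sls_root):
    # What the page says -verify checks: is app derived from the SLS root cert?
    return signed_by(app, sls_root)

def verify_full_chain(app, chain):
    # app -> SLS root -> third-party CA: every link signed, every cert in date
    certs = [app] + chain
    links_ok = all(signed_by(c, p) for c, p in zip(certs, certs[1:]))
    return links_ok and all(in_validity_period(c) for c in certs)
# Constructed chain: third-party CA -> SLS root that expired yesterday -> app
ca_key, sls_key, app_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ca = make_cert("ThirdPartyCA", ca_key, None, ca_key, -30, 365)
sls = make_cert("SecureLoggingServer", sls_key, ca, ca_key, -30, -1)
app = make_cert("LoggingApp", app_key, sls, sls_key, -30, 365)
```

With this chain, verify_like_audcgen(app, sls) still returns True because the application certificate is validly signed by the expired Secure Logging Server certificate, while verify_full_chain(app, [sls, ca]) returns False.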