Hello,
We are preparing to retire a PKI hierarchy based on Win2003 ADCS. We are being asked to be able to query the subordinate CA certificate database if, years in the future, we are challenged about a signature created by one of our certificates (we need to be able to demonstrate when the cert was issued, expired, revoked, etc.).
Can an enterprise sub CA service start somehow without being able to bind to AD (and possibly no network connection at all)? Otherwise, is there a way to query a CA database using certutil or another tool without the CA service being started?