How to find out where a Certificate Request came from

Solution 1:

When I ask the employee why they requested the certificate they don't remember why or what system it was for.

That sounds about right. EFS certificates (and many others) are typically issued and renewed automatically. It's possible to disable EFS in policy or limit the scope of issuance to a specific security group on the template.

I am looking for a way to see all requested certs and what machines they are tied to

EFS certificates are typically issued to users, and implicitly not limited to a specific computer. There are also other types of EFS certificates, such as Data Recovery Agents (DRA).

I tried to look at the database using certutil.

The certificates should be visible in the management mmc. It's possible the CA/template is configured to not save a copy of the certificate, but that isn't the default configuration.

Does anyone know if I will be able to find what servers / URL's are using the certs on my CA?

From the CA? No. It may have some information such as a subject that matches the computer name or username. There may also be certificates issued to names that don't match a computer name or username. Or the certificates may not be saved on the CA. This is a question that everyone that uses certificates asks at one time or another, and there isn't a one-size-fits-all solution. Certificates can exist in a Windows computer certificate store, a Windows user certificate store, the registry, a file on a file system used by an application, embedded in an application like SQL server, so inventorying where certificates are is not as simple as you would think. And even if they are found, it doesn't mean they are in use. And even if they are in use, you may still not know what is using them without further investigation.

The best approach is to already have a good tracking system in place. The next next best approach is to have your network regularly scanned for ports/certificates in use.