ADCS Installation (Part 3): Online Issuing CA CAPolicy.inf and post install script
This is my part 3 for AD Certificate Services Installation. I have asked questions about CAPolicy.inf and the post installation script for my offline root CA in: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/4256a27f-29ee-42a1-b687-ad3c21e04c0c?prof=required

I plan to build an offline root CA and an online issuing CA. Here is my CAPolicy.inf for the online issuing CA:

****************************************************************
[Version]
Signature = "$Windows NT$"

[certsrv_server]
renewalkeylength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years
CRLPeriod = days
CRLPeriodUnits = 3
CRLOverlapPeriod = hours
CRLOverlapUnits = 4
CRLDeltaPeriod = hours
CRLDeltaPeriodUnits = 12
AlternateSignatureAlgorithm = 1
LoadDefaultTemplates = 0
****************************************************************

Here is my post installation script for the online issuing CA:

****************************************************************
::Declare Configuration NC
certutil -setreg CA\DSConfigDN CN=Configuration,DC=MyRootDomain,DC=com

::Define CRL Publication Intervals
certutil -setreg CA\CRLPeriodUnits 3
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 4
certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\CRLDeltaPeriodUnits 12
certutil -setreg CA\CRLDeltaPeriod "Hours"

::Apply the required CDP Extension URLs
::(%% is the batch-file escape for %, so certutil receives %3, %8 and so on)
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n6:http://%%1/CertEnroll/%%3%%8%%9.crl\n6:http://cert.MyCompanyName.com/CertData/%%3%%8%%9.crl\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

::Apply the required AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://%%1/CertEnroll/%%1_%%3%%4.crt\n2:http://cert.MyCompanyName.com/CertData/%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

::Enable all auditing events for the Fabrikam Corporate Issuing CA
certutil -setreg CA\AuditFilter 127

::Enable Alternate signatures in issued certificates
certutil -setreg CA\csp\AlternateSignatureAlgorithm 1

::Set Maximum Validity Period for Issued Certificates
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"

::Restart Certificate Services
net stop certsvc & net start certsvc
::Give the service a moment before publishing (timeout.exe ships with Windows, sleep.exe does not)
timeout /t 5 /nobreak >nul
certutil -crl
****************************************************************

Could all experts in the forum examine those two files? Again, I have modified them from the examples in Brian Komar's book. In particular, please verify two commands: "certutil -setreg CA\CRLPublicationURLs ..." and "certutil -setreg CA\CRLPublicationURLs ...". My understanding is that both commands will set up four entries for CDP and AIA:
%windir%\system32\CertSrv\CertEnroll\...
http://My_FQDN_for_online_issuingCA_server/..
http://cert.MyCompanyName.com/CertData/...
ldap:///...,CN=Public Key Services,CN=Services,...
I also noticed that both the CAPolicy.inf and the post installation script configure the same settings. Of course, I will perform the pre-installation configuration based on Brian's book pages 132 to 134:
Installing certificates from root CA locally at the issuing CA
Publishing certificates and CRLs to AD DS
Copying Certificates and CRLs to HTTP Publication Points
And then install ADCS with Certification Authority, Certification Authority Web Enrolment, and Online Responder. Other than running the post installation script for the above online issuing CA, do I do anything else? Thanks in advance. SJJ123
January 12th, 2010 1:45am
The only one correction: if your certificates will be used outside of your domain/forest (for example from the internet) I would advise setting the external HTTP URL for CDP and AIA in the first position.
> RenewalValidityPeriodUnits=10
> RenewalValidityPeriod=years
This is necessary for Root CAs. In other cases the certificate validity period is determined by the parent CA only.
http://www.sysadmins.lv
January 12th, 2010 10:41am
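An added example, not code from any post in this thread: a small Python decoder for the CRLPublicationURLs and CACertPublicationURLs strings in the script above. It names the documented certutil publication bits behind each entry (65, 6, 79 and 1, 2, 3) and applies the ordering advice from the reply, taking "first position" to mean first among the entries that are written into issued certificates (bit 2) rather than the server's own name (%1). The sample values are copied verbatim from the script; nothing here talks to a CA.

```python
# Added example (not part of the thread): decode the two certutil publication strings
# from the post-install script above and apply the reply's "external HTTP URL first" advice.
CDP_FLAGS = {1: "publish CRL here", 2: "add to CDP ext of certs",
             4: "add to freshest-CRL ext of CRLs", 8: "add to CDP ext of CRLs",
             64: "publish delta CRL here", 128: "add to IDP ext of CRLs"}
AIA_FLAGS = {1: "publish CA cert here", 2: "add to AIA ext of certs",
             32: "add to OCSP URL in AIA ext"}

# Values exactly as written in the batch script: '%%' is cmd's escape for '%' and the
# two characters '\n' are certutil's entry separator (raw strings keep both as-is).
CDP_VALUE = r"65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n6:http://%%1/CertEnroll/%%3%%8%%9.crl\n6:http://cert.MyCompanyName.com/CertData/%%3%%8%%9.crl\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
AIA_VALUE = r"1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://%%1/CertEnroll/%%1_%%3%%4.crt\n2:http://cert.MyCompanyName.com/CertData/%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

def parse_urls(value, flag_names):
    """Return [(flags, url, [flag descriptions])] in the configured order."""
    entries = []
    for item in value.replace("%%", "%").split("\\n"):
        flags_text, url = item.split(":", 1)
        flags = int(flags_text)
        if flags & ~sum(flag_names):
            raise ValueError(f"unknown publication flag bits in {item!r}")
        entries.append((flags, url, [n for b, n in flag_names.items() if flags & b]))
    return entries

def advertised(entries):
    """Entries that are written into issued certificates (bit 2), in extension order."""
    return [e for e in entries if e[0] & 2]

def review(entries, deltas_enabled):
    """Checks raised in the thread: external HTTP URL ahead of the CA's own name (%1),
    at least one publish location, and a delta-CRL publish point when deltas are on."""
    problems = []
    adv = advertised(entries)
    if not adv or not adv[0][1].startswith("http://") or "//%1/" in adv[0][1]:
        problems.append("first advertised URL is not the external HTTP URL")
    if not any(f & 1 for f, _, _ in entries):
        problems.append("no location has the publish bit (1) set")
    if deltas_enabled and not any(f & 64 for f, _, _ in entries):
        problems.append("delta CRLs enabled but no location publishes them (bit 64)")
    return problems

if __name__ == "__main__":
    for name, value, flags, deltas in (("CDP", CDP_VALUE, CDP_FLAGS, True),
                                       ("AIA", AIA_VALUE, AIA_FLAGS, False)):
        entries = parse_urls(value, flags)
        for f, url, names in entries:
            print(f"{name} {f:3d} {url}\n        {'; '.join(names)}")
        print(f"{name} problems: {review(entries, deltas) or 'none'}")
```

Run as-is it reports that both extensions list the http://%1/... entry before the cert.MyCompanyName.com one; swapping those two entries in the script clears the finding.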
Hi Vadims, Thank you very much for your reply. At the moment, our certificates will be used for internal purposes. My current plan is to point http://cert.MyCompanyName.com/CertData/... to the online issuing CA server via DNS as a start and then it could be moved to another web server or web cluster. I will take your advice to put the potential external HTTP URL http://cert.MyCompanyName.com/CertData/... in first position. The two lines are based on Brian's book (page 134) for the online issuing CA. As recommended by you and other experts, both my offline root CA and online issuing CA will have a 10 year validity period. Do I need to take those two lines off? Kind regards, SJJ123
January 12th, 2010 1:28pm
These settings affect Root CA renewal only. For intermediate CAs this is not relevant.
http://www.sysadmins.lv
January 12th, 2010 1:51pm
Actually, Vadims, you are incorrect. You could request a shorter validity period than the validity period defined at the root CA. For example, at the root, you could set:
ValidityPeriod: Years
ValidityPeriodUnits: 10
But you could renew the issuing CA with a five year validity period by setting:
> RenewalValidityPeriodUnits=5
> RenewalValidityPeriod=years
Brian
January 12th, 2010 3:22pm
Oops. And how will it look in the request file? Also, how will this setting affect online CAs (where templates are used)?
http://www.sysadmins.lv
January 12th, 2010 7:12pm
If you are requesting a subordinate CA certificate from an enterprise CA, then the validity period will be the least of:
1) The ValidityPeriodUnits on the issuing CA
2) The validity period of the Subordinate CA certificate
3) The RenewalValidityPeriodUnits (or the validity period requested in the request)
Brian
January 12th, 2010 9:50pm
Does this mean that the template setting is not used?
http://www.sysadmins.lv
January 12th, 2010 10:05pm