CA's certificate file name
Let's imagine the following situation. Let's say I have a 2008 R2 server whose name is msft-ca-01, and that I have a standalone root CA installed on this server. Let's name it MSFT-ROOT-CA. During installation, when the self-signed certificate is generated, it is placed on the C: drive as a file, and its name is the following: msft-ca-01_MSFT-ROOT-CA.crt

So my question would be: is it somehow possible to change this name to some other name, using some kind of variables before this certificate is generated, and have my defined file name when the self-signed certificate is generated, or is it a hardcoded thing? I want the file name to be only MSFT-ROOT-CA.crt, without any msft-ca-01_ in front of it. Is it possible at all? Thanks.
February 18th, 2010 10:43pm

You can change the CA certificate name only after CA setup (usually before any certificate is issued). To change it you should edit the AIA extension in the Extensions tab of the Certification Authority properties.

http://www.sysadmins.lv
February 19th, 2010 12:36am

But as I understand it, this affects only the AIA field of certificates issued by the root CA and not the physical root CA .crt file name. I still need to manually rename the root CA certificate .crt file. I've tried the following experiment. I modified the AIA extension and left only the following: C:\Windows\system32\CertSrv\CertEnroll\%3%4.crt

When I renewed the root CA using the same keys, nothing changed at all. Only an msft-ca-01_MSFT-ROOT-CA(2).crt file was generated at C:\Windows\system32\CertSrv\CertEnroll\. I tried to renew the root CA certificate using a new key: the same result. Maybe the only way is to write a custom exit module? :/
February 19th, 2010 9:54am

> But as I understand it, this affects only the AIA field of certificates issued by the root CA and not the physical root CA .crt file name

This is not quite correct. In the AIA extension you can specify URLs that will appear in the AIA extension of issued certificates. Unfortunately you cannot set file publishing points and file names through the GUI. You should consider using registry settings via the certutil utility:

certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%myhttpPKIvroot%/%%1_%%3%%4.crt"

You may change the file name in the bolded text. Prefix (1) indicates that the CA server will publish the physical file to the specified location. The other prefix (2) indicates that the specified path will be included in all issued certs. Of course, if you change the physical file name, you will have to change this value for the AIA URLs accordingly (file names must match).

http://www.sysadmins.lv
February 19th, 2010 12:46pm
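To make the prefix bits and the %1/%3/%4 tokens from the certutil answer above concrete, here is an added PowerShell example (not code from the thread or from Microsoft). It only expands a CACertPublicationURLs-style entry and reports what file name it would produce; it does not change CA configuration, and, as the later replies show, changing the entry did not rename the CA's own certificate file in practice. The server name, CA name and renewal suffix are constructed sample values taken from the thread.

```powershell
# Added example, not from the original thread. Expands CACertPublicationURLs-style
# entries the way the thread describes them: prefix 1 = publish the file to that
# location, prefix 2 = include the URL in issued certificates' AIA extension.
# Tokens: %1 = CA server DNS name, %3 = CA name, %4 = renewal suffix such as "(2)".
function Expand-CAPublicationUrl {
    param(
        [Parameter(Mandatory)][string]$Entry,          # e.g. "1:%WINDIR%\...\%%1_%%3%%4.crt"
        [Parameter(Mandatory)][string]$ServerDnsName,  # substituted for %1
        [Parameter(Mandatory)][string]$CAName,         # substituted for %3
        [string]$RenewalSuffix = ''                    # substituted for %4; '' before any renewal
    )
    if ($Entry -notmatch '^(\d+):(.*)$') {
        throw "Entry does not start with a numeric prefix: $Entry"
    }
    $flags    = [int]$Matches[1]
    $template = $Matches[2]
    # On the certutil command line the tokens are written %%1, %%3, %%4 so that cmd.exe
    # does not consume them; the stored value holds a single percent sign.
    $template = $template -replace '%%', '%'
    $expanded = $template -replace '%1', $ServerDnsName -replace '%3', $CAName -replace '%4', $RenewalSuffix
    # %WINDIR% and similar are ordinary environment variables; expand them last.
    $expanded = [Environment]::ExpandEnvironmentVariables($expanded)
    [pscustomobject]@{
        Flags         = $flags
        PublishesFile = [bool]($flags -band 1)   # bit 1: CA writes the file here
        InIssuedAIA   = [bool]($flags -band 2)   # bit 2: URL appears in issued certs
        FileName      = Split-Path -Leaf $expanded
        ExpandedPath  = $expanded
    }
}

# Constructed sample entries using the thread's names, evaluated after one renewal.
$entries = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt',  # default naming -> msft-ca-01_MSFT-ROOT-CA(2).crt
    '1:C:\Windows\system32\CertSrv\CertEnroll\%%3%%4.crt',     # the wanted naming -> MSFT-ROOT-CA(2).crt
    '0:C:\Windows\system32\CertSrv\CertEnroll\%%3%%4.crt'      # prefix 0: neither bit 1 nor bit 2 set
)
$entries | ForEach-Object {
    Expand-CAPublicationUrl -Entry $_ -ServerDnsName 'msft-ca-01' -CAName 'MSFT-ROOT-CA' -RenewalSuffix '(2)'
} | Format-Table Flags, PublishesFile, InIssuedAIA, FileName -AutoSize
```

The table makes the difference between the default template and the shortened one visible before touching the registry; compare it against `certutil -getreg CA\CACertPublicationURLs` on the CA to see which entries are actually in effect.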

Thanks for this info. And what about the 0: prefix? When I add the same path through the GUI, the new entry has a 0: prefix. Anyway, I've tried your suggestion. I tried to add the value you mentioned through certutil, tried to add it manually via regedit, and tried the following values: 1:C:\Windows\system32\CertSrv\CertEnroll\%%3%%4.crt and also: 1:C:\Windows\system32\CertSrv\CertEnroll\%3%4.crt

When I renewed the root CA (with the same keys, and with new keys) I didn't notice any change at all. The root CA certificate file name changed from msft-ca-01_MSFT-ROOT-CA(2).crt to msft-ca-01_MSFT-ROOT-CA(3).crt, after that to msft-ca-01_MSFT-ROOT-CA(4).crt, and so on and so on :( So in general the file name was not affected at all :(
February 19th, 2010 2:50pm

So my question is: Why? What risk are you mitigating by changing from the default file naming mechanism?

There used to be a registry key in Windows Server 2003, CACertFileName, that allowed you to manipulate the format of the name, but that was deprecated for Windows Server 2008. It may still work, but it is no longer asserted in the registry.

Brian
February 19th, 2010 4:04pm

This was mainly my own interest, whether I can do that :) I do not want the root CA file name to be so complex and long, I do not want to have the server name in this file name, and I do not want to manually rename this file, so I thought it was somehow possible :) I'll try this reg entry just in case. Thanks Brian.
February 19th, 2010 4:32pm
