Correct AIA and CDP extensions for offline Root CA, publish to local file system and LDAP only
I have a double objective here: 1) Properly configure the AIA and CDP extensions for an offline Root CA and 2) create a script with the same settings that you see in the GUI.
The name of the CA is "CA-A". Domain name is mynet.int
Do these settings seem to be appropriate?
Here is what I have configured for AIA (as seen in the GUI, CA properties, Extensions tab)
AIA
AIA - C:\...(etc.).
Nothing - options grayed out.
AIA - LDAP
Check "Include in the AIA extension of issued certificates"
AIA - HTTP
Nothing checked (for the present scenario, certs would only be distributed via GPO/autoenrollment and I would not be using OCSP).
AIA - File
Nothing - do we still use the file option?
CDP
CDP - C:\... (etc.).
Publish CRLs (and Delta CRLs) to this location.
Other options grayed out.
CDP - LDAP
Not sure about this...
Should I uncheck the "Publish..." options since the Root CA cannot publish to Active Directory? Seems to make sense, unless I'm missing something. Of course, I will copy appropriate files to the Sub CA and use certutil -addstore and certutil -dspublish to install the Root CA cert and CRL as needed.
CDP - HTTP
Nothing
CDP - File
Nothing
#################################################
In the scripts, reflecting (I hope) the above configuration, we would have:
AIA
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\System32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
Local file system
1: -> Publish to local file system (use indicated path)
%1 -> DNS name of computer "CA1.mynet.int"
%3 -> CA logical name CA-A
%4 -> name of cert file
LDAP
2: -> Include LDAP URL in AIA of all issued certificates.
%7 -> CA sanitized name -------- (what name?)
%6 -> ConfigDN ----------- (CN=Configuration,DC=mynet,DC=int)
%11 -> Simply designates object as a CA object in AD.
CDP
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\System32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
Local File System
1: Publish to local file system (use indicated path)
%3 -> CA logical name CA-A
%8 -> CRL Name Suffix - the CRL's renewal extension
%9 -> Delta CRL allowed (If I add %9, that means they are allowed - and used?)
LDAP
%7 -> CA sanitized name ----------------- (???)
%8 -> CRL Name Suffix - the CRL's renewal extension
%2 -> Server short name (NetBIOS name) - CA-A
%6 -> ConfigDN ----------- (CN=Configuration,DC=mynet,DC=int)
%10 -> Designates object as a CDP in Active Directory
March 16th, 2012 9:10pm
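The two certutil -setreg lines above, put into a script together with the domain-side publishing step the poster mentions (certutil -addstore / -dspublish). This is an added example, not code from the original post: it assumes an elevated PowerShell on the root CA (CA-A on host CA1.mynet.int) for the first function and on a domain-joined machine such as the Sub CA for the second, that the copied files are named after the %1_%3%4.crt and %3%8%9.crl patterns (CA1.mynet.int_CA-A.crt and CA-A.crl on D:\), and that the offline root issues base CRLs only, so delta CRLs are switched off (the post leaves the %9 question open). The $IssuedCert parameter is a hypothetical path to a certificate issued by the root, used only for the final chain check.

```powershell
# Added example, not from the original post. Assumptions: elevated PowerShell,
# CA-A on CA1.mynet.int, domain mynet.int, file names per %1_%3%4.crt / %3%8%9.crl.

# --- Part 1: run on the offline root CA -------------------------------------
# Flag values certutil stores in front of each URL (add the ones you need):
#   1 = CSURL_SERVERPUBLISH  "Publish CRLs / certificates to this location"
#   2 = CSURL_ADDTOCERTCDP   "Include in the AIA / CDP extension of issued certificates"
#   8 = CSURL_ADDTOCRLCDP    "Include in all CRLs" (lets certutil -dspublish find
#                             the AD container when the CRL is published by hand)
# so the "10:" on the LDAP CDP URL is 2 + 8.
function Set-OfflineRootPublicationUrls {
    param(
        [string]$CertEnroll = "$env:windir\System32\CertSrv\CertEnroll"
    )
    # certutil -setreg splits a REG_MULTI_SZ value on a literal "\n" in the
    # argument; PowerShell double-quoted strings leave "\n" alone, so it arrives intact.
    $aia = "1:$CertEnroll\%1_%3%4.crt\n" +
           "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
    $cdp = "1:$CertEnroll\%3%8%9.crl\n" +
           "10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

    certutil -setreg CA\CACertPublicationURLs $aia
    certutil -setreg CA\CRLPublicationURLs    $cdp

    # Assumption: no delta CRLs on an offline root (base CRLs only).
    certutil -setreg CA\CRLDeltaPeriodUnits 0

    Restart-Service certsvc
    certutil -crl    # issue a fresh CRL that reflects the new CDP settings

    # Read the values back; this is the check that the registry holds what the GUI shows.
    certutil -getreg CA\CACertPublicationURLs
    certutil -getreg CA\CRLPublicationURLs
}

# --- Part 2: run on a domain-joined machine (e.g. the Sub CA) ---------------
# The root cert and CRL are carried over on removable media; the root itself
# never talks to Active Directory.
function Publish-RootCaToDomain {
    param(
        [string]$RootCert   = 'D:\CA1.mynet.int_CA-A.crt',  # %1_%3%4.crt (assumed path)
        [string]$RootCrl    = 'D:\CA-A.crl',                # %3%8%9.crl, first CRL has no suffix
        [string]$IssuedCert = ''                            # hypothetical: a cert issued by CA-A
    )
    # Local machine Root store on this box (the post's certutil -addstore step).
    certutil -addstore -f Root $RootCert

    # "RootCA" publishes the certificate to both the Certification Authorities
    # and the AIA containers under CN=Public Key Services.
    certutil -dspublish -f $RootCert RootCA

    # The CRL carries its own LDAP CDP (flag 8 above), so the container
    # argument can be left out; certutil takes the target DN from the CRL.
    certutil -dspublish -f $RootCrl

    gpupdate /force

    # Optional end-to-end check: can this machine build the chain and fetch the CRL?
    if ($IssuedCert) { certutil -verify -urlfetch $IssuedCert }
}
```

Running Set-OfflineRootPublicationUrls on the root and then Publish-RootCaToDomain on the Sub CA reproduces the GUI settings described in the post; the -getreg output and the -verify -urlfetch result are the two places to look when something in the chain does not validate.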
You are all go, the certutil command with the AIA and CDP URLs looks very correct for what you are describing
/Hasain
March 18th, 2012 1:11am
Thanks.
Will give that a try shortly.
March 18th, 2012 9:02am