PKI set up issue

Hello Everybody,

I am following the guide "Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy" (https://technet.microsoft.com/en-us/library/hh831348.aspx) to set up the test PKI environment for my own practice.

On the part "To configure the root CA settings":

When I try to run the command below in Windows PowerShell, I get the error: certutil: too many arguments.

certutil -setreg CA\DSConfigDN CN=Configuration,DC=corp,DC=contoso,DC=com

Kindly somebody advise on this.

Thanks,

Amit


September 10th, 2015 2:40pm

Does the value you're using for CN=Configuration,DC=corp etc. have a space in it? If so, you may need to wrap that value in quotation marks in your command.
September 10th, 2015 5:51pm

-setreg

CertUtil [Options] -setreg [{ca|restore|policy|exit|template|enroll|chain|PolicyServers}\[ProgId\]]RegistryValueName Value

Set registry value

ca: Use CA's registry key

restore: Use CA's restore registry key

policy: Use policy module's registry key

exit: Use first exit module's registry key

template: Use template registry key (use -user for user templates)

enroll: Use enrollment registry key (use -user for user context)

chain: Use chain configuration registry key

PolicyServers: Use Policy Servers registry key

ProgId: Use policy or exit module's ProgId (registry subkey name)

RegistryValueName: registry value name (use "Name*" to prefix match)

Value: new numeric, string or date registry value or filename. If a numeric value starts with "+" or "-", the bits specified in the new value are set or cleared in the existing registry value.

If a string value starts with "+" or "-", and the existing value is a REG_MULTI_SZ value, the string is added to or removed from the existing registry value. To force creation of a REG_MULTI_SZ value, add a "\n" to the end of the string value.

If the value starts with "@", the rest of the value is the name of the file containing the hexadecimal text representation of a binary value. If it does not refer to a valid file, it is instead parsed as [Date][+|-][dd:hh] -- an optional date plus or minus optional days and hours. If both are specified, use a plus sign (+) or minus sign (-) separator. Use "now+dd:hh" for a date relative to the current time.

Use "chain\ChainCacheResyncFiletime @now" to effectively flush cached CRLs.

[-f] [-user] [-GroupPolicy] [-config Machine\CAName]

September 10th, 2015 6:36pm

Ignore Offline CRL Errors on the CA

Normally, a Windows Server 2003 CA will always check revocation on all certificates in the PKI hierarchy (except the root CA certificate) before issuing an end-entity certificate. To disable this feature, use the following command on the CA, and then restart the CA service:

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
September 10th, 2015 6:41pm

Try this one:

certutil -setreg CA\DSConfigDN "CN=Configuration,DC=corp,DC=contoso,DC=com"


September 10th, 2015 6:43pm
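Added example (not part of the thread, and not Microsoft's code) showing why the quotes in the last reply matter. In PowerShell's argument mode the comma is the array operator, so an unquoted `CN=Configuration,DC=corp,DC=contoso,DC=com` becomes a four-element array; when the command is a native executable such as certutil.exe, each element is handed over as a separate argument, which is what certutil reports as "too many arguments". The `Show-ArgumentShape` function below is a constructed stand-in for an external command so the demonstration does not touch a live CA.

```powershell
# Constructed stand-in for an external command: reports the shape of what it received.
function Show-ArgumentShape {
    $i = 0
    foreach ($a in $args) {
        if ($a -is [array]) {
            "arg[$i]: array of $($a.Count) elements -> $($a -join ' / ')"
        } else {
            "arg[$i]: string '$a'"
        }
        $i++
    }
}

'--- unquoted: the commas split the DN into an array ---'
Show-ArgumentShape -setreg CA\DSConfigDN CN=Configuration,DC=corp,DC=contoso,DC=com

'--- quoted: the DN stays one string, as certutil expects ---'
Show-ArgumentShape -setreg CA\DSConfigDN "CN=Configuration,DC=corp,DC=contoso,DC=com"

# Alternative for native executables (PowerShell 3.0 and later): the stop-parsing
# token --% passes the rest of the line to the executable verbatim. Shown as a
# comment so this script does not modify a CA:
#   certutil --% -setreg CA\DSConfigDN CN=Configuration,DC=corp,DC=contoso,DC=com

# After running the real command, verify that the value landed as a single string:
#   certutil -getreg CA\DSConfigDN
```

The quoted form is the safer habit for any certutil value that contains commas (distinguished names, CRL distribution point lists), and reading the value back with `certutil -getreg` confirms that the registry received the whole DN rather than just its first element.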
