Standalone Root CA and Enterprise Subordinate CA installation
In our DC, we are planning a CA environment. The plan is: one Standalone Offline Root CA and one Enterprise subordinate CA.
I installed the Root CA on a non-member Windows 2008 R2 server with Certificate Authority only. After the installation, I ran the following post-installation script, as below.
::Root CA Post Installation Script
::Declare Configuration NC (quoted so the < > placeholders are not treated as redirection)
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=<DOMAIN>,DC=<domain>"
::Define CRL Publication Intervals
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2
::Apply the required CDP Extension URLs (one command; %% is the batch escape for a literal %)
certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://WEBSERVER1/Certdata/%%3%%8%%9.crl\n2:http://WEBSERVER2/Certdata/%%3%%8%%9.crl"
::Apply the required AIA Extension URLs (one command)
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://WEBSERVER1/CertData/%%1_%%3%%4.crt\n2:http://WEBSERVER2/CertData/%%1_%%3%%4.crt"
::Enable all auditing events for the Root CA
certutil -setreg CA\AuditFilter 127
::Set Validity Period for Issued Certificates
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
::Enable discrete signatures in subordinate CA certificates
certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1
::Restart Certificate Services
net stop certsvc & net start certsvc
After that I copied the Root CA certificate and CRL file to the subordinate CA server and ran the following command:
certutil -f -dspublish root-ca-ca.crl
I have a question regarding certutil -setreg CA\CRLPublicationURLs and certutil -setreg CA\CACertPublicationURLs: which paths do we have to add with these commands? For example, if we use http://, does it need to be a valid web path where the .crl and .cer files are manually stored? Do we also need to install Certificate Web Enrollment along with the CA authority during installation?
Please help me.
June 25th, 2012 12:19pm
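The meaning of each entry in those two registry values is carried by the numeric prefix: bit 1 tells the CA service to write the file there, bit 2 tells it to advertise the URL to clients in the CDP/AIA extension. The following added example (not from the post or from Microsoft; the CA token values and the local path are constructed) decodes the CRLPublicationURLs value from the script, expands the %N tokens the way the CA does, and lists the advertised locations that the CA service itself never writes to, which are exactly the ones an administrator has to populate by hand.

```python
import re

# Flag bits in CA\CRLPublicationURLs entries, as used by certutil -setreg / the CDP tab.
CDP_FLAGS = {
    1: "CA service writes the CRL here",
    2: "listed in the CDP extension of issued certificates",
    4: "listed in CRLs so clients can find delta CRLs",
    8: "listed in all CRLs; AD location used when publishing manually",
    64: "CA service writes delta CRLs here",
    128: "listed in the IDP extension of issued CRLs",
}

# Tokens the CA substitutes at publication time. Values are CONSTRUCTED for an
# example root CA (%5 DomainDN omitted because the sample URLs do not use it).
SAMPLE_CA = {
    1: "rootca.corp.example",                   # %1 ServerDNSName
    2: "ROOTCA",                                # %2 ServerShortName
    3: "Example-Root-CA",                       # %3 CAName
    4: "",                                      # %4 CertificateName (empty for first CA cert)
    6: "CN=Configuration,DC=corp,DC=example",   # %6 ConfigurationContainer
    7: "Example-Root-CA",                       # %7 CATruncatedName
    8: "",                                      # %8 CRLNameSuffix (non-empty only after renewal)
    9: "",                                      # %9 DeltaCRLAllowed ("+" in a delta CRL name)
    10: "?certificateRevocationList?base?objectClass=cRLDistributionPoint",  # %10 CDPObjectClass
}

# The value from the post as it is stored (single %, newline-separated); local path constructed.
SAMPLE_CDP = (
    r"1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl" "\n"
    "10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n"
    "2:http://WEBSERVER1/Certdata/%3%8%9.crl\n"
    "2:http://WEBSERVER2/Certdata/%3%8%9.crl"
)

def expand(url, ca):
    """Substitute %N tokens, highest numbers first so %10 is not eaten by %1."""
    for n in sorted(ca, reverse=True):
        url = url.replace(f"%{n}", ca[n])
    return url

def parse_publication_urls(value, flag_table):
    """Split a CRLPublicationURLs/CACertPublicationURLs value into decoded entries."""
    entries = []
    for line in value.split("\n"):
        m = re.fullmatch(r"(\d+):(.+)", line)
        if not m:
            raise ValueError(f"malformed entry: {line!r}")
        flags, url = int(m.group(1)), m.group(2)
        entries.append({"flags": flags, "url": url, "written_by_ca": bool(flags & 1),
                        "advertised": bool(flags & 2),
                        "meaning": [t for b, t in flag_table.items() if flags & b]})
    return entries

def manual_publish_targets(entries, ca):
    """Locations clients are told about that the CA service never writes to itself."""
    return [expand(e["url"], ca) for e in entries if e["advertised"] and not e["written_by_ca"]]
```

For the value in the post this returns the ldap:/// location (covered by the manual certutil -dspublish step) and the two http:// URLs, which must resolve to a web directory where the .crl and .crt files are copied; a plain static directory on any web server is enough for that, so it does not depend on the Web Enrollment role.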
Hi,
Thanks for posting in Microsoft TechNet forums.
Regarding the use of the command "certutil -setreg", I suggest we read the article below, which can help us understand it:
Designing and Implementing a PKI: Part II Implementation Phases and Certificate Authority Installation
http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx
And if you hope to learn about Certificate Enrollment Web Services, we can check the article below:
Setting Up Certificate Enrollment Web Services
http://technet.microsoft.com/en-us/library/dd759243.aspx
Regards
Kevin
June 27th, 2012 12:18am