Standalone Root CA and Enterprise Subordinate CA installation
In our DC, we are planning a CA environment. The plan is one standalone offline Root CA and one Enterprise subordinate CA. I installed the Root CA on a non-member Windows 2008 R2 server with the Certificate Authority role only. After the installation, I ran the following post-installation script:

    ::Root CA Post Installation Script
    ::Declare Configuration NC
    certutil -setreg CA\DSConfigDN CN=Configuration,DC=<DOMAIN>,DC=<domain>
    ::Define CRL Publication Intervals
    certutil -setreg CA\CRLPeriodUnits 52
    certutil -setreg CA\CRLPeriod "Weeks"
    certutil -setreg CA\CRLDeltaPeriodUnits 0
    certutil -setreg CA\CRLDeltaPeriod "Days"
    certutil -setreg CA\CRLOverlapPeriod "Weeks"
    certutil -setreg CA\CRLOverlapUnits 2
    ::Apply the required CDP Extension URLs
    certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://WEBSERVER1/Certdata/%%3%%8%%9.crl\n2:http://WEBSERVER2/Certdata/%%3%%8%%9.crl"
    ::Apply the required AIA Extension URLs
    certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://WEBSERVER1/CertData/%%1_%%3%%4.crt\n2:http://WEBSERVER2/CertData/%%1_%%3%%4.crt"
    ::Enable all auditing events for the Root CA
    certutil -setreg CA\AuditFilter 127
    ::Set Validity Period for Issued Certificates
    certutil -setreg CA\ValidityPeriodUnits 10
    certutil -setreg CA\ValidityPeriod "Years"
    ::Enable discrete signatures in subordinate CA certificates
    certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1
    ::Restart Certificate Services
    net stop certsvc & net start certsvc

After that I copied the Root CA certificate and CRL file to the subordinate CA server and ran the following command:

    certutil -f -dspublish root-ca-ca.crl

I have a question regarding certutil -setreg CA\CRLPublicationURLs and certutil -setreg CA\CACertPublicationURLs: which paths do we have to add with these commands? If we use http://, does it need to be a valid web path where the CRL and CER are manually stored? Do we also need to install Certificate Web Enrollment together with the CA during installation? Please help me.
June 25th, 2012 12:19pm
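Editor's added example, not code from the original post or from Microsoft: a PowerShell script that expands the %n tokens certutil substitutes into CA\CRLPublicationURLs and CA\CACertPublicationURLs, decodes the numeric prefix of each entry, and separates the locations the CA itself writes to (bit 1) from the locations that get embedded in issued certificates and CRLs for clients to fetch (bit 2). The CA name, server names and configuration DN are constructed for the example; the two URL strings are the ones from the post above, with the typos corrected (CN=%%2, CN=Public Key Services, %%1_%%3%%4.crt).

```powershell
# Token meanings follow certutil's CDP/AIA substitution variables; the values
# below are constructed for this example. Two-digit tokens come first so that
# a literal replace of '%1' cannot clobber '%10' or '%11'.
$tokens = [ordered]@{
    '%11' = '?cACertificate?base?objectClass=certificationAuthority'          # CAObjectClass
    '%10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint' # CDPObjectClass
    '%1'  = 'rootca01'                            # ServerDNSName (constructed)
    '%2'  = 'ROOTCA01'                            # ServerShortName (constructed)
    '%3'  = 'Contoso Root CA'                     # CaName (constructed)
    '%4'  = ''                                    # CertificateName: renewal suffix, empty for the first CA cert
    '%6'  = 'CN=Configuration,DC=contoso,DC=com'  # ConfigDN (constructed)
    '%7'  = 'Contoso Root CA'                     # CATruncatedName (constructed)
    '%8'  = ''                                    # CRLNameSuffix: empty for the first CA key
    '%9'  = ''                                    # DeltaCRLAllowed: '+' appears in delta CRL file names
}

# Meaning of the numeric prefix bits, as shown on the Extensions tab of the CA MMC.
$cdpBits = @{ 1 = 'Publish CRLs here'; 2 = 'In CDP extension of issued certs'
              4 = 'In CRLs (delta CRL locator)'; 8 = 'In all CRLs (AD publish target)'
              64 = 'Publish delta CRLs here'; 128 = 'In IDP extension of CRLs' }
$aiaBits = @{ 1 = 'Publish CA cert here'; 2 = 'In AIA extension of issued certs'
              32 = 'In OCSP extension of issued certs' }

function Expand-CaPublicationUrls {
    param(
        [Parameter(Mandatory)][string]$Setting,                        # value as passed to certutil -setreg
        [Parameter(Mandatory)][ValidateSet('CDP', 'AIA')][string]$Kind
    )
    $bits = if ($Kind -eq 'CDP') { $cdpBits } else { $aiaBits }
    # In a .cmd file '%%' is a single literal '%' by the time certutil runs,
    # and certutil treats a literal '\n' in the value as the entry separator.
    $entries = $Setting.Replace('%%', '%') -split '\\n|\r?\n'
    foreach ($e in $entries) {
        if ($e -match '^(\d+):(.+)$') {
            $flags = [int]$Matches[1]
            $url   = $Matches[2]
            foreach ($t in $tokens.Keys) { $url = $url.Replace($t, $tokens[$t]) }
            [pscustomobject]@{
                Kind         = $Kind
                Flags        = $flags
                Means        = ($bits.Keys | Sort-Object | Where-Object { $flags -band $_ } |
                                ForEach-Object { $bits[$_] }) -join '; '
                CaWrites     = [bool]($flags -band 1)   # the CA service publishes the file here itself
                ClientsFetch = [bool]($flags -band 2)   # the URL is embedded in issued certificates
                Url          = $url
            }
        }
    }
}

# The CDP and AIA strings from the post above (typos fixed).
$crlUrls = '1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://WEBSERVER1/Certdata/%%3%%8%%9.crl\n2:http://WEBSERVER2/Certdata/%%3%%8%%9.crl'
$aiaUrls = '1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://WEBSERVER1/CertData/%%1_%%3%%4.crt\n2:http://WEBSERVER2/CertData/%%1_%%3%%4.crt'

$all = @(Expand-CaPublicationUrls -Setting $crlUrls -Kind CDP) +
       @(Expand-CaPublicationUrls -Setting $aiaUrls -Kind AIA)
$all | Format-Table Kind, Flags, CaWrites, ClientsFetch, Url -AutoSize

# HTTP locations that will appear in issued certificates but that this CA never
# writes to: the files the CA drops in CertEnroll (the bit-1 entry) have to be
# copied to these paths, by hand or by script, before clients can build chains
# and check revocation. Spaces in the CA name are percent-encoded in the
# extension, but the file name on the web server stays as in CertEnroll.
$all | Where-Object { $_.ClientsFetch -and -not $_.CaWrites -and $_.Url -like 'http*' } |
    ForEach-Object { 'copy to web server: {0}' -f $_.Url }
```

The 10: prefix on the ldap entry (8 + 2) marks it as the Active Directory location used when the root's CRL is published manually with certutil -dspublish, which is the step the post describes after copying the files to the subordinate CA.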

Hi,

Thanks for posting in the Microsoft TechNet forums. Regarding the use of the command "certutil -setreg", I suggest we read the article below, which can help us understand it:

Designing and Implementing a PKI: Part II Implementation Phases and Certificate Authority Installation
http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx

And if you want to learn about Certificate Enrollment Web Services, we can check the article below:

Setting Up Certificate Enrollment Web Services
http://technet.microsoft.com/en-us/library/dd759243.aspx

Regards
Kevin
June 27th, 2012 12:18am

This topic is archived. No further replies will be accepted.
