Sample Script to Configure CorporateRootCA

Applies To: Windows Server 2003 with SP1

The script in this section applies the most important configuration changes to a Windows Server 2003 CA for the CorporateRootCA computer.

Important

Because percent (%) variables are handled differently in batch files and at a command prompt, you must use two percent signs (%%) if you run this sample script from a batch file, as shown. If certutil is called from a command prompt and not from a batch file, use only one percent sign (%), not two percent signs (%%).

REM
REM CA configuration script for a Windows Server 2003 CA
REM
REM The naming context applies to the individual organization's Active Directory
REM configuration
REM
SET myADnamingcontext=DC=concorp,DC=contoso,DC=com
REM
REM This variable directs to the HTTP publication location that is used for
REM the CRL and AIA publication
REM
SET myhttpPKIvroot=https://www.contoso.com/pki
REM
certutil.exe -setreg ca\DSConfigDN "CN=Configuration,%myADnamingcontext%"
REM
REM Configure CRL and AIA CDP
REM
REM By default, Certutil creates a registry value of type REG_SZ if a string is
REM specified as a parameter. Some registry values are expected as REG_MULTI_SZ.
REM To create a REG_MULTI_SZ instead of a REG_SZ, add a \n to the end of any
REM value that becomes part of the REG_MULTI_SZ
REM
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:%myhttpPKIvroot%/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%myhttpPKIvroot%/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
REM
REM Configure CRL publication
REM
certutil -setreg CA\CRLPeriodUnits 180
certutil -setreg CA\CRLPeriod "Days"
REM
REM Disable Delta CRL publication
REM
certutil -setreg CA\CRLDeltaPeriodUnits 0
REM
REM Set the validity period for issued certificates
REM
certutil -setreg ca\ValidityPeriodUnits 10
certutil -setreg ca\ValidityPeriod "Years"
REM
REM Restart the CA server service
REM
net stop certsvc & net start certsvc
REM
REM Repair CA file system shares and IIS virtual roots
REM
certutil -vroot
REM
REM Republish the CRL
REM CRL publishing may not work immediately
REM after you restart the CA server service. If this behavior
REM occurs, run the certutil -CRL command at a command
REM prompt again.
REM
certutil -CRL
REM
REM Test if CAPolicy.inf file exists
REM
IF EXIST %SYSTEMROOT%\capolicy.inf GOTO ENDCFG
ECHO Warning, no capolicy.inf file used
:ENDCFG
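
The publication templates above are lists of flags:url entries separated by a literal \n, with %N tokens that the CA substitutes when it builds each URL. As an added example, not part of the Microsoft script, the following Python takes the CRLPublicationURLs value exactly as the batch file hands it to certutil (%% collapsed to %, %WINDIR% and %myhttpPKIvroot% already expanded), expands the tokens with constructed sample values for CorporateRootCA, and points out which locations certificates or CRLs will advertise even though this CA never writes to them, so an operator must copy the CRL there (normal for an offline root). The flag and token meanings are the documented certutil ones; the host names and the C:\WINDOWS path are assumed placeholders.

```python
import re
# Meaning of the numeric prefix on each CRLPublicationURLs entry
# (documented certutil flag values; the page's 10 is 8 + 2).
CRL_FLAGS = {
    1: "CA writes the CRL here",
    2: "listed in the CDP extension of issued certificates",
    4: "listed in the freshest-CRL extension",
    8: "listed in the CDP extension of the CRL itself",
    64: "CA writes the delta CRL here",
    128: "listed in the IDP extension of the CRL",
}
# Constructed sample values for the %N tokens, keyed by the documented
# token numbers (1 ServerDNSName, 2 ServerShortName, 3 CaName, 4 CertificateName,
# 6 ConfigurationContainer, 7 CATruncatedName, 8 CRLNameSuffix,
# 9 DeltaCRLAllowed, 10 CDPObjectClass, 11 CAObjectClass); hosts are placeholders.
SAMPLE_VALUES = {
    "1": "corprootca.concorp.contoso.com", "2": "CORPROOTCA",
    "3": "CorporateRootCA", "4": "", "7": "CorporateRootCA", "8": "", "9": "",
    "6": "CN=Configuration,DC=concorp,DC=contoso,DC=com",
    "10": "?certificateRevocationList?base?objectclass=cRLDistributionPoint",
    "11": "?cACertificate?base?objectclass=certificationAuthority",
}
# The CRLPublicationURLs value as the batch file hands it to certutil:
# %% collapsed to %, %WINDIR% and %myhttpPKIvroot% already expanded.
CRL_TEMPLATE = (
    r"1:C:\WINDOWS\system32\CertSrv\CertEnroll\%3%8%9.crl"
    r"\n2:https://www.contoso.com/pki/%3%8%9.crl"
    r"\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
)

def parse_entries(template):
    """Split on the literal \\n separators; each entry is 'flags:url'."""
    return [(int(f), u) for f, u in
            (raw.split(":", 1) for raw in template.split("\\n"))]

def expand(url, values=SAMPLE_VALUES):
    """Substitute %N tokens the way the CA does at publication time."""
    return re.sub(r"%(\d+)", lambda m: values[m.group(1)], url)

def audit(template=CRL_TEMPLATE):
    """Expand every entry; mark locations that certificates or CRLs advertise
    but this CA never writes to (flag 1 absent), i.e. they need a manual copy."""
    report = []
    for flags, url in parse_entries(template):
        advertised = bool(flags & (2 | 8 | 128))
        report.append({"flags": flags, "url": expand(url),
                       "roles": [t for f, t in CRL_FLAGS.items() if flags & f],
                       "needs_manual_copy": advertised and not flags & 1})
    return report
```

Running audit() against the page's value shows that only the local CertEnroll path is written by the CA, while the HTTPS and LDAP locations are advertised but must be populated by a separate copy step.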

The following script applies the same configuration as the previous script, but it configures a Windows 2000 CA. Remember that the delta CRL configuration parameter is not supported in a Windows 2000 CA environment. To perform the certutil -URL and certutil -vroot commands, you must run the version of certutil that is included with Windows Server 2003 on the Windows 2000 CA computer.

REM
REM CA configuration script for a Windows 2000 CA
REM
REM This variable directs to the HTTP publication location that is used for
REM the CRL and AIA publication
REM
SET myhttpPKIvroot=https://www.contoso.com/pki
REM
REM Because CRLs and CA certificates are published in the organization's Active
REM
REM Configure CRL and AIA CDP
REM
certutil -setreg policy\FileRevocationCRLURL "\n"
certutil -setreg policy\RevocationCRLURL "%myhttpPKIvroot%/%%3%%8.crl\n"
certutil -setreg policy\LDAPRevocationCRLURL "ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6?certificateRevocationList?base?objectclass=cRLDistributionPoint\n"
certutil -setreg policy\FileIssuercertURL "\n"
certutil -setreg policy\IssuercertURL "%myhttpPKIvroot%/%%1_%%3%%4.crt\n"
certutil -setreg policy\LDAPIssuercertURL "ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6?cACertificate?base?objectclass=certificationAuthority\n"
REM
REM Configure CRL publication
REM
certutil -setreg CA\CRLPeriodUnits 180
certutil -setreg CA\CRLPeriod "Days"
REM
REM Set the validity period for issued certificates
REM
certutil -setreg ca\ValidityPeriodUnits 10
certutil -setreg ca\ValidityPeriod "Years"
REM
REM Disable issuer name and issuer serial number in the Authority Key Identifier extension
REM
certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERNAME
certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERSERIAL
REM
REM Restart the CA server service
REM
net stop certsvc & net start certsvc
REM
REM Repair CA file system shares and IIS virtual roots
REM
certutil -vroot
REM
REM Publish the CRL with the updated CDP and naming information.
REM CRL publishing might fail immediately after the CA server
REM service has been restarted. If this is the case, run
REM certutil -CRL at a command prompt again.
REM
certutil -CRL