Configure an offline root certification authority to support certificate revocation with Active Directory

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To configure an offline root certification authority to support certificate revocation with Active Directory

  1. Log on to the system as a Certification Authority Administrator.

  2. Open Command Prompt.

  3. Type the following, and then press ENTER.

    certutil -setreg ca\DSConfigDN "CN=Configuration,DNpath"

  4. Type the following, and then press ENTER.

    certutil -setreg ca\DSDomainDN "DNpath"

  5. Open Certification Authority.

  6. In the console tree, click the name of the certification authority (CA).

    Where?

    • Certification Authority (Computer)/CA name

  7. On the Action menu, point to All Tasks, and click Stop Service to stop the service.

  8. On the Action menu, point to All Tasks, and click Start Service to start the service.
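The following PowerShell script is an added example, not part of the original page and not a Microsoft-supplied tool. It performs steps 3, 4, 7 and 8 above on the root CA itself and then reads the values back. Because an offline root CA is normally not joined to the domain, the forest DN cannot be looked up from it; the script instead takes the forest's DNS name as a parameter (the sample value corp.example.com is constructed) and derives DNpath locally. The helper name ConvertTo-DistinguishedName is an assumption of this example; CertSvc is the name of the Certificate Services service, and CRLPublicationURLs is the registry value that holds the CDP settings the note below refers to, both known names that do not appear on the page.

```powershell
# Added example (not from the original page): configure an offline root CA's
# Active Directory DN values for CRL publication, restart the CA service, and
# verify the result. Run as a Certification Authority Administrator.
param(
    [Parameter(Mandatory = $true)]
    [string]$ForestDnsName   # constructed sample: "corp.example.com"
)

# Helper (assumed name, not a built-in cmdlet): turn a DNS forest name such as
# "corp.example.com" into the distinguished name "DC=corp,DC=example,DC=com".
function ConvertTo-DistinguishedName([string]$DnsName) {
    $labels = $DnsName.TrimEnd('.').Split('.') | Where-Object { $_ -ne '' }
    if ($labels.Count -eq 0) { throw "ForestDnsName must contain at least one DNS label" }
    return (($labels | ForEach-Object { "DC=$_" }) -join ',')
}

$dnPath   = ConvertTo-DistinguishedName $ForestDnsName   # DNpath in the procedure
$configDN = "CN=Configuration,$dnPath"                    # Configuration container

# Step 3: registry value for the Configuration container DN.
& certutil -setreg ca\DSConfigDN $configDN
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg ca\DSConfigDN failed with exit code $LASTEXITCODE" }

# Step 4: registry value for the domain DN.
& certutil -setreg ca\DSDomainDN $dnPath
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg ca\DSDomainDN failed with exit code $LASTEXITCODE" }

# Steps 7 and 8: stop and start Certificate Services so the new values take effect.
Restart-Service -Name CertSvc -Force

# Read-only verification: confirm the values were written as intended.
& certutil -getreg ca\DSConfigDN
& certutil -getreg ca\DSDomainDN

# Read-only check tied to the note on CDP configuration: clients can only locate
# the CRL in Active Directory if the CDP extension carries an LDAP path.
$cdp = & certutil -getreg ca\CRLPublicationURLs
if (-not ($cdp -match 'ldap:///')) {
    Write-Warning "No LDAP URL found in CRLPublicationURLs; clients will not find the CRL in Active Directory until the CDP is configured."
}
```

Usage: `.\Set-OfflineRootDsPaths.ps1 -ForestDnsName corp.example.com` (script file name is the example's own choice). The two DN values are derived rather than typed to avoid the common mistake of a mistyped DC component, which would make the CA publish its CRL to a container that does not exist.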

Value            Description

certutil         Specifies the name of the command-line program.

-setreg          Modifies the registry.

ca\DSConfigDN    Indicates the registry value for the distinguished name value of the path to the Configuration container in the Active Directory directory service.

ca\DSDomainDN    Indicates the registry value for the distinguished name value of the Active Directory domain.

DNpath           Specifies the distinguished name value in Active Directory. For more information, see Related Topics.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open a command prompt, click Start, point to All Programs, point to Accessories, and then click Command Prompt.

  • To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

  • To ensure clients have the ability to locate the certificate revocation list (CRL), the certification authority (CA) must be configured with the appropriate LDAP path to retrieve this CRL from Active Directory. This is done by selecting the Include in the CDP extension of issued certificates check box when configuring the CDP. For more information, see Related Topics.

  • This procedure should be used as part of a larger plan to deploy an offline root CA. For more information about deploying an offline root CA, see Related Topics.

  • To view the complete syntax for this command, at a command prompt, type:

    certutil -setreg -?

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Checklist: Creating a certification hierarchy with an offline root certification authority
Specify certificate revocation list distribution points in issued certificates
Start or stop the certification authority service
Active Directory naming