Sample Script to Configure IntermediateCA
Updated: February 14, 2012
Applies To: Windows Server 2003 with SP1
The following script applies the most important configuration changes to a Windows Server 2003 CA for the IntermediateCA computer.
REM
REM CA configuration script for a Windows Server 2003 CA
REM
REM The naming context applies to the individual organization's Active Directory
REM configuration
REM
SET myADnamingcontext=DC=concorp,DC=contoso,DC=com
REM
REM This variable directs to the HTTP publication location that is used for
REM the CRL and AIA publication
REM
SET myhttpPKIvroot=http://www.contoso.com/pki
REM
REM Because CRLs and CA certificates are published in the organization's Active
REM Directory, map the namespace of Active Directory
REM
certutil.exe -setreg ca\DSConfigDN "CN=Configuration,%myADnamingcontext%"
REM
REM Configure CRL and AIA CDP
REM
REM By default, Certutil creates a registry value of type REG_SZ if a string is
REM specified as a parameter. Some registry values are expected as REG_MULTI_SZ.
REM To create a REG_MULTI_SZ instead of a REG_SZ, add a \n to the end of any value
REM that becomes part of the REG_MULTI_SZ
REM
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:%myhttpPKIvroot%/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%myhttpPKIvroot%/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
REM
REM Configure CRL publication
REM
certutil -setreg CA\CRLPeriodUnits 30
certutil -setreg CA\CRLPeriod "Days"
REM
REM Disable Delta CRL publication
REM
certutil -setreg CA\CRLDeltaPeriodUnits 0
REM
REM Set the validity period for issued certificates
REM
certutil -setreg ca\ValidityPeriodUnits 5
certutil -setreg ca\ValidityPeriod "Years"
REM
REM Include certificate policies in certificate request
REM
certutil -v -setreg policy\EnableRequestExtensionlist "+2.5.29.32"
REM
REM Disable issuer name and issuer serial number in the Authority Key Identifier extension
REM
certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERNAME
certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERSERIAL
REM
REM Restart the CA server service
REM
net stop certsvc & net start certsvc
REM
REM Repair CA file-system shares and IIS virtual roots
REM
certutil -vroot
REM
REM Republish the CRL
REM It might happen that CRL publishing fails immediately
REM after the CA server service has been restarted. If this
REM is the case, try certutil -CRL at a command prompt again.
REM
certutil -CRL
The following script applies the same configuration as the previous one, but to a Windows 2000 CA. Remember that the delta CRL configuration parameter is not supported in a Windows 2000 CA environment. To use the certutil -URL and certutil -vroot commands, you must run the Windows Server 2003 version of the certutil utility on the Windows 2000 CA computer.
REM
REM CA configuration script for a Windows 2000 CA
REM
REM This variable directs to the HTTP publication location that is used for
REM the CRL and AIA publication
REM
SET myhttpPKIvroot=http://www.contoso.com/pki
REM
REM Configure CRL and AIA CDP
REM
REM By default, certutil creates a registry value of type REG_SZ if a string is
REM specified as a parameter. Some registry values are expected as REG_MULTI_SZ. To
REM create a REG_MULTI_SZ value instead of a REG_SZ value, add \n to the end of any
REM value that becomes part of REG_MULTI_SZ.
REM
REM No file URL is set for the CRL; only the HTTP and LDAP locations are configured
certutil -setreg policy\FileRevocationCRLURL "\n"
certutil -setreg policy\RevocationCRLURL "%myhttpPKIvroot%/%%3%%8.crl\n"
certutil -setreg policy\LDAPRevocationCRLURL "ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6?certificateRevocationList?base?objectclass=cRLDistributionPoint\n"
certutil -setreg policy\FileIssuercertURL "%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n"
certutil -setreg policy\IssuercertURL "%myhttpPKIvroot%/%%1_%%3%%4.crt\n"
certutil -setreg policy\LDAPIssuercertURL "ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6?cACertificate?base?objectclass=certificationAuthority\n"
REM
REM Configure CRL publication
REM
certutil -setreg CA\CRLPeriodUnits 30
certutil -setreg CA\CRLPeriod "Days"
REM
REM Set the validity period for issued certificates
REM
certutil -setreg ca\ValidityPeriodUnits 5
certutil -setreg ca\ValidityPeriod "Years"
REM
REM Include certificate policies in certificate request
REM
certutil -v -setreg policy\EnableRequestExtensionlist "+2.5.29.32"
REM
REM Disable issuer name and issuer serial number in the Authority Key Identifier extension
REM
certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERNAME
certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERSERIAL
REM
REM Restart the CA server service
REM
net stop certsvc & net start certsvc
REM
REM Repair CA file-system shares and IIS virtual roots
REM
certutil -vroot
REM
REM Republish the CRL.
REM It might happen that CRL publishing fails immediately
REM after the CA server service has been restarted. If this
REM is the case, try certutil -CRL at a command prompt again.
REM
certutil -CRL
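Both scripts rely on certutil's %%N replacement tokens and, in the Windows Server 2003 script, on the numeric flag prefix of each CRLPublicationURLs entry. The following Python is an added example, not part of the original scripts or of Microsoft's tooling: it expands those tokens the way the CA does so you can check the CDP and AIA URLs that will land in issued certificates before restarting certsvc. The IntermediateCA token values and the environment variables are constructed sample values; the token meanings and flag bits are those certutil documents.

```python
import re
# Constructed sample values for the certutil replacement tokens on IntermediateCA;
# the token meanings are those certutil documents for CRLPublicationURLs/CACertPublicationURLs.
TOKENS = {
    1: "intermediateca.concorp.contoso.com",  # %1 ServerDNSName
    2: "INTERMEDIATECA",                      # %2 ServerShortName
    3: "IntermediateCA",                      # %3 CaName
    4: "",                                    # %4 CertificateName ("" until CA cert renewal)
    6: "CN=Configuration,DC=concorp,DC=contoso,DC=com",  # %6 ConfigDN (see DSConfigDN)
    7: "IntermediateCA",                      # %7 CATruncatedName (sanitized)
    8: "",                                    # %8 CRLNameSuffix ("" until key renewal)
    9: "",                                    # %9 DeltaCRLAllowed ("+" in a delta CRL name)
    10: "?certificateRevocationList?base?objectClass=cRLDistributionPoint",  # %10
    11: "?cACertificate?base?objectClass=certificationAuthority",            # %11
}
# Variables that cmd.exe expands before certutil sees the value (constructed).
ENV = {"WINDIR": r"C:\WINDOWS", "myhttpPKIvroot": "http://www.contoso.com/pki"}
# Meaning of the bits in the numeric prefix of each CRLPublicationURLs entry.
CRL_FLAGS = {
    1: "publish CRLs to this location",
    2: "include in the CDP extension of issued certificates",
    4: "include in CRLs, for clients to find delta CRL locations",
    8: "include in all CRLs (where to publish in AD when publishing manually)",
    64: "publish delta CRLs to this location",
    128: "include in the IDP extension of issued CRLs",
}
# The CRLPublicationURLs value exactly as the Windows Server 2003 script passes it.
CRL_PUBLICATION_URLS = (
    r"1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl"
    r"\n2:%myhttpPKIvroot%/%%3%%8%%9.crl"
    r"\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
)

def expand(template, tokens=TOKENS, env=ENV):
    """Expand %VAR% (cmd.exe) and %%N (certutil, doubled inside a batch file)."""
    s = re.sub(r"%([A-Za-z_][A-Za-z0-9_]*)%", lambda m: env[m.group(1)], template)
    # Try %%10 and %%11 before %%1 so "%%10" is not read as token 1 followed by "0".
    return re.sub(r"%%(1[01]|[1-9])", lambda m: tokens[int(m.group(1))], s)

def parse_publication_urls(value, tokens=TOKENS):
    """Split on the literal \\n separators certutil turns into REG_MULTI_SZ entries."""
    entries = []
    for item in value.split("\\n"):
        flags, url = item.split(":", 1)
        entries.append((int(flags), expand(url, tokens)))
    return entries

def describe_flags(flags):
    """Names of the CRL_FLAGS bits set in a prefix such as 10 (= 2 + 8)."""
    return [name for bit, name in CRL_FLAGS.items() if flags & bit]
```

Passing `{**TOKENS, 9: "+"}` to `expand` shows the delta CRL name the CA would use if CRLDeltaPeriodUnits were not set to 0.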
