Sample Script to Configure the EnterpriseSubCA

Applies To: Windows Server 2003 with SP1

The following script applies the most important configuration changes to a Windows Server 2003 CA for the EnterpriseSubCA computer.

Important

Because percent (%) variables are handled differently in batch files and at a command prompt, you must use two percent signs (%%) if you run this sample script from a batch file, as described. If certutil is called from a command prompt and not from a batch file, only use one percent sign (%), not two (%%).

REM
REM CA configuration script for a Windows Server 2003 CA
REM
REM This variable directs to the HTTP publication location that is used for
REM CRL and AIA publication
REM
SET myhttpPKIvroot=https://www.contoso.com/pki
REM
REM Configure CRL and AIA CDP
REM
certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n6:%myhttpPKIvroot%/%%3%%8%%9.crl\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%myhttpPKIvroot%/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
REM
REM Configure CRL publication
REM
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Days"
REM
REM Disable issuer name and issuer serial number
REM
certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERNAME
certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERSERIAL
REM
REM Restart the CA server service
REM
net stop certsvc & net start certsvc
REM
REM Create Web virtual roots and file shares
REM
certutil.exe -vroot
REM
REM Republish the CRL
REM
certutil -CRL
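To review what a CRLPublicationURLs value such as the one above will actually do before it is applied, here is an added Python helper (not part of this page's scripts) that decodes the numeric flag prefix of each entry into the CSURL_* names from certsrv.h and expands certutil's %N replacement tokens. The CA name, server name and directory DNs in the token table are constructed sample values.

```python
import re

# Added example: decode a CRLPublicationURLs / CACertPublicationURLs value
# into its flag names and expand certutil's %N replacement tokens.
CSURL_FLAGS = {0x01: "CSURL_SERVERPUBLISH", 0x02: "CSURL_ADDTOCERTCDP",
               0x04: "CSURL_ADDTOFRESHESTCRL", 0x08: "CSURL_ADDTOCRLCDP",
               0x10: "CSURL_PUBLISHRETRY", 0x20: "CSURL_ADDTOCERTOCSP",
               0x40: "CSURL_SERVERPUBLISHDELTA", 0x80: "CSURL_ADDTOIDP"}

# Constructed sample values for the %N tokens certutil substitutes.
TOKENS = {"1": "ca1.contoso.com",                  # ServerDNSName
          "2": "CA1",                              # ServerShortName
          "3": "ContosoSubCA",                     # CaName
          "4": "", "5": "DC=contoso,DC=com",       # CertificateName, DomainDN
          "6": "CN=Configuration,DC=contoso,DC=com",  # ConfigDN
          "7": "ContosoSubCA",                     # CATruncatedName
          "8": "", "9": "",                        # CRLNameSuffix, DeltaCRLAllowed
          "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
          "11": "?cACertificate?base?objectClass=certificationAuthority"}

# CRLPublicationURLs value from the Windows Server 2003 script above, as
# it reaches certutil (cmd has expanded %WINDIR% and collapsed %% to %).
PAGE_CRL_URLS = (r"65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl"
                 r"\n6:https://www.contoso.com/pki/%3%8%9.crl"
                 r"\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,"
                 r"CN=Services,%6%10")

def parse_publication_urls(value):
    """Split '<flags>:<url>\\n<flags>:<url>' into (flag names, expanded URL)."""
    entries = []
    for item in value.split(r"\n"):          # literal \n separates entries
        flags, url = item.split(":", 1)
        names = [n for bit, n in CSURL_FLAGS.items() if int(flags) & bit]
        url = re.sub(r"%(10|11|[1-9])", lambda m: TOKENS[m.group(1)], url)
        entries.append((names, url))
    return entries

def check_crl_urls(entries):
    """Review findings: certificates need a reachable (HTTP) CDP, and the CA
    can only publish to file/LDAP locations, never to an HTTP URL."""
    findings = []
    cert_cdps = [u for n, u in entries if "CSURL_ADDTOCERTCDP" in n]
    if not any(u.startswith(("http://", "https://")) for u in cert_cdps):
        findings.append("no HTTP CDP is written into issued certificates")
    for names, url in entries:
        if "CSURL_SERVERPUBLISH" in names and url.startswith(("http://", "https://")):
            findings.append("CSURL_SERVERPUBLISH set on an HTTP URL: " + url)
    return findings
```

The same decoder applies to CACertPublicationURLs, whose entries use the same flag values (1 = publish from the CA, 2 = add to the AIA extension of issued certificates).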

The following script applies the same configuration as the previous script, but it configures a Windows 2000 CA. Remember that the delta CRL configuration parameter is not supported in a Windows 2000 CA environment. To use the certutil -URL and certutil -vroot commands, you must run the version of the Certutil.exe utility that is included with the Windows Server 2003 operating system on the computer serving as the Windows 2000 CA.

REM
REM CA configuration script for a Windows 2000 CA
REM
REM This variable directs to the HTTP publication location that is used for
REM the CRL and AIA publication
REM
SET myhttpPKIvroot=https://www.contoso.com/pki
REM
REM Configure CRL and AIA CDP
REM
certutil -setreg policy\FileRevocationCRLURL "\n"
certutil -setreg policy\RevocationCRLURL "%myhttpPKIvroot%/%%3%%8.crl\n"
certutil -setreg policy\LDAPRevocationCRLURL "ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6?certificateRevocationList?base?objectclass=cRLDistributionPoint\n"
certutil -setreg policy\FileIssuercertURL "%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n"
certutil -setreg policy\IssuercertURL "%myhttpPKIvroot%/%%1_%%3%%4.crt"
certutil -setreg policy\LDAPIssuercertURL "ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6?cACertificate?base?objectclass=certificationAuthority"
REM
REM Configure CRL publication
REM
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Days"
REM
REM Disable delta CRL publication
REM
certutil -setreg CA\CRLDeltaPeriodUnits 0
REM
REM Disable issuer name and issuer serial number
REM
certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERNAME
certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERSERIAL
REM
REM Restart the CA server service
REM
net stop certsvc & net start certsvc
REM
REM Create Web virtual roots and file shares
REM
certutil.exe -vroot
REM
REM Republish the CRL
REM
certutil -CRL