
HRA Certification Authority Commands

Updated: March 29, 2012

Applies To: Windows Server 2008, Windows Server 2012, Windows Server 2012 R2

This section contains the following commands.

HRA certification authority (CA) commands are used to assign one or more CAs that Health Regulation Authority (HRA) can use to obtain Network Access Protection (NAP) health certificates. You can also use these commands to configure the validity period of health certificates, and specify certain properties of the CA server. The following entries provide details for each command.

Adds a CA server to the HRA configuration.

add caserver [ [ name = ] name [ processingorder = ] processingorder ]

name
Required. Specifies the name of the CA server and certificate. The required format is "\\computername\CAname".

processingorder
Optional. Specifies the priority of the CA server in the list of CA servers.

In the following example, a CA server is added to the HRA configuration. This CA server has the name server1 with a certificate name of CA, and is assigned the highest processing order.

add caserver name= "\\server1\CA" processingorder = "1"

Deletes an existing CA server.

delete caserver [ name= ] name

name
Required. Specifies the name of the CA server and the certificate. The required format is "\\computername\CAname".

In the following example of command usage, a CA server with the name server1 and certificate name of CA is removed from the HRA configuration.

delete caserver name = "\\server1\CA"

Changes the name of a CA server.

rename caserver [ [ name = ] name [ newname = ] newname ]

name
Required. Specifies the current name of the CA server and the certificate. The required format is "\\oldcomputername\CAname".

newname
Required. Specifies the new name of the CA server and the certificate. The required format is "\\newcomputername\CAname".

In the following example of command usage, a CA server with the name server1 is renamed to server2.

rename caserver name = "\\server1\CA" newname = "\\server2\CA"

Deletes all CA servers that are configured in HRA and resets the HRA configuration to default values.

Caution
Do not run this command if you want to maintain any of the CA server settings you have configured at the HRA server. This command deletes all CA server settings that you have configured, and after running this command, your settings cannot be recovered. Before you run this command, it is recommended that you use the export command to save the HRA server configuration to an XML file.

reset caserver

Changes the processing order of an existing CA server. This command cannot be used to change the name of a CA server.

Note
If you set the processing order to a number higher than the number of configured CA servers, the CA server will be assigned a processing order equal to the number of CA servers.

set caserver [ [ name = ] name [ processingorder = ] processingorder ]

name
Required. Specifies the name of the CA server and certificate. The required format is "\\computername\CAname".

processingorder
Required. Specifies the priority of the CA server in the list of CA servers.

In the following example of command usage, a CA server with the name server1 and a processing order of 2 is changed to a processing order of 1.

set caserver name = "\\server1\CA" processingorder = "1"

Resets the CA server operational mode to the default value of standalone only.

reset opmode

Sets the CA server operational mode. Two modes are available: 1) standalone and 2) enterprise and standalone. A value of zero is default and configures the CA server to operate in standalone mode only. A value of one configures the CA server to operate in an enterprise and standalone mode. In this mode, the CA server can request health certificates from either enterprise or standalone CA servers.

Important
You must configure certificate templates prior to assigning the CA server to operate in a mode that includes enterprise CA servers.

set opmode [ [ mode = ] 0 | 1 ]

0
Required. Specifies the operational mode of the CA server as standalone only. This is the default setting.

1
Required. Specifies the operational mode of the CA server as enterprise and standalone. This setting allows HRA to obtain health certificates from CA servers operating in either an enterprise or standalone mode.

In the following example of command usage, the CA server operational mode is set to enterprise and standalone.

set opmode mode = 1

Deletes the anonymous and authenticated CA server template configurations from HRA.

reset templates

Configures certificate templates for use with an enterprise CA server. Certificate templates are required prior to configuring the CA server to operate in enterprise mode. Anonymous and authenticated certificate template names must both be configured at the same time.

Important
Certificate templates with certificate simple names identical to those specified in the set templates command must be available prior to configuring CA server templates. Certificate template names are case-sensitive.

set templates [ [ anontemplate = ] anontemplate [ authtemplate = ] authtemplate ]

anontemplate
Required. Specifies the simple name of the health certificate template to use when requesting certificates that do not require client authentication. This template can be used to perform client health authentication in a workgroup environment. Certificate template names are case-sensitive.

authtemplate
Required. Specifies the simple name of the health certificate template to use when requesting certificates that require both client authentication and system health authentication. This template can be used to perform client health authentication in a domain environment. Certificate template names are case-sensitive.

Note
Type certutil -template at the command line to display a list of available templates.

In the following example of command usage, the CA server is configured to use a template simple name for anonymous certificate requests of AnonymousNAPCompliant and a template simple name for authenticated certificate requests of DomainNAPCompliant.

set templates anontemplate = AnonymousNAPCompliant authtemplate = DomainNAPCompliant

Resets the CA server timeout to default values. The default blackout time is five minutes, and the default no response time is 20 seconds.

reset timeout

Configures how long HRA will wait when no response is received from the CA server before sending another request. Two values are configurable, and these can be configured independently of each other. The blackout time specifies the time in minutes that the CA server remains identified as unavailable after no response has been received within the noresponse time. The no response time specifies the time in seconds to wait for the CA server to respond before identifying it as unavailable and starting the blackout timer.

set timeout [ [ blackout = ] blackout [ noresponse = ] noresponse ]

blackout
Optional. Specifies the time in minutes that the CA server remains identified as unavailable after no response has been received within the noresponse time.

noresponse
Optional. Specifies the time in seconds to wait for the CA server to respond before identifying it as unavailable and starting the blackout timer.

Following is an example of the command usage. In this example, the CA server is configured to use a blackout time of 10 minutes and a no response time of 60 seconds.

set timeout blackout = "10" noresponse = "60"

Resets the CA server policyOID setting to the default value. By default, the use of policyOIDs by the CA server is disabled.

reset usepolicyoids

Changes the CA server policyOID setting to enable or disable. The default setting is disable.

Important
To enable policyOIDs, the CA server operational mode must be set to standalone only.

set usepolicyoids [ state = ] enable | disable

enable
Required. Enables use of policy object identifiers with the CA server in standalone mode.

disable
Required. Disables use of policy object identifiers with the CA server in standalone mode. This is the default setting.

In the following example of the command usage, the CA server is configured to enable the use of policyOIDs.

set usepolicyoids state = "enable"

Resets the health certificate validity period to the default value. The default health certificate validity period is four hours.

reset validityperiod

Configures the validity period in minutes of health certificates issued by the CA server. The default value is 240 minutes, and the minimum value allowed is five minutes. The validity period influences load on the CA server by affecting how often it issues new health certificates.

set validityperiod [ duration = ] duration

duration
Required. The time in minutes that health certificates issued by the CA server are considered valid. Client computers must obtain a new health certificate prior to expiration of the validity period or they will be considered noncompliant with health requirements.

In the following example of command usage, the health certificate validity period is set to 24 hours.

set validityperiod duration = 1440
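
The following PowerShell pre-flight check is an added example, not part of the Microsoft reference. It tests a planned HRA CA configuration against the constraints stated above (CA name format, the template and operational-mode dependency, the policyOID restriction, the five-minute validity minimum) and lists the commands with templates configured before the operational mode. The function name Test-HraCaPlan, the plan's key names and the sample plan are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. Test-HraCaPlan and the plan's key names are
# hypothetical; the sample plan at the bottom is constructed. Needs PowerShell 3.0+.
function Test-HraCaPlan {
    param([Parameter(Mandatory)][hashtable]$Plan)
    $problems = @(); $commands = @()
    $servers  = @($Plan.CaServers)
    # Fall back to the documented defaults: mode 0 (standalone only), 240 minutes
    $mode     = if ($null -eq $Plan.OpMode) { 0 } else { [int]$Plan.OpMode }
    $validity = if ($null -eq $Plan.ValidityMinutes) { 240 } else { [int]$Plan.ValidityMinutes }
    foreach ($ca in $servers) {
        # Required name format: "\\computername\CAname"
        if ($ca.Name -notmatch '^\\\\[^\\]+\\[^\\]+$') {
            $problems += "CA name '$($ca.Name)' is not in \\computername\CAname format"
        }
        # Per the set caserver note, an order above the number of CA servers is lowered to it
        if ($ca.Order -gt $servers.Count) {
            $problems += "Order $($ca.Order) for '$($ca.Name)' exceeds the $($servers.Count) planned CA servers"
        }
        $commands += 'add caserver name = "{0}" processingorder = "{1}"' -f $ca.Name, $ca.Order
    }
    $hasAnon = [bool]$Plan.AnonTemplate
    $hasAuth = [bool]$Plan.AuthTemplate
    # Anonymous and authenticated template names must be configured at the same time
    if ($hasAnon -ne $hasAuth) { $problems += 'anontemplate and authtemplate must be set together' }
    # Templates must be configured before a mode that includes enterprise CAs (mode 1)
    if ($mode -eq 1 -and -not ($hasAnon -and $hasAuth)) {
        $problems += 'opmode 1 requires certificate templates to be configured first'
    }
    # policyOIDs can be enabled only when the mode is standalone only (mode 0)
    if ($Plan.UsePolicyOids -and $mode -ne 0) {
        $problems += 'usepolicyoids = enable requires opmode 0 (standalone only)'
    }
    # The minimum health certificate validity period is five minutes
    if ($validity -lt 5) { $problems += "Validity period $validity is below the 5 minute minimum" }
    # Emit set templates before set opmode so that enterprise mode never precedes its templates
    if ($hasAnon -and $hasAuth) {
        $commands += 'set templates anontemplate = {0} authtemplate = {1}' -f $Plan.AnonTemplate, $Plan.AuthTemplate
    }
    $commands += "set opmode mode = $mode"
    $state     = if ($Plan.UsePolicyOids) { 'enable' } else { 'disable' }
    $commands += 'set usepolicyoids state = "{0}"' -f $state
    $commands += "set validityperiod duration = $validity"
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems; Commands = $commands }
}
# Constructed plan with two deliberate faults: a malformed CA name, and policyOIDs with mode 1
$plan = @{
    CaServers     = @(@{ Name = '\\server1\CA'; Order = 1 }, @{ Name = 'server2\CA'; Order = 2 })
    AnonTemplate  = 'AnonymousNAPCompliant'; AuthTemplate = 'DomainNAPCompliant'
    OpMode        = 1; UsePolicyOids = $true; ValidityMinutes = 1440
}
$result = Test-HraCaPlan -Plan $plan
$result.Problems                          # lists the two faults in the sample plan
if ($result.Valid) { $result.Commands }   # commands are shown only for a clean plan
```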
