Sample Script to Configure CorporateRootCA
Updated: February 14, 2012
Applies To: Windows Server 2003 with SP1
The script in this section applies the most important configuration changes to a Windows Server 2003 CA for the CorporateRootCA computer.
Important
Because percent (%) variables are handled differently in batch files and at a command prompt, you must use two percent signs (%%) if you run this sample script from a batch file, as shown below. If certutil is called from a command prompt and not from a batch file, use only one percent sign (%), not two percent signs (%%).
REM
REM CA configuration script for a Windows Server 2003 CA
REM
REM The naming context applies to the individual organization's Active Directory
REM configuration
REM
SET myADnamingcontext=DC=concorp,DC=contoso,DC=com
REM
REM This variable directs to the HTTP publication location that is used for
REM the CRL and AIA publication
REM
SET myhttpPKIvroot=http://www.contoso.com/pki
REM
certutil.exe -setreg ca\DSConfigDN "CN=Configuration,%myADnamingcontext%"
REM
REM Configure CRL and AIA CDP
REM
REM By default, Certutil creates a registry value of type REG_SZ if a string is
REM specified as a parameter. Some registry values are expected as REG_MULTI_SZ. To
REM create a REG_MULTI_SZ instead of a REG_SZ, add a \n to the end of any value that
REM becomes part of the REG_MULTI_SZ
REM
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:%myhttpPKIvroot%/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%myhttpPKIvroot%/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
REM
REM Configure CRL publication
REM
certutil -setreg CA\CRLPeriodUnits 180
certutil -setreg CA\CRLPeriod "Days"
REM
REM Disable Delta CRL publication
REM
certutil -setreg CA\CRLDeltaPeriodUnits 0
REM
REM Set the validity period for issued certificates
REM
certutil -setreg ca\ValidityPeriodUnits 10
certutil -setreg ca\ValidityPeriod "Years"
REM
REM Restart the CA server service
REM
net stop certsvc & net start certsvc
REM
REM Repair CA file system shares and IIS virtual roots
REM
certutil -vroot
REM
REM Republish the CRL
REM CRL publishing may not work immediately
REM after you restart the CA server service. If this behavior
REM occurs, try the certutil -CRL command at a command
REM prompt again.
REM
certutil -CRL
REM
REM Test if CAPolicy.inf file exists
REM
IF EXIST %SYSTEMROOT%\capolicy.inf GOTO ENDCFG
ECHO Warning, no capolicy.inf file used
:ENDCFG
The following script applies the same configuration as the previous script, but it configures a Windows 2000 CA. Remember that the delta CRL configuration parameter is not supported in a Windows 2000 CA environment. To run the certutil -URL and certutil -vroot commands, you must run the version of certutil that is included with Windows Server 2003 on the Windows 2000 CA computer.
REM
REM CA configuration script for a Windows 2000 CA
REM
REM This variable directs to the HTTP publication location that is used for
REM the CRL and AIA publication
REM
SET myhttpPKIvroot=http://www.contoso.com/pki
REM
REM Because CRLs and CA certificates are published in the organization's Active
REM
REM Configure CRL and AIA CDP
REM
REM Each value is quoted on its own line so that the spaces in the LDAP paths
REM survive as a single parameter; a trailing \n marks the value as REG_MULTI_SZ.
REM
certutil -setreg policy\FileRevocationCRLURL "\n"
certutil -setreg policy\RevocationCRLURL "%myhttpPKIvroot%/%%3%%8.crl\n"
certutil -setreg policy\LDAPRevocationCRLURL "ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6?certificateRevocationList?base?objectclass=cRLDistributionPoint\n"
certutil -setreg policy\FileIssuercertURL "\n"
certutil -setreg policy\IssuercertURL "%myhttpPKIvroot%/%%1_%%3%%4.crt"
certutil -setreg policy\LDAPIssuercertURL "ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6?cACertificate?base?objectclass=certificationAuthority"
REM
REM Configure CRL publication
REM
certutil -setreg CA\CRLPeriodUnits 180
certutil -setreg CA\CRLPeriod "Days"
REM
REM Set the validity period for issued certificates
REM
certutil -setreg ca\ValidityPeriodUnits 10
certutil -setreg ca\ValidityPeriod "Years"
REM
REM Disable issuer name and issuer serial number
REM
certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERNAME
certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERSERIAL
REM
REM Restart the CA server service
REM
net stop certsvc & net start certsvc
REM
REM Repair CA file-system shares and IIS virtual roots
REM
certutil -vroot
REM
REM Publish the CRL with the updated CDP and naming information.
REM It might happen that CRL publishing fails immediately
REM after the CA server service has been restarted. If this
REM is the case, try certutil -CRL at a command prompt again.
REM
certutil -CRL
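Both scripts above set CDP and AIA locations as "flags:url" entries whose %n tokens certutil expands at publication time, and a wrong flag or a client-facing entry that points at a local path is easy to miss in a one-line registry value. The following checker, added here as an example and not part of the original page or of certutil, splits such a value into entries, names the flag bits, expands the %1..%11 tokens with constructed sample values for CorporateRootCA, and flags two common mistakes: no location carries the publish bit, and a CDP/AIA extension that points clients at a non-http/ldap location. The flag-bit names follow the documented CSURL_* constants for CRLPublicationURLs and CACertPublicationURLs; the sample token values, the expanded %WINDIR% path and the misconfigured BAD_URLS value are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Flag bits of the "flags:url" prefix used by CRLPublicationURLs and
# CACertPublicationURLs (documented CSURL_* constants). For
# CACertPublicationURLs the ADDTOCERTCDP bit means "include in the AIA
# extension of issued certificates".
CSURL_FLAGS = {
    0x01: "SERVERPUBLISH",       # the CA writes the CRL / CA certificate here
    0x02: "ADDTOCERTCDP",        # include in CDP (or AIA) extension of issued certs
    0x04: "ADDTOFRESHESTCRL",    # include in CRLs so clients can find delta CRLs
    0x08: "ADDTOCRLCDP",         # include in all CRLs (AD manual publication location)
    0x10: "PUBLISHRETRY",
    0x20: "ADDTOCERTOCSP",       # include as OCSP URL in the AIA of issued certs
    0x40: "SERVERPUBLISHDELTA",  # the CA writes delta CRLs here
    0x80: "ADDTOIDP",            # include in the IDP extension of issued CRLs
}

# Replacement tokens certutil accepts in these URLs. The values are constructed
# sample values for a CA named CorporateRootCA, not values from the page.
SAMPLE_TOKENS: Dict[str, str] = {
    "1": "corpca01.concorp.contoso.com",   # ServerDNSName (constructed)
    "2": "corpca01",                       # ServerShortName (constructed)
    "3": "CorporateRootCA",                # CaName
    "4": "",                               # CertFileNameSuffix, empty for the first key
    "6": "CN=Configuration,DC=concorp,DC=contoso,DC=com",  # ConfigurationContainer
    "7": "CorporateRootCA",                # CATruncatedName
    "8": "",                               # CRLNameSuffix, empty for the base CRL
    "9": "",                               # DeltaCRLAllowed, "+" only for delta CRLs
    "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "11": "?cACertificate?base?objectClass=certificationAuthority",
}

# %10 and %11 must win over %1 followed by a digit, so try two-digit tokens first.
_TOKEN_RE = re.compile(r"%(1[01]|[1-9])")


def parse_publication_urls(value: str) -> List[Tuple[int, str]]:
    """Split a 'flags:url\\nflags:url' value (literal backslash-n separators, as
    passed to certutil -setreg) into (flags, url-template) pairs."""
    entries = []
    for item in value.split("\\n"):
        if not item:
            continue  # a trailing \n only marks the value as REG_MULTI_SZ
        flags, sep, url = item.partition(":")
        if not sep or not flags.isdigit():
            raise ValueError(f"entry without numeric flags prefix: {item!r}")
        entries.append((int(flags), url))
    return entries


def decode_flags(flags: int) -> List[str]:
    """Name the CSURL_* bits set in a flags prefix."""
    names = [name for bit, name in sorted(CSURL_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(CSURL_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def expand_template(template: str, tokens: Dict[str, str] = SAMPLE_TOKENS) -> str:
    """Expand %n tokens the way certutil does at publication time."""
    return _TOKEN_RE.sub(lambda m: tokens.get(m.group(1), m.group(0)), template)


def audit_publication_urls(value: str, tokens: Dict[str, str] = SAMPLE_TOKENS) -> List[str]:
    """Return warnings for a value that publishes nowhere and for CDP/AIA/OCSP
    entries (bits 0x02, 0x20) that would send clients to a non-http/ldap location."""
    entries = parse_publication_urls(value)
    warnings = []
    if not any(flags & 0x01 for flags, _ in entries):
        warnings.append("no SERVERPUBLISH location: the CA writes the CRL/certificate nowhere")
    for flags, template in entries:
        url = expand_template(template, tokens)
        if flags & (0x02 | 0x20) and not url.lower().startswith(("http://", "ldap:///")):
            warnings.append(f"client-facing extension points at a non-http/ldap location: {url}")
    return warnings


# The CRLPublicationURLs value from the Windows Server 2003 script, as certutil
# receives it after cmd has expanded %WINDIR% (constructed: C:\WINDOWS) and
# collapsed %% to %.
CRL_URLS = (r"1:C:\WINDOWS\system32\CertSrv\CertEnroll\%3%8%9.crl"
            r"\n2:http://www.contoso.com/pki/%3%8%9.crl"
            r"\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10")

# Constructed misconfiguration: the only entry is a UNC path that is placed in
# issued certificates but never published to.
BAD_URLS = r"2:\\corpca01\CertEnroll\%3%8%9.crl"

if __name__ == "__main__":
    for flags, template in parse_publication_urls(CRL_URLS):
        print(f"{flags:3d} {decode_flags(flags)} -> {expand_template(template)}")
    print("warnings for CRL_URLS:", audit_publication_urls(CRL_URLS))
    print("warnings for BAD_URLS:", audit_publication_urls(BAD_URLS))
```

Run it against the value you are about to write, or against the output of certutil -getreg CA\CRLPublicationURLs on an existing CA, and compare the expanded ldap:/// path with the DSConfigDN the script sets; the two must agree or the CDP in issued certificates will point at a container the CA never writes to.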

Important