AH
Uploaded byAmmar Hasayen
DOCX, PDF959 views

Install offline Root CA Server 2003

The document provides a detailed guide for installing and configuring an offline standalone root certification authority (CA) server, specifically for Microsoft Windows Server 2003. It includes step-by-step procedures covering the installation of certificate services, configuration of essential settings such as the capolicy.inf file, post-installation tasks, and the management of certificate revocation lists (CRLs). The document emphasizes security measures and specific requirements for a CA that is not connected to a network.

Embed presentation

Downloaded 10 times
2008 Ammar Hasayen Ammarhasayen@outlook.com http://ammarhasayen.com Twitter:@ammarhasayen [INSTALLING ROOT CERTIFICATION AUTHORITY] Thisdocumentprovides Step-by-stepprocedurestoinstall andconfigure anofflinestandalone Root Certificate Authorityserver.
Installing Root Certification Authority 2 Table of Contents 1 Introduction ...............................................................................................................3 2 Installation..................................................................................................................4 2.1 CAPolicy.inf File .....................................................................................................4 2.2 Installing Certificate Services...................................................................................6 3 Post Installation Tasks .........................................................................................10 3.1 To verify Installation: .............................................................................................10 3.2 Map the Namespace of Active Directory to an Offline CA's Registry Configuration ....10 3.3 Configure Distribution Points for CRL and AIA by using GUI. ...................................11 3.4 Republish new CRLs ............................................................................................15 3.5 Set the Validity Period for Issued Certificates at the Offline Root CA ........................15 3.6 Object Access Auditing .........................................................................................16 3.7 Export Root Certificates and CRL to a floppy ..........................................................17 3.8 All in one post installation batch file........................................................................18 3.9 Publishing CA certificates and CRL in Active Directory ............................................20
Installing Root Certification Authority 3 1 Introduction The CONTOSO stand-alone root CA (named ContosoRootCA), is never connected to a network and remains offline and physically secured. It is installed on Microsoft Virtual Machine 2005 R2 SP1. The root CA issues and revokes certificates for Issuing/Policy CAs in the hierarchy. Offline Root Keys are generated by Microsoft Software CSP. The CA certificate and the CRL are regularly and manually published and made available through an HTTP and an LDAP distribution point. Settings for Offline Root CA:  Computer name (should be unique in the network) : ContosoRootCA  Windows 2003 server with SP2  Local Password : d?spene_$uT2$Ra5  Windows Server 2003 Resource Kit Tools installed.  Common Name for this CA: CONTOSO Corporate Root CA  Distinguished name suffix : DC=CONTOSO,DC=com  IP : 192.168.80.80 mask 255.255.255.0  H.D: 20 GB all allocated for the “C” partition.
Installing Root Certification Authority 4 2 Installation 2.1 CAPolicy.inf File The CAPolicy.inf file provides Certificate Services configuration information, which is read during initial CA installation and whenever the CA certificate is renewed. The CAPolicy.inf file defines settings specific to root CAs, as well as settings that affect all CAs in the CA hierarchy. By default, the CAPolicy.inf file does not exist when l Microsoft Windows Server 2003 is installed. It should be manually created in the Windows operating system folder (%windir% folder). When Certificate Services are installed, the operating system applies any settings defined in the CAPolicy.inf file. This CAPolicy.inf file for Root CA makes the following assumptions:  The root CA will renew its key with one with length of 4,096 bits.  Hash algorithm: SHA-1  The validity period of the root CA certificate is 20 years.  Base CRLs are published every 50 weeks.  Delta CRLs are disabled.  The root CA does not contain a CDP or an AIA extension to prevent revocation checking of the root CA certificate.  Cryptographic service provider (CSP): Microsoft Strong Cryptographic Service Provider.  Database and log settings: Database files on C:CA_DB .Log files on C:CA_LOG  Empty CDP and AIA locations in the CAPolicy File. Based on these assumptions, the following CAPolicy.inf file can be installed in the %windir% of the ROOTCA computer:
Installing Root Certification Authority 5 [Version] Signature="$Windows NT$" [certsrv_server] renewalkeylength=4096 RenewalValidityPeriodUnits=20 RenewalValidityPeriod=years CRLPeriod=weeks CRLPeriodUnits=50 CRLDeltaPeriodUnits=0 CRLDeltaPeriod=days [CRLDistributionPoint] Empty=True [AuthorityInformationAccess] Empty=True Notes:  The [Version] section defines that the .inf file uses the Windows NT format. This section must exist for both root and subordinate CA installations.  CRLDeltaPeriodUnits=0 means that Delta CRLs are disabled which is a recommendation in an offline root CA.  [CRLDistributionPoint] and [AuthorityInformationAccess] are assigned value empty as a best practice for the root CA certificate. Later after installation, those values should be redefined to locate the correct location for CDP and AIA for the Issuing/online CA Certificates. o renewalkeylength=4096 specifies the key length for the CA Root certificate when its key are renewed. In the other hand, the current key length is specified in the installation wizard.
Installing Root Certification Authority 6 2.2 Installing Certificate Services Once the CAPolicy.inf file is installed, Certificate Services on the root CA computer can be installed. The installation must be performed by a member of the local Administrators account on the CA computer, and the computer must not be a member of a domain. This will allow the computer to be removed from the network for long periods of time. Note: IIS is not required for the installation of an offline root CA. The only certificate requests submitted to the root CA are for subordinate CA certificates, and these can be submitted by using the Certification Authority console. You can use the following procedure to install the root CA: 1. Ensure that the date and time on the root CA computer is correct. This is to ensure the correct time for publishing and stamping CLRs. (run this command from the root CA : net time jdcdc01.contoso.com /set) 2. From the Start menu, click Control Panel and click Add or Remove Programs. 3. In the Add or Remove Programs window, click Add/Remove Windows Components. 4. In the Windows Components Wizard, in the Windows Components list, click the Certificate Services check box. 5. In the Microsoft Certificate Services dialog box, click Yes. 6. On the Windows Components page, click Next. 7. On the CA Type page, click Standalone Root CA, enable the Use Custom Settings to Generate the Key Pair and CA Certificate check box, and click Next.
Installing Root Certification Authority 7 8. On the Public and Private Key Pair page, set the following options:  CSP: Microsoft Strong Cryptographic Service Provider  Allow the CSP to interact with the desktop: Disabled  Hash algorithm: SHA-1  Key length: 4,096
Installing Root Certification Authority 8 9. On the CA Identifying Information page, enter the following information:  Common Name for this CA: CONTOSO Corporate Root CA  (Optional) In Distinguished name suffix : DC=CONTOSO,DC=com  Validity Period: 20 Years <Validity time can only be set for a root CA> Note: If you type a name in the (Distinguished name suffix), confirm that you have typed it correctly so that it works in the context of the Active Directory domain name. If you install a CA on a computer that is a domain member with Enterprise Administrator privileges, the distinguished name suffix is automatically configured. You can also set the distinguished name suffix at a later time by using the Certutil.exe command.
Installing Root Certification Authority 9 10. On the Certificate Database Settings page, provide the following settings and click Next:  Certificate database: C:CA_DB  Certificate database log: C:CA_Log  CA configuration: C:CA_Config 11. If prompted, insert the Windows Server 2003, Standard Edition, and CD in the CDROM drive and choose the i386 folder. 15. In the Microsoft Certificate Services dialog box, click OK to identify that IIS is not installed. 16. On the Completing the Windows Components Wizard page, click Finish. 17. Close the Add or Remove Programs dialog box.
Installing Root Certification Authority 10 3 Post Installation Tasks After the stand-alone offline root CA is installed, you must configure the properties of the offline root CA for certificates that are subsequently issued from the CA. These extensions are necessary to ensure correct revocation and chain building. Note that any settings configured to the CA can be found in the following registry path: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvcConfiguration 3.1 To verify Installation:  At a command prompt, type certutil –cainfo and verify the CA type. The result will be similar to the following: CA type: 3 -- Stand-alone Root CA ENUM_STANDALONE_ROOTCA -- 3  At a command prompt, type certutil –getreg to verify the database settings 3.2 Map the Namespace of Active Directory to an Offline CA's Registry Configuration Because the offline root CA is not connected to the domain and does not automatically publish the CRL to Active Directory, you must set a key in the registry. To do this, at a command prompt, type the following command and then stop and start the CA service: certutil.exe –setreg caDSConfigDN CN=Configuration,DC=contoso,DC=com Where DC=concorp,DC=contoso,DC=com is the namespace of the forest root domain. This setting is primarily required for CRLs and CA certificates (AIA) that are published in Active Directory. This registry value sets the %6 replacement token that is required for the CRL location attribute.
Installing Root Certification Authority 11 3.3 Configure Distribution Points for CRL and AIA by using GUI. The CRL and AIA distribution points must be set before any certificates are issued from the new CA. This configuration step ensures that the correct information is embedded in each of the issued certificates so that the certificate's signature and revocation status can be verified. CRL distribution point and AIA extension changes take effect only after the CA is restarted. We must configure the CRL and AIA distribution point for certificates issued by this CA. To configure these extensions in a Windows Server 2003 CA, perform the following steps: 1. Log on to the computer running certificate services with an account that has Certification Authority Management permissions. 2. Click Start, point to All Programs, point to Administrative Tools, and then click Certification Authority 3. In the console tree, right-click the name of the CA that you want to work with, and then click Properties. Click the Extensions tab 4. To configure the Distribution Points for the CRL :  First, remove all of the CRL distribution point locations, except for the local CRL distribution point. Warning: Do not remove the local CRL distribution point location. The local distribution point will look similar to the following path: C:WindowsSystem32CertSrvCertEnrollCorporateRootCA.crl The CA must publish the CRL to the file system because all of the other distribution points are not accessible for this offline CA. The CA uses the local CRL to validate all certificates that are generated before the certificates are issued to users. The local path is not included in the CRL distribution point extension of issued certificates.  On the Extensions tab, in Select extension, select CRL Distribution Point (CDP).  In Specify location from which users can obtain a certificate revocation list (CRL), click the default LDAP location, click Remove, and then click Yes.  Repeat this for all CRL distribution point locations except for the local CRL distribution point  After you remove all of the appropriate locations, the remaining list of CRL distribution points will be similar to the following figure. Note: Don’t ever add CDP locations from the GUI interface and always use the CA variable instead of typing the explicit name of the server or certificate name. This is the best recommendation from Microsoft PKI Team.
Installing Root Certification Authority 12  Create a folder on the www.contoso.com named (CA)  Add the folder to the IIS by creating a virtual directory. Give only read access to Everyone and clear all other checkboxes. Make sure that the file names that are published with HTTP exactly match the CA certificate and CRL distribution point as defined as part of the CA configuration. If the file names do not match, clients will fail to retrieve the CRL with the URL that was specified as the CRL distribution point.  On the offline root, copy the contents of the %Systemroot%System32CertsrvCertEnroll folder to a floppy disk.  Take the floppy disk to the online server and move the contents into the folder previously created.
Installing Root Certification Authority 13  Record the URL for the virtual directory (http://www.contoso.com/CA/Contoso Root CA.crl)  Run the below script: certutil -setreg CACRLPublicationURLs "1:%WINDIR%system32CertSrvCertEnroll%%3%%8%%9.crln14:LDAP:///CN=%%7%%8,CN= %%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"n2:http://www.contoso.com/ca/%%3%%8%%9.crl  Make sure to configure the properties for each URL as shown in the table below: CRL distribution point property File HTTP LDAP Publish CRLs to this location check box Select N/A Clear Include in all CRLs check box N/A N/A Select Include in CRLs check box N/A Select* Select Include in the CDP extension of issued certificates check box N/A Select Select Publish delta CRLs to this location check box Clear N/A Clear Note: In Publish CRLs to this location, since the CorporateRootCA computer is not attached to the network, the CA cannot automatically publish the CRL to the LDAP CRL distribution point. By default, this option is chosen on an enterprise CA to automate the CRL publishing to the LDAP CRL distribution point. In Publish CRLs to this location, a UNC file path can be specified to publish to clustered Web servers using IIS for CRL fault tolerance. If the Publish Delta CRLs to this location check box is selected, make sure that the delta CRL is also published
Installing Root Certification Authority 14  In the Extensions tab ,In the select Extension ,Choose (Authority Information Access (AIA)  Remove Any existing places, and run the below script certutil -setreg CACACertPublicationURLs "1:%WINDIR%system32CertSrvCertEnroll%%1_%%3%%4.crtn2:LDAP:///CN =%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11n2:http://www .contoso.com/ca/%%1_%%3%%4.crt" Access protocol AIA Distribution Point [local] D:WINDOWSsystem32CertSrvCertEnroll%1_%3%4.crt HTTP http://www.contoso.com/pki/%1_%3%4.crt LDAP ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11  Make sure to configure the properties for each URL as shown in the table below: AIA property FILE HTTP LDAP Include in the AIA extension of issued certificates check box N/A Select Select Include in the online certificate status protocol (OCSP) extension check box N/A Clear Clear
Installing Root Certification Authority 15 3.4 Republish new CRLs It is important to republish the CRL because adapted configuration parameters such as DSConfigDN are included as attributes in the CRL. Also, CRL properties affect the publication of the CRL.  Log onto the CA server with CA Manager permissions  Open the Certification Authority MMC. To do this, click Start, point to All Programs, point to Administrative Tools, and then click Certification Authority  Right-click Revoked Certificates, point to All Tasks, and then click Publish.  A new base CRL is published. A delta CRL is published only if you have also set the CRL delta publication schedule.  When you are prompted to confirm the type of CRL that should be published with this request, click New CRL  Because only base CRLs are published by the offline root CA, only the New CRL option is available.  To publish the CRL, at a command prompt, type certutil -CRL, and then press ENTER. When you do this, the CRL is published to the location that you configured. 3.5 Set the Validity Period for Issued Certificates at the Offline Root CA Note that during the installation, we specified the validity period for the CA certificate (20 years).This is because there is no parent CA from which the validity period can be specified. Because this CA will issue future certificate ,there must be a way to specify the validity period for issues certificates.To fo this ,apply the following Batch file on the root CA. certutil -setreg caValidityPeriodUnits 10 certutil -setreg caValidityPeriod "Years" net stop certsvc & net start certsvc
Installing Root Certification Authority 16 3.6 Object Access Auditing The post-installation script enables all auditing events for Certificate Services. These events depend on enabling success and failure auditing for Object Access. Because the offline policy CA is not a member of a domain, auditing must be enabled in the Local Security Policy using the following procedure: 1. From Administrative Tools, open Local Security Policy. 2. In Security SettingsLocal PoliciesAudit Policy, enable the following auditing settings:  Account Logon: Success, Failure  Account Management: Success, Failure  Directory Service Access: Failure  Logon Events: Success, Failure  Object Access: Success, Failure  Policy Change: Success, Failure  Privilege Use: Failure  Process Tracking: No auditing  System Events: Success, Failure 3. Close the Local Security Policy console. 4. Close all windows. 5. Run this command (certutil -setreg CAAuditFilter 127) 6. Enable object access auditing in the following locations: a. %windir%system32certsrvcertenroll b. HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvc Configuration.
Installing Root Certification Authority 17 Configure CRL Publication Interval by Using the User Interface After the CRL distribution point is set, you must configure the CRL publication interval. To configure the publication schedule, use the following procedure. 1. Click Start, point to Programs, point to Administrative Tools, and then click Certification Authority. This opens the Certification Authority MMC Snap-in. 2. In the console tree, right-click Revoked Certificates, and then click Properties. 3. In CRL publication interval, type a number for the CRL publication interval according to your CPS (50 weeks). 4. Verify that the Publish Delta CRLs check box is not selected. 3.7 Export Root Certificates and CRL to a floppy Make sure to insert a floppy disk on the root CA and run the below script certutil –crl ::Copy the Root CA certificates and CRLs to the Floppy Drive Echo Insert a Floppy disk in Drive A: sleep 5 copy /y %windir%system32certsrvcertenroll*.cr? a: Note: (Certutil –crl ) is used to publish new CRLs , and the Sleep command requires that Windows Server 2003 Resource Kit is installed on the root CA computer. After installing the resource kit tool ,search for sleep.exe and copy it to %windowsroot%system32
Installing Root Certification Authority 18 3.8 All in one post installation batch file @ECHO OFF REM FileName Config-Root REM Contoso International REM CA configuration script for Windows Server 2003 CA REM REM Map name spcae for Active Directory certutil.exe –setreg caDSConfigDN "CN=Configuration,DC=CONTOSO,DC=com" REM REM Configure CRL and AIA CDP REM certutil -setreg CACRLPublicationURLs "1:%WINDIR%system32CertSrvCertEnroll%%3%%8%%9.crln14:LDAP:///CN=%%7%%8,CN= %%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"n2:http://www.contoso.com/ca/%%3%%8%%9.crl” REM certutil -setreg CACACertPublicationURLs "1:%WINDIR%system32CertSrvCertEnroll%%1_%%3%%4.crtn2:LDAP:///CN=%%7,CN=AIA, CN=Public Key Services,CN=Services,%%6%%11n2:http://www.contoso.com/ca/%%1_%%3%%4.crt" REM REM Configure CRL Publication REM certutil -setreg CACRLPeriod "Weeks" certutil -setreg CACRLPeriodUnits 50 REM REM Set the CRL Overlap REM
Installing Root Certification Authority 19 certutil -setreg CACRLOverlapUnits 10 certutil -setreg CACRLOverlapPeriod "Days" REM REM Disable Delta CRL Publication REM certutil -setreg CACRLDeltaPeriodUnits 0 certutil -setreg CACRLDeltaPeriod "days" REM REM Set the validity period for issued certificates REM Certutil -setreg caValidityPeriodUnits 10 Certutil -setreg caValidityPeriod "Years" REM REM Enable all auditing events for the CONTOSO Corporate Issuing CA certutil -setreg CAAuditFilter 127 REM REM Restart the CA Server Services REM net stop certsvc & net start certsvc REM REM Publish CRL REM The CRL Publishing may immediately not work REM after you restart the CA server service. if this behavior REM occurs, try certutil CRL command at a command REM prompt again REM SLEEP 5
Installing Root Certification Authority 20 Certutil -CRL REM REM Test if CAPolicy.inf file exists REM IF EXIST %SYSTEMROOT%capolicy.inf GOTO ENDCFG ECHO Warning, no capolicy.inf file used :ENDCFG pause 3.9 Publishing CA certificates and CRL in Active Directory On the offline root, copy the contents of the Systemroot%System32CertsrvCertEnroll into the root of the C drive of a domain controller and open a command prompt and type the following: cd for %%c in (*.crt) do certutil -dspublish -f “%%c” RootCA for %%c in (*.crl) do certutil -dspublish -f “%%c" Note: If the publication of the root CA certificate, append the Root CA NetBIOS name to the command as per the following: for %%c in (*.crt) do certutil -dspublish -f “%%c” RootCA CAName Where CANAME is the NetBIOS name of the Root CA server.

More Related Content

PPTX
Deploy and Configure an Enterprise Root CA & Subordinate CA in Windows Server...
byMd. Abdul Barek
 
PDF
Proyecto Hotspot mikrotik
byDavid Pérez
 
PPTX
MCSA 70-412 Chapter 06
byComputer Networking
 
PPTX
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
bykieranjacobsen
 
PDF
Mary Kay - Ciclo mensal JUNHO
byArteiras
 
DOC
ĐỒ ÁN THIẾT KẾ VÀ THI CÔNG NGÔI NHÀ THÔNG MINH
bylamluanvan.net Viết thuê luận văn
 
DOCX
Gpo
byCassio Ramos
 
PDF
Hệ thống giám sát và cảnh báo sử dụng cảm biến và camera trong gia đình
bysunflower_micro
 
Deploy and Configure an Enterprise Root CA & Subordinate CA in Windows Server...
byMd. Abdul Barek
 
Proyecto Hotspot mikrotik
byDavid Pérez
 
MCSA 70-412 Chapter 06
byComputer Networking
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
bykieranjacobsen
 
Mary Kay - Ciclo mensal JUNHO
byArteiras
 
ĐỒ ÁN THIẾT KẾ VÀ THI CÔNG NGÔI NHÀ THÔNG MINH
bylamluanvan.net Viết thuê luận văn
 
Gpo
byCassio Ramos
 
Hệ thống giám sát và cảnh báo sử dụng cảm biến và camera trong gia đình
bysunflower_micro
 

Similar to Install offline Root CA Server 2003

PPTX
Build and Operate Your Own Certificate Management Center of Mediocrity
byT.Rob Wyatt
 
PDF
SSL Setup for Oracle 10g AS
byEnkitec
 
PDF
Cisco WSA - Cisco Web Security Appliance - Appliance Configuration
byattackying
 
PPTX
MGT300 Using Microsoft System Center to Manage beyond the Trusted Domain
byLouis Göhl
 
PDF
OSCM 2024 | Ignite: Monitoring and maintaining self-signed certificates is da...
byNETWAYS
 
PPTX
EC PKI Training on-prem and cloud-based PKI
byParnashreeSaha
 
PDF
TekCERT Manual
byYasin KAPLAN
 
DOC
Ad cs-step-by-step-guide
byValentín Sánchez de Movellán
 
PDF
Windows Server 2016 Cookbook Jordan Krause
bywaksyioda
 
PDF
Avaya Security Certificates Webinar
byArrow Systems Integration
 
DOC
Certification authority
byproser tech
 
PPT
certificates.ppt
byfaizalkhan673954
 
PDF
320.1-Cryptography
bybehrad eslamifar
 
PDF
Steam Learn: HTTPS and certificates explained
byinovia
 
PDF
Cisco iso based CA (certificate authority)
byNetwax Lab
 
PPTX
[Cluj] Turn SSL ON
byOWASP EEE
 
PPT
Session 10 Tp 10
bygithe26200
 
DOC
3 level cert tomcat
bySuraj Pratap
 
PPTX
How to install SSL Certificate on Microsoft Exchange Server 2010
byCheapSSLsecurity
 
PDF
Information about the SSL Certificate
byCheapSSLUSA
 
Build and Operate Your Own Certificate Management Center of Mediocrity
byT.Rob Wyatt
 
SSL Setup for Oracle 10g AS
byEnkitec
 
Cisco WSA - Cisco Web Security Appliance - Appliance Configuration
byattackying
 
MGT300 Using Microsoft System Center to Manage beyond the Trusted Domain
byLouis Göhl
 
OSCM 2024 | Ignite: Monitoring and maintaining self-signed certificates is da...
byNETWAYS
 
EC PKI Training on-prem and cloud-based PKI
byParnashreeSaha
 
TekCERT Manual
byYasin KAPLAN
 
Ad cs-step-by-step-guide
byValentín Sánchez de Movellán
 
Windows Server 2016 Cookbook Jordan Krause
bywaksyioda
 
Avaya Security Certificates Webinar
byArrow Systems Integration
 
Certification authority
byproser tech
 
certificates.ppt
byfaizalkhan673954
 
320.1-Cryptography
bybehrad eslamifar
 
Steam Learn: HTTPS and certificates explained
byinovia
 
Cisco iso based CA (certificate authority)
byNetwax Lab
 
[Cluj] Turn SSL ON
byOWASP EEE
 
Session 10 Tp 10
bygithe26200
 
3 level cert tomcat
bySuraj Pratap
 
How to install SSL Certificate on Microsoft Exchange Server 2010
byCheapSSLsecurity
 
Information about the SSL Certificate
byCheapSSLUSA
 

More from Ammar Hasayen

PPTX
Introducing Azure Bastion
byAmmar Hasayen
 
PPTX
Cloud Reference Architecture - Part 1 Foundation
byAmmar Hasayen
 
PPTX
Microsoft 365 Certification - How to become Enterprise Administrator Expert
byAmmar Hasayen
 
PPTX
Secure Modern Workplace With Microsoft 365 Threat Protection
byAmmar Hasayen
 
PDF
Microsoft Cloud App Security CASB
byAmmar Hasayen
 
PPTX
Virtual Data Center VDC - Azure Cloud Reference Architecture CRA
byAmmar Hasayen
 
PPTX
Windows Advance Threats - BSides Amman 2019
byAmmar Hasayen
 
PPTX
Microsoft 365 Threat Management and security - EMS E5
byAmmar Hasayen
 
PPTX
UAE Microsoft MVPs - How To become Microsoft MVP
byAmmar Hasayen
 
PPTX
What is microsoft 365
byAmmar Hasayen
 
PPTX
Office 365 periodic table - editable
byAmmar Hasayen
 
PDF
Microsoft EMS Enterprise Mobility and Security Architecture Poster
byAmmar Hasayen
 
PDF
Modern Workplace Deep Dive infographic
byAmmar Hasayen
 
PDF
Exchange Online Protection EOP headers
byAmmar Hasayen
 
PDF
Email edge security architecture EOP
byAmmar Hasayen
 
PDF
Strict KDC Validation
byAmmar Hasayen
 
PPTX
How to plan your Modern Workplace Project - SPS Denver October 2018
byAmmar Hasayen
 
PPTX
Era of disruption with Microsoft 365
byAmmar Hasayen
 
PPTX
The Emerge Of The Modern Workplace
byAmmar Hasayen
 
PDF
Migrating your certification authority hashing algorithm from sha 1 to sha-2
byAmmar Hasayen
 
Introducing Azure Bastion
byAmmar Hasayen
 
Cloud Reference Architecture - Part 1 Foundation
byAmmar Hasayen
 
Microsoft 365 Certification - How to become Enterprise Administrator Expert
byAmmar Hasayen
 
Secure Modern Workplace With Microsoft 365 Threat Protection
byAmmar Hasayen
 
Microsoft Cloud App Security CASB
byAmmar Hasayen
 
Virtual Data Center VDC - Azure Cloud Reference Architecture CRA
byAmmar Hasayen
 
Windows Advance Threats - BSides Amman 2019
byAmmar Hasayen
 
Microsoft 365 Threat Management and security - EMS E5
byAmmar Hasayen
 
UAE Microsoft MVPs - How To become Microsoft MVP
byAmmar Hasayen
 
What is microsoft 365
byAmmar Hasayen
 
Office 365 periodic table - editable
byAmmar Hasayen
 
Microsoft EMS Enterprise Mobility and Security Architecture Poster
byAmmar Hasayen
 
Modern Workplace Deep Dive infographic
byAmmar Hasayen
 
Exchange Online Protection EOP headers
byAmmar Hasayen
 
Email edge security architecture EOP
byAmmar Hasayen
 
Strict KDC Validation
byAmmar Hasayen
 
How to plan your Modern Workplace Project - SPS Denver October 2018
byAmmar Hasayen
 
Era of disruption with Microsoft 365
byAmmar Hasayen
 
The Emerge Of The Modern Workplace
byAmmar Hasayen
 
Migrating your certification authority hashing algorithm from sha 1 to sha-2
byAmmar Hasayen
 

Recently uploaded

PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
The year in review - MarvelClient in 2025
bypanagenda
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
AI Technology important knowledge ......
byutkarshj2007
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 

Install offline Root CA Server 2003

  • 1.
    2008 Ammar Hasayen Ammarhasayen@outlook.com http://ammarhasayen.com Twitter:@ammarhasayen [INSTALLING ROOT CERTIFICATIONAUTHORITY] Thisdocumentprovides Step-by-stepprocedurestoinstall andconfigure anofflinestandalone Root Certificate Authorityserver.
  • 2.
    Installing Root CertificationAuthority 2 Table of Contents 1 Introduction ...............................................................................................................3 2 Installation..................................................................................................................4 2.1 CAPolicy.inf File .....................................................................................................4 2.2 Installing Certificate Services...................................................................................6 3 Post Installation Tasks .........................................................................................10 3.1 To verify Installation: .............................................................................................10 3.2 Map the Namespace of Active Directory to an Offline CA's Registry Configuration ....10 3.3 Configure Distribution Points for CRL and AIA by using GUI. ...................................11 3.4 Republish new CRLs ............................................................................................15 3.5 Set the Validity Period for Issued Certificates at the Offline Root CA ........................15 3.6 Object Access Auditing .........................................................................................16 3.7 Export Root Certificates and CRL to a floppy ..........................................................17 3.8 All in one post installation batch file........................................................................18 3.9 Publishing CA certificates and CRL in Active Directory ............................................20
  • 3.
    Installing Root CertificationAuthority 3 1 Introduction The CONTOSO stand-alone root CA (named ContosoRootCA), is never connected to a network and remains offline and physically secured. It is installed on Microsoft Virtual Machine 2005 R2 SP1. The root CA issues and revokes certificates for Issuing/Policy CAs in the hierarchy. Offline Root Keys are generated by Microsoft Software CSP. The CA certificate and the CRL are regularly and manually published and made available through an HTTP and an LDAP distribution point. Settings for Offline Root CA:  Computer name (should be unique in the network) : ContosoRootCA  Windows 2003 server with SP2  Local Password : d?spene_$uT2$Ra5  Windows Server 2003 Resource Kit Tools installed.  Common Name for this CA: CONTOSO Corporate Root CA  Distinguished name suffix : DC=CONTOSO,DC=com  IP : 192.168.80.80 mask 255.255.255.0  H.D: 20 GB all allocated for the “C” partition.
  • 4.
    Installing Root CertificationAuthority 4 2 Installation 2.1 CAPolicy.inf File The CAPolicy.inf file provides Certificate Services configuration information, which is read during initial CA installation and whenever the CA certificate is renewed. The CAPolicy.inf file defines settings specific to root CAs, as well as settings that affect all CAs in the CA hierarchy. By default, the CAPolicy.inf file does not exist when l Microsoft Windows Server 2003 is installed. It should be manually created in the Windows operating system folder (%windir% folder). When Certificate Services are installed, the operating system applies any settings defined in the CAPolicy.inf file. This CAPolicy.inf file for Root CA makes the following assumptions:  The root CA will renew its key with one with length of 4,096 bits.  Hash algorithm: SHA-1  The validity period of the root CA certificate is 20 years.  Base CRLs are published every 50 weeks.  Delta CRLs are disabled.  The root CA does not contain a CDP or an AIA extension to prevent revocation checking of the root CA certificate.  Cryptographic service provider (CSP): Microsoft Strong Cryptographic Service Provider.  Database and log settings: Database files on C:CA_DB .Log files on C:CA_LOG  Empty CDP and AIA locations in the CAPolicy File. Based on these assumptions, the following CAPolicy.inf file can be installed in the %windir% of the ROOTCA computer:
  • 5.
    Installing Root CertificationAuthority 5 [Version] Signature="$Windows NT$" [certsrv_server] renewalkeylength=4096 RenewalValidityPeriodUnits=20 RenewalValidityPeriod=years CRLPeriod=weeks CRLPeriodUnits=50 CRLDeltaPeriodUnits=0 CRLDeltaPeriod=days [CRLDistributionPoint] Empty=True [AuthorityInformationAccess] Empty=True Notes:  The [Version] section defines that the .inf file uses the Windows NT format. This section must exist for both root and subordinate CA installations.  CRLDeltaPeriodUnits=0 means that Delta CRLs are disabled which is a recommendation in an offline root CA.  [CRLDistributionPoint] and [AuthorityInformationAccess] are assigned value empty as a best practice for the root CA certificate. Later after installation, those values should be redefined to locate the correct location for CDP and AIA for the Issuing/online CA Certificates. o renewalkeylength=4096 specifies the key length for the CA Root certificate when its key are renewed. In the other hand, the current key length is specified in the installation wizard.
  • 6.
    Installing Root CertificationAuthority 6 2.2 Installing Certificate Services Once the CAPolicy.inf file is installed, Certificate Services on the root CA computer can be installed. The installation must be performed by a member of the local Administrators account on the CA computer, and the computer must not be a member of a domain. This will allow the computer to be removed from the network for long periods of time. Note: IIS is not required for the installation of an offline root CA. The only certificate requests submitted to the root CA are for subordinate CA certificates, and these can be submitted by using the Certification Authority console. You can use the following procedure to install the root CA: 1. Ensure that the date and time on the root CA computer is correct. This is to ensure the correct time for publishing and stamping CLRs. (run this command from the root CA : net time jdcdc01.contoso.com /set) 2. From the Start menu, click Control Panel and click Add or Remove Programs. 3. In the Add or Remove Programs window, click Add/Remove Windows Components. 4. In the Windows Components Wizard, in the Windows Components list, click the Certificate Services check box. 5. In the Microsoft Certificate Services dialog box, click Yes. 6. On the Windows Components page, click Next. 7. On the CA Type page, click Standalone Root CA, enable the Use Custom Settings to Generate the Key Pair and CA Certificate check box, and click Next.
  • 7.
    Installing Root CertificationAuthority 7 8. On the Public and Private Key Pair page, set the following options:  CSP: Microsoft Strong Cryptographic Service Provider  Allow the CSP to interact with the desktop: Disabled  Hash algorithm: SHA-1  Key length: 4,096
  • 8.
    Installing Root CertificationAuthority 8 9. On the CA Identifying Information page, enter the following information:  Common Name for this CA: CONTOSO Corporate Root CA  (Optional) In Distinguished name suffix : DC=CONTOSO,DC=com  Validity Period: 20 Years <Validity time can only be set for a root CA> Note: If you type a name in the (Distinguished name suffix), confirm that you have typed it correctly so that it works in the context of the Active Directory domain name. If you install a CA on a computer that is a domain member with Enterprise Administrator privileges, the distinguished name suffix is automatically configured. You can also set the distinguished name suffix at a later time by using the Certutil.exe command.
  • 9.
    Installing Root CertificationAuthority 9 10. On the Certificate Database Settings page, provide the following settings and click Next:  Certificate database: C:CA_DB  Certificate database log: C:CA_Log  CA configuration: C:CA_Config 11. If prompted, insert the Windows Server 2003, Standard Edition, and CD in the CDROM drive and choose the i386 folder. 15. In the Microsoft Certificate Services dialog box, click OK to identify that IIS is not installed. 16. On the Completing the Windows Components Wizard page, click Finish. 17. Close the Add or Remove Programs dialog box.
  • 10.
    Installing Root CertificationAuthority 10 3 Post Installation Tasks After the stand-alone offline root CA is installed, you must configure the properties of the offline root CA for certificates that are subsequently issued from the CA. These extensions are necessary to ensure correct revocation and chain building. Note that any settings configured to the CA can be found in the following registry path: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvcConfiguration 3.1 To verify Installation:  At a command prompt, type certutil –cainfo and verify the CA type. The result will be similar to the following: CA type: 3 -- Stand-alone Root CA ENUM_STANDALONE_ROOTCA -- 3  At a command prompt, type certutil –getreg to verify the database settings 3.2 Map the Namespace of Active Directory to an Offline CA's Registry Configuration Because the offline root CA is not connected to the domain and does not automatically publish the CRL to Active Directory, you must set a key in the registry. To do this, at a command prompt, type the following command and then stop and start the CA service: certutil.exe –setreg caDSConfigDN CN=Configuration,DC=contoso,DC=com Where DC=concorp,DC=contoso,DC=com is the namespace of the forest root domain. This setting is primarily required for CRLs and CA certificates (AIA) that are published in Active Directory. This registry value sets the %6 replacement token that is required for the CRL location attribute.
  • 11.
    Installing Root CertificationAuthority 11 3.3 Configure Distribution Points for CRL and AIA by using GUI. The CRL and AIA distribution points must be set before any certificates are issued from the new CA. This configuration step ensures that the correct information is embedded in each of the issued certificates so that the certificate's signature and revocation status can be verified. CRL distribution point and AIA extension changes take effect only after the CA is restarted. We must configure the CRL and AIA distribution point for certificates issued by this CA. To configure these extensions in a Windows Server 2003 CA, perform the following steps: 1. Log on to the computer running certificate services with an account that has Certification Authority Management permissions. 2. Click Start, point to All Programs, point to Administrative Tools, and then click Certification Authority 3. In the console tree, right-click the name of the CA that you want to work with, and then click Properties. Click the Extensions tab 4. To configure the Distribution Points for the CRL :  First, remove all of the CRL distribution point locations, except for the local CRL distribution point. Warning: Do not remove the local CRL distribution point location. The local distribution point will look similar to the following path: C:WindowsSystem32CertSrvCertEnrollCorporateRootCA.crl The CA must publish the CRL to the file system because all of the other distribution points are not accessible for this offline CA. The CA uses the local CRL to validate all certificates that are generated before the certificates are issued to users. The local path is not included in the CRL distribution point extension of issued certificates.  On the Extensions tab, in Select extension, select CRL Distribution Point (CDP).  In Specify location from which users can obtain a certificate revocation list (CRL), click the default LDAP location, click Remove, and then click Yes.  Repeat this for all CRL distribution point locations except for the local CRL distribution point  After you remove all of the appropriate locations, the remaining list of CRL distribution points will be similar to the following figure. Note: Don’t ever add CDP locations from the GUI interface and always use the CA variable instead of typing the explicit name of the server or certificate name. This is the best recommendation from Microsoft PKI Team.
  • 12.
    Installing Root CertificationAuthority 12  Create a folder on the www.contoso.com named (CA)  Add the folder to the IIS by creating a virtual directory. Give only read access to Everyone and clear all other checkboxes. Make sure that the file names that are published with HTTP exactly match the CA certificate and CRL distribution point as defined as part of the CA configuration. If the file names do not match, clients will fail to retrieve the CRL with the URL that was specified as the CRL distribution point.  On the offline root, copy the contents of the %Systemroot%System32CertsrvCertEnroll folder to a floppy disk.  Take the floppy disk to the online server and move the contents into the folder previously created.
  • 13.
    Installing Root CertificationAuthority 13  Record the URL for the virtual directory (http://www.contoso.com/CA/Contoso Root CA.crl)  Run the below script: certutil -setreg CACRLPublicationURLs "1:%WINDIR%system32CertSrvCertEnroll%%3%%8%%9.crln14:LDAP:///CN=%%7%%8,CN= %%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"n2:http://www.contoso.com/ca/%%3%%8%%9.crl  Make sure to configure the properties for each URL as shown in the table below: CRL distribution point property File HTTP LDAP Publish CRLs to this location check box Select N/A Clear Include in all CRLs check box N/A N/A Select Include in CRLs check box N/A Select* Select Include in the CDP extension of issued certificates check box N/A Select Select Publish delta CRLs to this location check box Clear N/A Clear Note: In Publish CRLs to this location, since the CorporateRootCA computer is not attached to the network, the CA cannot automatically publish the CRL to the LDAP CRL distribution point. By default, this option is chosen on an enterprise CA to automate the CRL publishing to the LDAP CRL distribution point. In Publish CRLs to this location, a UNC file path can be specified to publish to clustered Web servers using IIS for CRL fault tolerance. If the Publish Delta CRLs to this location check box is selected, make sure that the delta CRL is also published
  • 14.
    Installing Root CertificationAuthority 14  In the Extensions tab ,In the select Extension ,Choose (Authority Information Access (AIA)  Remove Any existing places, and run the below script certutil -setreg CACACertPublicationURLs "1:%WINDIR%system32CertSrvCertEnroll%%1_%%3%%4.crtn2:LDAP:///CN =%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11n2:http://www .contoso.com/ca/%%1_%%3%%4.crt" Access protocol AIA Distribution Point [local] D:WINDOWSsystem32CertSrvCertEnroll%1_%3%4.crt HTTP http://www.contoso.com/pki/%1_%3%4.crt LDAP ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11  Make sure to configure the properties for each URL as shown in the table below: AIA property FILE HTTP LDAP Include in the AIA extension of issued certificates check box N/A Select Select Include in the online certificate status protocol (OCSP) extension check box N/A Clear Clear
  • 15.
    Installing Root CertificationAuthority 15 3.4 Republish new CRLs It is important to republish the CRL because adapted configuration parameters such as DSConfigDN are included as attributes in the CRL. Also, CRL properties affect the publication of the CRL.  Log onto the CA server with CA Manager permissions  Open the Certification Authority MMC. To do this, click Start, point to All Programs, point to Administrative Tools, and then click Certification Authority  Right-click Revoked Certificates, point to All Tasks, and then click Publish.  A new base CRL is published. A delta CRL is published only if you have also set the CRL delta publication schedule.  When you are prompted to confirm the type of CRL that should be published with this request, click New CRL  Because only base CRLs are published by the offline root CA, only the New CRL option is available.  To publish the CRL, at a command prompt, type certutil -CRL, and then press ENTER. When you do this, the CRL is published to the location that you configured. 3.5 Set the Validity Period for Issued Certificates at the Offline Root CA Note that during the installation, we specified the validity period for the CA certificate (20 years).This is because there is no parent CA from which the validity period can be specified. Because this CA will issue future certificate ,there must be a way to specify the validity period for issues certificates.To fo this ,apply the following Batch file on the root CA. certutil -setreg caValidityPeriodUnits 10 certutil -setreg caValidityPeriod "Years" net stop certsvc & net start certsvc
  • 16.
    Installing Root CertificationAuthority 16 3.6 Object Access Auditing The post-installation script enables all auditing events for Certificate Services. These events depend on enabling success and failure auditing for Object Access. Because the offline policy CA is not a member of a domain, auditing must be enabled in the Local Security Policy using the following procedure: 1. From Administrative Tools, open Local Security Policy. 2. In Security SettingsLocal PoliciesAudit Policy, enable the following auditing settings:  Account Logon: Success, Failure  Account Management: Success, Failure  Directory Service Access: Failure  Logon Events: Success, Failure  Object Access: Success, Failure  Policy Change: Success, Failure  Privilege Use: Failure  Process Tracking: No auditing  System Events: Success, Failure 3. Close the Local Security Policy console. 4. Close all windows. 5. Run this command (certutil -setreg CAAuditFilter 127) 6. Enable object access auditing in the following locations: a. %windir%system32certsrvcertenroll b. HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvc Configuration.
  • 17.
    Installing Root CertificationAuthority 17 Configure CRL Publication Interval by Using the User Interface After the CRL distribution point is set, you must configure the CRL publication interval. To configure the publication schedule, use the following procedure. 1. Click Start, point to Programs, point to Administrative Tools, and then click Certification Authority. This opens the Certification Authority MMC Snap-in. 2. In the console tree, right-click Revoked Certificates, and then click Properties. 3. In CRL publication interval, type a number for the CRL publication interval according to your CPS (50 weeks). 4. Verify that the Publish Delta CRLs check box is not selected. 3.7 Export Root Certificates and CRL to a floppy Make sure to insert a floppy disk on the root CA and run the below script certutil –crl ::Copy the Root CA certificates and CRLs to the Floppy Drive Echo Insert a Floppy disk in Drive A: sleep 5 copy /y %windir%system32certsrvcertenroll*.cr? a: Note: (Certutil –crl ) is used to publish new CRLs , and the Sleep command requires that Windows Server 2003 Resource Kit is installed on the root CA computer. After installing the resource kit tool ,search for sleep.exe and copy it to %windowsroot%system32
  • 18.
    Installing Root CertificationAuthority 18 3.8 All in one post installation batch file @ECHO OFF REM FileName Config-Root REM Contoso International REM CA configuration script for Windows Server 2003 CA REM REM Map name spcae for Active Directory certutil.exe –setreg caDSConfigDN "CN=Configuration,DC=CONTOSO,DC=com" REM REM Configure CRL and AIA CDP REM certutil -setreg CACRLPublicationURLs "1:%WINDIR%system32CertSrvCertEnroll%%3%%8%%9.crln14:LDAP:///CN=%%7%%8,CN= %%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"n2:http://www.contoso.com/ca/%%3%%8%%9.crl” REM certutil -setreg CACACertPublicationURLs "1:%WINDIR%system32CertSrvCertEnroll%%1_%%3%%4.crtn2:LDAP:///CN=%%7,CN=AIA, CN=Public Key Services,CN=Services,%%6%%11n2:http://www.contoso.com/ca/%%1_%%3%%4.crt" REM REM Configure CRL Publication REM certutil -setreg CACRLPeriod "Weeks" certutil -setreg CACRLPeriodUnits 50 REM REM Set the CRL Overlap REM
  • 19.
    Installing Root CertificationAuthority 19 certutil -setreg CACRLOverlapUnits 10 certutil -setreg CACRLOverlapPeriod "Days" REM REM Disable Delta CRL Publication REM certutil -setreg CACRLDeltaPeriodUnits 0 certutil -setreg CACRLDeltaPeriod "days" REM REM Set the validity period for issued certificates REM Certutil -setreg caValidityPeriodUnits 10 Certutil -setreg caValidityPeriod "Years" REM REM Enable all auditing events for the CONTOSO Corporate Issuing CA certutil -setreg CAAuditFilter 127 REM REM Restart the CA Server Services REM net stop certsvc & net start certsvc REM REM Publish CRL REM The CRL Publishing may immediately not work REM after you restart the CA server service. if this behavior REM occurs, try certutil CRL command at a command REM prompt again REM SLEEP 5
  • 20.
    Installing Root CertificationAuthority 20 Certutil -CRL REM REM Test if CAPolicy.inf file exists REM IF EXIST %SYSTEMROOT%capolicy.inf GOTO ENDCFG ECHO Warning, no capolicy.inf file used :ENDCFG pause 3.9 Publishing CA certificates and CRL in Active Directory On the offline root, copy the contents of the Systemroot%System32CertsrvCertEnroll into the root of the C drive of a domain controller and open a command prompt and type the following: cd for %%c in (*.crt) do certutil -dspublish -f “%%c” RootCA for %%c in (*.crl) do certutil -dspublish -f “%%c" Note: If the publication of the root CA certificate, append the Root CA NetBIOS name to the command as per the following: for %%c in (*.crt) do certutil -dspublish -f “%%c” RootCA CAName Where CANAME is the NetBIOS name of the Root CA server.