Install Offline standalone CA for Domain

  1. Install standalone CA
  2. Change validity period to longer, so it can issue a longer period certificates.
    certutil -getreg ca\ValidityPeriod
    certutil -getreg ca\ValidityPeriodUnits
    certutil -setreg ca\ValidityPeriod "Years"
    certutil -setreg ca\ValidityPeriodUnits "20"
  3. Make standalone CA to support AD.  Don’t joint the standalone CA to domain.
    certutil -setreg ca\DSConfigDN "CN=Configuration,DC=yourdomain,DC=com"
    certutil -setreg ca\DSDomainDN "DC=yourdomain,DC=com"
  4. Change Extensions, CDP and AIA.  CRT and CRL are published to new locations instead of default, so they can be accessed by clients.
    1. Right click on the RootCA server name -> Properties -> Extensions tab -> extension type: CRL Distribution Point (CDP):.
    2. Select the line begins with “LDAP”, and click ‘Include in the CDP extension of issued certificates’.
    3. Select the line begins with “HTTP”, and click remove.  Do the same for the line begins with “file”.
    4. Click Add button, put: http://caservername.yourdomain.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed&gt;.crl.  Check “Include in CRLs.” and “Include in the CDP extension of issued certificates”.  You can put in different location.
    5. Select the line begins with “C:\Windows”, and check “Publish CRLs to this location” and “Publish Delta CRLs to this location”.
    6. Change Extension type to Authority Information Access (AIA)
    7. Select the line begins with “LDAP”, and check “Include in the AIA extension of issued certificates”.
    8. Select the line begins with “HTTP”, and click remove.  Do the same for the line begins with “file”.
    9. Click Add button, put: http://caservername.yourdomain.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName&gt;.crt.  Check “Include in the AIA extension of issued certificates”
    10. Click OK and allow the CA server to restart its service.  If you did this before certutil -setreg, then you need restart CA service after certutil -setreg.
  5. Right click on “Revoked certificates”-> Properties:
    1. CRL publication interval: 6 months
    2. Make sure “Publish Delta CRLs” is not checked
    3. Click OK
  6. Right click on “Revoked certificates” -> Publish.  or run this command
    certutil -crl
  7. Publish CRL & CRT to http location.  Copy the CRL & CRT file from %systemroot%\system32\CertSrv\CertEnroll of standalone CA to %systemroot%\system32\CertSrv\CertEnroll of SubCA, or the new location added in last steps if it is different.  If subca is not installed, just copy them to temperately location.
  8. Publish CRL & CRT to domain.  Run these commands
    certutil -dspublish -f <CAserverName>_<RootcaName>.crt RootCA
    certutil -dspublish -f <RootcaName>.crl
  9. Don’t issue SubCA certificate if these steps are not done.
  10. Install SubCA
  11. Test CRL & AIA on client certificates, export any client certificate to a .CER file. Run the following command against the .CER file.
    certutil -url file.cer or certutil -url file.crl
Advertisements
This entry was posted in Windows. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s