Install an Offline Standalone CA for a Domain

  1. Install the standalone CA.
  2. Increase the validity period so the CA can issue longer-lived certificates:
    certutil -getreg ca\ValidityPeriod
    certutil -getreg ca\ValidityPeriodUnits
    certutil -setreg ca\ValidityPeriod "Years"
    certutil -setreg ca\ValidityPeriodUnits "20"
  3. Configure the standalone CA to support AD.  Do not join the standalone CA to the domain.
    certutil -setreg ca\DSConfigDN "CN=Configuration,DC=yourdomain,DC=com"
    certutil -setreg ca\DSDomainDN "DC=yourdomain,DC=com"
  4. Change the Extensions, CDP and AIA.  The CRT and CRL are published to new locations instead of the defaults, so that clients can access them.
    1. Right click on the RootCA server name -> Properties -> Extensions tab -> extension type: CRL Distribution Point (CDP).
    2. Select the line beginning with “LDAP”, and check ‘Include in the CDP extension of issued certificates’.
    3. Select the line beginning with “HTTP”, and click Remove.  Do the same for the line beginning with “file”.
    4. Click the Add button and enter: http://caservername.yourdomain.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl.  Check “Include in CRLs.” and “Include in the CDP extension of issued certificates”.  You can use a different location.
    5. Select the line beginning with “C:\Windows”, and check “Publish CRLs to this location” and “Publish Delta CRLs to this location”.
    6. Change the extension type to Authority Information Access (AIA).
    7. Select the line beginning with “LDAP”, and check “Include in the AIA extension of issued certificates”.
    8. Select the line beginning with “HTTP”, and click Remove.  Do the same for the line beginning with “file”.
    9. Click the Add button and enter: http://caservername.yourdomain.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt.  Check “Include in the AIA extension of issued certificates”.
    10. Click OK and allow the CA service to restart.  If you did this before running certutil -setreg, you need to restart the CA service again after certutil -setreg.
  5. Right click on “Revoked Certificates” -> Properties:
    1. CRL publication interval: 6 months
    2. Make sure “Publish Delta CRLs” is not checked
    3. Click OK
  6. Right click on “Revoked Certificates” -> Publish, or run this command:
    certutil -crl
  7. Publish the CRL & CRT to the HTTP location.  Copy the CRL & CRT files from %systemroot%\system32\CertSrv\CertEnroll on the standalone CA to %systemroot%\system32\CertSrv\CertEnroll on the SubCA, or to the new location added in the previous steps if it is different.  If the SubCA is not installed yet, copy them to a temporary location for now.
  8. Publish the CRL & CRT to the domain.  Run these commands:
    certutil -dspublish -f <CAserverName>_<RootcaName>.crt RootCA
    certutil -dspublish -f <RootcaName>.crl
  9. Do not issue the SubCA certificate until these steps are done.
  10. Install the SubCA.
  11. Test the CRL & AIA on client certificates: export any client certificate to a .CER file and run the following command against the .CER file (or against a downloaded .CRL file).
    certutil -url file.cer or certutil -url file.crl
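The following PowerShell script is an added example (not part of the original post) that complements step 11: it reads the CDP and AIA extensions out of an exported client certificate, fetches every HTTP URL they contain, and checks that the web server returns a DER-encoded object rather than an HTML error page, which is what clients will see if the CertEnroll files or the .crl/.crt MIME types are missing. It assumes Windows PowerShell on a host with HTTP access to the CA web server, and that the extension text produced by Format() uses the Windows "URL=" layout; the script name and the -CerPath parameter are my own.

```powershell
# Added example, not from the original post: verify the HTTP CDP/AIA locations of a
# client certificate. Assumes Windows PowerShell and network access to the CA web server.
param([Parameter(Mandatory = $true)][string]$CerPath)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# 2.5.29.31 = CRL Distribution Points (CDP); 1.3.6.1.5.5.7.1.1 = Authority Information Access (AIA)
$oidNames = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
$web = New-Object System.Net.WebClient
$failures = 0

foreach ($ext in $cert.Extensions) {
    $kind = $oidNames[$ext.Oid.Value]
    if (-not $kind) { continue }

    # Format($true) renders the extension as text with one "URL=..." line per location
    $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    if (-not $urls) { Write-Warning "$kind extension present but contains no URLs"; $failures++ }

    foreach ($url in $urls) {
        if ($url -notmatch '^http://') {
            # LDAP locations (step 4) are only resolvable by domain-joined clients; report, do not fetch
            Write-Output "$kind  $url  (LDAP, not fetched)"
            continue
        }
        try {
            $bytes = $web.DownloadData($url)
            # A DER-encoded certificate or CRL always starts with an ASN.1 SEQUENCE tag (0x30).
            # Anything else usually means IIS served an error page or lacks the .crl/.crt MIME type.
            if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
                Write-Output ("{0}  {1}  OK ({2} bytes)" -f $kind, $url, $bytes.Length)
            } else {
                Write-Warning ("{0}  {1}  reachable but not DER (check IIS MIME types)" -f $kind, $url)
                $failures++
            }
        } catch {
            Write-Warning ("{0}  {1}  FAILED: {2}" -f $kind, $url, $_.Exception.Message)
            $failures++
        }
    }
}

if ($failures -eq 0) { Write-Output "All HTTP CDP/AIA locations are serving DER objects." }
exit $failures
```

Run it as `.\Check-CdpAia.ps1 -CerPath .\client.cer`; a non-zero exit code means at least one HTTP location is unreachable or is not serving the published file, which is the same failure certutil -url would report for a client.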