- Install standalone CA
- Increase the validity period so the CA can issue certificates with a longer lifetime. Check the current values, then set them:
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits "20"
- Make the standalone CA AD-aware. Do not join the standalone CA to the domain.
certutil -setreg ca\DSConfigDN "CN=Configuration,DC=yourdomain,DC=com"
certutil -setreg ca\DSDomainDN "DC=yourdomain,DC=com"
- Change the Extensions (CDP and AIA). The CRT and CRL are published to new locations instead of the defaults so that clients can reach them.
- Right click on the RootCA server name -> Properties -> Extensions tab -> Select extension: CRL Distribution Point (CDP).
- Select the line beginning with “LDAP” and check ‘Include in the CDP extension of issued certificates’.
- Select the line beginning with “HTTP” and click Remove. Do the same for the line beginning with “file”.
- Click Add and enter: http://caservername.yourdomain.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl. Check “Include in CRLs.” and “Include in the CDP extension of issued certificates”. You can use a different location.
- Select the line beginning with “C:\Windows” and check “Publish CRLs to this location” and “Publish Delta CRLs to this location”.
- Change the extension type to Authority Information Access (AIA).
- Select the line beginning with “LDAP” and check “Include in the AIA extension of issued certificates”.
- Select the line beginning with “HTTP” and click Remove. Do the same for the line beginning with “file”.
- Click Add and enter: http://caservername.yourdomain.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt. Check “Include in the AIA extension of issued certificates”.
- Click OK and allow the CA service to restart. If you did this before running certutil -setreg, restart the CA service again after certutil -setreg.
- Right click on “Revoked certificates”-> Properties:
- CRL publication interval: 6 months
- Make sure “Publish Delta CRLs” is not checked
- Click OK
- Right click on “Revoked certificates” -> Publish, or run this command:
certutil -crl
- Publish the CRL & CRT to the HTTP location. Copy the CRL and CRT files from %systemroot%\system32\CertSrv\CertEnroll on the standalone CA to %systemroot%\system32\CertSrv\CertEnroll on the SubCA, or to the new location added in the previous steps if it is different. If the SubCA is not installed yet, copy them to a temporary location.
- Publish the CRL & CRT to the domain. Run these commands:
certutil -dspublish -f <CAserverName>_<RootcaName>.crt RootCA
certutil -dspublish -f <RootcaName>.crl
- Do not issue the SubCA certificate until these steps are done.
- Install SubCA
- Test the CRL & AIA on client certificates: export any client certificate to a .CER file and run the following command against it (the same check works on a .CRL file).
certutil -url file.cer
certutil -url file.crl
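As an added check that goes a step beyond certutil -url (example script, not part of the original notes): it reads the CDP and AIA URLs out of the exported .CER file and verifies that the HTTP locations configured in the Extensions tab actually serve DER data, that the AIA location returns the issuing CA's certificate, and that no file:// path leaked into the issued certificate. The .\file.cer path is a placeholder, and the Format() call assumes Windows, where it uses CryptFormatObject.

```powershell
# Added example, not from the original notes. Reads the CDP and AIA URLs out of an
# exported client certificate and checks what a client would see: HTTP locations must
# serve DER data (and, for AIA, the issuing CA's certificate); file:// entries are flagged.
# $CerPath is a placeholder; Format() needs Windows, where it uses CryptFormatObject.
param([string]$CerPath = ".\file.cer")

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }          # CRL Distribution Points
$aia  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }  # Authority Information Access

# Format($true) renders the extension as text with one "URL=..." entry per location.
function Get-ExtensionUrls($Ext) {
    if (-not $Ext) { return @() }
    [regex]::Matches($Ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-HttpLocation([string]$Url, [string]$Kind) {
    try {
        $bytes = [System.Net.WebClient]::new().DownloadData($Url)
        # DER-encoded CRLs and certificates both start with a SEQUENCE tag (0x30).
        if ($bytes.Length -eq 0 -or $bytes[0] -ne 0x30) { return 'served, but not DER data' }
        if ($Kind -eq 'AIA') {
            $issuer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
            if ($issuer.Subject -ne $cert.Issuer) { return "wrong certificate: $($issuer.Subject)" }
        }
        return "OK ($($bytes.Length) bytes)"
    } catch { return "FAIL: $($_.Exception.Message)" }
}

foreach ($pair in @(@{ Kind = 'CDP'; Ext = $cdp }, @{ Kind = 'AIA'; Ext = $aia })) {
    $urls = @(Get-ExtensionUrls $pair.Ext)
    if ($urls.Count -eq 0) { Write-Output "$($pair.Kind): no URLs in this certificate"; continue }
    foreach ($u in $urls) {
        $result = switch -Wildcard ($u) {
            'http://*' { Test-HttpLocation $u $pair.Kind }
            'ldap://*' { 'LDAP: reachable by domain-joined clients only, not tested here' }
            'file://*' { 'file path in an issued certificate: remove it on the Extensions tab' }
            default    { 'unrecognised scheme' }
        }
        Write-Output ('{0} {1} -> {2}' -f $pair.Kind, $u, $result)
    }
}
```

Run it from a workstation that is not the CA, so the HTTP fetch exercises the same path a client would use.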