AD CS Installation: CAPolicy.inf and post installation conf script


Happy New Year all!

I'd like to ask a few questions about CA server installation (offline root CA, online issuing CA). The questions concern the offline CA installation.

The offline root CA server will have a 10-year validity period. It is a member of a workgroup. The online issuing CA will have a 10-year validity period too.

I have specified CAPolicy.inf as follows:
****************************************************************
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10

; Empty sections: the root CA certificate gets no CDP and no AIA extension
[CRLDistributionPoint]

[AuthorityInformationAccess]

; A policy section is only applied when it is listed here;
; without this section the [LegalPolicy] block below is ignored
[PolicyStatementExtension]
Policies=LegalPolicy

[LegalPolicy]
OID=1.3.6.1.4.1.my_pen.21.43
Notice="Legal policy statement text."
URL="http://www.mycompany.com/certdata/cps.asp"
****************************************************************

I hope this is right.

I plan to run the following post-installation script on the offline CA:
****************************************************************
REM Naming context of the forest root domain (value elided in the original post)
set MyADNamingContext=dc....
REM Tell the workgroup (offline) CA where the AD Configuration container lives
certutil.exe -setreg CA\DSConfigDN "CN=Configuration,%MyADNamingContext%"
REM CRL publication: entries are separated by \n, each prefixed by flag bits
REM (1 = publish the CRL here, 2 = include in the CDP extension of issued certs,
REM  8 = include in the CDP extension of issued CRLs; 10 = 2 + 8).
REM %%N tokens are doubled because this runs from a .cmd file; at an interactive prompt use a single %
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://my_issuingca_server/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
REM CA certificate publication: 1 = publish the CA cert here, 2 = include in the AIA extension of issued certs
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://my_issuingca_server/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
REM Base CRL valid for 180 days, no delta CRLs on the root
certutil -setreg CA\CRLPeriodUnits 180
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 0
REM Certificates issued by this root (the subordinate CA certificate) are valid for 10 years
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
net stop certsvc & net start certsvc
certutil -vroot
certutil -crl
****************************************************************
I'm not 100% sure I understand the 2nd and 3rd lines:
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\ ...
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\ ...

Does setting CRLPeriod to 180 days mean I need to re-publish the CRL from the offline root CA to the online issuing CA every 180 days? I have empty [CRLDistributionPoint] and [AuthorityInformationAccess] sections.

Basically, the offline root CA issues or renews certificates for the subordinate CA (in my case, the online issuing CA). Are there other tasks I need to take care of regularly?

thanks,

sjj123

> If the root CA name is "my-root-ca01" and the distinguished name is "cn=my-root-ca01,dn=mydomainname,dn=mycompanyname,dn=.com", may I assume the "CA sanitized name" is "my-root-ca01"?

The CA 'sanitized' name is the name of the CA (without DN suffixes). While the CA allows different characters in the CA name, not all characters (symbols) are allowed in Active Directory. There is also a limitation on CA name length in Active Directory of 52 characters only (there are no special limitations on the CA name itself). To convert long (52+ character length) names and unacceptable characters there is a special 'sanitization' process with specific rules:
http://msdn.microsoft.com/en-us/library/cc226738(prot.10).aspx
http://msdn.microsoft.com/en-us/library/cc226737(prot.10).aspx

This is just for your knowledge. Since your CA name is less than 63 characters and doesn't contain special characters, no additional sanitization process is required (just type it as is).

> By the way, where in Active Directory is the CRL published?

They are published in:
cn=ca name, cn=cdp, cn=public key services, cn=services,cn=configuration,dc=forestrootdomain dn

This is a common error when you have multiple domains in the forest. You must publish these files in the forest root domain context.

> PS: the thread you mentioned has no link given. I'll try to search for it.

I have posted the link:
http://social.technet.microsoft.com/forums/en-us/winserversecurity/thread/c08096b7-0550-423f-b82f-bb30880d4bda

http://www.sysadmins.lv
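As an added illustration for the two certutil lines the question asks about and for the LDAP publication location given in the answer, here is a Python script that is not from the thread and not a Microsoft tool. It parses a CRLPublicationURLs or CACertPublicationURLs value, decodes the flag number in front of each entry, and expands the %N tokens with constructed sample values for a hypothetical root CA named my-root-ca01 whose forest configuration container is CN=Configuration,DC=corp,DC=example. The token meanings and flag bits are the ones certutil documents; the host names, DN and the CA name are assumptions, as is the issuing CA host name my_issuingca_server taken over from the post.

```python
"""Decode a CA\\CRLPublicationURLs or CA\\CACertPublicationURLs registry value.

Added example for this thread, not code from the original post or from Microsoft.
CA name, host names and DN below are constructed sample values.
"""
import re

# Flag bits that prefix each URL entry (CSURL_* values as documented by certutil)
CRL_FLAGS = {
    1: "publish CRL to this location",
    2: "add to CDP extension of issued certificates",
    4: "add to Freshest CRL extension of issued certificates",
    8: "add to CDP extension of issued CRLs",
    64: "publish delta CRL to this location",
    128: "add to IDP extension of issued CRLs",
}
AIA_FLAGS = {
    1: "publish CA certificate to this location",
    2: "add to AIA extension of issued certificates",
    32: "add to AIA extension as an OCSP URL",
}

# %N tokens understood by certutil, with constructed values for a root CA called
# my-root-ca01 (no characters that need sanitizing, so %3 equals the CA name)
SAMPLE_TOKENS = {
    "1": "my-root-ca01.example.local",   # ServerDNSName (assumed host name)
    "2": "MY-ROOT-CA01",                 # ServerShortName (NetBIOS name)
    "3": "my-root-ca01",                 # CaName, sanitized
    "4": "",                             # CertificateName: "" for the first key, "(1)" after renewal with a new key
    "6": "CN=Configuration,DC=corp,DC=example",  # ConfigurationContainer of the forest root domain (assumed)
    "7": "my-root-ca01",                 # CATruncatedName: sanitized name, shortened with a hash suffix when long
    "8": "",                             # CRLNameSuffix: "" for the first key, "(1)" after renewal with a new key
    "9": "",                             # DeltaCRLAllowed: "+" appears only in delta CRL names
    "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",  # CDPObjectClass
    "11": "?cACertificate?base?objectClass=certificationAuthority",            # CAObjectClass
}


def parse_entries(value):
    """Split a publication value into (flags, template) pairs.

    Entries are separated by the two characters backslash-n exactly as typed on
    the certutil command line; a real newline is accepted as well.
    """
    entries = []
    for raw in re.split(r"\\n|\n", value):
        raw = raw.strip()
        if not raw:
            continue
        flags, template = raw.split(":", 1)
        entries.append((int(flags), template))
    return entries


def expand(template, tokens=SAMPLE_TOKENS, windir=r"C:\Windows"):
    """Replace %WINDIR% and the %N tokens in one URL template.

    A doubled %% (as written in a .cmd file) is collapsed first, and two-digit
    tokens are replaced before single-digit ones so %10 is not read as %1 + '0'.
    """
    out = template.replace("%%", "%")
    out = re.sub(r"%windir%", lambda m: windir, out, flags=re.IGNORECASE)
    for key in sorted(tokens, key=len, reverse=True):
        out = out.replace("%" + key, tokens[key])
    return out


def decode_flags(flags, table):
    """Return the meaning of every bit set in an entry's flag number."""
    return [text for bit, text in table.items() if flags & bit]


def render(value, table, tokens=SAMPLE_TOKENS):
    """Expand every entry of a publication value into flags, final URL and flag meanings."""
    return [
        {"flags": f, "url": expand(t, tokens), "meaning": decode_flags(f, table)}
        for f, t in parse_entries(value)
    ]


# The two values from the post-installation script, in their corrected form
CRL_VALUE = (
    r"1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl"
    r"\n2:http://my_issuingca_server/certenroll/%%3%%8%%9.crl"
    r"\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
)
AIA_VALUE = (
    r"1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt"
    r"\n2:http://my_issuingca_server/certenroll/%%1_%%3%%4.crt"
    r"\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
)

if __name__ == "__main__":
    for name, value, table in (("CRLPublicationURLs", CRL_VALUE, CRL_FLAGS),
                               ("CACertPublicationURLs", AIA_VALUE, AIA_FLAGS)):
        print(name)
        for entry in render(value, table):
            print(f"  [{entry['flags']:>3}] {entry['url']}")
            for text in entry["meaning"]:
                print(f"        - {text}")
```

The third CRL entry expands to the CN=...,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,... path the answer names, which is why %6 has to point at the forest root domain's configuration container. Running the script with "8" set to "(1)" shows the file names that appear after the root CA key is renewed.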




