In Windows Explorer on the root CA, locate the certificate revocation list you just published. The CRL's default location is: %systemroot%\system32\CertSrv\CertEnroll\<CAname>.crl.
Right-click the CRL file and send it to a drive that has portable storage media.
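The two steps above, automated in PowerShell as an added example (not part of the original article): it locates the published CRL, refuses to copy anywhere but removable media, shows the CRL's validity window, and verifies the copy by hash before you carry it to the subordinate CAs. The CA name 'Contoso Root CA' and drive letter E: are assumptions; adjust them for your environment.

```powershell
# Added example, not from the original article. Copies the freshly published
# offline root CRL to removable media and verifies the copy.
# Assumptions: CA common name 'Contoso Root CA', removable drive letter E:.
$CAName      = 'Contoso Root CA'
$CertEnroll  = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$Destination = 'E:\'

# Default CRL file name is <CAname>.crl in the CertEnroll folder.
$crlPath = Join-Path $CertEnroll "$CAName.crl"
if (-not (Test-Path $crlPath)) { throw "CRL not found: $crlPath" }

# Only copy to removable media; an offline root must not touch the network.
$vol = Get-Volume -DriveLetter $Destination.TrimEnd(':\') -ErrorAction Stop
if ($vol.DriveType -ne 'Removable') {
    throw "$Destination is '$($vol.DriveType)', not removable media"
}

# Show ThisUpdate/NextUpdate so you know when the next CRL must be carried over.
certutil -dump $crlPath | Select-String 'ThisUpdate|NextUpdate'

# Copy, then compare SHA-256 hashes so a truncated or corrupted copy is caught
# here rather than on the subordinate CA or the publishing point.
$copy    = Copy-Item -Path $crlPath -Destination $Destination -PassThru
$srcHash = (Get-FileHash -Algorithm SHA256 $crlPath).Hash
$dstHash = (Get-FileHash -Algorithm SHA256 $copy.FullName).Hash
if ($srcHash -ne $dstHash) {
    throw 'Hash mismatch after copy; do not transport this file'
}
Write-Output "Copied $($copy.Name) to $Destination (SHA256 $srcHash)"
```

Keep the printed hash with the media; comparing it again on the subordinate CA confirms the CRL was not altered in transit.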
There are several considerations related to building an offline root CA. The following sections link to additional information related to PKI design, offline root CA installation, and frequently asked questions (FAQ).
Very good! :)
Thanks. Also, great links...
"Offline root CAs can issue certificates to removable media devices (e.g. floppy disk, USB drive, CD/DVD) and then physically transported to the subordinate CAs..."
Q: Isn't it a bigger security threat to place your certs on a portable media that can be easily lost or stolen, than to allow a secured network to communicate them across the domain?
I needed to run
certutil -dspublish -f yourCAcert.cer NTAuthCA
certutil -enterprise -addstore NTAuth yourCAcert.cer
on the domain controller (source: support.microsoft.com/.../295663)
since apparently, you need to add the certificate to the NTAuth store, because adding them to the "Trusted Root Certification Authorities" isn't good enough. This was very annoying, but now that it works, I'm happy.
Also, Rawsi, no, it is not a bigger security threat to put certs on portable media. Those certs do NOT have private keys in them, and it really doesn't matter if someone has your public keys.