CA Config Files

  • Question

  • It's been a while since I have done this, so I just want a double-check on these capolicy.inf files and scripts. Running Windows Server 2016.

    ROOT CA:

    [Version]
    Signature="$Windows NT$"
    [Certsrv_Server]
    RenewalKeyLength=4096
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=20
    CRLPeriod=weeks
    CRLPeriodUnits=52
    CRLDeltaPeriod=Days
    CRLDeltaPeriodUnits=0
    LoadDefaultTemplates=0

    ------

    certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://pki.company.com/pki/%3%8.crl"

    certutil -setreg CA\CACertPublicationURLs "2:http://pki.company.com/pki/%1_%3%4.crt"

    Certutil -setreg CA\CRLOverlapPeriodUnits 12

    Certutil -setreg CA\CRLOverlapPeriod "Hours"

    Certutil -setreg CA\ValidityPeriodUnits 10

    Certutil -setreg CA\ValidityPeriod "Years"

    certutil -setreg CA\DSConfigDN "CN=Configuration,DC=company,DC=com"

    restart-service certsvc

    certutil -crl

    -------------
    copy C:\Windows\system32\certsrv\certenroll\*.cr* C:\Users\Administrator\Documents

    -------------

    Issuing CA:

    [Version]
    Signature="$Windows NT$"
    [Certsrv_Server]
    RenewalKeyLength=2048
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=5
    LoadDefaultTemplates=0

    -------------

    certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://pki.company.com/pki/%3%8%9.crl"

    certutil -setreg CA\CACertPublicationURLs "2:http://pki.company.com/pki/%1_%3%4.crt\n1:file://\\ServerName......\pki\%1_%3%4.crt"

    Certutil -setreg CA\CRLPeriodUnits 1

    Certutil -setreg CA\CRLPeriod "Weeks"

    Certutil -setreg CA\CRLDeltaPeriodUnits 1

    Certutil -setreg CA\CRLDeltaPeriod "Days"

    Certutil -setreg CA\CRLOverlapPeriodUnits 12

    Certutil -setreg CA\CRLOverlapPeriod "Hours"

    Certutil -setreg CA\ValidityPeriodUnits 5

    Certutil -setreg CA\ValidityPeriod "Years"

    restart-service certsvc

    certutil -crl

    Tuesday, October 3, 2017 8:00 PM
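An added check, not part of the original post: it reads back the AD CS settings that the certutil -setreg lines above write and flags what a reviewer looks for in them: overlap versus CRL period, the CSURL flag bits in front of each URL (1 publish, 2 include in the certificate extension, 4 freshest-CRL pointer, 64 publish delta CRLs), extension URLs that are not http or ldap, a DSConfigDN that no LDAP location uses, and optionally whether the http locations answer at all. Run against the issuing-CA settings above it reports that delta CRLs are on but no location carries bit 64 or bit 4, so the delta file is never written to disk and base CRLs carry no Freshest CRL pointer. Assumptions: run elevated on the CA host with Windows PowerShell 5.1; the values live under HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name> and the Active value of that key names the CA; the overlap count is stored as CRLOverlapUnits (CRLOverlapPeriodUnits is read as a fallback); -RecoveryHours is whatever your runbook says it takes to recover the CA and publish a fresh CRL.

```powershell
<#
  Added example, not the original poster's script. Reads the CA registry configuration and
  reports inconsistencies. Assumptions are listed in the lead-in above.
#>
param(
    [string]$CaName,
    [int]$RecoveryHours = 72,   # assumed target: time to recover the CA and publish a new CRL
    [switch]$ProbeHttp          # HEAD-request every http:// CDP/AIA entry (needs network access)
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (-not $CaName) { $CaName = (Get-ItemProperty -Path $base).Active }
$cfg = Get-ItemProperty -Path (Join-Path $base $CaName)
$findings = New-Object 'System.Collections.Generic.List[string]'

# Period units the CA accepts, expressed in hours (months and years are approximated).
function ConvertTo-Hours([string]$Period, [int]$Units) {
    switch ($Period.ToLowerInvariant()) {
        'minutes' { $Units / 60 }
        'hours'   { $Units }
        'days'    { $Units * 24 }
        'weeks'   { $Units * 24 * 7 }
        'months'  { $Units * 24 * 30 }
        'years'   { $Units * 24 * 365 }
        default   { throw "unknown period unit '$Period'" }
    }
}

# --- CRL timing ---------------------------------------------------------------
$crlHours   = ConvertTo-Hours $cfg.CRLPeriod $cfg.CRLPeriodUnits
$deltaHours = if ($cfg.CRLDeltaPeriodUnits) { ConvertTo-Hours $cfg.CRLDeltaPeriod $cfg.CRLDeltaPeriodUnits } else { 0 }
$ovUnits    = if ($null -ne $cfg.CRLOverlapUnits) { $cfg.CRLOverlapUnits } else { $cfg.CRLOverlapPeriodUnits }
$ovHours    = if ($ovUnits) { ConvertTo-Hours $cfg.CRLOverlapPeriod $ovUnits } else { 0 }

if ($ovHours -eq 0) {
    $findings.Add('CRL overlap is not set; the CA applies its built-in default. Set it explicitly.')
} elseif ($ovHours -ge $crlHours) {
    $findings.Add("CRL overlap ($ovHours h) must be shorter than the base CRL period ($crlHours h)")
} elseif ($ovHours -lt $RecoveryHours) {
    # The overlap is the only slack between 'CA is down' and 'relying parties fail revocation checks'.
    $findings.Add("CRL overlap is $ovHours h but the recovery target is $RecoveryHours h; an outage at the wrong time breaks validation")
}
if ($deltaHours -and $deltaHours -ge $crlHours) {
    $findings.Add("delta CRL period ($deltaHours h) must be shorter than the base CRL period ($crlHours h)")
}

# --- Publication URL flag bits (the number in front of each URL) ---------------
$PUBLISH = 1; $IN_EXT = 2; $IN_FRESHEST = 4; $PUBLISH_DELTA = 64
function Split-Entry([string]$Entry) {
    # "<flags>:<url>"; the URL itself contains ':' so split on the first one only
    $i = $Entry.IndexOf(':')
    [pscustomobject]@{ Flags = [int]$Entry.Substring(0, $i); Url = $Entry.Substring($i + 1) }
}
$cdp = @(@($cfg.CRLPublicationURLs)    | Where-Object { $_ } | ForEach-Object { Split-Entry $_ })
$aia = @(@($cfg.CACertPublicationURLs) | Where-Object { $_ } | ForEach-Object { Split-Entry $_ })

if (-not ($cdp | Where-Object { $_.Flags -band $PUBLISH })) { $findings.Add('no CRL location has bit 1: the CRL is published nowhere') }
if (-not ($cdp | Where-Object { $_.Flags -band $IN_EXT }))  { $findings.Add('no CRL location has bit 2: issued certificates get no CDP extension') }
if (-not ($aia | Where-Object { $_.Flags -band $IN_EXT }))  { $findings.Add('no CA certificate location has bit 2: issued certificates get no AIA extension') }
if ($deltaHours) {
    if (-not ($cdp | Where-Object { $_.Flags -band $PUBLISH_DELTA })) { $findings.Add('delta CRLs are on but no location has bit 64: the delta CRL file is never written') }
    if (-not ($cdp | Where-Object { $_.Flags -band $IN_FRESHEST }))   { $findings.Add('delta CRLs are on but no location has bit 4: base CRLs carry no Freshest CRL pointer') }
    foreach ($e in @($cdp | Where-Object { ($_.Flags -band ($IN_FRESHEST -bor $PUBLISH_DELTA)) -and $_.Url -notmatch '%9' })) {
        $findings.Add("delta location without %9, so base and delta CRL get the same name: $($e.Url)")
    }
}
foreach ($e in @(($cdp + $aia) | Where-Object { ($_.Flags -band $IN_EXT) -and $_.Url -notmatch '^(http|ldap):' })) {
    $findings.Add("only http:// (or ldap:/// for domain members) belongs in a certificate extension: $($e.Url)")
}
if ($cfg.DSConfigDN -and -not (($cdp + $aia) | Where-Object { $_.Url -like 'ldap:*' })) {
    $findings.Add("DSConfigDN is set to '$($cfg.DSConfigDN)' but no ldap:/// location uses it")
}

# --- Optional reachability probe of the http:// locations ----------------------
if ($ProbeHttp) {
    # Token expansion assumes a never-renewed CA (assumption): %4 and %8 are empty, %9 is '' for the base CRL.
    $tokens = @{ '%1' = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName; '%3' = $CaName; '%4' = ''; '%8' = ''; '%9' = '' }
    foreach ($e in @(($cdp + $aia) | Where-Object { ($_.Flags -band $IN_EXT) -and $_.Url -like 'http://*' })) {
        $url = $e.Url
        foreach ($k in $tokens.Keys) { $url = $url.Replace($k, $tokens[$k]) }
        try   { $r = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10; "reachable ($($r.StatusCode)): $url" }
        catch { $findings.Add("unreachable: $url ($($_.Exception.Message))") }
    }
}

"CA '$CaName': base CRL $crlHours h, delta $deltaHours h, overlap $ovHours h"
if ($findings.Count) { $findings | ForEach-Object { "FINDING: $_" } } else { 'no findings' }
```

Run it once after the restart-service / certutil -crl step on each CA; for the root, run it with -RecoveryHours set to the time it realistically takes to retrieve the offline machine, sign a CRL and copy it to the web server, which is the point of sizing the overlap.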

Answers

All replies

  • Hi,

    The capolicy.inf file and script seems right.

    And a useful link for your reference:

    AD CS step by step Guide:2 Tier PKI Hierarchy Deployment

    https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by Vegas577 Wednesday, October 4, 2017 11:36 AM
    Wednesday, October 4, 2017 2:33 AM
    Moderator
  • Thanks. I found another resource online that had a great example, so I used some of the ideas in there as well.
    Wednesday, October 4, 2017 11:36 AM
  • Your files will 'work', but I would have lots of little suggestions.

    RootCA

    I would remove the Digital Signature from your CA's key usage field.

    I would use a standalone CA, and thus not bother with templates. (No reason then to configure the .inf file not to load them.)

    If you are not using LDAP based CDP then there is no reason to specify the 'dsconfigdn' setting at the root.

    I would make sure that the root CA CRL Overlap (yours is 12 hrs) is reflective of your ability to recover the root CA.

    Issuing CA.

    I would remove the Digital Signature from the key usage field.

    I would attach all policy information to the CA certificate.

    I would use constraints to limit cert chain depth and/or naming restrictions.

    I would make sure that the sub CA CRL Overlap (yours is 12 hrs) is reflective of your ability to recover the sub CA.

    I would generally not recommend the use of delta CRLs. While Delta CRLs do have a valid use, I have found the genuine need for them to be exceedingly rare.

    Again, your files will work, but if you really wanted critical commentary on your files, these are the thoughts that come to mind.

    Good Luck,

    -Wayne

    Wednesday, October 4, 2017 11:59 AM
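An added example, not part of the reply above or of the original poster's files: an issuing-CA CAPolicy.inf that applies the suggestions in that reply (no Digital Signature in the CA key usage, policy information on the CA certificate, a path-length limit and name constraints), written to %windir% by a short script that also decodes the key-usage value so you can see what it encodes before the CA ever uses it. Assumptions: the policy OID, the CPS URL and the name suffixes are placeholders for company.com; the file has to be in %windir% before the AD CS role is installed, or before the CA certificate is renewed, to take effect; and a 2.5.29.15 entry in [Extensions] is assumed to replace the default key usage the CA would otherwise put in its own certificate, which you should confirm on the issued CA certificate with certutil -dump.

```powershell
<#
  Added example, not the forum poster's file. Writes an issuing-CA CAPolicy.inf carrying
  the constraints and policy discussed above, then decodes the key-usage value it contains.
  Placeholders (OID, URL, name suffixes) are assumptions; see the lead-in.
#>
$inf = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
LoadDefaultTemplates=0

; Chain depth: this CA signs end-entity certificates only, never another CA.
[BasicConstraintsExtension]
PathLength=0
Critical=Yes

; Certificate policy carried on the CA certificate itself.
[PolicyStatementExtension]
Policies=InternalPolicy
Critical=FALSE

; Placeholder OID: use one under your organisation's registered arc.
[InternalPolicy]
OID=1.3.6.1.4.1.99999.1.1
Notice="company.com issuing CA; certification practice statement at the URL below"
URL=http://pki.company.com/pki/cps.html

; Naming restrictions: chains through this CA are valid only for these name spaces.
; The excluded subtree is a constructed example (a lab zone served by another PKI).
[NameConstraintsExtension]
Include=NameConstraintsPermitted
Exclude=NameConstraintsExcluded
Critical=True

[NameConstraintsPermitted]
DNS=.company.com
UPN=@company.com
EMAIL=@company.com

[NameConstraintsExcluded]
DNS=.lab.company.com

; Key usage as DER: 03 02 01 06 = BIT STRING, length 2, 1 unused bit, value 0x06,
; i.e. bits 5 and 6 set (keyCertSign, cRLSign) and bit 0 (digitalSignature) clear.
[Extensions]
2.5.29.15=AwIBBg==
Critical=2.5.29.15
'@

# Decode a base64 key-usage value with the .NET extension class, so the [Extensions]
# line can be checked on any Windows box without installing a CA.
function Get-KeyUsageFromBase64([string]$Base64) {
    $asn = [System.Security.Cryptography.AsnEncodedData]::new('2.5.29.15', [Convert]::FromBase64String($Base64))
    [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($asn, $true).KeyUsages
}

$path = Join-Path $env:windir 'CAPolicy.inf'
if (Test-Path $path) { Copy-Item $path "$path.bak" -Force }   # keep whatever was there
Set-Content -Path $path -Value $inf -Encoding Ascii
"wrote $path; key usage in [Extensions] decodes to: $(Get-KeyUsageFromBase64 'AwIBBg==')"
```

The decoded key usage should list KeyCertSign and CrlSign and nothing else; if it shows DigitalSignature the base64 value is wrong. A DIRECTORYNAME entry is left out of the permitted subtrees on purpose: it constrains the subject DN of every certificate this CA issues, so a subject such as CN=host01 on its own would no longer chain. Name constraints are evaluated by relying parties when they build the chain, so after installing the CA issue a certificate for a name outside .company.com and confirm that certutil -verify rejects it.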