PKI – Certificate Services – Certutil small guide

  • To add a root CA’s certificate to the trusted root CA store of the computer, you can use the following command:

certutil -addstore -f Root CACertificateFile.crt

Where CACertificateFile is the file name of the root CA’s certificate file.

  • Use the following command to add a root CA’s CRL to the trusted root CA store:

certutil -addstore -f Root CACRLFile.crl

Where CACRLFile is the file name of the root CA’s CRL file.

  • To add a subordinate CA’s certificate to the intermediate CA store, you can use the following command:

certutil -addstore -f CA CACertificateFile.crt

Where CACertificateFile is the file name of the subordinate CA's certificate file.

  • Use the following command to add a subordinate CA’s CRL to the intermediate CA store:

certutil -addstore -f CA CACRLFile.crl

Where CACRLFile is the file name of the subordinate CA’s CRL file.
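The four -addstore steps above, as an added example script that is not part of the original post: it imports a root CA's certificate and CRL into the Root store and a subordinate CA's certificate and CRL into the CA (intermediate) store, checks the exit code of each certutil call instead of trusting silent output, confirms by thumbprint that the certificates landed in the intended store, and optionally validates a leaf certificate's chain against the freshly imported CRLs. The file paths are placeholder assumptions.

```powershell
# Added example (not from the original post). File paths are assumptions; replace them.
param(
    [string]$RootCert = 'C:\PKI\RootCA.crt',
    [string]$RootCrl  = 'C:\PKI\RootCA.crl',
    [string]$SubCert  = 'C:\PKI\SubCA.crt',
    [string]$SubCrl   = 'C:\PKI\SubCA.crl',
    [string]$LeafCert = 'C:\PKI\issued.cer'   # optional leaf certificate to chain-verify
)

function Invoke-CertutilAddStore {
    param([string]$Store, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    # -f overwrites an existing entry; needed when re-importing a newer CRL
    & certutil.exe -addstore -f $Store $Path | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -addstore $Store '$Path' failed with exit code $LASTEXITCODE"
    }
    Write-Host "Added $Path to LocalMachine\$Store"
}

# Root CA certificate and CRL belong in the Trusted Root store ("Root").
Invoke-CertutilAddStore -Store 'Root' -Path $RootCert
Invoke-CertutilAddStore -Store 'Root' -Path $RootCrl
# Subordinate CA certificate and CRL belong in the Intermediate store ("CA").
Invoke-CertutilAddStore -Store 'CA' -Path $SubCert
Invoke-CertutilAddStore -Store 'CA' -Path $SubCrl

# Confirm each certificate is in the intended store by thumbprint, via the Cert: provider.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCert
$sub  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SubCert
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
$inCA   = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object { $_.Thumbprint -eq $sub.Thumbprint }
if (-not $inRoot) { throw "Root CA '$($root.Subject)' not found in LocalMachine\Root" }
if (-not $inCA)   { throw "Sub CA '$($sub.Subject)' not found in LocalMachine\CA" }
Write-Host "Root: $($root.Subject) [$($root.Thumbprint)]"
Write-Host "Sub:  $($sub.Subject) [$($sub.Thumbprint)]"

# Optional end-to-end check: build and validate the chain of a leaf certificate.
# This also exercises the CRLs just imported, so a revoked or expired CRL shows up here.
if (Test-Path -LiteralPath $LeafCert) {
    & certutil.exe -verify $LeafCert
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Chain validation failed for $LeafCert (see certutil output above)"
    }
}
```

Run it from an elevated prompt, since the LocalMachine stores are machine-wide. A CRL import that succeeds but whose CRL is already past its next-update time still produces a failing -verify, which is the check you want before relying on the store.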

  • Use the following certutil.exe command line to publish a CA’s CRL into Active Directory:

certutil -dspublish -f CAName.crl

Where CAName is the logical name of the root CA.

If publication fails, the CRL might contain insufficient LDAP information about the CRL publication location. You can force publication into Active Directory by adding the CA's NetBIOS name to the publication command. For example, if the NetBIOS name of Fabrikam's root CA is FABINCCA01, the command to publish the Fabrikam root CA's CRL is certutil -dspublish -f "Fabrikam Corporate Root CA.crl" FABINCCA01.

  • To define the configuration naming context for your forest, use the following certutil command, where ForestRootDomain is the LDAP distinguished name of your organization’s forest. This command defines the variable %6:

certutil -setreg CA\DSConfigDN CN=Configuration,ForestRootDomain

  • Defining CRL publication intervals:

certutil -setreg CA\CRLPeriodUnits 26

certutil -setreg CA\CRLPeriod "Weeks"

certutil -setreg CA\CRLDeltaPeriodUnits 0

certutil -setreg CA\CRLDeltaPeriod "days"

  • Defining CRL distribution points:

certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://www.fabrikam.com/CertData/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

Note: Each URL is separated by \n. This character combination is the line separation indicator used for multi-valued registry entries.

  • Defining CA certificate distribution points (AIA):

certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://www.fabrikam.com/CertData/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
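The CRLPublicationURLs and CACertPublicationURLs values above are easy to get subtly wrong, and the CA only shows you the result after it has issued certificates with a bad CDP or AIA. The following added example (not from the original post) expands the %N replacement tokens against a constructed sample CA and decodes the numeric prefix of each entry into the standard certutil flag bits, so you can see the exact URLs and behaviours before committing them with -setreg. The CA details (host name, CA name, configuration container) are constructed sample values; the token numbers and flag bits are certutil's documented ones.

```powershell
# Added example (not from the original post). Sample CA values are constructed.
$tokens = @{
    '1'  = 'ca01.fabrikam.com'                   # ServerDNSName
    '2'  = 'CA01'                                # ServerShortName (NetBIOS)
    '3'  = 'Fabrikam Corporate Root CA'          # CaName
    '4'  = ''                                    # CertificateName: '' for the first CA cert, '(1)' after a renewal
    '6'  = 'CN=Configuration,DC=fabrikam,DC=com' # ConfigurationContainer (what CA\DSConfigDN defines)
    '7'  = 'Fabrikam Corporate Root CA'          # CATruncatedName (sanitized name, truncated to 32 chars)
    '8'  = ''                                    # CRLNameSuffix: '' for the current key, '(1)' after renewal with a new key
    '9'  = ''                                    # DeltaCRLAllowed: '+' when naming a delta CRL, '' for the base CRL
    '10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'  # CDPObjectClass
    '11' = '?cACertificate?base?objectClass=certificationAuthority'            # CAObjectClass
}

# Flag bits for CA\CRLPublicationURLs entries.
$crlFlags = @{
    1   = 'Publish CRLs to this location'
    2   = 'Include in the CDP extension of issued certificates'
    4   = 'Include in CRLs (clients use this to find delta CRL locations)'
    8   = 'Include in all CRLs (where to publish in AD when publishing manually)'
    64  = 'Publish delta CRLs to this location'
    128 = 'Include in the IDP extension of issued CRLs'
}
# Flag bits for CA\CACertPublicationURLs entries.
$aiaFlags = @{
    1  = 'Publish CA certificates to this location'
    2  = 'Include in the AIA extension of issued certificates'
    32 = 'Include in the OCSP extension of issued certificates'
}

function Expand-CertutilPublicationUrls {
    param(
        [Parameter(Mandatory)][string]$Value,      # the string you would pass to certutil -setreg
        [Parameter(Mandatory)][hashtable]$Tokens,
        [Parameter(Mandatory)][hashtable]$Flags    # $crlFlags or $aiaFlags
    )
    # The registry value is multi-valued; certutil takes a literal "\n" as the separator.
    foreach ($entry in ($Value -split '\\n')) {
        if ($entry -notmatch '^(\d+):(.*)$') {
            Write-Warning "Entry has no numeric flag prefix: $entry"
            continue
        }
        $number = [int]$Matches[1]
        $url    = $Matches[2]
        # %%N is cmd batch-file escaping for %N; normalise so both forms expand.
        $url = $url -replace '%%(\d+)', '%$1'
        # Replace higher token numbers first so %10/%11 are not read as %1 followed by a digit.
        foreach ($k in ($Tokens.Keys | Sort-Object { [int]$_ } -Descending)) {
            $url = $url.Replace("%$k", $Tokens[$k])
        }
        if ($env:windir) { $url = $url.Replace('%windir%', $env:windir) }
        $set = $Flags.Keys | Where-Object { ($number -band $_) -ne 0 } | Sort-Object
        [pscustomobject]@{
            Flags   = $number
            Meaning = ($set | ForEach-Object { "$_ = $($Flags[$_])" }) -join '; '
            Url     = $url
        }
    }
}

# The two values from the commands above, as written for a batch file (doubled %).
$crlUrls = '1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://www.fabrikam.com/CertData/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10'
$aiaUrls = '1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://www.fabrikam.com/CertData/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11'

'--- CRL distribution points (CA\CRLPublicationURLs) ---'
Expand-CertutilPublicationUrls -Value $crlUrls -Tokens $tokens -Flags $crlFlags | Format-List
'--- CA certificate / AIA locations (CA\CACertPublicationURLs) ---'
Expand-CertutilPublicationUrls -Value $aiaUrls -Tokens $tokens -Flags $aiaFlags | Format-List
```

Two things the expansion makes visible: the LDAP CDP entry with prefix 10 is 2 + 8, so it is written into the CDP extension of issued certificates and is the location used when the CRL is published into AD (which is why -dspublish with the NetBIOS name, CN=%2, works), and no entry carries bit 64, which is consistent with CRLDeltaPeriodUnits 0 (no delta CRLs). To preview a delta CRL name, set '9' = '+' in $tokens and run again.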

  • Validity period for issued certificates:

certutil -setreg CA\ValidityPeriodUnits 10

certutil -setreg CA\ValidityPeriod "Years"

  • Enabling Auditing at the CA

certutil -setreg CA\AuditFilter 127
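AuditFilter 127 is a bitmask, and a value that is not 127 silently drops whole categories of CA events from the Security log. The following added example (not from the original post) reads the active CA's configuration from the CertSvc registry key that -setreg writes, decodes AuditFilter into the seven CA audit categories, warns about any that are off, and reports the CRL publication interval, delta CRL setting, certificate validity period and the next scheduled CRL publish time, so the settings made by the commands in this guide can be checked on the CA itself. The registry locations are the standard CertSvc ones; the interpretation of CRLNextPublish as an 8-byte FILETIME is an assumption and is guarded.

```powershell
# Added example (not from the original post). Run on the CA as an administrator.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active   # name of the active CA
$ca      = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# Bit meanings of CA\AuditFilter, in the order shown on the CA's Auditing tab. 127 = all seven.
$auditBits = @{
    1  = 'Start and stop Active Directory Certificate Services'
    2  = 'Back up and restore the CA database'
    4  = 'Issue and manage certificate requests'
    8  = 'Change CA configuration'
    16 = 'Change CA security settings'
    32 = 'Store and retrieve archived keys'
    64 = 'Revoke certificates and publish CRLs'
}

function Get-AuditFilterReport {
    param([int]$Filter)
    foreach ($bit in ($auditBits.Keys | Sort-Object)) {
        [pscustomobject]@{
            Bit      = $bit
            Category = $auditBits[$bit]
            Enabled  = (($Filter -band $bit) -ne 0)
        }
    }
}

"CA: $caName"
"AuditFilter = $($ca.AuditFilter)"
$report = Get-AuditFilterReport -Filter ([int]$ca.AuditFilter)
$report | Format-Table -AutoSize
$missing = $report | Where-Object { -not $_.Enabled }
if ($missing) {
    Write-Warning ("Audit categories NOT enabled: " + (($missing | ForEach-Object { $_.Category }) -join '; '))
} else {
    "All seven audit categories are enabled (AuditFilter 127)."
}

# CRL schedule as set with CA\CRLPeriodUnits / CA\CRLPeriod and the delta equivalents.
"Base CRL:  every $($ca.CRLPeriodUnits) $($ca.CRLPeriod)"
if ([int]$ca.CRLDeltaPeriodUnits -eq 0) {
    "Delta CRL: disabled (CRLDeltaPeriodUnits = 0)"
} else {
    "Delta CRL: every $($ca.CRLDeltaPeriodUnits) $($ca.CRLDeltaPeriod)"
}
"Issued certificate validity: $($ca.ValidityPeriodUnits) $($ca.ValidityPeriod)"

# CRLNextPublish is stored as REG_BINARY; assumed here to be an 8-byte FILETIME (guarded).
$next = $ca.CRLNextPublish
if ($next -is [byte[]] -and $next.Length -eq 8) {
    $utc = [datetime]::FromFileTimeUtc([BitConverter]::ToInt64($next, 0))
    "Next CRL publish (UTC): $utc"
    if ($utc -lt (Get-Date).ToUniversalTime()) {
        Write-Warning "Next CRL publish time is in the past; check that CertSvc is running and publishing."
    }
} else {
    "Next CRL publish: value not in the expected 8-byte format; use 'certutil -getreg CA\CRLNextPublish'"
}
```

Two caveats worth keeping next to the -setreg commands: a changed AuditFilter (like any CA\ registry change) takes effect only after CertSvc is restarted, and the CA writes its audit events only if the Certification Services subcategory of Object Access auditing is enabled on the server, so a filter of 127 with that policy off still produces no events.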

  • To view CRL Configuration:

certutil -getreg ca\CRLPublicationURLs

  • To publish the CRL, at a command prompt, type

certutil -CRL

  • To display the next time the CA expects to wake up and publish a CRL:

certutil -getreg ca\CRLNextPublish
