Archive for June, 2010

How to setup Microsoft Standalone Root CA

If you need to create a Microsoft Standalone Root CA, this short paper tries to help you. Before creating the Standalone Root CA, you must first create a text file called CAPolicy.inf. At a minimum, CAPolicy.inf should contain:

; File %SystemRoot%\CAPolicy.inf
; Configuration file of the HomeWorks Root CA (Windows 2003 R2 Standard Server, part of Active Directory)
; Note: the [Version] and [Certsrv_Server] section headers are required; without them the CA setup ignores the settings.

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength = 2048
RenewalValidityPeriodUnits = 10
RenewalValidityPeriod = Years
CRLPeriod = Years
CRLPeriodUnits = 1

; End of file

Once you have created CAPolicy.inf, copy it into the %SystemRoot% folder of your Windows system (in this paper we assume that you are working on a Windows 2008 Standard member server of an Active Directory domain). To learn how to install a Microsoft Standalone Root CA you can watch this video:

If the Standalone Root CA is the only CA you will use to issue your certificates, you should also install the Certification Authority Web Enrollment role service.

Run a post-configuration script on the Microsoft Standalone Root CA. A simple post-configuration script could be:

@echo off

rem Set up a local environment
setlocal enableextensions

rem Initialise variables
set Answer=

echo Questo script ha il compito di personalizzare la configurazione della Root CA.

rem Ask for confirmation through a temporary VBScript whose output is a batch file that sets Answer
Set _T=%temp%\~tmp
echo Set oFS=CreateObject("Scripting.FileSystemObject")>%_T%.vbs
echo oFS.OpenTextFile("CON",2).Write "Vuoi proseguire con l'esecuzione dello script [si/no]: ">>%_T%.vbs
echo S=(Trim(oFS.OpenTextFile("CON",1).Readline))>>%_T%.vbs
echo Wscript.Echo "set Answer="+CStr(S)>>%_T%.vbs
cscript.exe //nologo %_T%.vbs > %_T%.bat
rem First iteration runs the generated batch file (which sets Answer), second iteration deletes both temporary files
for %%v in (%_T%.bat del) do call  %%v %_T%.???
set _T=

rem Continue only on an explicit "si"; any other answer ends the script
if /i "%Answer%" equ "si" goto EXEC
if /i "%Answer%" equ "no" goto END

echo La risposta che hai dato non e' corretta !!!
echo Puoi rispondere solamente con un si o con un no.
goto END

:EXEC
rem Check that the folders the script needs exist
if not exist %SystemDrive%\Logs md %SystemDrive%\Logs
set LOGFILE=%SystemDrive%\Logs\Root_CA_Post_Config.log

rem Write the log file header
echo. >> %LOGFILE%
echo Esecuzione del %DATE% alle %TIME% >> %LOGFILE%
echo. >> %LOGFILE%

rem Set the variables used in the certificates issued to the Subordinate CAs (LDAP naming context, AIA and CDP URLs)
set /p myADnamingcontext="Inserisci il nome del dominio LDAP (ad es: DC=homeworks,DC=it): "
echo Esempio:
set /p myCACertURL="Inserisci URL del Certificato della Root CA: "
echo Esempio:
set /p myCACRLURL="Inserisci URL della Root CA CRL: "

rem Configure the digital certificates issued by the Root CA
echo Impostiamo la configurazione della Root CA ...
echo Dominio LDAP: %myADnamingcontext%
certutil -setreg CA\DSConfigDN "CN=Configuration,%myADnamingcontext%" >> %LOGFILE%
echo. >> %LOGFILE%
rem CRL locations: 1 = publish here, 2 = include in the CDP extension, 10 = CDP extension + publish to Active Directory
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:%myCACRLURL%\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10" >> %LOGFILE%
echo. >> %LOGFILE%
rem CA certificate locations: 1 = publish here, 2 = include in the AIA extension
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%myCACertURL%\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11" >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLPeriodUnits 1 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLPeriod "Years" >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLDeltaPeriodUnits 0 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLOverlapPeriod "Days" >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLOverlapUnits 1 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\ValidityPeriodUnits 5 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\ValidityPeriod "Years" >> %LOGFILE%

rem Restart the Certification Authority service (Active Directory Certificate Services) so the new settings take effect
echo Riavviamo il servizio Active Directory Certificate Services ...
net stop certsvc & net start certsvc >> %LOGFILE%

rem Activate the Root CA (create the CertSrv virtual root in IIS)
echo Attiviamo la Root CA ...
certutil -vroot >> %LOGFILE%

rem Publish the CRL
echo Pubblichiamo la CRL della Root CA ...
certutil -CRL >> %LOGFILE%

echo Fine esecuzione dello script ...
echo. >> %LOGFILE%
echo Fine del file di log >> %LOGFILE%

:END
exit /b
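To confirm what the post-configuration script actually wrote into the CA's registry configuration, here is an added PowerShell check (my own example, not the post's script): it reads the active CA's CRLPublicationURLs and CACertPublicationURLs values, decodes the numeric flag prefix of each entry, and warns if a CDP location is advertised in issued certificates without being published anywhere. It assumes the CA settings live under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>, which is where certutil -setreg CA\... writes them, and that the CA name is stored in the Active value of the parent key.

```powershell
# Added example, not from the original post: decode the CDP/AIA publication
# settings that the post-configuration script writes with certutil -setreg.
# Assumed registry layout: the CA name is the 'Active' value under
# ...\CertSvc\Configuration and the CA settings live in a subkey of that name.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$caKey  = Join-Path $base $caName
$cfg    = Get-ItemProperty -Path $caKey

# Meaning of the numeric prefix on each URL entry (same bits as the CA MMC checkboxes).
$crlFlags = @{
    1   = 'Publish CRLs to this location'
    2   = 'Include in the CDP extension of issued certificates'
    4   = 'Include in CRLs (clients use this to find delta CRL locations)'
    8   = 'Include in all CRLs (Active Directory publishing location)'
    64  = 'Publish delta CRLs to this location'
    128 = 'Include in the IDP extension of issued CRLs'
}
$aiaFlags = @{
    1  = 'Publish certificates to this location'
    2  = 'Include in the AIA extension of issued certificates'
    32 = 'Include in the OCSP extension of issued certificates'
}

function Decode-PublicationUrls {
    param([string[]]$Entries, [hashtable]$FlagTable)
    foreach ($entry in $Entries) {
        # Each entry is "<flags>:<url template>", e.g. "10:ldap:///CN=%7%8,CN=%2,..."
        # Split on the first ':' only, because the URL itself contains colons.
        $flags, $url = $entry -split ':', 2
        $flags = [int]$flags
        $set = $FlagTable.Keys | Sort-Object |
               Where-Object { ($flags -band $_) -ne 0 } |
               ForEach-Object { $FlagTable[$_] }
        [pscustomobject]@{ Flags = $flags; Url = $url; Meaning = ($set -join '; ') }
    }
}

Write-Host "CA: $caName"
Write-Host "CRL validity : $($cfg.CRLPeriodUnits) $($cfg.CRLPeriod) (overlap $($cfg.CRLOverlapUnits) $($cfg.CRLOverlapPeriod))"
Write-Host "Cert validity: $($cfg.ValidityPeriodUnits) $($cfg.ValidityPeriod)"

Write-Host "`nCRL distribution points (CRLPublicationURLs):"
$cdp = Decode-PublicationUrls -Entries $cfg.CRLPublicationURLs -FlagTable $crlFlags
$cdp | Format-Table -AutoSize

Write-Host "Authority Information Access (CACertPublicationURLs):"
$aia = Decode-PublicationUrls -Entries $cfg.CACertPublicationURLs -FlagTable $aiaFlags
$aia | Format-Table -AutoSize

# Sanity checks before issuing certificates: a CDP URL that is placed in issued
# certificates but never published is a revocation-checking failure waiting to happen.
$advertised = $cdp | Where-Object { ($_.Flags -band 2) -ne 0 }
$published  = $cdp | Where-Object { ($_.Flags -band 9) -ne 0 }   # 1 = file/HTTP publish, 8 = AD publish
if (-not $advertised) { Write-Warning 'No CDP location is included in issued certificates (flag 2).' }
if (-not $published)  { Write-Warning 'No CDP location is actually published (flag 1 or 8).' }
foreach ($e in $advertised) {
    if ($e.Url -match '^https?://') {
        Write-Host "Verify that this HTTP CDP is reachable from clients: $($e.Url)"
    }
}
```

Run it on the CA itself from an elevated PowerShell prompt after the script has restarted certsvc; the HTTP CDP and AIA URLs it prints are the ones you entered at the set /p prompts and the ones clients will fetch, so check them from a workstation as well.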

Run the following commands to register the digital certificate of the Standalone Root CA and its CRL in Active Directory: certutil -f -dspublish <CA_Cert_File_Name> RootCA and certutil -f -dspublish <CRL_File_Name>

The files <CA_Cert_File_Name> and <CRL_File_Name> are located in the folder %SystemRoot%\System32\CertSrv\CertEnroll

Assign a digital certificate to IIS for the HTTPS connection to the website where you request your certificates. To learn how to do this, read the article Installing an SSL Certificate in Windows Server 2008 (IIS 7.0) (use the Create Domain Certificate... action). Now you are ready to issue your digital certificates.

For more information, please consult the following article: Designing and Implementing a PKI Part II


Unable on Windows 7 to connect to a shared folder via UNC path

A few days ago I came across a really strange problem. On a Windows 7 workstation (the same problem can occur on Windows Vista) it was impossible to connect to any shared folder via a UNC path. Although the error message suggested a name-resolution problem, the workstation was perfectly able to resolve the FQDN or NetBIOS name of every server, and the problem occurred even when I used the server's IP address instead of its name. Very strange...

Error message: 0x800704CF

After a quick search on Google I finally found a solution to the strange problem, reading the various posts in the Microsoft forums. The problem seems to be related to the presence of an abnormal number of network devices (devices that do not physically exist on my Windows 7 laptop). Opening Device Manager and showing the hidden devices (open View, then select Show Hidden Devices) revealed about two hundred network adapters called Microsoft Device 6to4:

Microsoft Device 6to4


To solve the strange problem it was enough to delete all the network adapters called Microsoft Device 6to4. If you do not want to risk carpal tunnel syndrome, I suggest using the Microsoft tool devcon.exe, which lets you run from the command line, on Windows 2000/XP/Vista/7, the operations that usually take place in Device Manager. For example, to delete all network adapters called Microsoft Device 6to4 you could use the command: devcon remove *6to4MP*

To list all the devices on your system instead, just use the command: devcon status *

Devcon.exe does not work very well on 64-bit Windows Vista/7 workstations. In those cases it is not unusual to have to remove all the Microsoft Device 6to4 network adapters by hand!
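Before removing anything with devcon, it helps to confirm how many 6to4 adapter instances the machine has actually enumerated, since a single one is normal. The following PowerShell snippet is an added example and is not part of the original post; it assumes the adapters are root-enumerated under HKLM\SYSTEM\CurrentControlSet\Enum\ROOT\*6TO4MP (the hardware ID that the devcon pattern *6to4MP* above matches), with one numbered subkey per instance, and must be run from an elevated prompt.

```powershell
# Added example, not from the original post: count the Microsoft 6to4 adapter
# instances Windows has enumerated, before touching anything with devcon.exe.
# Assumption: root-enumerated 6to4 adapters are registered under
# Enum\ROOT\*6TO4MP, one numbered subkey per instance.
$enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\ROOT\*6TO4MP'

function Get-6to4AdapterInstances {
    # -LiteralPath because the key name contains '*', which would otherwise be treated as a wildcard
    if (-not (Test-Path -LiteralPath $enumKey)) { return @() }
    Get-ChildItem -LiteralPath $enumKey | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        [pscustomobject]@{
            Instance     = $_.PSChildName   # e.g. 0000, 0001, ...
            FriendlyName = $p.FriendlyName  # may be empty for ghost instances
            DeviceDesc   = $p.DeviceDesc
            Driver       = $p.Driver        # class GUID\instance of the bound driver
        }
    }
}

$instances = @(Get-6to4AdapterInstances)
"{0} 6to4 adapter instance(s) enumerated" -f $instances.Count
$instances | Format-Table -AutoSize

# One instance is expected on a 6to4-capable system; dozens or hundreds is the
# ghost-adapter build-up described in the post that breaks UNC access.
if ($instances.Count -gt 5) {
    Write-Warning ("{0} 6to4 adapters enumerated: remove them with devcon (devcon remove *6to4MP*) " +
                   "or by hand in Device Manager, then reboot and retest the UNC path." -f $instances.Count)
}
```

Rerun the snippet after the cleanup to confirm the count has dropped back to one (or zero if the adapter has been disabled), and keep the count as a quick health check on machines where the problem has appeared before.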
