How to setup Microsoft Standalone Root CA
If you need to create a Microsoft Standalone Root CA, this short paper tries to help you. Before creating the Microsoft Standalone Root CA, you must provide to create a text file called CAPolicy.inf. At a minimum, a file CAPolicy.inf should be done with:
; File %SystemRoot%\CAPolicy.inf
;
; File di configurazione della HomeWorks Root CA (Windows 2003 R2 Standard Server, fa parte di Active Directory)[Version]
Signature= “$Windows NT$”[certsrv_server]
renewalkeylength = 2048
RenewalValidityPeriodUnits = 10
RenewalValidtyPeriod = Years
CRLPeriod = Years
CRLPeriodUnits = 1[AuthorityInformationAccess]
[CRLDistributionPoint]
;Fine file
Once created the file CAPolicy.inf, copy it in the folder %SystemRoot% of your Windows system (in this paper we assume that you are working on a Windows 2008 Standard member of an Active Directory domain). To learn how to install a Microsoft Standalone Root CA you can watch this video:
If you only use the Standalone Root CA to provide your certificates, then it is good that you also install the Certification Authority Web Enrollment role.
Run a post-configuration scripts on Microsoft Standalone Root CA. A simple post-configuration script could be:
@echo off
rem Definiamo l’ambiente locale
setlocal enableextensionsrem Impostiamo le variabili
set Answer=echo.
echo Questo script ha il compito di personalizzare la configurazione della Root CA.:QUESTION
echo.
Set _T=%temp%\~tmp
echo Set oFS=CreateObject(“Scripting.FileSystemObject”)>%_T%.vbs
echo oFS.OpenTextFile(“CON”,2).Write “Vuoi proseguire con l’esecuzione dello script [si/no]: “>>%_T%.vbs
echo S=(Trim(oFS.OpenTextFile(“CON”,1).Readline))>>%_T%.vbs
echo Wscript.Echo “set Answer=”+CStr(S)>>%_T%.vbs
cscript.exe //nologo %_T%.vbs > %_T%.bat
for %%v in (%_T%.bat del) do call %%v %_T%.???
set _T=
goto CONTINUE:EXEC
rem Controlliamo l’esistenza della cartelle necessarie all’esecuzione dello script
if not exist %SystemDrive%\Logs md %SystemDrive%\Logs
set LOGFILE=%SystemDrive%\Logs\Root_CA_Post_Config.logrem Intestiamo il file di log
echo FILE DI LOG DEL COMANDO ROOT_CA_POST_CONFIG.CMD >> %LOGFILE%
echo. >> %LOGFILE%
echo Esecuzione del %DATE% alle %TIME% >> %LOGFILE%
echo. >> %LOGFILE%
echo.rem Impostiamo le variabili per la gestione dei certificati delle Subordinate CA
set /p myADnamingcontext=”Inserisci il nome del dominio LDAP (ad es: DC=homeworks,DC=it): ”
echo Esempio: http://www.homeworks.it/ca/cert/HomeWorks_Root_CA_Public_Cert.crt
set /p myCACertURL=”Inserisci URL del Certificato della Root CA: ”
echo Esempio: http://www.homeworks.it/ca/crl/HomeWorks_Root_CA_Revocation_List.crl
set /p myCACRLURL=”Inserisci URL della Root CA CRL: ”
echo.rem Impostiamo la configurazione dei Certificati Digitali rilasciati dalla Root CA
echo Impostiamo la configurazione della Root CA …
echo Dominio LDAP: %myADnamingcontext%
certutil -setreg CA\DSConfigDN “CN=Configuration,%myADnamingcontext%” >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLPublicationURLs “1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:%myCACRLURL%\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10” >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CACertPublicationURLs “1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%myCACertURL%\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11” >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLPeriodUnits 1 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLPeriod “Years” >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLDeltaPeriodUnits 0 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLOverlapPeriod “Days” >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLOverlapUnits 1 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\ValidityPeriodUnits 5 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\ValidityPeriod “Years” >> %LOGFILE%rem Riavviamo il servizio Certification Authority (Active Directory Certificate Services)
echo Riavviamo il servizio Active Directory Certificate Services …
net stop certsvc & net start certsvc >> %LOGFILE%rem Attiviamo la Root CA
echo Attiviamo la Root CA …
certutil -vroot >> %LOGFILE%rem Pubblichiamo la CRL
echo Pubblichiamo la CRL della Root CA …
certutil -CRL >> %LOGFILE%echo Fine esecuzione dello script ….
echo. >> %LOGFILE%
echo Fine del file di log >> %LOGFILE%:END
endlocal
exit /b:CONTINUE
if /i “%Answer%” equ “si” goto EXEC
if /i “%Answer%” equ “no” goto END
goto ERRATA:ERRATA
echo.
echo La risposta che hai dato non e’ corretta !!!
echo Puoi rispondere solamente con un si o con un no.
goto QUESTION
Run the following commands to register the digital certificate of the Standalone Root CA and its CRL in Active Directory: certutil -f dspublish <CA_Cert_File_Name> RootCA and certutil – f -dspublish <CRL_File_Name>
The files <CA_Cert_File_Name> and <CRL_File_Name> are located in the folder %SystemRoot%\System32\CertSrv\CertEnroll
Assign a digital certificate for HTTPS connection to IIS to access the website where you require your digital certificates. To learn how to do this work, read the article (use the action Create Domain Certificate …) Installing an SSL Certificate in Windows Server 2008 (IIS 7.0). Now you’re ready to drop your digital certificates.
For more information, please consult the following article: Designing and Implementing a PKI Part II
Leave a reply to www.wikarta.com Cancel reply
Recent Comments
 | cristina on OpenOffice, Come Impostare l… |
| Active Directory – C… on How to get the last password c… | |
 | dan on How to get the last password c… |
 | caitlyn meyer on How to get the last password c… |
HomeWorks's Blog 
Thanks for going through all this, i have just started making a windows mail server at work, am i want to be able to use SSL so people and customers can use the mail server securely outside of the office. I have tried to follow the instruction i was given by a friend but it does not work it giving me a 404 error now with a blank page. Any idea what i should do?
If you want to create PKI with OpenSSL you could read this my article: http://www.homeworks.it/Html/OpenSSL_PKI_Articolo_Eng.html If you want to configure IIS6 or IIS7 to use SLL protocol (HTTPS), then you should read this blog: http://www.sslshopper.com/article-installing-an-ssl-certificate-in-windows-server-2008-iis-7.0.html (for IIS7), https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO2657 (fors IIS6).
I hope I helped you.
Bye,
Alessandro
Hi there just wanted to give you a quick heads up.
The text in your post seem to be running off the screen in Safari.
I’m not sure if this is a format issue or something to do with internet browser compatibility but I thought I’d post
to let you know. The style and design look great though!
Hope you get the issue solved soon. Cheers
Excellent site you’ve got here.. It’s hard to find high quality writing like yours nowadays.
I truly appreciate people like you! Take care!!
I’m not that much of a online reader to be honest but your blogs really nice, keep it up!
I’ll go ahead and bookmark your website to come back in the future. Cheers
We’re a group of volunteers and opening a new scheme in our community.
Your website provided us with valuable info to work on.
You have done an impressive job and our entire
community will be thankful to you.