Installing an offline root CA

Jun 28, 2012 at 6:18 PM

Hi

I tried to create a script to install an offline root CA. This isn't possible with your PS scripts, because you do a check for domain membership. Some PS commands need a domain, so I understand the check. But an offline root CA is never a domain member. Any chance that you will make a separate setup for a CA that is not domain joined?

Martijn

Coordinator
Jun 28, 2012 at 6:32 PM

You can copy the Install-CertificationAuthority.ps1 file to your offline server. In fact, this function is standalone and does not use other module commands/variables.

Jul 6, 2012 at 10:03 AM
Camelot wrote:

You can copy the Install-CertificationAuthority.ps1 file to your offline server. In fact, this function is standalone and does not use other module commands/variables.

I also need to use the commands get-ca, get-cdp, Remove-CrlDistributionPoint, Add-CrlDistributionPoint, Remove-AuthorityInformationAccess, Add-AuthorityInformationAccess and get-AIA.


The first command failed, because my server is not a domain member. Is it possible to use these commands on a standalone server?

Coordinator
Jul 6, 2012 at 10:50 AM

This functionality is not available yet. I'm working on this.

Jul 12, 2012 at 10:07 PM

You can still use a capolicy.inf file in %systemroot% directory (e.g. c:\Windows) to get rid of the default CDP/AIA entries for the root cert, however it will still be configured for issuing the subordinate certs until you update them.  Example:

[Version]
; the signature line must read exactly "$Windows NT$" or certsrv ignores the file
Signature="$Windows NT$"
[CRLDistributionPoint]
; no CDP in the root certificate
empty=true
[AuthorityInformationAccess]
; no AIA in the root certificate
empty=true
[BasicConstraintsExtension]
critical=true
IsCA=true
[Extensions]
; 2.5.29.15 = Key Usage; the base64 value encodes keyCertSign + cRLSign
2.5.29.15 = AwIBBg==
Critical = 2.5.29.15

You can use the following basic installation command for the offline root install (note there are many other options you can add into this):

Install-CertificationAuthority -CAName "YourRootCAName" -CADNSuffix "YourDomainDN -or- O=Your Company Name,C=2 letter country code" -CAType "Standalone Root"  -KeyLength 2048 -HashAlgorithm SHA256 -ValidForYears 15

for the -CADNSuffix value see this article:

http://blogs.microsoft.co.il/blogs/yuval14/archive/2011/09/01/finding-dsconfigdn-and-dsdomaindn-values-by-using-certutil.aspx

(even though it is not part of your domain, if it is used internally to your domain then you might want to use the AD value, otherwise just use an organizational identifier so it has more meaning than just the CA name).


The CDP & AIA values need to get done manually or via batch file (certutil -setreg) - figuring out the batch file values tends to be a long discussion - it is usually just easier to put the values you want into a txt file and copy/paste via the GUI.  If there is no GUI then I would suggest configuring on a test box CA and exporting the following registry key and parse the following values (note they are encoded when you export them):

HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\(CAName)\

CACertPublicationURLs

CRLPublicationURLs


You can view them with 'certutil -getreg ca\CRLPublicationURLs' etc.
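As an added example (not code from this thread or from the PSPKI module), the following script sets the two registry values above with certutil -setreg instead of the GUI and reads them back both ways; pki.example.com is a placeholder and the flag bits are the documented CSURL_* values, so adjust them for your own publication needs.

```powershell
# Added example, not part of the original thread. Run elevated on the root CA
# after the CA role is installed. Replace the placeholder HTTP location.
$HttpBase = 'http://pki.example.com/CertEnroll'        # placeholder publication URL
$Local    = '%WINDIR%\system32\CertSrv\CertEnroll'     # certutil expands %WINDIR% itself

# Prefix flag bits (CSURL_* values as documented by certutil -getreg output):
#   1 = CSURL_SERVERPUBLISH   publish the CRL/cert to this location (file or LDAP)
#   2 = CSURL_ADDTOCERTCDP    put this URL into the CDP/AIA extension of issued certs
# Token variables: %1 = server DNS name, %3 = CA name, %4 = cert index,
#   %8 = CRL name suffix, %9 = delta CRL suffix.
# certutil treats a literal "\n" in the value as the multi-string separator.
$crlUrls = @(
    "1:$Local\%3%8%9.crl",        # write the CRL locally so it can be copied offline
    "2:$HttpBase/%3%8%9.crl"      # advertise only the HTTP CDP in issued certificates
) -join '\n'

$aiaUrls = @(
    "1:$Local\%1_%3%4.crt",       # local copy of the CA certificate
    "2:$HttpBase/%1_%3%4.crt"     # HTTP AIA advertised in issued certificates
) -join '\n'

certutil -setreg CA\CRLPublicationURLs    $crlUrls
certutil -setreg CA\CACertPublicationURLs $aiaUrls

# New values take effect after a service restart; publish a fresh CRL afterwards.
Restart-Service -Name CertSvc
certutil -CRL

# Read back with certutil, as the thread suggests ...
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# ... or straight from the registry key named above. The "Active" value under
# Configuration holds the CA name, so the key path need not be typed by hand.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
(Get-ItemProperty -Path "$cfg\$caName").CRLPublicationURLs
(Get-ItemProperty -Path "$cfg\$caName").CACertPublicationURLs
```

Certificates already issued keep their old CDP/AIA values, so the subordinate CA certificate has to be reissued after the change, and on an offline root the CRL file still has to be carried to the HTTP location by hand.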

Coordinator
Jul 13, 2012 at 6:19 AM

2Paranormastic

Since the Install-CertificationAuthority cmdlet is supported by Windows Server 2008 and newer systems, there is no need to put CDP/AIA extensions in CAPolicy.inf, because they do not appear in root certificates by default. Moreover, there are a bunch of commands to edit CDP/AIA extensions on CA servers:


HTH