07. Install and Configure Offline Standalone Root Certificate Authority

36,332 views

MSFT WebCast

1 day ago

Comments: 41
@MSFTWebCast
@MSFTWebCast 3 years ago
On RootCA, copy and paste this into Notepad, and save it as C:\Windows\CAPolicy.inf
###########################################################
notepad C:\Windows\CAPolicy.inf

[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.2.3.4.1455.67.89.5

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=20
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
########################################################
Define the Active Directory Configuration Partition's distinguished name.
certutil -setreg ca\DSConfigDN "CN=configuration,dc=mylab,dc=local"
certutil -setreg ca\DSDomain "dc=mylab,dc=local"
_________________________________________________________
This sets the overlap period between the CRL and the Delta CRL.
(The registry value certsvc reads is CRLOverlapUnits; CRLOverlapPeriodUnits is not a recognised name.)
certutil.exe -setreg CA\CRLOverlapUnits 3
_________________________________________________________
This command sets the CRL Overlap Period to weeks.
certutil.exe -setreg CA\CRLOverlapPeriod "Weeks"
_________________________________________________________
This command sets the maximum certificate validity period of certificates issued by this CA (the unit, ValidityPeriod, defaults to Years).
certutil.exe -setreg CA\ValidityPeriodUnits 10
#######################################################
Restart the AD CS service.
net stop certsvc
net start certsvc
@abdelazizaqel
@abdelazizaqel 2 years ago
Great work, thanks for your help, and keep us updated. Can you please enable subtitles for this playlist? It will help us more, and if there were a direct link to your explanation blog, like the other playlists, that would be amazing.
@MrIT1982
@MrIT1982 10 months ago
Very good, impressive and easy setup, thank you.
@MSFTWebCast
@MSFTWebCast 10 months ago
You are welcome!
@ArifKhan-uf3ml
@ArifKhan-uf3ml 2 years ago
You should have explained the first two paths in AIA and CDP, which you did not delete. Why? What is the purpose of those? Thank you.
@fbifido2
@fbifido2 3 years ago
@2:07 - PeriodUnits=20, can we change this to 50 years? @5:49 - Is RSA the only option you have here, can you select another type? @6:11 - What can be entered in "Distinguished name suffix"?
@jarves1231
@jarves1231 3 years ago
I saw another tutorial, but using Windows 2016. They are not using those commands and the .inf file. Are these commands necessary for Windows 2019?
@MSFTWebCast
@MSFTWebCast 3 years ago
It is up to us what settings we want to define for our CA. That file is used to define the extensions, constraints, and other configuration settings that are applied to a root Certification Authority certificate and all certificates issued by the root CA.
@jarves1231
@jarves1231 3 years ago
@@MSFTWebCast I understand now. Your method is PowerShell, while the others I watched were using the GUI.
@lahirunimnajith3519
@lahirunimnajith3519 1 year ago
Thank you, brother.
@mokk1961
@mokk1961 1 year ago
I could not find the capolicy.inf content and the other certutil commands you referenced.
@MSFTWebCast
@MSFTWebCast 1 year ago
notepad C:\Windows\CAPolicy.inf

[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.2.3.4.1455.67.89.5

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=20
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
@mokk1961
@mokk1961 1 year ago
@@MSFTWebCast Thank you for such a quick response, and thank you for converting the Microsoft document into a video.
@jarifin776
@jarifin776 2 years ago
Hello, is it necessary to use the CAPolicy.inf? I mean, can I configure this series without it?
@MSFTWebCast
@MSFTWebCast 2 years ago
The CAPolicy.inf file tells the server how to configure itself when the Certificate Services role is installed. If you don't want to use it, it is OK, but it is best practice to have it.
@jarifin776
@jarifin776 2 years ago
@@MSFTWebCast Thank you for the explanation 😁
@JasonForte-fw3uj
@JasonForte-fw3uj 2 years ago
Can you check if you made a mistake with "CA\CRLOverlapPeriodUnits" should it actually be "CA\CRLOverlapUnits" ? Thank you.
@MSFTWebCast
@MSFTWebCast 2 years ago
I have checked one more time and it is correct. Reference: learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731104(v=ws.11)?redirectedfrom=MSDN and
@JasonForte-fw3uj
@JasonForte-fw3uj 2 years ago
@@MSFTWebCast Thanks for the reply. I installed AD CS for Server 2016 and that registry key is not there by default, as all the others are. If I navigate to HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/CertSvc/Configuration/ the two registry entries there are CRLOverlapPeriod and CRLOverlapUnits. CRLDeltaOverlapPeriodUnits is not there unless I create it. Though interestingly, others such as ValidityPeriodUnits do exist. It seems that they may have changed the names of these in 2016? What are your thoughts? After following along with your video I have both entries (CRLOverlapUnits and CRLOverlapPeriodUnits) but I'm not sure I need both.
@atifmbaig
@atifmbaig 1 year ago
@@MSFTWebCast I don't see CA\CRLOverlapPeriodUnits on this link. It is "CA\CRLOverlapUnits".
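An added check for the two threads above (the pinned certutil settings and the CRLOverlapPeriodUnits vs CRLOverlapUnits question); this is example code written for this page, not something from the video or its author. It reads the live AD CS configuration from the registry key the comment mentions, prints the CRL and validity settings, and warns if a value was stored under a name certsvc does not read. It assumes it runs elevated on the CA host and that the CA name can be taken from the Active value under CertSvc\Configuration.

```powershell
# Example added for this page, not from the video. Run elevated on the CA.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active   # name of the active CA
$caKey  = Join-Path $base $caName
$cfg    = Get-ItemProperty -Path $caKey

# Value names certsvc actually reads for CRL scheduling, issued-cert lifetime
# and the AD partition it publishes to (assumed list, from the Microsoft docs).
$expected = 'CRLPeriod', 'CRLPeriodUnits',
            'CRLDeltaPeriod', 'CRLDeltaPeriodUnits',
            'CRLOverlapPeriod', 'CRLOverlapUnits',
            'ValidityPeriod', 'ValidityPeriodUnits',
            'DSConfigDN', 'DSDomain'

foreach ($name in $expected) {
    $value = $cfg.$name
    if ($null -eq $value) { "{0,-22} <not set>" -f $name }
    else                  { "{0,-22} {1}" -f $name, $value }
}

# certutil -setreg happily creates any value name you type; a mistyped name is
# written to the registry and then silently ignored by the service.
$stray = 'CRLOverlapPeriodUnits'
if ($null -ne $cfg.$stray) {
    Write-Warning "$stray = $($cfg.$stray) exists but certsvc does not read it; set CA\CRLOverlapUnits instead."
}

# The same values through the supported interface (errors if a value is absent):
certutil -getreg CA\CRLOverlapPeriod
certutil -getreg CA\CRLOverlapUnits
certutil -getreg CA\ValidityPeriodUnits

# To confirm the overlap is really applied, publish a CRL and compare
# ThisUpdate/NextUpdate: the gap should be CRLPeriod plus the overlap.
# certutil -crl
# certutil -dump "$env:windir\System32\CertSrv\CertEnroll\$caName.crl" | Select-String 'ThisUpdate|NextUpdate'
```

If the warning fires, delete the stray value (certutil -delreg CA\CRLOverlapPeriodUnits), set CA\CRLOverlapUnits, and restart certsvc; the new overlap only shows up in CRLs published after the restart.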
@ricflair4052
@ricflair4052 4 years ago
16:23 If I accidentally deleted the .crt file, how can I regenerate it again? Thanks
@MSFTWebCast
@MSFTWebCast 4 years ago
For that you need to generate (publish) the CRL again. Repeat the steps from 14:48 to 15:18.
@ricflair4052
@ricflair4052 4 years ago
@@MSFTWebCast It's a .crt, not a .crl file, and the timestamps generated are different.
@mohammedpasha3649
@mohammedpasha3649 2 years ago
Excellent video, can you please cover SCEP/NDES?
@MSFTWebCast
@MSFTWebCast 2 years ago
Great suggestion! I will try.
@shitalpawar9467
@shitalpawar9467 2 years ago
How do I remove a file location from the CDP extensions if we forgot to remove it? I removed it from the CDP and published the CRL again, but I can still see an error for the file location in pkiview.msc.
@rajd2145
@rajd2145 5 years ago
Hello, I cannot find the Notepad file. I'd appreciate it if you could share it with me.
@abhimanyuneupane9785
@abhimanyuneupane9785 2 years ago
Can we do the same process on an online standalone root CA that is domain joined?
@MSFTWebCast
@MSFTWebCast 2 years ago
Yes, you can deploy a standalone root CA on a domain-joined server. The process will remain the same, but on a domain-joined server you need to select the standalone CA option while specifying the type of the CA.
@abhimanyuneupane9785
@abhimanyuneupane9785 2 years ago
@@MSFTWebCast I already have AD CS, which is the root. Now I want to add a subordinate or intermediate CA. 1. Can I install it on the same server? 2. Do I need another server for the subordinate CA? 3. Can I select Enterprise CA as the setup type and Subordinate CA as the CA type on a domain-joined server?
@MSFTWebCast
@MSFTWebCast 2 years ago
@@abhimanyuneupane9785 Generally, if you are deploying a two-tier PKI, then your root CA will be a standalone offline CA. Then you deploy your subordinate CA as an enterprise CA. Yes, you need a dedicated server in order to set up another CA.
@robertjude7880
@robertjude7880 2 years ago
@@MSFTWebCast Do I have to do all the changes you have shown in this video for the enterprise CA?
@MSFTWebCast
@MSFTWebCast 2 years ago
@@robertjude7880 It's up to your requirements. You can find a doc on those settings on TechNet; go through it and set up those settings as per your requirements. You can also find some recommended settings, or you can say must-haves, on the Internet.
@DmitryMalyshok
@DmitryMalyshok 5 years ago
Thank you! Please give a link to the CAPolicy.inf for the offline root and sub CA and the instruction commands.
@riddler9552
@riddler9552 5 years ago
Hey where is the notepad file? It's not on your website either.
@subhrojeetmukherjee8030
@subhrojeetmukherjee8030 4 years ago
social.technet.microsoft.com/... Check this link and find the CA Policy.
@caseybriones1085
@caseybriones1085 10 months ago
How do we know that it is already offline?
@MSFTWebCast
@MSFTWebCast 10 months ago
Most of the time an offline CA won't be running; it is turned off after the initial usage. If it is running, then it won't be connected to the network.
@ninja2807
@ninja2807 9 months ago
@@MSFTWebCast Why did you use an offline root CA? Would this also work if the root CA is online and joined to the domain?
@Paul-oi2wz
@Paul-oi2wz 3 years ago
You failed to link to the notepad file.
@MSFTWebCast
@MSFTWebCast 3 years ago
I am extremely sorry about it. Check the comment section again; I have added the content of the Notepad file as a comment.