On RootCA, copy and paste this into Notepad, and save it as C:\Windows\CAPolicy.inf
###########################################################
notepad C:\Windows\CAPolicy.inf
[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=20
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
########################################################
Define the Active Directory configuration partition's distinguished name.
certutil -setreg ca\DSConfigDN "CN=configuration,dc=mylab,dc=local"
certutil -setreg ca\DSDomain "dc=mylab,dc=local"
_________________________________________________________
This sets the overlap period between the CRL and the delta CRL.
certutil.exe -setreg CA\CRLOverlapPeriodUnits 3
_________________________________________________________
This command sets the CRL overlap period unit to weeks.
certutil.exe -setreg CA\CRLOverlapPeriod "Weeks"
_________________________________________________________
This command sets the maximum validity period of certificates issued by this CA.
certutil.exe -setreg CA\ValidityPeriodUnits 10
#######################################################
Restart the AD CS service.
net stop certsvc
net start certsvc
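An added configuration check for the procedure above (and for the CAPolicy.inf re-posted further down in this thread); it is not code from the video or its comments. It reads the CA's registry settings and CAPolicy.inf and reports the problems raised in the comments, including the CRLOverlapUnits naming question. It assumes an elevated PowerShell session on the CA host and that the Configuration key's Active value holds the CA name.

```powershell
# Added example, not the video's or Microsoft's code: audit the root CA settings
# applied by the CAPolicy.inf and certutil steps above.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Test-RootCaConfig {
    $findings = New-Object System.Collections.Generic.List[string]

    # certutil -setreg CA\<value> writes under Configuration\<CA common name>;
    # the "Active" value of the Configuration key names that CA.
    $caName = (Get-ItemProperty -Path $base).Active
    $ca     = Get-ItemProperty -Path (Join-Path $base $caName)

    # CAPolicy.inf is only honoured when the Signature line uses plain ASCII
    # quotes; the curly quotes that web pages paste in are not recognised.
    $inf = Join-Path $env:windir 'CAPolicy.inf'
    if (-not (Test-Path $inf)) {
        $findings.Add("CAPolicy.inf not found at $inf")
    } elseif (-not (Select-String -Path $inf -Pattern '^Signature="\$Windows NT\$"' -Quiet)) {
        $findings.Add('CAPolicy.inf Signature line is missing or does not use straight quotes')
    }

    # The documented overlap value is CRLOverlapUnits (as the comments in this
    # thread point out); CRLOverlapPeriodUnits is not a documented CA setting.
    if ($ca.PSObject.Properties['CRLOverlapPeriodUnits']) {
        $findings.Add('CRLOverlapPeriodUnits is set but undocumented; use certutil -setreg CA\CRLOverlapUnits')
    }
    if (-not $ca.PSObject.Properties['CRLOverlapUnits'] -or $ca.CRLOverlapUnits -lt 1) {
        $findings.Add('CRLOverlapUnits is not set: relying parties get no grace period at CRL rollover')
    }

    # Other values the procedure sets; report any that were not written.
    foreach ($name in 'DSConfigDN', 'DSDomain', 'ValidityPeriodUnits', 'CRLOverlapPeriod') {
        if (-not $ca.PSObject.Properties[$name]) { $findings.Add("$name is not set") }
    }

    # Effective CRL lifetime, to compare with CAPolicy.inf's CRLPeriodUnits=20 years.
    $findings.Add(('CRL period: {0} {1}' -f $ca.CRLPeriodUnits, $ca.CRLPeriod))
    return $findings
}

Test-RootCaConfig | ForEach-Object { Write-Output $_ }
```

Run it before and after `net stop certsvc` / `net start certsvc`; certsvc reads these values only at start, so a change made with certutil is not effective until the restart.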
Great work thanks for your help and keep us updated
Can you please enable subtitles for this playlist? It will help us more, and if there is a direct link to your explanation blog like the other playlist, that will be amazing.
You should have explained the first two paths in AIA and CDP which you did not delete. Why? What is the purpose of those? Thank you.
@2:07 - PeriodUnits=20, can we change this to 50 years ????
@5:49 - is RSA the only option you have here, can you select another type ????
@6:11 - what can be entered in "Distinguished name suffix" ????
Very good, impressive and easy setup, thank you.
You are welcome!
I saw another tutorial but using Windows 2016. They are not using those commands and the inf file. Are these commands necessary for Windows 2019?
It is up to us what settings we want to define for our CA. That file is used to define the extensions, constraints, and other configuration settings that are applied to a root Certification Authority certificate and all certificates issued by the root CA.
@@MSFTWebCast I understand now. Your method is the PowerShell one, while the others I watched were doing it in the GUI.
How to remove the file location from the CDP extensions if we forgot to remove it? I removed it from CDP and published the CRL again, but I can still see an error for the file location in pkiview.msc.
Hello, I cannot find the Notepad file. I'd appreciate it if you can share it with me.
Can you check if you made a mistake with "CA\CRLOverlapPeriodUnits"? Should it actually be "CA\CRLOverlapUnits"? Thank you.
I have checked one more time and it is correct. Reference: learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731104(v=ws.11)?redirectedfrom=MSDN and
@@MSFTWebCast Thanks for the reply. I installed AD CS on Server 2016 and that registry key is not there by default as all the others are. If I navigate to HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/CertSvc/Configuration/ the two registry entries there are CRLOverlapPeriod and CRLOverlapUnits. CRLDeltaOverlapPeriodUnits is not there unless I create it. Though, interestingly, others such as ValidityPeriodUnits do exist. It seems that they may have changed the name of these in 2016? What are your thoughts? After following along with your video I have both entries (CRLOverlapUnits and CRLOverlapPeriodUnits) but I am not sure I need both.
@@MSFTWebCast I don't see CA\CRLOverlapPeriodUnits on this link. It is "CA\CRLOverlapUnits"
I could not find the capolicy.inf content and the other certutil commands you referenced.
notepad C:\Windows\CAPolicy.inf
[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=20
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
@@MSFTWebCast Thank you for such a quick response, and thank you for converting the Microsoft document into a video.
Hello, is it necessary to use the CAPolicy.inf? I mean, can I configure this series without it?
The CAPolicy.inf file tells the server how to configure itself when the Certificate Services role is installed. If you don't want to use it, it is OK, but it is best practice to have it.
@@MSFTWebCast Thank you for the explanation 😁
16:23
If I accidentally deleted the .crt file, how can I regenerate it again? Thanks
For that you need to generate (publish) the CRL again. Repeat the steps from 14:48 to 15:18.
@@MSFTWebCast It's a .crt, not a .crl file, and the timestamps generated are different.
Hey where is the notepad file? It's not on your website either.
social.technet.microsoft.com/... Check this link and find the CA Policy.
Can we do the same process on an online standalone root CA that is domain joined?
Yes, you can deploy a standalone root CA on a domain-joined server. The process will remain the same, but on a domain-joined server you need to select the standalone CA option while specifying the type of the CA.
@@MSFTWebCast I already have AD CS which is the Root. Now I want to add a Subordinate or Intermediate CA.
1. Can I install it on the same server?
2. Do I need another server for the Subordinate CA?
3. Can I select Enterprise CA as the setup type and Subordinate CA as the CA type on a domain-joined server?
@@abhimanyuneupane9785 Generally, if you are deploying a 2-tier PKI then your Root CA will be a stand-alone offline CA. Then you deploy your subordinate CA as an enterprise CA. Yes, you need a dedicated server in order to set up another CA.
@@MSFTWebCast Do I have to do all the changes you have shown in this video for the enterprise CA?
@@robertjude7880 It's up to your requirements. You can find a doc on those settings on TechNet; go through it and set up those settings as per your requirements. You can also find some recommended, or you could say must-have, settings on the Internet.
Thank you! Please give a link to the CAPolicy.inf for the offline root and sub CA and the instruction commands.
Excellent video, can you please cover SCEP/NDES?
Great suggestion! I will try.
Thank you, brother.
How do you know that it is already offline?
Most of the time the offline CA won't be running; it is turned off after the initial usage. If it is running, then it won't be connected to the network.
@@MSFTWebCast Why did you use an offline Root CA? Would this also work if the Root CA is online and joined to the domain?
You failed to link to the notepad file.
I am extremely sorry about it. Check the comment section again I have added the content of the notepad file as a comment.