Jump to content


Alex Shumilin

New Members
  • Content Count

    1
  • Joined

  • Last visited

  • Days Won

    2

Posts posted by Alex Shumilin

  1. Thanks for your guidance, it is a very helpful!


    I did all the steps on my test infrastructure, though I had a reduced set of virtual machines.
    It seems to me that there is an error in section 5 (maybe my comment will help other people)


    You suggest to execute the command:
    certutil -f -dspublish "E: \ ROOTCA_windows noob Root CA.crt" RootCA
    Where RootCA , as you write, is the host name of offline Root CA, however certutil helps us:

    CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
    ...
        CertFile - certificate file to publish
        NTAuthCA - Publish cert to DS Enterprise store
        RootCA - Publish cert to DS Trusted Root store
        SubCA - Publish CA cert to DS CA object
        CrossCA - Publish cross cert to DS CA object
    ...

    So RootCA in this case is not the host name here, but the store name.

    Your host name matches the store name, and your command has been executed.
    My Root CA name was different, and when I will have tried to execute the command
    certutil -f -dspublish "C:\from_RCA\RCA01_My-CA.crt" RCA01
    i got an error
    CertUtil: -dsPublish command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
    CertUtil: The parameter is incorrect.

    however command
    certutil -f -dspublish "C:\from_RCA\RCA01_My-CA.crt" RootCA
    performed correctly.

    Next command in your manual
    certutil -f -dspublish "E: \ windows noob Root CA.crl" RootCA
    is correct, because to publish CRL you must specify the host name:

      CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]]
      ....
        CRLFile - CRL file to publish
        DSCDPContainer - DS CDP container CN, usually the CA machine name

    • Thanks 2
×
×
  • Create New...