I did all the steps on my test infrastructure, though I had a reduced set of virtual machines.
It seems to me that there is an error in section 5 (maybe my comment will help other people)
You suggest to execute the command: certutil -f -dspublish "E: \ ROOTCA_windows noob Root CA.crt" RootCA
Where RootCA, as you write, is the host name of offline Root CA, however certutil helps us:
CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine] ...
CertFile - certificate file to publish
NTAuthCA - Publish cert to DS Enterprise store
RootCA - Publish cert to DS Trusted Root store
SubCA - Publish CA cert to DS CA object
CrossCA - Publish cross cert to DS CA object
...
So RootCA in this case is not the host name here, but the store name.
Your host name matches the store name, and your command has been executed.
My Root CA name was different, and when I will have tried to execute the command certutil -f -dspublish "C:\from_RCA\RCA01_My-CA.crt" RCA01
i got an error CertUtil: -dsPublish command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.
however command certutil -f -dspublish "C:\from_RCA\RCA01_My-CA.crt" RootCA
performed correctly.
Next command in your manual certutil -f -dspublish "E: \ windows noob Root CA.crl" RootCA
is correct, because to publish CRL you must specify the host name:
CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]]
....
CRLFile - CRL file to publish
DSCDPContainer - DS CDP container CN, usually the CA machine name
We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.
How can I configure PKI in a lab on Windows Server 2016 - Part 5
in PKI
Posted
Thanks for your guidance, it is a very helpful!
I did all the steps on my test infrastructure, though I had a reduced set of virtual machines.
It seems to me that there is an error in section 5 (maybe my comment will help other people)
You suggest to execute the command:
certutil -f -dspublish "E: \ ROOTCA_windows noob Root CA.crt" RootCA
Where RootCA , as you write, is the host name of offline Root CA, however certutil helps us:
CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
...
CertFile - certificate file to publish
NTAuthCA - Publish cert to DS Enterprise store
RootCA - Publish cert to DS Trusted Root store
SubCA - Publish CA cert to DS CA object
CrossCA - Publish cross cert to DS CA object
...
So RootCA in this case is not the host name here, but the store name.
Your host name matches the store name, and your command has been executed.
My Root CA name was different, and when I will have tried to execute the command
certutil -f -dspublish "C:\from_RCA\RCA01_My-CA.crt" RCA01
i got an error
CertUtil: -dsPublish command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.
however command
certutil -f -dspublish "C:\from_RCA\RCA01_My-CA.crt" RootCA
performed correctly.
Next command in your manual
certutil -f -dspublish "E: \ windows noob Root CA.crl" RootCA
is correct, because to publish CRL you must specify the host name:
CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]]
....
CRLFile - CRL file to publish
DSCDPContainer - DS CDP container CN, usually the CA machine name