PKI – Commandline certutil


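; CAPolicy.inf for the Root CA. It is read once when ADCS is installed (and again on
; CA certificate renewal) from %SystemRoot%; it is not consulted at any other time.
; INF syntax: ';' starts a comment, values are plain or in straight double quotes.
; Fixed: the original used typographic quotes (” “) in the Signature and Notice lines.
; A Signature line that does not parse makes the whole file invalid, and setup then
; continues silently with defaults - no policy notice and, more importantly, no path
; length constraint on the root.
[Version]
Signature="$Windows NT$"

; Certificate Policies extension: a single policy, defined in the section named below.
[PolicyStatementExtension]
Policies=InternalUseOnly

; Policy OID and user notice that end up in the root certificate.
; NOTE(review): 1.2.3.4.1455.67.89.5 appears to be the example OID from Microsoft's
; CAPolicy.inf documentation, not an arc registered to this organisation - replace it
; before production, since it is baked into the root and inherited by the hierarchy.
; The ';' inside the quoted notice is part of the text, not a comment.
[InternalUseOnly]
OID=1.2.3.4.1455.67.89.5
Notice="This PKI is intended for internal use only Baby ;-)."

; Basic Constraints: at most two CA tiers below the root (e.g. Root, Policy CA,
; Issuing CA). Critical=Yes so relying parties must enforce the limit; a sub-CA
; certificate chaining deeper than this is rejected.
[BasicConstraintsExtension]
PathLength=2
Critical=Yes

; Do not auto-publish the default certificate templates at install time. A root
; should issue only to subordinate CAs, so templates are added deliberately, if ever.
[Certsrv_Server]
LoadDefaultTemplates=False
; NOTE(review): no RenewalKeyLength / RenewalValidityPeriod* or CRLPeriod* keys here,
; so those stay at the installer defaults - confirm they match the intended root
; lifetime and the (manual) CRL publication cadence of an offline root.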

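REM Read the maximum validity the CA will grant to issued certificates:
REM validityperiod is the unit name (e.g. Years), validityperiodunits the count.
certutil -getreg ca\validityperiod
certutil -getreg ca\validityperiodunits

REM Cap issued certificates at 6 units of the configured validityperiod
REM (6 years if the unit is Years - check the -getreg output above before relying
REM on that). A template can never exceed this CA-wide limit.
certutil -setreg ca\validityperiodunits 6

REM Standalone Root CA (not domain joined): point the CA at the AD configuration
REM partition so the ldap:/// CDP and AIA paths it writes (%%6, %%10, %%11 in the
REM CRLPublicationURLs / CACertPublicationURLs values) resolve inside this forest.
REM The root's CRL and certificate still have to be placed in AD by hand
REM (certutil -dspublish) because an offline root cannot write there itself.
REM Fixed: the original line used a typographic dash (–setreg), which cmd passes
REM through as a literal argument and certutil rejects.
certutil -setreg ca\dsconfigdn cn=configuration,dc=nds-edv,dc=de

REM -setreg changes are read at service start only; restart the CA afterwards:
REM   net stop certsvc
REM   net start certsvc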

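REM CDP (CRL Distribution Points) for the ROOT CA.
REM Each entry is <flags>:<url>. CDP flags are bit sums: 1 = publish the CRL to this
REM location, 2 = put the URL into the CDP extension of issued certificates,
REM 4 = put it into the freshest-CRL (delta) extension, 8 = put it into the CRL's own
REM CDP extension, 64 = publish delta CRLs here. The root publishes locally only (1)
REM and embeds the LDAP (10 = 2+8) and HTTP (2) URLs; an offline root's CRL must then
REM be copied to those locations manually, and every URL listed here must stay
REM reachable for the lifetime of the sub-CA certificates or revocation checking of
REM the whole hierarchy degrades.
REM %%n are certutil replacement tokens written in batch-file form; type a single %
REM instead if the command is entered interactively.
REM Fixed: straight quotes instead of typographic ones (the latter are passed as part
REM of the value and the registry entry becomes unusable); "pki.nds-edv.de.de" was
REM taken as a typo for pki.nds-edv.de, the name the AIA line below uses - verify.
certutil -setreg CA\CRLPublicationURLs "1:%WinDir%\System32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://ca2.lab.local/CertEnroll/%%3%%8%%9.crl\n2:http://ca.lab.local/CertEnroll/%%3%%8%%9.crl\n2:http://pki.nds-edv.de/CertEnroll/%%3%%8%%9.crl"

REM AIA (Authority Information Access) for the ROOT CA.
REM AIA flags: 1 = publish the CA certificate to this location, 2 = put the URL into
REM the AIA extension of issued certificates, 32 = put it into the OCSP entry of AIA.
REM The OCSP URL names a lab-internal host; relying parties that cannot reach it fall
REM back to the CRL, so the CDP entries above must remain valid independently.
certutil -setreg CA\CACertPublicationURLs "1:%WinDir%\System32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://ca.lab.local/CertEnroll/%%1_%%3%%4.crt\n2:http://ca2.lab.local/CertEnroll/%%1_%%3%%4.crt\n2:http://pki.nds-edv.de/CertEnroll/%%1_%%3%%4.crt\n32:http://ca2.lab.local/ocsp"

REM CDP for the SUB (issuing) CA. 65 = 64+1: publish base and delta CRL locally and
REM to the UNC share; 71 = 64+4+2+1: publish to LDAP and reference it in certificates
REM and in the freshest-CRL extension; 6 = 4+2: HTTP URLs referenced only.
REM The file:// entry makes the CA write into \\ca.lab.local\CertEnroll, so that
REM share's write ACL should be limited to the CA's computer account.
REM Fixed: the first HTTP entry ended in ".cr" instead of ".crl" - that URL would
REM have been embedded in every issued certificate and never served a CRL.
REM NOTE(review): the public hostname here (pki.ndsedv.de) differs from the root's
REM pki.nds-edv.de and from pki.experteach.de further down - only one can be right.
certutil -setreg CA\CRLPublicationURLs "65:%WinDir%\System32\CertSrv\CertEnroll\%%3%%8%%9.crl\n71:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n6:http://ca2.lab.local/CertEnroll/%%3%%8%%9.crl\n6:http://ca.lab.local/CertEnroll/%%3%%8%%9.crl\n6:http://pki.ndsedv.de/CertEnroll/%%3%%8%%9.crl\n65:file://\\ca.lab.local\CertEnroll\%%3%%8%%9.crl"

REM AIA for the SUB (issuing) CA. 3 = 1+2 on the LDAP entry: publish the CA cert to
REM AD and reference it; 2 on HTTP: reference only; 32: OCSP.
REM Fixed: the http://ca.lab.local entry had 3, i.e. it asked the CA to publish to an
REM HTTP location, which the CA cannot do and only logs a publication error on each
REM CRL/cert publish; 2 is what the value table on this page lists for HTTP as well.
certutil -setreg CA\CACertPublicationURLs "1:%WinDir%\System32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://ca.lab.local/CertEnroll/%%1_%%3%%4.crt\n2:http://ca2.lab.local/CertEnroll/%%1_%%3%%4.crt\n2:http://pki.ndsedv.de/CertEnroll/%%1_%%3%%4.crt\n32:http://ca2.lab.local/ocsp"

REM Restart certsvc after changing either value; verify with
REM   certutil -getreg CA\CRLPublicationURLs
REM   certutil -getreg CA\CACertPublicationURLs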

REM Enable CA auditing. AuditFilter 127 switches on all seven CA audit categories
REM (start/stop, backup/restore, issue/manage requests, revoke/publish CRL, change CA
REM security settings, store/retrieve archived keys, change CA configuration).
REM The events only reach the Security log once the "Certification Services"
REM object-access audit subcategory is enabled on the CA host (auditpol or Group
REM Policy). Restart certsvc afterwards.
certutil -setreg CA\AuditFilter 127

REM Backups of the Issuing CA.
REM -backupDB writes only the certificate database and its logs.
REM -backup additionally exports the CA certificate together with its private key
REM (PFX, password prompted). That second directory therefore contains the CA
REM signing key: restrict its ACL, move it off the CA host, and store it like the
REM key itself; both backups are also logged as audit events when the filter above is set.
certutil -backupDB C:\BackupIssuingCA\nurDB
certutil -backup C:\BackupIssuingCA\komplettmitCert

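REM SAN handling on the Issuing CA.
REM EDITF_ATTRIBUTESUBJECTALTNAME2 makes the CA honour a "san:" request attribute for
REM every template, so anyone allowed to enrol can have an arbitrary name - another
REM user's UPN, another server's DNS name - placed into a certificate the CA signs.
REM Microsoft documents this flag as a security risk; on an Enterprise CA keep it off
REM and take the SAN from the template instead (enrollee-supplied subject with a
REM tightly restricted enrol ACL, or an enrollment agent). If it is needed for the lab,
REM limit who can enrol, review issued certificates, and clear it again with
REM   certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
REM Restart certsvc for the change to take effect.
REM Fixed: 0x40000 is the numeric value of EDITF_ATTRIBUTESUBJECTALTNAME2, so the
REM second original line set the same bit again; one line is enough.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

REM Request attribute that carries the SAN (given to certreq -submit -attrib, or
REM pasted into the "Additional Attributes" field of web enrollment); entries are
REM joined with "&". This is an attribute string, not a command.
REM Fixed: an IP address is not a valid dNSName and belongs only in ipaddress=;
REM the dns=10.1.1.6 entry was dropped.
san:dns=ca2.lab.local&dns=ca2&ipaddress=10.1.1.6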

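REM CRL publication and overlap periods on the Issuing CA.
REM Base CRL every 7 days; the 3-day overlap is added to the CRL's NextUpdate so
REM clients still hold a valid CRL if publication to CDP locations slips. Delta CRL
REM daily with a 2-hour overlap.
REM Fixed: two value names were misspelled (CRLOverlaPeriod, CRLDeltaOverlaPeriod).
REM -setreg does not validate names, so the misspelled values were created and
REM ignored while the real overlap stayed at its default. Restart certsvc afterwards
REM and confirm with
REM   certutil -getreg CA\CRLOverlapPeriod
REM   certutil -getreg CA\CRLDeltaOverlapPeriod
certutil -setreg CA\CRLPeriodUnits 7
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 3
certutil -setreg CA\CRLOverlapPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLDeltaOverlapUnits 2
certutil -setreg CA\CRLDeltaOverlapPeriod "Hours"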

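REM CDP and AIA for the Issuing CA, public name pki.experteach.de.
REM This repeats the SUB-CA lines above with a different public hostname
REM (pki.ndsedv.de there). Only one variant can be current; every URL listed is
REM embedded in each issued certificate and must stay reachable for the lifetime of
REM those certificates, otherwise revocation checking degrades to soft-fail or
REM outright chain failure on strict clients.
REM Flags: 1 publish here, 2 reference in certificates, 4 freshest-CRL reference,
REM 64 publish delta CRLs here; AIA 32 = OCSP entry.
REM Fixed: straight quotes instead of typographic ones; the http://ca.lab.local AIA
REM entry is 2 rather than 3 - flag 1 (publish) is not possible for HTTP locations
REM and only produces a publication error, and the value table below lists HTTP = 2.
REM Restart certsvc afterwards.
certutil -setreg CA\CRLPublicationURLs "65:%WinDir%\System32\CertSrv\CertEnroll\%%3%%8%%9.crl\n71:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n6:http://ca2.lab.local/CertEnroll/%%3%%8%%9.crl\n6:http://ca.lab.local/CertEnroll/%%3%%8%%9.crl\n6:http://pki.experteach.de/CertEnroll/%%3%%8%%9.crl\n65:file://\\ca.lab.local\CertEnroll\%%3%%8%%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WinDir%\System32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://ca.lab.local/CertEnroll/%%1_%%3%%4.crt\n2:http://ca2.lab.local/CertEnroll/%%1_%%3%%4.crt\n2:http://pki.experteach.de/CertEnroll/%%1_%%3%%4.crt\n32:http://ca2.lab.local/ocsp"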

# CDP- und AIA-Werte (Sperrlisten). Die Zahlen sind Bit-Summen pro URL: CDP 1 = CRL hier veröffentlichen, 2 = in die CDP-Erweiterung der Zertifikate, 4 = in den Delta-CRL-Verweis, 8 = in den CDP der CRL selbst, 64 = Delta-CRL hier veröffentlichen; AIA 1 = CA-Zertifikat hier veröffentlichen, 2 = in die AIA-Erweiterung, 32 = OCSP-Eintrag.

ROOT-CA CDP
HTTP Wert 2
LDAP Wert 10
WinDir Wert 1

ROOT-CA AIA
HTTP Wert 2
LDAP Wert 2
WinDir Wert 1
OCSP Wert 32

SUB-CA CDP
HTTP Wert 6
LDAP Wert 71
WinDir Wert 65

SUB-CA AIA
HTTP Wert 2
LDAP Wert 3
WinDir Wert 1
OCSP Wert 32

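REM Remove old rows from the CA database. Take a database backup first (-backupDB
REM above): deleted rows are gone from the CA's own record of what it issued, and
REM the deletion is itself an auditable event worth keeping.
REM The date is parsed in the CA's regional format, so 11/10/2016 can mean
REM 11 October or 10 November - confirm on this host before running.
REM Fixed: both lines used a typographic dash (–deleterow), which certutil rejects.

REM Certificates expired before the date. The original note also lists revoked
REM ones; certutil's own help names only expired rows for "cert", so a revoked but
REM still unexpired certificate should remain (and stay on the CRL) - verify on a test CA.
certutil -deleterow 11/10/2016 cert

REM Failed and pending requests older than the date.
certutil -deleterow 11/10/2016 request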

REM Key recovery via a Key Recovery Agent (KRA).
REM -getkey pulls the archived, KRA-encrypted private-key blob for the certificate
REM with this serial number out of the CA database; this needs the Certificate
REM Manager (CA officer) right, not the KRA key.
certutil -getkey 1e000000106923ba36674869e9000000000010 outputblob
REM Only confirms that the blob file was written.
dir outputblob
REM -recoverkey decrypts the blob with the KRA's private key (which must be in the
REM certificate store of the account running this) and writes a password-protected
REM PFX holding the user's private key. The officer/KRA split is the control here:
REM keep the two roles on different people. Hand the PFX over out of band and delete
REM both files afterwards; with auditing enabled the CA logs the retrieval.
certutil -recoverkey outputblob recoverd.pfx