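# Root-CA CAPolicy.inf (placed in the Windows directory before the CA role is installed)
# Straight ASCII quotes are required; the typographic quotes in the original paste are not accepted by the inf parser.
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies = InternalUseOnly

[InternalUseOnly]
OID=1.2.3.4.1455.67.89.5
Notice = "This PKI is intended for internal use only Baby ;-)."

# Root may issue to at most two further CA levels; marked critical so relying parties must honour it
[BasicConstraintsExtension]
PathLength = 2
Critical = Yes

[Certsrv_Server]
LoadDefaultTemplates=False


# Read the configured validity of issued certificates (unit and count)
Certutil -getreg ca\validityperiod
Certutil -getreg ca\validityperiodunits

# Cap the validity of issued certificates at 6 units; this is "6 years" only if validityperiod (read above) is Years
Certutil -setreg ca\validityperiodunits 6

# Set the Active Directory configuration partition DN (standalone Root-CA, not domain-joined)
# The original paste used a typographic dash before setreg; certutil only accepts an ASCII "-"
certutil -setreg ca\dsconfigdn cn=configuration,dc=nds-edv,dc=de

# Replacement tokens (escaped as %% inside a batch file, %N at an interactive prompt):
#   %%1 ServerDNSName  %%2 ServerShortName  %%3 CaName  %%4 CertificateName (renewal suffix)
#   %%6 ConfigurationContainer  %%7 CATruncatedName  %%8 CRLNameSuffix  %%9 DeltaCRLAllowed
#   %%10 CDPObjectClass  %%11 CAObjectClass
# Leading number = publication flag bitmask.
#   CDP: 1 publish CRL here, 2 include in CDP extension, 4 include in delta-CRL CDP, 8 include in CRL CDP, 64 publish delta CRL here
#   AIA: 1 publish CA cert here, 2 include in AIA extension, 32 include as OCSP responder
# %WinDir% is expanded by cmd before certutil sees it.

# Configure CDP on the ROOT CA
certutil -setreg CA\CRLPublicationURLs "1:%WinDir%\System32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://ca2.lab.local/CertEnroll/%%3%%8%%9.crl\n2:http://ca.lab.local/CertEnroll/%%3%%8%%9.crl\n2:http://pki.nds-edv.de.de/CertEnroll/%%3%%8%%9.crl"
# Check the last host name: ".de.de" differs from the pki.nds-edv.de / pki.ndsedv.de spellings used further down; a wrong CDP URL breaks revocation checking for every issued certificate.

# Configure AIA on the ROOT CA
certutil -setreg CA\CACertPublicationURLs "1:%WinDir%\System32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://ca.lab.local/CertEnroll/%%1_%%3%%4.crt\n2:http://ca2.lab.local/CertEnroll/%%1_%%3%%4.crt\n2:http://pki.nds-edv.de/CertEnroll/%%1_%%3%%4.crt\n32:http://ca2.lab.local/ocsp"

# Configure CDP on the SUB (issuing) CA
# Fixed: the ca2.lab.local entry ended in ".cr" in the original, which would have published a CDP URL that never resolves
certutil -setreg CA\CRLPublicationURLs "65:%WinDir%\System32\CertSrv\CertEnroll\%%3%%8%%9.crl\n71:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n6:http://ca2.lab.local/CertEnroll/%%3%%8%%9.crl\n6:http://ca.lab.local/CertEnroll/%%3%%8%%9.crl\n6:http://pki.ndsedv.de/CertEnroll/%%3%%8%%9.crl\n65:file://\\ca.lab.local\CertEnroll\%%3%%8%%9.crl"

# Configure AIA on the SUB (issuing) CA
certutil -setreg CA\CACertPublicationURLs "1:%WinDir%\System32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n3:http://ca.lab.local/CertEnroll/%%1_%%3%%4.crt\n2:http://ca2.lab.local/CertEnroll/%%1_%%3%%4.crt\n2:http://pki.ndsedv.de/CertEnroll/%%1_%%3%%4.crt\n32:http://ca2.lab.local/ocsp"

# Enable auditing (127 = all CA audit categories; the events only appear once object-access auditing is enabled in the audit policy)
certutil -setreg CA\AuditFilter 127

# Backup CA: database only, and full backup including the CA certificate/key
# The full backup contains the CA private key; store it with the same protection as the CA itself
certutil -backupDB C:\BackupIssuingCA\nurDB
certutil -backup C:\BackupIssuingCA\komplettmitCert

# SAN certificate CA configuration: accept SAN values passed as request attributes
# EDITF_ATTRIBUTESUBJECTALTNAME2 is 0x40000, so the second command sets the same bit again; keep one of them
# Risk: with this flag any enrollee can obtain a certificate for an arbitrary identity (any template that allows enrollment),
# bypassing the subject validation of an enterprise CA. Prefer templates that carry the SAN, and clear the flag again
# with "-EDITF_ATTRIBUTESUBJECTALTNAME2". EditFlags changes take effect after a certsvc restart.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
certutil -setreg policy\EditFlags +0x40000
# Request attribute syntax for the SAN:
#   san:dns=ca2.lab.local&dns=ca2&dns=10.1.1.6&ipaddress=10.1.1.6

# CRL publication and overlap periods on the issuing CA
# Fixed: CRLOverlaPeriod / CRLDeltaOverlaPeriod were misspelled in the original; certutil would have created unrelated
# registry values and the overlap periods would have stayed at their defaults
certutil -setreg CA\CRLPeriodUnits 7
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 3
certutil -setreg CA\CRLOverlapPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLDeltaOverlapUnits 2
certutil -setreg CA\CRLDeltaOverlapPeriod "Hours"

# CRL and AIA, issuing CA (second environment: external host pki.experteach.de instead of pki.ndsedv.de, otherwise identical to the SUB entries above)
certutil -setreg CA\CRLPublicationURLs "65:%WinDir%\System32\CertSrv\CertEnroll\%%3%%8%%9.crl\n71:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n6:http://ca2.lab.local/CertEnroll/%%3%%8%%9.crl\n6:http://ca.lab.local/CertEnroll/%%3%%8%%9.crl\n6:http://pki.experteach.de/CertEnroll/%%3%%8%%9.crl\n65:file://\\ca.lab.local\CertEnroll\%%3%%8%%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WinDir%\System32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n3:http://ca.lab.local/CertEnroll/%%1_%%3%%4.crt\n2:http://ca2.lab.local/CertEnroll/%%1_%%3%%4.crt\n2:http://pki.experteach.de/CertEnroll/%%1_%%3%%4.crt\n32:http://ca2.lab.local/ocsp"

# CDP and AIA flag values used above (revocation list / CA certificate)
#   ROOT-CA CDP: HTTP 2, LDAP 10, WinDir 1
#   ROOT-CA AIA: HTTP 2, LDAP 2,  WinDir 1, OCSP 32
#   SUB-CA  CDP: HTTP 6, LDAP 71, WinDir 65
#   SUB-CA  AIA: HTTP 2, LDAP 3,  WinDir 1, OCSP 32
#   (the ca.lab.local HTTP AIA entry in the SUB commands uses 3, i.e. publish + include, not 2)

# Delete certificates from the database
# The date is parsed in the locale of the CA host; confirm whether 11/10/2016 means 10 Nov or 11 Oct before running
# Expired and revoked certificates
certutil -deleterow 11/10/2016 cert
# Failed and pending requests
certutil -deleterow 11/10/2016 request

# Key Recovery Agent: export the archived key blob for the given serial number and recover it into a PFX
# Both outputblob and recoverd.pfx contain the subject's private key; keep them off shared storage and delete them after handover
certutil -getkey 1e000000106923ba36674869e9000000000010 outputblob
dir outputblob
certutil -recoverkey outputblob recoverd.pfx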