Post Installation Script (Post_Install.bat) Template for Windows Server 2008 R2 Issuing CA

While implementing PKI at my current employer, I used the Microsoft Press books extensively to develop our implementation strategy. While doing so, I noticed that some of the scripts in the book had errors in them, so I ended up revising them to correct the errors and implement PKI with the policies we felt worked best in our environment.

The Post Installation Script below is specifically for an Issuing CA in a three tier hierarchy. With this policy, your Issuing CA will issue certificates lasting a maximum of 2 years and your CRL will be valid for up to three days (that should be updated automatically anyway). We did that in the CAPolicy.inf file as well, but this makes doubly sure that those settings were set.

Additionally, we are using this batch file to set publication points in Active Directory as well as on two web servers.

Change the areas in bold to fit your environment. After that, simply copy the text below into a file named Post_Install.bat and run it on your Issuing CA immediately after Active Directory Certificate Services role installation.

::Issuing CA Post Installation Script
::Declare Configuration NC
certutil -setreg CA\DSConfigDN CN=Configuration,DC=DOMAIN,DC=TLD

::Define CRL Publication Intervals
certutil -setreg CA\CRLPeriodUnits 3
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 4
certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\CRLDeltaPeriodUnits 12
certutil -setreg CA\CRLDeltaPeriod "Hours"

::Apply the required CDP Extension URLs
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n6:http://%%1/CertEnroll/%%3%%8%%9.crl\n6:http://WEBSERVER1/CertData/%%3%%8%%9.crl\n6:http://WEBSERVER2/CertData/%%3%%8%%9.crl"

::Apply the required AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://WEBSERVER1/CertData/%%1_%%3%%4.crt\n2:http://WEBSERVER2/CertData/%%1_%%3%%4.crt\n2:http://%%1/CertEnroll/%%1_%%3%%4.crt"

::Enable all auditing events for the Issuing CA
certutil -setreg CA\AuditFilter 127

:: Enable discrete signatures in issued certificates
Certutil –setreg CA\csp\DiscreteSignatureAlgorithm 1

::Set Maximum Validity Period for Issued Certificates
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"

::Restart Certificate Services
net stop certsvc & net start certsvc


No comments yet... Be the first to leave a reply!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s