
Post Installation Script (Post_Install.bat) Template for Windows Server 2008 R2 Root CA

While implementing PKI at my current employer, I used the Microsoft Press books extensively to develop our implementation strategy.  While doing so, I noticed that some of the scripts in the book had errors in them, so I ended up revising them to correct the errors and implement PKI with the policies we felt worked best in our environment.

The Post Installation Script below is specifically for the Root CA of a three-tier hierarchy.  With these settings the Root CA certificate lasts 20 years and the base CRL is valid for 52 weeks with a 2-week overlap, so the CA only has to be brought online once a year to sign and publish a new CRL and stays offline the rest of the time.  The same CRL intervals are in the CAPolicy.inf file, but CAPolicy.inf is only read during role installation, so setting them again here with certutil -setreg guarantees the values are in the registry even if the .inf file was missed or mistyped.

Additionally, the batch file sets the CDP and AIA publication points: the local CertEnroll folder, Active Directory, and two web servers.  Those URLs are written into the certificates the Root CA issues (your subordinate CA certificates) and into its CRLs, not into the self-signed Root CA certificate itself, so every relying party has to be able to reach at least one of them.  The CA only writes files to %SystemRoot%\System32\CertSrv\CertEnroll; you will need to copy the .crt and .crl files to the web servers yourself, and because the Root CA should not be a member of the domain you will also need to publish the certificate and CRL into Active Directory from a domain-joined machine (certutil -dspublish).

Copy the text below into a file named Post_Install.bat, replace DOMAIN, TLD, WEBSERVER1 and WEBSERVER2 with your own values, and run it from an elevated command prompt on your Root CA immediately after the Active Directory Certificate Services role installation.


::Root CA Post Installation Script
::Replace DOMAIN, TLD, WEBSERVER1 and WEBSERVER2 with your own values before running.
::Declare Configuration NC (quoted, so the whole DN is passed as one argument)
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=DOMAIN,DC=TLD"

::Define CRL Publication Intervals: base CRL valid 52 weeks, 2-week overlap, no delta CRLs
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2

::Apply the required CDP Extension URLs
::  1  = publish CRLs to this location (the local CertEnroll folder)
::  10 = include in the CDP extension of issued certificates (2) + include in all CRLs / AD publish location (8)
::  2  = include in the CDP extension of issued certificates
::  %% is a literal % inside a batch file; %%3 = CA name, %%8 = CRL name suffix, %%9 = delta CRL allowed,
::  %%7 = sanitized CA name, %%2 = server short name, %%6 = DSConfigDN set above
certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://WEBSERVER1/CertData/%%3%%8%%9.crl\n2:http://WEBSERVER2/CertData/%%3%%8%%9.crl"

::Apply the required AIA Extension URLs (1 = publish here, 2 = include in the AIA extension of issued certificates)
::  %%1 = server DNS name, %%4 = certificate renewal suffix
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://WEBSERVER1/CertData/%%1_%%3%%4.crt\n2:http://WEBSERVER2/CertData/%%1_%%3%%4.crt"

::Enable all auditing events for the Root CA (127 = all seven audit categories)
certutil -setreg CA\AuditFilter 127

::Set Validity Period for Issued Certificates (the subordinate CA certificates this root signs)
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

::Enable the alternate signature algorithm (PKCS#1 v2.1) in subordinate CA certificates.
::Windows Server 2008 used the name DiscreteSignatureAlgorithm for this setting; 2008 R2 uses AlternateSignatureAlgorithm.
::Certificates signed this way are rejected by Windows XP / Server 2003 clients and by many non-Windows
::relying parties, so keep this line only if everything that will chain to this root supports it.
certutil -setreg CA\csp\AlternateSignatureAlgorithm 1

::Restart Certificate Services and publish a fresh CRL so the new intervals take effect immediately
net stop certsvc && net start certsvc
certutil -crl
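Publishing the Root CA certificate and CRL from the domain side, as an added example that is not part of the original post: the script below assumes the CertEnroll folder was copied from the offline root to E:\CertEnroll, that the CA is named Contoso Root CA on a server named ROOTCA, and that WEBSERVER1 and WEBSERVER2 each expose a CertData share backing the http:// URLs in Post_Install.bat. All of those names are assumptions; change them to match your environment.

```batch
@echo off
:: Publish_Root.bat -- added example, not from the original post.
:: Run from an elevated prompt on a DOMAIN-JOINED machine, logged on as an
:: Enterprise Admin, after copying %SystemRoot%\System32\CertSrv\CertEnroll
:: from the offline Root CA to removable media. It publishes the Root CA
:: certificate and CRL to the AD locations referenced by the ldap:/// URLs in
:: Post_Install.bat and copies both files to the two HTTP publication points.
:: All names and paths below are assumptions.
setlocal
set "MEDIA=E:\CertEnroll"
set "ROOTCRT=%MEDIA%\ROOTCA_Contoso Root CA.crt"
set "ROOTCRL=%MEDIA%\Contoso Root CA.crl"
set "WEB1=\\WEBSERVER1\CertData"
set "WEB2=\\WEBSERVER2\CertData"

if not exist "%ROOTCRT%" (echo Missing %ROOTCRT% & exit /b 1)
if not exist "%ROOTCRL%" (echo Missing %ROOTCRL% & exit /b 1)

:: 1. Root certificate -> the Certification Authorities and AIA containers under
::    CN=Public Key Services. Domain members pull the first into their Trusted
::    Root store through Group Policy; the second backs the ldap:/// AIA URL.
certutil -dspublish -f "%ROOTCRT%" RootCA || exit /b 1

:: 2. CRL -> CN=<CA name>,CN=CDP,CN=Public Key Services (the ldap:/// CDP URL).
::    certutil reads the issuer from the CRL itself, so no CA name is needed.
::    Repeat this step every year when the Root CA signs a fresh CRL.
certutil -dspublish -f "%ROOTCRL%" || exit /b 1

:: 3. HTTP publication points named by the http:// CDP and AIA URLs.
for %%W in ("%WEB1%" "%WEB2%") do (
    copy /Y "%ROOTCRT%" "%%~W\" >nul || (echo Copy to %%~W failed & exit /b 1)
    copy /Y "%ROOTCRL%" "%%~W\" >nul || (echo Copy to %%~W failed & exit /b 1)
)

:: 4. Show what was published: the CRL validity window and the enterprise
::    root store as seen from this domain member.
certutil -dump "%ROOTCRL%" | findstr /C:"ThisUpdate" /C:"NextUpdate"
certutil -store -enterprise Root | findstr /C:"Subject:"
echo Done. Run gpupdate /force on a client and check its Trusted Root store.
```

certutil -dspublish needs Enterprise Admin rights (or equivalent rights on the Public Key Services container). The CRL step is the one that recurs: once a year the Root CA comes online, certutil -crl produces a new CRL in CertEnroll, and until that CRL has replaced the old one in Active Directory and on both web servers, revocation checking for everything chained to the root fails as soon as the old CRL's NextUpdate passes.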

Install Policy (CAPolicy.inf) Template for Windows Server 2008 R2 Root CA

While implementing PKI at my current employer, I used the Microsoft Press books extensively to develop our implementation strategy.  While doing so, I noticed that some of the scripts in the book had errors in them, so I ended up revising them to correct the errors and implement PKI with the policies we felt worked best in our environment.

The Install Policy below is specifically for the Root CA of a three-tier hierarchy.  With this policy the Root CA certificate lasts 20 years and the base CRL is valid for 52 weeks with a 2-week overlap, so the Root CA only needs to come online once a year to publish a new CRL and can stay offline the rest of the time.

Copy the text below into a file named "CAPolicy.inf" and place it in C:\Windows (%windir%) before adding the Active Directory Certificate Services role on your Root CA.  The file is read once, during installation: it has no effect if it is added afterwards or misnamed, and a mistake in it only shows up in the resulting certificate and CRL, so check both once the role is installed.  Treat the 2048-bit key length as a minimum for a root that has to last 20 years; many deployments choose 4096.


[Version]
Signature="$Windows NT$"

[certsrv_server]
; RenewalKeyLength applies only when the CA certificate is renewed; the
; initial key length is chosen in the role installation wizard.
renewalkeylength=2048
; Root CA certificate lifetime: 20 years
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=years

; Base CRL valid 52 weeks, published 2 weeks before it expires, no delta CRLs
CRLPeriod=weeks
CRLPeriodUnits=52
CRLOverlapPeriod=weeks
CRLOverlapUnits=2
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days

; PKCS#1 v2.1 signatures on the CA certificate and CRLs. Windows Server 2008
; called this key DiscreteSignatureAlgorithm. Windows XP / Server 2003 clients
; and many non-Windows relying parties cannot verify these signatures.
AlternateSignatureAlgorithm=1
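Because CAPolicy.inf is silently ignored when it is misplaced and Post_Install.bat does not check its own results, the added script below (not part of the original post) reads the live CA registry values back with certutil -getreg and compares them with what the two files were supposed to set, then shows the validity dates of the root certificate and CRL as actually issued. It assumes the CA is named Contoso Root CA and that the CertEnroll file names follow the %1_%3%4.crt / %3%8%9.crl patterns from Post_Install.bat; those are assumptions.

```batch
@echo off
:: Check_RootCA.bat -- added example, not part of the original post.
:: Run from an elevated prompt on the Root CA after the role is installed and
:: Post_Install.bat has run. Exit code 1 if any registry value is wrong.
:: CA name and file names are assumptions; change them to match yours.
setlocal
set "CANAME=Contoso Root CA"
set "ENROLL=%windir%\System32\CertSrv\CertEnroll"
set FAILS=0

:: REG_DWORD values: certutil prints them in hex (e.g. "34 (52)"), so :dword
:: converts the hex token instead of matching text.
call :dword CA\CRLPeriodUnits 52
call :dword CA\CRLOverlapUnits 2
call :dword CA\CRLDeltaPeriodUnits 0
call :dword CA\ValidityPeriodUnits 10
call :dword CA\AuditFilter 127
call :dword CA\csp\AlternateSignatureAlgorithm 1
:: REG_SZ values
call :sz CA\CRLPeriod Weeks
call :sz CA\CRLOverlapPeriod Weeks
call :sz CA\ValidityPeriod Years
:: REG_MULTI_SZ URL lists print one entry per line, so check for the pieces
:: that are easiest to mistype (flag prefix, container names, web hosts).
call :multi CA\CRLPublicationURLs "10:ldap:///"
call :multi CA\CRLPublicationURLs "CN=CDP,CN=Public Key Services,CN=Services"
call :multi CA\CRLPublicationURLs "http://WEBSERVER1/CertData/"
call :multi CA\CACertPublicationURLs "CN=AIA,CN=Public Key Services,CN=Services"
call :multi CA\CACertPublicationURLs "http://WEBSERVER2/CertData/"

echo.
echo Root certificate (expect NotAfter = NotBefore + 20 years):
certutil -dump "%ENROLL%\%COMPUTERNAME%_%CANAME%.crt" | findstr /C:"NotBefore" /C:"NotAfter"
echo Base CRL (expect NextUpdate = ThisUpdate + 52 weeks + 2 weeks overlap):
certutil -dump "%ENROLL%\%CANAME%.crl" | findstr /C:"ThisUpdate" /C:"NextUpdate"
echo.
if %FAILS% GTR 0 (echo %FAILS% settings do not match; fix and re-run Post_Install.bat & exit /b 1)
echo All registry settings match.
exit /b 0

:dword
:: %1 = value name under the CA key, %2 = expected decimal value
set "got="
for /f "tokens=4" %%v in ('certutil -getreg %1 ^| findstr /C:"REG_DWORD"') do set /a got=0x%%v
if "%got%"=="%2" (echo OK:   %1 = %2) else (echo FAIL: %1 = "%got%", expected %2 & set /a FAILS+=1)
exit /b

:sz
:: %1 = value name, %2 = expected string
certutil -getreg %1 | findstr /C:"REG_SZ = %~2" >nul
if errorlevel 1 (echo FAIL: %1 is not "%~2" & set /a FAILS+=1) else (echo OK:   %1 = %~2)
exit /b

:multi
:: %1 = value name, %2 = substring one of the entries must contain
certutil -getreg %1 | findstr /C:"%~2" >nul
if errorlevel 1 (echo FAIL: %1 lacks "%~2" & set /a FAILS+=1) else (echo OK:   %1 contains "%~2")
exit /b
```

A missing value is reported the same way as a wrong one (certutil -getreg prints no REG_DWORD line, so the converted result is empty), which is what you want: if CA\csp\AlternateSignatureAlgorithm is absent the CA is still producing PKCS#1 v1.5 signatures, and if the CDP entries lack CN=Public Key Services the CRL will never land in Active Directory no matter how often you run certutil -dspublish.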