I have been spending several days trying to understand CA stuff in Windows 2012 and have surfed a bunch of Internet postings and am slowly getting there. I've experimented a bit, but this is taking too long. The postings are not fully detailed and seem to be a mishmash from W2K3 onwards.
I have a bunch of questions here, specifically for a Two Tier Architecture with an Offline Standalone Root CA and Enterprise Issuing CA on Windows 2012.
1. DSPublish
Cmd: certutil -dspublish -f RootCertFile.CRT RootCA
Cmd: certutil -dspublish -f RootCRLFile.CRL
- Adds a certificate and CRL to Active Directory
- Why can we not see the full certificate in adsiedit?
- Should this command be run from the CA, DC, or can it be run from any machine?
- Should it be run for both the Root and Issuing Certificates?
- Should RootCertFile.CRT and RootCRLFile.CRL be the actual path to the actual public storage locations or can they be a copy stored elsewhere? (That is are we storing path or content?)
2. Trade-Offs between using DSPublish and GPO for Trusted Root Certification Authorities and Intermediate Certification Authorities
- DSPublish is domain wide
- GPO can be targeted to OUs
- In practice, is one approach better/preferred/recommended than the other?
- Will using both create two certificate instances on client machines?
- Which machine (CA, DC, or anything else) should/can it be run on?
3. The use of CAPolicy.inf
- Is it REALLY necessary?
- Why do examples show OIDs of 1.2.3.4.1455.67.89.5 (which don't seem to appear in any other Microsoft documentation) and sometimes 1.2.3.4.5, 1.2.3.4.6, when the ones produced without CAPolicy.inf contain 2.5.29.15, 2.5.29.19, 2.5.29.14 and 1.3.6.1.4.1.311.21.1 (not 311.21.10) and seem to work perfectly well?
4. Does certutil -setreg ca\DSConfigDN etc ONLY affect the registry or does it do anything else behind the scenes?
5. In CA Properties, the Extensions Tab, by default, has four entries each for CDP and AIA. The first one is C:\Windows\System32\CertSrv\CertEnroll... but it does not appear in the AIA or CRL extensions of the certificate. Am I correct in assuming it is only used when generating the Cert or CRL?
6. When using ADSIEdit:
- How safe is it to delete containers in CN=Public Key Services, specifically the contents of CN=AIA, CN=CDP, CN=Certification Authorities, and CN=Enrollment Services? Are there any other cross references that would be affected? Assume a test scenario where all issued certificates will be wiped from client test machines; and a production scenario where someone simply goofed in the setup.
7. Why does setting CAPathLength (either directly in the registry or with certutil) and then restarting the CA and renewing the Root Certificate, not change the Path Length in the Root Certificate?
Thanks,
Bob.
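Added example (editor's, not part of Bob's post): a PowerShell script that runs the two dspublish commands from question 1 and then reads the published objects back out of the Configuration partition, so you can see exactly what landed in AD. The folder C:\PKI, the file names, and the assumption that the session runs as an Enterprise Admin on a domain-joined machine with the ActiveDirectory RSAT module are all hypothetical. certutil -dspublish writes to the Configuration partition, so the machine it runs on only needs domain membership and sufficient rights; the source path is not recorded, only the file contents.

```powershell
# Added example, not from the original post. Assumes the offline root's
# certificate and CRL were copied to C:\PKI on a domain-joined machine
# that has the ActiveDirectory module, and that the account can write to
# the Configuration partition (Enterprise Admins is the usual choice).
# All paths and names below are hypothetical.
param(
    [string]$RootCert = 'C:\PKI\RootCA.crt',
    [string]$RootCrl  = 'C:\PKI\RootCA.crl'
)

Import-Module ActiveDirectory

# 1. Publish. -f overwrites an existing object instead of failing on it.
#    "RootCA" stores the certificate under CN=Certification Authorities
#    (and CN=AIA); the CRL is stored under CN=CDP. AD keeps the bytes of
#    the file, not its path.
certutil -dspublish -f $RootCert RootCA | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dspublish of $RootCert failed (exit $LASTEXITCODE)" }

certutil -dspublish -f $RootCrl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dspublish of $RootCrl failed (exit $LASTEXITCODE)" }

# 2. Read the objects back from CN=Public Key Services in the
#    Configuration partition.
$pks = 'CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext

# cACertificate is a multi-valued octet string (raw DER). ADSI Edit only
# shows it as hex, so decode each value with .NET to get a readable view.
Get-ADObject -SearchBase "CN=Certification Authorities,$pks" `
             -LDAPFilter '(objectClass=certificationAuthority)' `
             -Properties cACertificate |
    ForEach-Object {
        $objName = $_.Name
        foreach ($der in $_.cACertificate) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                               -ArgumentList (,[byte[]]$der)
            New-Object psobject -Property @{
                Object     = $objName
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    } | Format-Table Object, Subject, Thumbprint, NotAfter -AutoSize

# The CRL lives in certificateRevocationList on a cRLDistributionPoint
# object. .NET has no CRL class, so write the bytes to a temp file and let
# certutil -dump show the issuer and validity window.
Get-ADObject -SearchBase "CN=CDP,$pks" `
             -LDAPFilter '(objectClass=cRLDistributionPoint)' `
             -Properties certificateRevocationList |
    ForEach-Object {
        if (-not $_.certificateRevocationList) { return }   # delta-only or empty object
        $tmp = Join-Path $env:TEMP ('{0}.crl' -f $_.Name)
        [IO.File]::WriteAllBytes($tmp, [byte[]]$_.certificateRevocationList)
        "== $($_.DistinguishedName)"
        certutil -dump $tmp | Select-String 'ThisUpdate|NextUpdate|CRL Number'
        Remove-Item $tmp
    }
```

Run it once against a test forest before touching production; compare the thumbprint printed for the Certification Authorities object with `certutil -dump C:\PKI\RootCA.crt` on the file you copied from the root, and the CRL's ThisUpdate/NextUpdate with the CRL you intended to publish. If you later delete objects under CN=Public Key Services with ADSI Edit (question 6), rerunning the read-back half of this script is a quick way to confirm what is actually left.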