Hello everyone,
I am installing an internal root CA at the moment. I have come to a point where I wonder whether everything is configured as intended.
Since I am not very experienced in setting up a PKI infrastructure, I could use some advice here.
I followed this guide to install and configure my offline root CA (I would like to post the link, but Microsoft has not verified me yet):
please search for it, or prepend https:// to: timothygruber.com/pki/deploy-a-pki-on-windows-server-2016-part-3/
Now I am a bit confused about the "rename the .crt file" part, and I don't even have the mentioned "second .crl file" (the last part of that page).
I have the following settings for CRLPublicationURLs and CACertPublicationURLs in certutil, and the following files were created on the offline root CA, from where I would now copy them to the PKI web share and the issuing CA:
(Please note that I had to remove "http://" in front of the URLs in the output and replace it with [...], and I am not allowed to post images. Sorry for that.)
PS C:\Users\Administrator> certutil -getreg ca\CACertPublicationURLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CEMA AG Root CA\CACertPublicationURLs:
CACertPublicationURLs REG_MULTI_SZ =
0: 1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
CSURL_SERVERPUBLISH -- 1
1: 2:[...]pki.cema.de/pki/CEMA AG ROOT CA%3%4.crt
CSURL_ADDTOCERTCDP -- 2
CertUtil: -getreg command completed successfully.
PS C:\Users\Administrator> certutil -getreg ca\CRLPublicationURLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CEMA AG Root CA\CRLPublicationURLs:
CRLPublicationURLs REG_MULTI_SZ =
0: 65:C:\Windows\System32\CertSrv\CertEnroll\CEMA AG ROOT CA%8%9.crl
CSURL_SERVERPUBLISH -- 1
CSURL_SERVERPUBLISHDELTA -- 40 (64)
1: 4:[...]pki.cema.de/pki/CEMA AG ROOT CA%8%9.crl -AddToCertificateCDP
CSURL_ADDTOFRESHESTCRL -- 4
CertUtil: -getreg command completed successfully.
The files on my offline root CA are named as follows:
C:\Windows\System32\CertSrv\CertEnroll\CEMA AG ROOT CA.crl
C:\Windows\System32\CertSrv\CertEnroll\certrootma01_CEMA AG Root CA.crt
In the guide it says:
"Copy the CRT and CRL files
The last step in this part is to copy the .CRT and .CRL files to the other two servers. To the subordinate CA (issuingCA) and the web server (WebServ1).
The .CRT file is located at: “C:\Windows\System32\CertSrv\CertEnroll\RootCA_Bedrock Root Certificate Authority.crt”
First rename the above file to: “BEDROCK-ROOTBedrock Root Certificate Authority.crt”
This is what the certificates will be looking for. Edit appropriately for your environment."
Can anyone explain to me whether my values are set up correctly and/or whether I really have to rename my .crt file somehow?
I got confused by those %8%9 values.
Any help is much appreciated. Thank you very much!
Kind regards,
David
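An added example, not part of David's post or the linked guide, showing how the %-tokens in CACertPublicationURLs and CRLPublicationURLs expand for this CA, how the two values are committed with certutil -setreg, and how the resulting files are staged for the web server and the issuing CA. The token meanings (%1 ServerDNSName, %2 ServerShortName, %3 CaName, %4 CertificateName, %8 CRLNameSuffix, %9 DeltaCRLAllowed) are the AD CS definitions; the CA name, host name and http://pki.cema.de/pki/ come from the post. The flag value 6 for the HTTP CRL entry, the D:\pki-transfer staging folder and the two helper functions (Expand-PublicationTemplate, Show-ExpandedUrls) are assumptions of this example.

```powershell
# Added example (not from the original post or the linked guide).
# Assumes the CA from the post: CA name "CEMA AG Root CA" on host certrootma01,
# HTTP publication point http://pki.cema.de/pki/. Run in an elevated PowerShell
# session on the offline root CA. The flag value 6 for the HTTP CRL entry and
# the D:\pki-transfer staging folder are assumptions.

# Tokens that AD CS substitutes in publication templates:
#   %1 ServerDNSName      %2 ServerShortName     %3 CaName
#   %4 CertificateName    renewal suffix of the CA cert; empty for the first cert
#   %8 CRLNameSuffix      empty for the first CA key, "(1)" after a renewal with a new key
#   %9 DeltaCRLAllowed    "+" in a delta CRL name, empty in the base CRL name
# The post's file "certrootma01_CEMA AG Root CA.crt" shows %1 expanding to the
# bare host name on this workgroup machine; the other values are the first-key,
# base-CRL case of an offline root.
$tokens = [ordered]@{
    '%1' = 'certrootma01'
    '%2' = 'certrootma01'
    '%3' = 'CEMA AG Root CA'
    '%4' = ''
    '%8' = ''
    '%9' = ''
}

function Expand-PublicationTemplate {
    # Returns the file name or URL that AD CS builds from a template
    # (substitution of the tokens listed above only).
    param([string]$Template, [System.Collections.IDictionary]$TokenValues)
    $result = $Template
    foreach ($token in $TokenValues.Keys) {
        $result = $result.Replace($token, [string]$TokenValues[$token])
    }
    return $result
}

# Each entry is "<flags>:<template>". Flags for CACertPublicationURLs:
#   1 = write the file locally (ServerPublish)
#   2 = put the URL in the AIA extension of issued certificates
#       (certutil -getreg prints this bit as CSURL_ADDTOCERTCDP)
$aiaUrls = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt'
    '2:http://pki.cema.de/pki/%3%4.crt'
)
# Flags for CRLPublicationURLs:
#   1 = ServerPublish, 64 = ServerPublishDelta (65 = both, for the local file)
#   2 = AddToCertificateCDP, 4 = AddToFreshestCRL (6 = both, for the HTTP URL)
$cdpUrls = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl'
    '6:http://pki.cema.de/pki/%3%8%9.crl'
)

function Show-ExpandedUrls {
    # Lists what every template becomes for this CA, so the names can be checked
    # against the files in CertEnroll before anything is changed.
    param([string[]]$Entries)
    foreach ($entry in $Entries) {
        # Limit the split to 2 so the "C:\" in local paths survives.
        $flags, $template = $entry -split ':', 2
        '{0,-3} {1}' -f $flags, (Expand-PublicationTemplate -Template $template -TokenValues $tokens)
    }
}
Show-ExpandedUrls ($aiaUrls + $cdpUrls)

# Commit both REG_MULTI_SZ values. certutil takes the literal two characters \n
# as the separator between entries, so they are joined with a single-quoted '\n'.
certutil -setreg CA\CACertPublicationURLs ($aiaUrls -join '\n')
certutil -setreg CA\CRLPublicationURLs   ($cdpUrls -join '\n')
Restart-Service certsvc

# Write a fresh base CRL with the new settings, then stage the CA certificate and
# CRL for transfer. The HTTP templates above carry no %1_ prefix, so the .crt is
# copied under the name the AIA URL in issued certificates will point to.
certutil -crl
$enroll = 'C:\Windows\system32\CertSrv\CertEnroll'
$stage  = 'D:\pki-transfer'   # assumed removable-media path
New-Item -ItemType Directory -Path $stage -Force | Out-Null
$crlName  = Expand-PublicationTemplate -Template '%3%8%9.crl' -TokenValues $tokens
$crtLocal = Expand-PublicationTemplate -Template '%1_%3%4.crt' -TokenValues $tokens
$crtWeb   = Expand-PublicationTemplate -Template '%3%4.crt'    -TokenValues $tokens
Copy-Item -Path (Join-Path $enroll $crlName)  -Destination (Join-Path $stage $crlName)
Copy-Item -Path (Join-Path $enroll $crtLocal) -Destination (Join-Path $stage $crtWeb)
```

Once the staged files are on the web server and the issuing CA has received its certificate, `certutil -verify -urlfetch <issuingCA.cer>` run on a domain member fetches every AIA and CDP URL embedded in that certificate and reports which ones do not resolve to the copied files, which is the quickest way to confirm that the names chosen for the web share match what the templates produced.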