10/01/2012

What is Certutil? (from TechNet)

Certutil

Certutil.exe is a command-line program that is installed as part of Certificate Services in the Windows Server 2003/2008 family.
You can also obtain Certutil.exe by downloading and installing the Windows Server 2003 Administration Tools Pack (http://go.microsoft.com/fwlink/?LinkID=8136).
You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.
You can use this tool at the command line; to see the full list of verbs and parameters, type:

certutil /?

Let's use certutil for configuring a Certification Authority (CA).

Configuring a Certification Authority (CA) with the Certutil tool.
You can use certutil to perform a number of CA configuration tasks.
The syntax for each task follows.

To display CA property type information

Syntax
certutil -capropinfo [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]
Parameters
-capropinfo
Displays CA property type information.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
-?
Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To display the configuration string for a CA

Syntax
certutil -getconfig [-gmt] [-seconds] [-v] [-config CAMachineName\CAName]
Parameters
-getconfig
Retrieves the default configuration string.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
-?
Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To create or delete the standard set of virtual roots and file shares for the Certificate Services Web server

Syntax
certutil -vroot [-gmt] [-seconds] [-v] [delete]
Parameters
-vroot
Creates the virtual roots for the Certificate Services Web server.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
delete
Deletes the virtual roots for the Certificate Services Web server.
-?
Displays a list of certutil commands.
Remarks
  • If Active Server Pages (ASP) are not enabled, this command enables ASP.
  • If you installed the CA Web enrollment pages before installing IIS, the required virtual roots are not created. To create the virtual roots after installing IIS, at a command prompt, type:

    certutil -vroot

    This command does not install the Web enrollment pages. Instead, it creates the IIS virtual roots that point to the Web enrollment pages, CA certificate, certificate revocation lists (CRLs), and enrollment controls (that is, xenroll.dll and scrdenrl.dll).

To display CA information

Syntax
certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [InfoName]
Parameters
-cainfo
Displays CA information.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
InfoName
Specifies the CA information that you want to display. Use one of the values in the following table.

Value: Description
file: Displays information about the file version.
product: Displays the product version.
exitcount: Displays the exit module count.
exit [Index]: Displays the exit module description.
policy: Displays the policy module description.
name: Displays the CA name.
sanitizedname: Displays the sanitized CA name.
sharedfolder: Displays the shared folder.
error1 ErrorCode: Displays the error code message in the local language. For ErrorCode, specify the error code that you want to retrieve.
error2 ErrorCode: Displays the error code message and the error code in the local language. For ErrorCode, specify the error code that you want to retrieve.
type: Displays the CA type.
info: Displays the CA info.
parent: Displays the parent CA.
certcount: Displays the CA certificate count.
xchgcount: Displays the CA Exchange certificate count.
kracount: Displays the number of key recovery agent (KRA) certificates.
kraused: Displays the number of KRA certificates that are being used.
propidmax: Displays the maximum CA PropID.
certstate [Index]: Displays the CA certificate status.
certstatuscode [Index]: Displays the CA certificate verification status.
crlstate [Index]: Displays a certificate revocation list (CRL).
krastate [Index]: Displays a KRA certificate.
crossstate+ [Index]: Forward cross-certification.
crossstate- [Index]: Backward cross-certification.
cert [Index]: Displays a CA certificate.
certchain [Index]: Displays a CA certificate chain.
certcrlchain [Index]: Displays a CA certificate chain with CRLs.
xchg [Index]: Displays a CA exchange certificate.
xchgchain [Index]: Displays a CA exchange certificate chain.
xchgcrlchain [Index]: Displays a CA exchange certificate chain with CRLs.
kra [Index]: Displays a KRA certificate.
cross+ [Index]: Forward cross-certification.
cross- [Index]: Backward cross-certification.
crl [Index]: Displays a base CRL.
deltacrl [Index]: Displays a delta CRL.
crlstatus [Index]: Displays CRL publish status.
deltacrlstatus [Index]: Displays delta CRL publish status.
dns: Displays the DNS name.
role: Displays role separation.
ads: Displays Advanced Server.
templates: Displays the templates.
-?
Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
Examples
To display CA information, type:
certutil -cainfo
To display a CA certificate state disposition, type:
certutil -cainfo certstate
To display CRL information, type:
certutil -cainfo crlstate

To determine whether a CA has been renewed

Syntax
certutil -cainfo [-f] [-gmt] [-seconds] [-split] [-v] [-config CAMachineName\CAName] [certstate]
Parameters
-cainfo
Displays CA information.
-f
Overwrites existing files or keys.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-split
Splits the embedded Abstract Syntax Notation One (ASN.1) elements, and saves them to files.
-v
Specifies verbose output.
-config CAMachineName\CAName
Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName).
certstate
Returns a LONG containing a certificate state disposition.
-?
Displays a list of certutil commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
  • If the CA's index is greater than 0, the CA certificate has been renewed. The command output displays the index information.
  • If one of the older CA certificates expires and is regenerated by using the existing key, CRLs are not published for that CA key. If the CA has never been renewed for a new key, this prevents CRL generation. Generating and publishing a new CRL will not solve this problem, but you can use the CRL to help confirm the condition. To force the generation and publication of a CRL, type:

    certutil -crl
  • The update for this condition is provided in Windows 2000 Service Pack 3.
Examples
To display a CA certificate state disposition, type:
certutil -cainfo certstate
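The renewal check described in the remarks above, as an added PowerShell example that is not part of the TechNet text: it runs certutil -cainfo certstate and reports whether any CA certificate index is greater than 0. The output-line format "CA cert[N]: <code> -- <text>" and the function name are assumptions.

```powershell
# Added example (not from the TechNet text): determine whether a CA has been renewed
# by parsing "certutil -cainfo certstate". Per the remarks above, a CA certificate
# index greater than 0 means the CA certificate has been renewed at least once.
# The line format "CA cert[N]: <code> -- <text>" is an assumption; adjust the
# pattern if your certutil build prints it differently.

function Get-CaRenewalState {
    param(
        # Configuration string "CAMachineName\CAName". "-" selects the default CA
        # without showing the Select Certificate Authority dialog.
        [string]$Config = '-'
    )
    $raw = certutil -config $Config -cainfo certstate 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil failed: $($raw -join ' ')" }

    $states = foreach ($line in $raw) {
        if ($line -match 'CA cert\[(?<idx>\d+)\]:\s*(?<code>\d+)\s*--\s*(?<text>.+)$') {
            [pscustomobject]@{
                Index = [int]$Matches.idx
                Code  = [int]$Matches.code
                State = $Matches.text.Trim()
            }
        }
    }
    if (-not $states) { throw 'No CA certificate state lines found in certutil output' }

    $maxIndex = ($states | Measure-Object -Property Index -Maximum).Maximum
    [pscustomobject]@{
        Config       = $Config
        Certificates = $states
        Renewed      = ($maxIndex -gt 0)   # index > 0: the CA has been renewed
        RenewalCount = $maxIndex
        # Anything not reporting "Valid" (for example an expired older CA
        # certificate) is worth reviewing before relying on CRL publication.
        NonValid     = @($states | Where-Object { $_.State -ne 'Valid' })
    }
}

# Usage: Get-CaRenewalState -Config 'CA01\Contoso Issuing CA' | Format-List
```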

To change the length of the validity period for certificates issued from a CA

Syntax
certutil -setreg [-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\CAName | \ca}]\ValidityPeriod {"days" | "weeks" | "months" | "years"}
certutil -setreg [-user] [-gmt] [-seconds] [-v] HKLM\system\currentcontrolset\services\certsvc\configuration[{\CAName | \ca}]\ValidityPeriodUnits "UnitValue"
Parameters
-setreg
Sets or edits the registry key value.
-user
Uses the HKEY_CURRENT_USER keys or certificate store.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
HKLM\system\currentcontrolset\services\certsvc\configuration\
Specifies the path to the ValidityPeriod and ValidityPeriodUnits registry keys.
CAName
Specifies the name of the CA.
ca
Specifies the default CA on the local computer.
\ValidityPeriod {"days" | "weeks" | "months" | "years"}
Sets the period of time that you want the certificate to be valid. Specify days, weeks, months, or years. Wrap the time period in quotation marks.
\ValidityPeriodUnits "UnitValue"
Sets the numeric value for ValidityPeriod.
-?
Displays a list of certutil commands.
Caution
  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Examples
You can set an enterprise qualified subordinate CA to have a different certificate validity period than the parent CA. On the CA computer that is issuing the subordinate CA certificate, type the following commands to set the validity period to three months:
certutil -setreg ca\ValidityPeriod "months"
certutil -setreg ca\ValidityPeriodUnits "3"

To force a CA to include expired certificates in future base and delta CRLs

Syntax
certutil-setreg[-user] [-gmt] [-seconds] [-v] ca\CRLFlags+CRLF_PUBLISH_EXPIRED_CERT_CRLS
Parameters
-setreg
Sets or edits the registry key value.
-user
Uses the HKEY_CURRENT_USER keys or certificate store.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
ca
Specifies the CA registry key.
CRLFlags
Specifies the registry value name.
CRLF_PUBLISH_EXPIRED_CERT_CRLS
Specifies the new numeric or string registry value.
-?
Displays a list of certutil commands.
Remarks
  • You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
  • With this command, you can verify the revocation status of a time-stamped certificate that has expired.
  • If a numeric registry value starts with a plus sign (+) or a dash (-), the bits specified in the new value are set or cleared in the existing registry value.
  • If a string registry value starts with a plus sign (+) or a dash (-) and the existing value is a REG_MULTI_SZ value, the string value is either added to or removed from the existing registry value.

To configure a CA to issue certificates beyond the default two-year limit

Syntax
certutil -setreg [-user] [-gmt] [-seconds] [-v] ca\ValidityPeriod "years"
certutil -setreg ca\ValidityPeriodUnits "2"
Parameters
-setreg
Sets or edits the registry key value.
-user
Uses the HKEY_CURRENT_USER keys or certificate store.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
ca\ValidityPeriod "years"
Sets the validity length of the certificate to years.
ca\ValidityPeriodUnits "2"
Sets the "years" validity period value to two.
-?
Displays a list of certutil commands.
Caution
  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To increase the session limit on the CA database

Syntax
certutil -setreg [-user] [-gmt] [-seconds] [-v] dbsessioncount 30
Parameters
-setreg
Sets or edits the registry key value.
-user
Uses the HKEY_CURRENT_USER keys or certificate store.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
dbsessioncount 30
Specifies the new session limit.
-?
Displays a list of certutil commands.
Caution
  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To disable or restore the enforcement of the distinguished name length on the CA

Syntax
certutil -setreg [-user] [-gmt] [-seconds] [-v] ca\ENFORCEX500NAMELENGTHS {0 | 1}
Parameters
-setreg
Sets or edits the specified registry value.
-user
Uses the HKEY_CURRENT_USER keys or certificate store.
-gmt
Displays time as Greenwich mean time.
-seconds
Displays time with seconds and milliseconds.
-v
Specifies verbose output.
ca\ENFORCEX500NAMELENGTHS
Specifies the path to the REG_DWORD\ENFORCEX500NAMELENGTHS registry value.
{0 | 1}
Specifies whether to disable (specify 0) or restore (specify 1) the default REG_DWORD\ENFORCEX500NAMELENGTHS registry value.
-?
Displays a list of certutil commands.
Remarks
  • You must restart the certification authority for this change to take effect. For more information on restarting Certificate Services, see Start, stop, pause, resume, or restart a service.
  • Use this command in situations where the existing subject is okay, but the request is rejected by the certificate server.

Examples
To disable the organizational unit length enforcement on the server, type:
certutil -setreg ca\enforceX500namelengths 0
To restore the default REG_DWORD\ENFORCEX500NAMELENGTHS registry value, type:
certutil -setreg ca\enforceX500namelengths 1
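The -setreg tasks above (ValidityPeriod, ValidityPeriodUnits, CRLFlags and ENFORCEX500NAMELENGTHS) as one added PowerShell example, not part of the TechNet text: it reads each value with certutil -getreg, compares it to a baseline you choose, and prints or applies the certutil -setreg commands needed. The baseline defaults, function names and the assumed layout of certutil -getreg output ("<Name> REG_DWORD = 2", with symbolic CRLF_* names listed under CRLFlags) are assumptions.

```powershell
# Added example (not from the TechNet text): audit the CA registry values changed by
# the -setreg tasks above against a baseline, and emit (or apply) the fixes.
# Assumes an elevated prompt on the CA itself; nothing changes unless -Apply is given.

function Get-CaRegText {
    param([Parameter(Mandatory)][string]$Name)
    # Raw certutil -getreg output for ca\<Name>, as one string.
    $out = certutil -getreg "ca\$Name" 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg ca\$Name failed: $out" }
    return $out
}

function Get-CaRegScalar {
    param([Parameter(Mandatory)][string]$Name)
    # Assumed line layout: "  <Name> REG_SZ = Years" or "  <Name> REG_DWORD = 2".
    # When certutil prints a DWORD in hex it appends the decimal in parentheses.
    $text = Get-CaRegText $Name
    if ($text -match "(?m)^\s*$Name\s+REG_SZ\s*=\s*(.+?)\s*$") { return $Matches[1] }
    if ($text -match "(?m)^\s*$Name\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)(?:\s*\((\d+)\))?") {
        if ($Matches[2]) { return [int]$Matches[2] }
        return [Convert]::ToInt32($Matches[1], 16)
    }
    throw "Could not parse value $Name from certutil output"
}

function Test-CaRegBaseline {
    param(
        [string]$ValidityPeriod      = 'Years',   # baseline values are assumptions
        [int]$ValidityPeriodUnits    = 2,
        [switch]$PublishExpiredCertCrls,           # CRLF_PUBLISH_EXPIRED_CERT_CRLS
        [int]$EnforceX500NameLengths = 1,          # 1 restores the default enforcement
        [switch]$Apply
    )
    $fixes = @()
    if ((Get-CaRegScalar ValidityPeriod) -ne $ValidityPeriod) {
        $fixes += "certutil -setreg ca\ValidityPeriod `"$ValidityPeriod`""
    }
    if ((Get-CaRegScalar ValidityPeriodUnits) -ne $ValidityPeriodUnits) {
        $fixes += "certutil -setreg ca\ValidityPeriodUnits $ValidityPeriodUnits"
    }
    # certutil lists the symbolic CRLF_* names under the CRLFlags value, so the bit
    # is checked by name; the "+" syntax sets only that bit, as in the task above.
    $hasFlag = (Get-CaRegText CRLFlags) -match 'CRLF_PUBLISH_EXPIRED_CERT_CRLS'
    if ($PublishExpiredCertCrls -and -not $hasFlag) {
        $fixes += 'certutil -setreg ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS'
    }
    if ((Get-CaRegScalar EnforceX500NameLengths) -ne $EnforceX500NameLengths) {
        $fixes += "certutil -setreg ca\EnforceX500NameLengths $EnforceX500NameLengths"
    }
    if (-not $fixes) { Write-Host 'CA registry values already match the baseline'; return }
    foreach ($cmd in $fixes) {
        Write-Host $cmd
        if ($Apply) { Invoke-Expression $cmd }
    }
    # The remarks above require a CA restart for CRLFlags and ENFORCEX500NAMELENGTHS
    # changes; one restart after all changes covers every value set here.
    if ($Apply) { Restart-Service certsvc }
}

# Usage: Test-CaRegBaseline -PublishExpiredCertCrls          # report only
#        Test-CaRegBaseline -PublishExpiredCertCrls -Apply   # set values, restart CA
```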

How to publish a CRL with UAG?

With two easy :) steps:
  • Create an HTTP portal on UAG.
  • Publish your http://crl.yourdomain.com/CertEnroll/* on UAG as an application.

Deploying a Forefront UAG DirectAccess Array in 10 Easy Steps!

This is not an exhaustive step-by-step walkthrough, but it should cover the key high-level tasks involved. More detail can be found in the Forefront UAG DirectAccess TechNet documentation or by looking at Tom’s excellent Test Lab Guides (TLGs).
These steps are based upon deploying Forefront UAG DirectAccess using an array topology combined with ISATAP to support IPv6 intranet connectivity and NAT64 to support IPv4 intranet resources. This is a likely scenario for deployments with a larger number of users, or specific high availability needs, and an existing IPv4 based intranet.
Please Note: This deployment scenario does not include NAP or Smartcard authentication.
Step 1: Configure Supporting Infrastructure
  • Create ISATAP, NLS and IP-HTTPS DNS records
  • Create DirectAccess client and server security groups
  • Create DirectAccess certificate templates
  • Create service account for UAG array management
Step 2: Configure Network Location Servers
  • Create website and enrol/bind NLS certificate
  • Repeat for additional NLS servers and potentially implement NLB
Step 3: Prepare and Install UAG Servers
  • Install OS, activate, run Windows Update, join AD domain
  • Configure network interfaces and amend bind order – see here
  • Configure static routes – see here
  • Enrol IP-HTTPS and IPsec certificates
  • Install UAG + UAG Update 1 + UAG Update 2 + TMG SP1 + TMG SP1U1
  • Repeat for additional UAG servers
Step 4: Configure UAG Array
  • Configure first UAG server as the array manager
  • Add additional UAG servers to the ‘Managed Server Computers’ computer set in TMG
  • Join additional UAG servers to the array
Step 5: Configure UAG NLB
  • Define internal NLB virtual IP address with unicast mode
  • Define external NLB virtual IP addresses (at least two) with unicast mode
  • Start NLB on each array member
Step 6: Configure UAG DirectAccess
  • Enable NAT64/DNS64
  • Define appropriate NRPT entries
Step 7: Configure DirectAccess Clients
  • Enrol IPsec certificates
  • Add clients to DirectAccess security group and reboot
  • Install DCA client
Step 8: Configure Active Directory and DNS
  • Add IPv6 prefixes and assign to AD sites
  • Add DNS reverse lookup zones for IPv6 prefixes
Step 9: Test DirectAccess
  • Test internal ISATAP
  • Test external Teredo, 6to4 and IP-HTTPS
Step 10: Complete Post-Installation Tasks
  • Define custom TMG rules for systems management (SCOM, SCCM, Cert Enrolment etc.)
  • Apply UAG SCW hardening template using Group Policy
  • Install and run UAG BPA
Hopefully this provides some structure to the recommended deployment process and should allow you to define a high-level checklist of the key tasks for an array deployment.

9/30/2012

Microsoft PKI Certificate Authority (CA) Design Overview

Before you configure a Public Key Infrastructure (PKI) and certification authority (CA) hierarchy, you should be aware of your organization's security policy and certificate practice statement (CPS). If your organization does not have such policy statements, you should consider creating them. When you plan the CA hierarchy for your organization's PKI, you can use the following table to get an idea of the type of hierarchy and CAs to implement.
Design option: Enterprise Root CA on a Domain Controller (online)
Best for: Not recommended. Lab environments only, when PKI design is not a priority, or when resources are severely constrained (worst-case scenario).
Pros: None.
Cons:
  • Configuration dependencies make domain controller maintenance and restore complex.
  • The CA is online and more susceptible to compromise.

Design option: Enterprise Root CA (online)
Best for: Small organizations with limited security needs; environments that do not have high security needs and do not want to manage an offline system; large companies with limited certificate needs, such as internal SSL.
Pros: Easy to manage, uses templates, integrates with Active Directory Domain Services (AD DS).
Cons:
  • The CA is online and more susceptible to compromise.
  • The online CA cannot be revoked if compromised.
  • More difficult to expand than multi-tier CA hierarchies.

Design option: Enterprise Root CA (offline)
Best for: Not ideal for any environment.
Pros: While offline, the CA is not exposed to network-based attacks.
Cons:
  • Cannot be installed offline because it requires Active Directory.
  • The Enterprise Root CA would not be able to service requests when offline.
  • The Enterprise Root CA would have to be online sometimes and a member of the domain.
  • An Enterprise Subordinate CA would need to be created to get any of the benefits of an Active Directory integrated CA.
  • The Enterprise Root CA would be online during subordinate CA renewal (in a multi-tier CA hierarchy).
  • In a single-tier hierarchy, the Enterprise Root CA would not be available to issue certificates while offline.
  • The secure channel password would likely need to be reset in order to communicate with the domain when the CA was brought online, if it was offline for more than 30 days.

Design option: Standalone offline root CA
Best for: Secure environments with multiple issuing CAs.
Pros: Provides security and management of the online CAs. Gives the environment a single point of trust for all CAs in the company. Helps with physical and logical control of the CA.
Cons: Easy to forget about, letting the CDP/AIA expire and break the PKI. Expensive: requires dedicated hardware that is infrequently used. More complex and requires a greater skill level to integrate into an Active Directory Domain Services (AD DS) environment.

Design option: Two-tier CA hierarchy
Best for: Most environments that do not need to create security boundaries in their CA architecture.
Pros: No unnecessary offline systems. Fewer CAs to manage and renew offline.
Cons: No ability to restrict subordinate CAs or administrators. Can (and should) also incur the expense of an HSM.

Design option: Three-tier CA hierarchy
Best for: Very large and expansive PKI environments with segmented CAs, or separate groups that will manage CAs and need to be restricted.
Pros: Ability to restrict CAs from issuing certificates they should not (for example, DMZ CAs should not issue smart card certificates). Allows the greatest flexibility of the PKI.
Cons: The middle tier is often never utilized and is wasted. Extra machine/OS/HSM expense, and one more system to remember to renew and maintain in an offline state.