Update: Import the Root CA Certificate and CRL into an Intermediate CA from a Batch File
Microsoft

First published on TECHNET on Feb 24, 2008

It came to our attention that the Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure whitepaper provides wrong guidance in the section "Import the Root CA Certificate and CRL into an Intermediate CA from a Batch File". The current documentation recommends adding the CRL published by the Root CA to the Root certificate store.

Two corrections are needed to the commands in step #4 of that section:

 

 


1. The -f option should not be used for existing certificate stores. This avoids accidentally creating new certificate stores: if you mistype the certificate store name and use the -f option, a new certificate store is created, which becomes a dead store.

2. The CRL should be added to the intermediate certificate store.

The correct commands would look like the following:

for %C in (FloppyDrive:\*.crt) do certutil -addstore Root %C
for %C in (FloppyDrive:\*.crl) do certutil -addstore CA %C
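The same two imports written as an actual batch file, as an added example that is not part of the whitepaper or the original post. Inside a .bat file the loop variable must be written %%C rather than %C; the SRC path and the FAILED flag are assumptions chosen for illustration.

```batch
@echo off
rem Added example: import root CA material on an intermediate CA.
rem Assumption: SRC is the drive or folder holding the root CA's
rem .crt and .crl files. Adjust it before running.
setlocal
set "SRC=A:"
set "FAILED=0"

rem Root CA certificates go to the Root store.
rem No -f here (correction 1): with -f, a mistyped store name
rem would create a new, unused store instead of failing.
for %%C in ("%SRC%\*.crt") do (
    certutil -addstore Root "%%~C" || set "FAILED=1"
)

rem Root CA CRLs go to the intermediate store, named CA (correction 2).
for %%C in ("%SRC%\*.crl") do (
    certutil -addstore CA "%%~C" || set "FAILED=1"
)

rem Dump both stores so the operator can confirm what was imported.
certutil -store Root
certutil -store CA

if "%FAILED%"=="1" (
    echo One or more imports failed. Check the store names and input files.
    exit /b 1
)
exit /b 0
```

The script returns a non-zero exit code when any certutil call fails, so a calling deployment script can stop instead of continuing with an incomplete trust configuration.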