Update: Import the Root CA Certificate and CRL into an Intermediate CA from a Batch File

Published 01-24-2020 01:42 PM
Microsoft

First published on TECHNET on Feb 24, 2008

It came to our attention that the Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure whitepaper provides incorrect guidance in the section Import the Root CA Certificate and CRL into an Intermediate CA from a Batch File. The current documentation recommends adding the CRL published by the Root CA to the Root certificate store.

 

 

 

There are two corrections needed for the commands in step #4 of the Import the Root CA Certificate and CRL into an Intermediate CA from a Batch File section:

  1. The -f option should not be used for existing certificate stores. This is to avoid accidental creation of new certificate stores. If you mistype the certificate store name and use the -f option, a new certificate store is created, which becomes a dead store.

  2. The CRL should be added to the intermediate certificate store.

The correct commands look like the following (FloppyDrive stands for the letter of the drive that holds the files):

for %C in (FloppyDrive:\*.crt) do certutil -addstore Root %C
for %C in (FloppyDrive:\*.crl) do certutil -addstore CA %C
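The two corrections applied in a complete batch file, added here as an example and not taken from the original post or the whitepaper. The source-path argument and the labels are assumptions of this example; inside a batch file the loop variable is written %%C rather than %C.

```batch
@echo off
rem Added example (not from the original post).
rem Usage: run with the drive or folder that holds the Root CA files, e.g. A:
rem The argument and the label names below are assumptions of this example.
setlocal
set "SRC=%~1"
if "%SRC%"=="" goto :usage
if not exist "%SRC%\*.crt" goto :nofiles

rem Root CA certificates go into the Root store.
rem -f is deliberately omitted, so a mistyped store name cannot
rem create a new (dead) certificate store.
for %%C in ("%SRC%\*.crt") do (
    certutil -addstore Root "%%C" || goto :failed
)

rem CRLs published by the Root CA go into the intermediate store (CA),
rem not into the Root store.
for %%C in ("%SRC%\*.crl") do (
    certutil -addstore CA "%%C" || goto :failed
)

rem List the intermediate store so the imported CRL can be checked by eye.
certutil -store CA
exit /b 0

:usage
echo Usage: %~nx0 SourceDriveOrFolder
exit /b 2

:nofiles
echo No .crt files found in "%SRC%".
exit /b 1

:failed
echo certutil -addstore failed. Check the store name and the input file.
exit /b 1
```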

Last update: Feb 20 2020 02:45 PM