:: Create a folder in the C: drive root. This folder will be used to store CA files.
md C:\CertData

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Configure CA settings                                        ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: Set CRL and CA certificate file publishing locations and extension publishing options.
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n65:C:\CertData\Adatum_PICA%%8%%9.crl\n2:http://www.adatum.com/pki/Adatum_PICA%%8%%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n6:http://www.adatum.com/pki/Adatum_PICA%%4.crt\n32:http://www.adatum.com/ocsp"

:: Because we cannot manage CRT file publishing locations,
:: we rename the original file to the desired name and copy it to the CertData folder.
ren %windir%\system32\CertSrv\CertEnroll\*.crt Adatum_PICA.crt
copy %windir%\system32\CertSrv\CertEnroll\Adatum_PICA.crt C:\CertData

:: Set issued certificate maximum validity period to 5 years.
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"

:: Set CRL publication periods as defined in CAPolicy.inf.
certutil -setreg CA\CRLPeriodUnits 5
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 12
certutil -setreg CA\CRLDeltaPeriod "Hours"
certutil -setreg CA\CRLOverlapPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 1

:: Enable Issuer Statement extension in issued certificates.
certutil -setreg Policy\EnableRequestExtensionList +"2.5.29.32"

:: Enable AlternateSignatureAlgorithm extensions.
certutil -setreg CA\csp\AlternateSignatureAlgorithm 1

:: Enable CA server full audit.
certutil -setreg CA\AuditFilter 127

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Configuring AD settings                                      ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: Set current forest configuration naming context.
certutil -setreg CA\DSConfig "CN=Configuration,DC=adatum,DC=com"

:: Publish CA certificates to AD.
certutil -dspublish -f C:\CertData\Adatum_PICA.crt Subca
certutil -dspublish -f C:\CertData\Adatum_PICA.crt NTAuthCA

:: Restart Certificate Services.
net stop certsvc && net start certsvc

:: Publish new CRLs.
certutil -CRL