:: Create a folder in the C: drive root. This folder will be used to store CA files.
md C:\CertData

:: Set the CRL and CA certificate file publishing locations and extension publishing options.
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n65:C:\CertData\{Adatum}_RCA%%8.crl\n2:http://www.{adatum.com}/pki/{Adatum}_RCA%%8.crl"
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://www.{adatum.com}/pki/{Adatum}_RCA%%4.crt"

:: If the Root CA will issue an OCSP signing certificate, enable the appropriate flags.
:: certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://www.{adatum.com}/pki/{Adatum}_RCA%%4.crt\n32:http://www.{adatum.com}/ocsp"
:: Note: if OCSP is used for the Root CA, uncomment the previous line and comment out (with a double colon)
:: the corresponding line above (certutil -setreg CA\CACertPublicationURLs <...>).

:: Because the CRT file publishing location cannot be managed,
:: rename the original file to the desired name and copy it to the CertData folder.
ren %windir%\system32\CertSrv\CertEnroll\*.crt {Adatum}_RCA.crt
copy %windir%\system32\CertSrv\CertEnroll\{Adatum}_RCA.crt C:\CertData

:: Set the maximum validity period of issued certificates to 10 years.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

:: Set the CRL publication periods as defined in CAPolicy.inf.
certutil -setreg CA\CRLPeriodUnits 90
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2

:: Enable the AlternateSignatureAlgorithm extension.
certutil -setreg CA\csp\AlternateSignatureAlgorithm 1

:: Enable full CA server auditing.
certutil -setreg CA\AuditFilter 127

:: Enable OCSP Response Signing certificate support on the Root CA.
certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK

:: Restart the CA service so the new settings take effect.
net stop certsvc && net start certsvc

:: Publish new CRLs.
certutil -CRL
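
The numeric prefixes (65, 2, 1, 32) and the %N tokens in the publication URLs above are easy to get wrong, so the following PowerShell decodes them for review. It is an added example, not part of the original script; the function name `ConvertFrom-CaUrlEntry`, the token placeholder names, and the expansion of `%windir%` to `C:\Windows` in the sample values are assumptions made for illustration.

```powershell
# Added example: decode CA\CRLPublicationURLs and CA\CACertPublicationURLs entries.
# Hypothetical helper, not part of certutil or of the original script.
$CrlFlags = @{
    1   = 'publish CRLs to this location'
    2   = 'include in CDP extension of issued certificates'
    4   = 'include in CRLs so clients can find delta CRL locations'
    8   = 'include in all CRLs (AD location used when publishing manually)'
    64  = 'publish delta CRLs to this location'
    128 = 'include in IDP extension of issued CRLs'
}
$AiaFlags = @{
    1  = 'publish CA certificate to this location'
    2  = 'include in AIA extension of issued certificates'
    32 = 'include in AIA extension as OCSP URL'
}
# Replacement tokens: written %%N inside a batch file, stored as %N in the registry.
$Tokens = @{ '1' = '<ServerDNSName>'; '3' = '<CAName>'; '4' = '<CertificateNameSuffix>'
             '8' = '<CRLNameSuffix>'; '9' = '<DeltaCRLAllowed>' }

function ConvertFrom-CaUrlEntry {
    param([Parameter(Mandatory)][string[]]$Entry,
          [Parameter(Mandatory)][ValidateSet('CRL', 'AIA')][string]$Kind)
    $map = if ($Kind -eq 'CRL') { $CrlFlags } else { $AiaFlags }
    foreach ($e in $Entry) {
        # Split only at the first colon so "C:\..." and "http://..." stay intact.
        $prefix, $url = $e -split ':', 2
        $n = [int]$prefix
        [pscustomobject]@{
            Flags   = $n
            Meaning = ($map.Keys | Sort-Object | Where-Object { $n -band $_ } |
                       ForEach-Object { $map[$_] }) -join '; '
            Url     = [regex]::Replace($url, '%(\d+)', {
                          param($m)
                          $t = $Tokens[$m.Groups[1].Value]
                          if ($t) { $t } else { $m.Value } })
        }
    }
}

# Constructed sample: the values the script writes, one string per "\n"-separated entry.
$crl = '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
       '65:C:\CertData\{Adatum}_RCA%8.crl',
       '2:http://www.{adatum.com}/pki/{Adatum}_RCA%8.crl'
$aia = '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt',
       '2:http://www.{adatum.com}/pki/{Adatum}_RCA%4.crt'
ConvertFrom-CaUrlEntry -Entry $crl -Kind CRL | Format-List
ConvertFrom-CaUrlEntry -Entry $aia -Kind AIA | Format-List
```

On the CA itself, `certutil -getreg CA\CRLPublicationURLs` and `certutil -getreg CA\CACertPublicationURLs` show the stored entries to compare against this output; only the HTTP entries (flag 2) should end up in issued certificates.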