Set the DSConfigDN for Standalone Root CAs
Are you setting up a new PKI implementation in your organization? Are you using a Standalone Root CA with an Enterprise Subordinate CA? If so, don’t forget to properly set the DSConfigDN attribute for your Standalone Root CA (since it can’t read or write in AD!). If you forget to do this and then install your Enterprise Subordinate CA…well, you’ll be unhappy. You'll end up having to either uninstall and reinstall that Enterprise Subordinate CA or reissue its certificate, in both cases after making this change. (Honestly, the uninstall and reinstall is a cleaner approach if you need to fix this problem.)
To properly set the DSConfigDN attribute on the Standalone CA:
- From an administrative command prompt, enter the following command to set the Configuration container DN for the Root CA:
    certutil -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=local"
- You should get the following output back:
    SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ROOTCANAME\DSConfigDN:
    NewValue: DSConfigDN REG_SZ = CN=Configuration,DC=mycompany,DC=local
    CertUtil -setreg command completed successfully.
    The CertSvc service may need to be restarted for changes to take effect.
- Stop and then start the Active Directory Certificate Services service as required. This can be done from the command prompt, the Services console or the CA console.
The change looks like that seen in the figure below when viewed in the Registry Editor.
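To confirm the value was stored as intended before the Enterprise Subordinate CA is installed, the following PowerShell check (an added example, not from the original post) reads DSConfigDN from the registry path shown in the certutil output and compares it with the expected DN. The function name Test-DSConfigDN and the DC=mycompany,DC=local value are assumptions; the Active registry value is where AD CS records the installed CA's name.

```powershell
# Added example, not from the original post. Run elevated on the Standalone Root CA.
# $ExpectedForestDN is an assumption: replace it with your forest root domain DN.
function Test-DSConfigDN {
    param(
        [Parameter(Mandatory)] [string] $ExpectedForestDN,   # e.g. 'DC=mycompany,DC=local'
        [string] $ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    )
    # The "Active" value names the CA whose subkey holds DSConfigDN.
    $caName = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
    $caKey  = Join-Path $ConfigKey $caName
    $actual = (Get-ItemProperty -Path $caKey -Name DSConfigDN -ErrorAction SilentlyContinue).DSConfigDN

    $expected = "CN=Configuration,$ExpectedForestDN"
    $problems = @()
    if ([string]::IsNullOrWhiteSpace($actual)) {
        $problems += 'DSConfigDN is not set'
    } else {
        # Typographic quotes pasted from a web page can end up stored inside the value.
        if ($actual -match '[\u201C\u201D"]') { $problems += 'value contains quote characters' }
        if ($actual -notmatch '^CN=Configuration(,DC=[^,=]+)+$') {
            $problems += 'not of the form CN=Configuration,DC=...'
        }
        # Catches typos in the domain components.
        if ($actual -ne $expected) { $problems += "differs from expected '$expected'" }
    }
    [pscustomobject]@{
        CAName   = $caName
        Actual   = $actual
        Expected = $expected
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$result = Test-DSConfigDN -ExpectedForestDN 'DC=mycompany,DC=local'
$result | Format-List
if (-not $result.Ok) {
    # Same command as in the post, with the value passed as a plain string.
    certutil -setreg ca\DSConfigDN $result.Expected
    Restart-Service -Name CertSvc
}
```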

RFC 3647 Certification Practice Statement (CPS) template
Are you implementing a Public Key Infrastructure solution? If so, do you want to fully comply with RFC 3647 and ensure maximum credibility for your PKI solution?
If you answered yes to both of these questions then you’re going to be spending a lot (A LOT) of time working on the writing and approval of a Certification Practice Statement (CPS) and possibly also a Certificate Policy. Per RFC 3647, there is a specific template that should be followed in most, if not all, cases.
Download a template here and don’t forget to also get your organization a Private Enterprise Number (PEN) from IANA…you’ll want that PEN to create your OID tree and assign a globally unique OID to your CPS.
Disclaimer: The template is provided with no warranty or guarantee of suitability in your organization. The template was created using Microsoft Word 2007 and may open or appear differently in other versions.
Get the template:
CPS_Template.zip (23.8 KiB, 649 hits)










































