Certification authority windows 2000

Enter the requested information in the next dialog box and click Next. In the subsequent dialog box, verify the storage location for configuration data, and click Next. Insert the Windows Server CD at the prompt. The backup folder is supposed to be empty; the wizard will warn you if it isn't.

You have to put each backup in a different location; for example, if you do one full and two incremental backups each week, you'll need three separate folders to store the backed-up files. Once you complete the Backup wizard process, you'll have a set of files in the specified folder.

Use your preferred backup tool to make a good copy of these files and you'll be able to restore the CA when you need to. The Restore wizard requires that the CA service be stopped, and it lets you restore the data you backed up using the Backup wizard. You can selectively restore any combination of the private key and CA certificate, the configuration data, and the issued certificate log and pending request queue.

Select the appropriate check boxes, tell the wizard where your backup files are, confirm that you want the data restored, and restart the CA when you're done. One caveat: if you want to restore a series of incremental backups, you must first restore the corresponding full backup and then repeat the process for each incremental backup—in the right order!

Occasionally, you might need to renew your CA certificate. How often you do this depends on the lifetime you set for your CA certificate when you generate it, as well as on whether the CA's key has been compromised and how big your current CRL is. The Microsoft CA allows you to reissue a CA certificate with the existing key material or to generate a new key pair and use it in the new certificate. The former option is useful when you just want a new certificate (for example, because your current certificate is about to expire), while the latter is what you use when you need new key material (as in the case of a compromise).
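The backup, restore and renewal operations described above can also be driven from the command line with certutil.exe, the tool that ships with Certificate Services. The following PowerShell script is an added example, not code from the page or from Microsoft's documentation; the C:\CABackup folder names, the weekly full-plus-two-incrementals schedule and the password placeholder are assumptions made for this illustration.

```powershell
# Added example (not from the page): scripted CA backup, ordered restore, and
# certificate renewal with certutil.exe, the command-line counterpart of the
# Backup, Restore and Renew CA Certificate wizards in the snap-in.
# Assumptions: runs elevated on the CA itself; the folder layout under
# C:\CABackup and the password placeholder are constructed for this example.

$BackupRoot  = 'C:\CABackup'
$KeyPassword = '<replace-with-a-strong-password>'   # protects the exported private key

# Weekly schedule: one full backup plus two incrementals, each in its own folder,
# because certutil (like the wizard) expects an empty backup folder.
$Full  = Join-Path $BackupRoot 'Full-Monday'
$Incr1 = Join-Path $BackupRoot 'Incr-Wednesday'
$Incr2 = Join-Path $BackupRoot 'Incr-Friday'

foreach ($dir in $Full, $Incr1, $Incr2) {
    if (Test-Path $dir) { throw "Backup folder $dir already exists; use a fresh folder." }
    New-Item -ItemType Directory -Path $dir | Out-Null
}

# Full backup: database, log files, and the CA certificate with its private key.
# -p protects the key in the resulting PFX file; never leave it unprotected.
certutil -p $KeyPassword -backup $Full

# Incremental backups: only the database changes since the previous backup.
# The Incremental keyword is certutil's equivalent of the wizard's incremental option.
certutil -backupDB $Incr1 Incremental
certutil -backupDB $Incr2 Incremental

# Restore: the CA service must be stopped, the full backup is restored first,
# then each incremental in the order it was taken.
net stop certsvc
certutil -p $KeyPassword -restore $Full
certutil -restoreDB $Incr1
certutil -restoreDB $Incr2
net start certsvc

# Renewal: ReuseKeys reissues the CA certificate with the existing key pair,
# which is what you want when the certificate is simply about to expire.
# Omit ReuseKeys to generate new key material, as after a key compromise.
# As with the snap-in, schedule this for a maintenance window, since the CA
# service is stopped while the renewal is generated.
certutil -renewCert ReuseKeys
```

The folder check mirrors the wizard's insistence on an empty backup folder, and the restore section encodes the ordering rule from the text: full backup first, then each incremental in the order it was taken. In real use keep the key password out of the script, and copy the finished backup folders to your regular backup media so the CA can be rebuilt from them.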

When you right-click the CA and choose the Renew CA Certificate command, the snap-in will first warn you that the CA service must be stopped to generate the renewal.

If you choose to proceed, a dialog box will explain why you might need a new certificate and ask you whether you want to generate a new key pair. Whichever option you choose, the snap-in will do its work quietly, issue the new certificate, and restart the CA service.

Each CA has a set of properties that you can define, including properties for its policy and exit modules. You change these properties in the CA Properties window, which appears when you right-click a CA object and choose Properties from the context menu. You're stuck with all of these values—you can't modify them after the CA is created. You can also use the View Certificate button to see a certificate's details.

NOTE: Remember that you can selectively enable and disable certificate capabilities like code signing, client authentication, and so on by opening the individual certificate's Properties window and selecting the purposes for which you want to use the certificate.

However, you can't add or remove purposes not specified in the original template used to issue the certificate. The Policy Module tab shows you which policy module is currently active on your CA. In almost all cases, this will be the Enterprise and Stand-Alone Policy module that Microsoft provides with Windows 2000. If you want to use an alternate module, you can use the Select button on the tab to select another one.

More interesting is the Configure button, which opens the two-tabbed policy module Properties window. The Default Action tab lets you control what happens to incoming requests. The X.509 Extensions tab lets you specify the CRL distribution points and authority information access locations that will be placed in issued certificates. Both of these sets of locations are encoded as X.509 extensions.

You can enable, disable, add, and remove publication points and access points by using the controls in this dialog box. The accompanying table lists the variables you can use to insert the server name, CA name, and other useful values into the URLs you use to specify these points. Note that the URLs you provide are encoded into the certificate, but you must still make sure the CRLs and certificates are actually available at those places.

Table: Variables used to specify distribution points and authority access points.

This requirement holds true for most changes to the CA. The Exit Module tab looks and works much like the Policy Module tab—it shows which exit modules your CA is configured to use.

Unlike policy modules, which are strictly one to a customer, you can have more than one exit module in use at once; each is executed in sequence. Since Microsoft provides only one exit module, though, this point is moot unless you're using a third-party module.

The Configure button on the Exit Module tab opens the exit module Properties dialog box, which has only one tab: Certificate Publication. The Microsoft exit module automatically publishes certificates into Active Directory (if present) or to the location that the certificate request specified.

By using the Certificate Publication tab of the exit module's Properties window (click the Configure button on the Exit Module tab to see this window), you can turn publication on and off in two ways.

If more than one CRL is generated on the same day, a suffix number is added. For example, c You can take these files and publish them via HTTP, FTP, or other means, including manually or automatically loading them onto smart cards. The Storage tab, shown in the figure, shows you where configuration and certificate data are stored. You can't change any of these values once the CA is set up, but having a way to double-check the file locations in case you need them can be useful.

The Security tab gives you control over which users and groups can do what with your CA. You can apply up to 10 permission settings to the CA, shown in the table. By default, four groups have access control lists (ACLs) that give them some combination of these permissions:

The Administrators group has the allow flag turned on for the Manage, Enroll, and Read Configuration permissions. Even though the Manage permission enables the other permissions, you can turn it off if you want to allow administrators to enroll users without managing the CA.

Due to its position at the root of the certificate hierarchy, all certificates within the organization can ultimately be traced back to the Enterprise Root CA. Enterprise Root CAs sign their own certificates, thereby asserting their place at the root of the chain.

Select the Certificate Services check box.

Figure D: You must tell Certificate Services what to do with incoming certificate requests.

The expected data does not exist in this directory. Please choose a different directory.

In the Certification Authority snap-in, manually add or remove certificate templates to duplicate the Certificate Templates settings that you noted in step 1.

Click Next, and then click Issued certificate log and pending certificate request queue.

Note: This article applies to Windows 2000.

Important: This section, method, or task contains steps that tell you how to modify the registry.

Note: This step removes objects from Active Directory.

Note: The new server must have the same computer name as the old server.