SUMMARY
This step-by-step article describes how to use the Directory Services Store tool (Dsstore.exe) to add a non-Windows 2000 certification authority (CA) to the public key infrastructure (PKI). You can use Dsstore.exe to manage enterprise public key policies, to diagnose PKI and smart card logon problems, and to add non-Windows 2000 CAs to the PKI. This tool is included with the Windows 2000 Resource Kit.
For additional information about Dsstore.exe and how to use it to view Service Principal Names (SPNs), click the article number below
to view the article in the Microsoft Knowledge Base:
298718 How to Retrieve SPNs from the Directory
Command-Line Options That Are Available with Dsstore.exe
This section describes the Directory Service certificate management options. You can use the
-addcrl, the
-addroot, and the
-addaia options to add non-Windows 2000 CAs to the PKI. When you use these options, you can add a CA to an enterprise PKI or add a third-party CA to the enterprise PKI list of trusted roots without having to use Group Policy methods.
IMPORTANT: The letters "DC" must be capitalized when you use the commands that are described in this section.
Sample command:
dsstore distinguished name of root domain [-del] [-display] [-addcrl] [-addroot]
: You must specify the distinguished name of the root domain as first parameter, for example:
dsstore DC=ntdev,DC=microsoft,DC=com
The following list describes the command-line options that you can use with Dsstore.exe:
- -del: Use this option to get a list of roots, and then select the one you want to delete.
- -display: Use this option to display a list of enterprise roots.
- -addroot .crt fileCA _nameComputer_name: Use this option to add a root CA certificate to the enterprise root certificate store and to add the certificate to the Authority Information Access (AIA) location in Active Directory.
- -addcrl .crl fileCA_name: Use this option to publish a Certificate Revocation List (CRL) to Active Directory.
- -addaia .crt fileCA _name: Use this option to add an intermediate CA certificate to the AIA location in Active Directory.
You can also use the following additional diagnostic options:
dsstore [[-domain] [-dcmon]] [-tcainfo] [-pulse] [-entmon] [-macobj]
- -domain domain name: Use this option to modify the target domain when you use the -dcmon option.
- -dcmon: Use this option to run the Key Distribution Center (KDC) Certificate monitoring tool.
- -checksc: Use this option to check on smart card certificate validity.
- -tcainfo: Use this option to display information about enterprise CAs on the domain.
- -pulse: Use this option to pulse autoenrollment events.
The following command-line options use security account manager (SAM) computer names, for example,
domain\
computer_name$:
- -entmon SAM computer_name: Use this option to examine PKI and autoenrollment on the remote computer.
- -macobj SAM computer_name: Use this option to list attributes on the Directory Service computer object of interest
to the PKI.
back to the top
Examples
- dsstore DC=ntdev,DC=microsoft,DC=com -addcrl c:\newcert.crl microsoft.com CERTSVR1
- dsstore DC=ntdev,DC=microsoft,DC=com -addroot c:\newcert.crt microsoft.com
- dsstore DC=ntdev,DC=microsoft,DC=com -addaia c:\newcert.crt microsoft.com
back to the top
AIA and CDP Locations for the New Root Certificates
- AIA location:
ldap:///CN=CA Name,CN=AIA,CN=Public Key Services, CN=Services,CN=Configuration,DC=root domain in enterprise
- CDP location:
ldap:///CN=CA Name,CN=Computer Name, CN=CDP,CN=Public%20Key%20Services, CN=Services,CN=Configuration,DC =root domain in enterprise
You must use the Certification Authority snap-in to change the AIAs and CDPs of issued certificates to point to these locations. Otherwise, the certificate chain will not be built correctly.
back to the top