HOW TO: Change the Policy Settings for a Certification Authority (CA) in Windows 2000 (313234)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q313234

SUMMARY

You can configure Microsoft Certificate Server to support a number of different policy settings, including policy settings that allow you to perform the following tasks:
  • Publish certificates to Active Directory.
  • Publish certificates to the file system.
  • Specify CA certificate access points in issued certificates.
To publish certificates to Active Directory, the server on which the CA is installed must be a member of the Certificate Publishers group in an Active Directory domain. If you install Certificate Services on a server, the server is automatically made a member of the domain Certificate Publishers group, and you are able to publish certificates to Active Directory by default.

To have a certificate published to the file system, you must include "certfile:file_name" in your certificate request. After the request is granted, the certificate is copied to the file_name file that you specified in the request.

CA certificate access points are either File Transfer Protocol (FTP) locations, Hypertext Transfer Protocol (HTTP) locations, Lightweight Directory Access Protocol (LDAP) locations, or file system locations that contain certificate information. Certificate access points include the certificate revocation list (CRL) distribution points (CDPs) and authority information access (AIA) points.

How to Publish Certificates to Active Directory

  1. Log on as an administrator.
  2. Click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
  3. Right-click the CA and click Properties.
  4. Click the Exit Module tab, and then click Configure.
  5. Do one of the following steps, and then click OK:
    • If you do not want to publish certificates in Active Directory, click to clear the Allow certificates to be published in Active Directory check box.

      -or-
    • If you want to publish certificates in Active Directory, click to select the Allow certificates to be published in Active Directory check box.
  6. Click OK.
  7. Right-click the CA in the left pane, point to All Tasks, and then click Stop Service.
  8. Right-click the CA in the left pane, point to All Tasks, and then click Start Service.

How to Specify CA Certificate Access Points

  1. Log on as an administrator.
  2. Click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
  3. Right-click the CA and click Properties.
  4. Click the Policy Module tab, and then click Configure.
  5. Click the X.509 Extensions tab, and then either click Add CDP to add a new CDP or click Remove to remove a CDP.
  6. Either click Add AIA to add a new AIA point or click Remove to remove an existing AIA point.

    NOTE: To make the file system location available for both CDPs and AIA points, click to select the check box to the left of the file location.
  7. Click OK, and then click OK.
  8. Right-click the CA in the left pane, point to All Tasks, and then click Stop Service.
  9. Right-click the CA in the left pane, point to All Tasks, and then click Start Service.
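
To audit which access points a certificate actually carries, the following added example (not part of the original article and not Microsoft code) walks the raw DER value of a CDP (OID 2.5.29.31) or AIA (OID 1.3.6.1.5.5.7.1.1) extension and groups the URLs by scheme. The sample extension values and the host ca.example.test are constructed for illustration, and the helper names are hypothetical.

```python
def tlv(tag, content):
    """DER-encode one element; used only to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def access_point_uris(ext_value):
    """Collect every URI GeneralName (context tag [6], byte 0x86) in a CDP or AIA value."""
    uris, pos = [], 0
    while pos < len(ext_value):
        tag, content, pos = read_tlv(ext_value, pos)
        if tag == 0x86:
            uris.append(content.decode("ascii"))
        elif tag & 0x20:                    # constructed element: descend into it
            uris.extend(access_point_uris(content))
    return uris

def by_scheme(uris):
    """Group access points by URL scheme (ftp, http, ldap, file)."""
    groups = {}
    for uri in uris:
        groups.setdefault(uri.partition(":")[0].lower(), []).append(uri)
    return groups

# Constructed sample values (hypothetical host ca.example.test), not taken from a real CA.
CA_ISSUERS = bytes.fromhex("2b06010505073002")   # OID 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
SAMPLE_CDP = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0,
    tlv(0x86, b"http://ca.example.test/CertEnroll/ca.crl") +
    tlv(0x86, b"ldap:///CN=ca,CN=CDP,DC=example,DC=test")))))
SAMPLE_AIA = tlv(0x30, tlv(0x30, tlv(0x06, CA_ISSUERS) +
    tlv(0x86, b"file://\\\\ca.example.test\\CertEnroll\\ca.crt")))

if __name__ == "__main__":
    for name, value in (("CDP", SAMPLE_CDP), ("AIA", SAMPLE_AIA)):
        print(name, by_scheme(access_point_uris(value)))
```

A certificate whose only access points use the ldap or file scheme can be checked for revocation only by clients that can reach the directory or the file share, which is worth confirming before certificates are issued to clients outside the domain.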

Modification Type: Major
Last Reviewed: 10/29/2003
Keywords: kbhowto kbHOWTOmaster KB313234 kbAudITPro