Publishing Certificates and CRLs to the Local Computer Store

You must be a member of the local Administrators group to add CRLs and certificates to the local computer store. The combination of certificates and CRLs that must be installed depends on where the target CA exists in the CA hierarchy:

■ If the new CA is installed at the second tier of the hierarchy, you only have to install the root CA's certificate and CRL.

■ If the new CA is at the third tier of the hierarchy or lower, you must install all CA certificates and CRLs in the certificate chain above the new CA.

To add a root CA's certificate to the trusted root CA store of the computer, you can use the following command:

certutil -addstore -f Root CACertificateFile.crt, where CACertificateFile is the file name of the root CA's certificate file.

Use the following command to add a root CA's CRL to the trusted root CA store:

certutil -addstore -f Root CACRLFile.crl, where CACRLFile is the file name of the root CA's CRL file.

To add a subordinate CA's certificate to the intermediate CA store, you can use the following command:

certutil -addstore -f CA CACertificateFile.crt, where CACertificateFile is the file name of the subordinate CA's certificate file.

Use the following command to add a subordinate CA's CRL to the intermediate CA store:

certutil -addstore -f CA CACRLFile.crl, where CACRLFile is the file name of the subordinate CA's CRL file.

Note If you do not install the certificates and CRLs before installation of the subordinate CA, you might receive an error message when you install the subordinate CA certificate stating that the CA cannot determine the revocation status of the CA certificate.
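
The four commands above combined into one script for a CA at the third tier, as an added example that is not part of the original text. The file paths and the PolicyCA name are placeholders, and the thumbprint display is an added check so the operator can compare each certificate against a value obtained out of band before trusting it.

```powershell
# Added example: publish the CA chain above a new subordinate CA to the
# local computer store. File paths and CA names are placeholders (assumptions).
#Requires -RunAsAdministrator

# Chain above the new CA, ordered from the root down.
# Second-tier CA: keep only the Root entry.
# Third tier or lower: list every CA in the chain above the new CA.
$chain = @(
    @{ Store = 'Root'; Cert = 'C:\PKI\RootCA.crt';   Crl = 'C:\PKI\RootCA.crl'   },
    @{ Store = 'CA';   Cert = 'C:\PKI\PolicyCA.crt'; Crl = 'C:\PKI\PolicyCA.crl' }
)

function Add-ToStore {
    param([string]$Store, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    # Same command as in the text: certutil -addstore -f <store> <file>
    & certutil.exe -addstore -f $Store $Path | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed for $Path (store $Store, exit code $LASTEXITCODE)"
    }
    Write-Host "Added $Path to the $Store store"
}

foreach ($ca in $chain) {
    # Show subject and thumbprint before the certificate becomes trusted.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ca.Cert
    Write-Host ("{0}  thumbprint {1}" -f $cert.Subject, $cert.Thumbprint)

    Add-ToStore -Store $ca.Store -Path $ca.Cert
    Add-ToStore -Store $ca.Store -Path $ca.Crl
}
```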
