Publishing Certificates into Active Directory

The preferred method of publishing root and policy CA certificates and CRLs in a forest environment is to publish them into Active Directory. When published into Active Directory, the CA certificates and CRLs are published in the configuration naming context and are automatically downloaded to all forest members running Windows 2000, Windows XP, or Windows Server 2003 through autoenrollment.

You can use the following script to publish the root and policy CA certificates and CRLs. It must be run by a member of the Enterprise Admins group, and it is written to be saved and run as a batch (.cmd) file, which is why the loop variable is written as %%c (at an interactive command prompt the same commands would use %c):

for %%c in ("FABINCCA01*.crt") do certutil -dspublish -f "%%c" RootCA
for %%c in ("FABINCA02*.crt") do certutil -dspublish -f "%%c" SubCA
for %%c in ("Fabrikam Corporate Root*.crl") do certutil -dspublish -f "%%c"
for %%c in ("Fabrikam Corporate Policy*.crl") do certutil -dspublish -f "%%c"
gpupdate /force

The next time Group Policy is applied to a computer that is a member of the forest, certificates will be automatically added to the trusted root or intermediate CA store of the local machine through the autoenrollment mechanism.

Tip: When using this script in your environment, modify each line's search pattern to a pattern that uniquely describes the CA computer name for *.crt files and the CA logical name for *.crl files. Because anything published with the RootCA or SubCA argument becomes trusted by every forest member, a pattern that is broader than intended can publish the wrong certificate, so verify by thumbprint what was actually written to the directory.
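To check what the script above actually published, the following PowerShell verification script (an added example, not part of the original article) takes a .crt file and confirms that a certificate with the same thumbprint exists in the Active Directory container certutil -dspublish writes to (Certification Authorities for RootCA, AIA for SubCA) and, after Group Policy has applied, in the corresponding local machine store. It assumes the ActiveDirectory PowerShell module is installed and that the caller can read the configuration naming context; the file name in the comment is only an example.

```powershell
# Added verification script (not from the original article). Assumes the
# ActiveDirectory module is available and the caller can read the configuration
# naming context. Usage: .\Verify-DsPublish.ps1 -CertFile .\FABINCCA01_root.crt -Role RootCA
param(
    [Parameter(Mandatory)] [string] $CertFile,   # example file name, not from the article
    [ValidateSet('RootCA', 'SubCA')] [string] $Role = 'RootCA'
)
Import-Module ActiveDirectory

# Thumbprint of the certificate the batch script was expected to publish.
$path  = (Resolve-Path $CertFile).Path
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
$thumb = $cert.Thumbprint

# certutil -dspublish ... RootCA writes to the Certification Authorities container,
# ... SubCA writes to the AIA container; both live under Public Key Services.
$cfg       = (Get-ADRootDSE).configurationNamingContext
$container = if ($Role -eq 'RootCA') { 'CN=Certification Authorities' } else { 'CN=AIA' }
$base      = "$container,CN=Public Key Services,CN=Services,$cfg"

# cACertificate is multi-valued (DER blobs), so compare by thumbprint rather than
# trusting the object name: this catches a too-broad *.crt pattern publishing the wrong file.
$inAD = $false
foreach ($obj in Get-ADObject -SearchBase $base -SearchScope OneLevel -Filter * -Properties cACertificate) {
    foreach ($blob in $obj.cACertificate) {
        $published = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
        if ($published.Thumbprint -eq $thumb) {
            $inAD = $true
            "AD: $thumb found in $($obj.DistinguishedName)"
        }
    }
}
if (-not $inAD) { "AD: $thumb NOT found under $base" }

# After gpupdate /force (or the next Group Policy refresh), autoenrollment copies the
# certificate into the local machine Root (RootCA) or intermediate CA (SubCA) store.
$store = if ($Role -eq 'RootCA') { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
if (Get-ChildItem $store | Where-Object Thumbprint -eq $thumb) {
    "Local: $thumb present in $store"
} else {
    "Local: $thumb NOT yet in $store (run gpupdate /force or wait for the next refresh)"
}
```

Run it once on the machine that performed the publish (to confirm the directory objects) and again on an ordinary domain member after Group Policy has refreshed (to confirm autoenrollment delivered the certificate).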
