Microsoft KB Archive/313197

= HOW TO: Use the Directory Services Store Tool to Add a Non-Windows 2000 Certification Authority (CA) to the PKI in Windows 2000 =

Article ID: 313197

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q313197



IN THIS TASK
 * SUMMARY
 * Command-Line Options That Are Available with Dsstore.exe
 * Examples
 * AIA and CDP Locations for the New Root Certificates



SUMMARY
This step-by-step article describes how to use the Directory Services Store tool (Dsstore.exe) to add a non-Windows 2000 certification authority (CA) to the public key infrastructure (PKI). You can use Dsstore.exe to manage enterprise public key policies, to diagnose PKI and smart card logon problems, and to add non-Windows 2000 CAs to the PKI. This tool is included with the Windows 2000 Resource Kit.

For additional information about Dsstore.exe and how to use it to view Service Principal Names (SPNs), click the article number below to view the article in the Microsoft Knowledge Base:

298718 How to Retrieve SPNs from the Directory


Command-Line Options That Are Available with Dsstore.exe
This section describes the Directory Service certificate management options. You can use the -addcrl, the -addroot, and the -addaia options to add non-Windows 2000 CAs to the PKI. When you use these options, you can add a CA to an enterprise PKI or add a third-party CA to the enterprise PKI list of trusted roots without having to use Group Policy methods.

IMPORTANT: The letters "DC" must be capitalized when you use the commands that are described in this section.

Sample command:

dsstore <root domain DN> [-del] [-display] [-addcrl] [-addroot] [-addaia]

NOTE: You must specify the distinguished name of the root domain as the first parameter, for example:

dsstore DC=ntdev,DC=microsoft,DC=com

The following list describes the command-line options that you can use with Dsstore.exe (the arguments of -addroot, -addcrl, and -addaia are shown in the Examples section):
 * -del: Use this option to list the enterprise roots and then select the one that you want to delete.
 * -display: Use this option to display the list of enterprise roots.
 * -addroot <certificate file> <domain>: Use this option to add a root CA certificate to the enterprise root certificate store and to add the certificate to the Authority Information Access (AIA) location in Active Directory.
 * -addcrl <CRL file> <domain> <server name>: Use this option to publish a certificate revocation list (CRL) to the CRL Distribution Point (CDP) location in Active Directory.
 * -addaia <certificate file> <domain>: Use this option to add an intermediate CA certificate to the AIA location in Active Directory.

You can also use the following additional diagnostic options:

dsstore [-domain <domain>] [-dcmon] [-checksc] [-tcainfo] [-pulse] [-entmon <computer>] [-macobj <computer>]


 * -domain <domain>: Use this option to change the target domain when you use the -dcmon option.
 * -dcmon: Use this option to run the Key Distribution Center (KDC) certificate monitoring tool.
 * -checksc: Use this option to check the validity of the smart card certificate.
 * -tcainfo: Use this option to display information about the enterprise CAs in the domain.
 * -pulse: Use this option to trigger (pulse) autoenrollment events.

The following command-line options take the security account manager (SAM) name of a computer account, that is, DOMAIN\COMPUTERNAME$:
 * -entmon <computer>: Use this option to examine the PKI and autoenrollment state on the remote computer.
 * -macobj <computer>: Use this option to list the attributes of the computer object in the directory that are of interest to the PKI.


Examples

 * dsstore DC=ntdev,DC=microsoft,DC=com -addcrl c:\newcert.crl microsoft.com CERTSVR1
 * dsstore DC=ntdev,DC=microsoft,DC=com -addroot c:\newcert.crt microsoft.com
 * dsstore DC=ntdev,DC=microsoft,DC=com -addaia c:\newcert.crt microsoft.com


AIA and CDP Locations for the New Root Certificates
 AIA location:

ldap:///CN=<CA name>,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=<root domain>

 CDP location:

ldap:///CN=<CA name>,CN=<server name>,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=<root domain>

In these locations, <CA name> is the common name of the CA, <server name> corresponds to the third argument that you supply to -addcrl (CERTSVR1 in the examples above), and DC=<root domain> stands for the distinguished name of the root domain that you pass as the first parameter (for example, DC=ntdev,DC=microsoft,DC=com). %20 is the URL encoding of a space; both spellings name the same Public Key Services container.



You must configure the CA so that the AIA and CDP extensions of the certificates it issues point to these locations (on a Windows 2000 CA, you set them in the Certification Authority snap-in). Otherwise, clients cannot locate the issuing certificate or the CRL in the directory, and the certificate chain will not be built correctly.
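The following PowerShell script is an added example and is not part of this article or of the Resource Kit tool. After you have run the dsstore -addroot, -addaia, and -addcrl commands, it checks that the objects exist at the AIA and CDP locations listed above, shows the published certificates and CRL, and verifies that a certificate issued by the CA points its AIA and CDP extensions at those same directory objects. It assumes a domain-joined computer with read access to the Configuration partition; the CA common name and the path to the issued certificate are placeholders, and CERTSVR1 and ntdev.microsoft.com are taken from the examples above.

```powershell
# Added example (not from the KB article): verify what dsstore published to Active Directory.
# Placeholders: $CAName and $IssuedCert are assumptions you replace; $ServerName and $DnsDomain
# reuse the values from the article's examples.
param(
    [string]$CAName     = 'Third-Party Root CA',    # CN used for the CA objects (placeholder)
    [string]$ServerName = 'CERTSVR1',               # third -addcrl argument, the CN under CN=CDP
    [string]$DnsDomain  = 'ntdev.microsoft.com',
    [string]$IssuedCert = 'C:\temp\issued.cer'      # a certificate issued by the CA (placeholder)
)

# Build the distinguished name that dsstore takes as its first parameter.
# The article requires the letters "DC" to be capitalized, which is what this emits.
function ConvertTo-DomainDN([string]$Dns) {
    ($Dns.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

# Escape the characters that are special inside an RDN value (RFC 4514).
function ConvertTo-EscapedRdn([string]$Value) {
    [regex]::Replace($Value, '([,+"\\<>;=])', '\$1')
}

$domainDN = ConvertTo-DomainDN $DnsDomain
Write-Host "dsstore first parameter: $domainDN"

# The AIA and CDP containers live in the forest's Configuration naming context.
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"
$ca       = ConvertTo-EscapedRdn $CAName

$expected = [ordered]@{
    'Enterprise root store (written by -addroot)' = "CN=$ca,CN=Certification Authorities,$pks"
    'AIA (written by -addroot and -addaia)'        = "CN=$ca,CN=AIA,$pks"
    'CDP (written by -addcrl)'                     = "CN=$ca,CN=$ServerName,CN=CDP,$pks"
}

foreach ($item in $expected.GetEnumerator()) {
    $dn = $item.Value
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
        Write-Warning "$($item.Key): MISSING  $dn"
        continue
    }
    Write-Host "$($item.Key): found  $dn"
    $obj = [ADSI]"LDAP://$dn"

    # Certificate objects carry one or more DER certificates in the cACertificate attribute.
    foreach ($der in $obj.Properties['cACertificate']) {
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList (,[byte[]]$der)
        Write-Host ('    cert  subject={0}  notAfter={1:u}  thumbprint={2}' -f `
                    $cert.Subject, $cert.NotAfter, $cert.Thumbprint)
    }
    # The CDP object carries the DER CRL in certificateRevocationList. .NET Framework has no CRL
    # class, so write it to a file; "certutil -dump <file>" shows thisUpdate/nextUpdate.
    foreach ($crl in $obj.Properties['certificateRevocationList']) {
        $tmp = Join-Path $env:TEMP 'published.crl'
        [IO.File]::WriteAllBytes($tmp, [byte[]]$crl)
        Write-Host "    CRL   $($crl.Length) bytes, written to $tmp (inspect with: certutil -dump $tmp)"
    }
}

# Issued certificates must name these directory objects in their AIA and CDP extensions;
# otherwise chain building cannot find the issuer certificate or the CRL.
if (Test-Path $IssuedCert) {
    $leaf   = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                         -ArgumentList $IssuedCert
    $aiaExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }  # AIA
    $cdpExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }          # CDP
    $aiaText = if ($aiaExt) { $aiaExt.Format($true) } else { '' }
    $cdpText = if ($cdpExt) { $cdpExt.Format($true) } else { '' }

    # Windows writes spaces in LDAP URLs as %20; normalize before comparing against the DN.
    $aiaOk = (($aiaText -replace '%20', ' ') -match [regex]::Escape("CN=$ca,CN=AIA,$pks"))
    $cdpOk = (($cdpText -replace '%20', ' ') -match [regex]::Escape("CN=$ca,CN=$ServerName,CN=CDP,$pks"))
    Write-Host "Issued certificate AIA points at the directory object: $aiaOk"
    Write-Host "Issued certificate CDP points at the directory object: $cdpOk"
}
```

Run the script from an elevated prompt on a domain member after the dsstore commands complete. A MISSING warning for the CDP entry while the AIA entries are present usually means the third argument of -addcrl did not match the name you expected under CN=CDP; a false result for the issued certificate means the CA's extension configuration, not the directory, still needs to be corrected.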


Keywords: kbhowto kbhowtomaster KB313197

-


© Microsoft Corporation. All rights reserved.