Partager via


HRA Certification Authority Commands

Applies To: Windows Server 2008, Windows Server 2012, Windows Server 2012 R2

This section contains the following commands.

  • add caserver

  • delete caserver

  • rename caserver

  • reset caserver

  • set caserver

  • reset opmode

  • set opmode

  • reset templates

  • set templates

  • reset timeout

  • set timeout

  • reset usepolicyoids

  • set usepolicyoids

  • reset validityperiod

  • set validityperiod

HRA certification authority commands

HRA certification authority (CA) commands are used to assign one or more CAs that Health Regulation Authority (HRA) can use to obtain Network Access Protection (NAP) health certificates. You can also use these commands to configure the validity period of health certificates, and specify certain properties of the CA server. The following entries provide details for each command.

add caserver

Adds a CA server to the HRA configuration.

Syntax

add caserver [ [ name = ] name [ processingorder = ] processingorder ]

Parameters

  • name
    Required. Specifies the name of the CA server and certificate. The required format is "\\computername\CAname".
  • processingorder
    Optional. Specifies the priority of the CA server in the list of CA servers.

Example

In the following example, a CA server is added to the HRA configuration. This CA server has the name server1 with a certificate name of CA, and is assigned the highest processing order.

add caserver name= "\\server1\CA" processingorder = "1"

delete caserver

Deletes an existing CA server.

Syntax

delete caserver [ name= ] name

Parameters

  • name
    Required. Specifies the name of the CA server and the certificate. The required format is "\\computername\CAname".

Example

In the following example of command usage, a CA server with the name server1 and certificate name of CA is removed from the HRA configuration.

delete caserver name = "\\server1\CA"

rename caserver

Changes the name of a CA server.

Syntax

rename caserver [ [ name = ] name [ newname = ] newname ]

Parameters

  • name
    Required. Specifies the current name of the CA server and the certificate. The required format is "\\oldcomputername\CAname".
  • newname
    Required. Specifies the new name of the CA server and the certificate. The required format is "\\newcomputername\CAname".

Example

In the following example of command usage, a CA server with the name server1 is renamed to server2.

rename caserver name = "\\server1\CA" newname = "\\server2\CA"

reset caserver

Deletes all CA servers that are configured in HRA and resets the HRA configuration to default values.

Warning

Do not run this command if you want to maintain any of the CA server settings you have configured at the HRA server. This command deletes all CA server settings that you have configured, and after running this command, your settings cannot be recovered. Before you run this command, it is recommended that you use the export command to save the HRA server configuration to an XML file.

Syntax

reset caserver

set caserver

Changes the processing order of an existing CA server. This command cannot be used to change the name of a CA server.

Note

If you set the processing order to a number higher than the number of configured CA servers, the CA server will be assigned a processing order equal to the number of CA servers.

Syntax

setcaserver [ [ name = ] name [ processingorder = ] processingorder ]

Parameters

  • name
    Required. Specifies the name of the CA server and certificate. The required format is "\\computername\CAname".
  • processingorder
    Required. Specifies the priority of the CA server in the list of CA servers.

Example

In the following example of command usage, a CA server with the name server1 and a processing order of 2 is changed to a processing order of 1. server2.

set caserver name = "\\server1\CA" processingorder = "1"

reset opmode

Resets the CA server operational mode to the default value of standalone only.

Syntax

reset opmode

set opmode

Sets the CA server operational mode. Two modes are available: 1) standalone and 2) enterprise and standalone. A value of zero is default and configures the CA server to operate in standalone mode only. A value of one configures the CA server to operate in an enterprise and standalone mode. In this mode, the CA server can request health certificates from either enterprise or standalone CA servers.

Important

You must configure certificate templates prior to assigning the CA server to operate in a mode that includes enterprise CA servers.

Syntax

setopmode [ [ mode = ] 0 | 1 ]

Parameters

  • 0
    Required. Specifies the operational mode of CA server as standalone only. This is the default setting.
  • 1
    Required. Specifies the operational mode of the CA server as enterprise and standalone. This setting allows HRA to obtain health certificates from CA servers operating in either an enterprise or standalone mode.

Example

In the following example of command usage, the CA server operational mode is set to enterprise and standalone.

set opmode mode = 1

reset templates

Deletes the anonymous and authenticated CA server template configurations from HRA.

Syntax

reset templates

set templates

Configures certificate templates for use with an enterprise CA server. Certificate templates are required prior to configuring the CA server to operate in enterprise mode. Anonymous and authenticated certificate template names must both be configured at the same time.

Important

Certificate templates with identical certificate simple names to those specified in the set template command must be available prior to configuring CA server templates. Certificate template names are case-sensitive.

Syntax

settemplates [ [ anontemplate = ] anontemplate [ authtemplate = ] authtemplate ]

Parameters

  • anontemplate
    Required. Specifies the simple name of the health certificate template to use when requesting certificates that do not require client authentication. This template can be used to perform client health authentication in a workgroup environment. Certificate template names are case-sensitive.
  • authtemplate
    Required. Specifies the simple name of the health certificate template to use when requesting certificates that require both client authentication and system health authentication. This template can be used to perform client health authentication in a domain environment. Certificate template names are case-sensitive.

Note

Type certutil -template at the command line to display a list of available templates.

Example

In the following example of command usage, the CA server is configured to use a template simple name for anonymous certificate requests of AnonymousNAPCompliant and a template simple name for authenticated certificate requests of DomainNAPCompliant.

set templates anontemplate = AnonymousNAPCompliant authtemplate = DomainNAPCompliant

reset timeout

Resets the CA server timeout to defaults values. The default blackout time is five minutes, and the default no response time is 20 seconds.

Syntax

reset timeout

set timeout

Configures how long HRA will wait when no response is received from the CA server before sending another request. Two values are configurable, and these can be configured independently of each other. The blackout time specifies the time in minutes that the CA server remains identified as unavailable after no response has been received within the noresponse time. The no response time specifies the time in seconds to wait for the CA server to respond before identifying it as unavailable and starting the blackout timer.

Syntax

settimeout [ [ blackout = ] blackout [ noresponse = ] noresponse ]

Parameters

  • blackout
    Optional. Specifies the time in minutes that the CA server remains identified as unavailable after no response has been received within the noresponse time.
  • noresponse
    Optional. Specifies the time in seconds to wait for the CA server to respond before identifying it as unavailable and starting the blackout timer.

Example

Following is an example of the command usage. In this example, the CA server is configured to use a blackout time of 10 minutes and a no response time of 60 seconds.

set timeout blackout = "10" noresponse = "60"

reset usepolicyoids

Resets the CA server policyOID setting to the default value. By default, the use of policyOIDs by the CA server is disabled.

Syntax

reset usepolicyoids

set usepolicyoids

Changes the CA server policyOID setting to enable or disable. The default setting is disable.

Important

To enable policyOIDs, the CA server operational mode must be set to standalone only.

Syntax

setusepolicyoids [ state = ] enable | disable

Parameters

  • enable
    Required. Enables use of policy object identifiers with the CA server in standalone mode.
  • disable
    Required. Disables use of policy object identifiers with the CA server in standalone mode. This is the default setting.

Example

In the following example of the command usage, the CA server is configured to enable the use of policyOIDs.

set usepolicyoids state = "enable"

reset validityperiod

Resets the health certificate validity period the default value. The default health certificate validity period is four hours.

Syntax

reset validityperiod

set validityperiod

Configures the validity period in minutes of health certificates issued by the CA server. The default value is 240 minutes, and the minimum value allowed is five minutes. The validity period influences load on the CA server by affecting how often it issues new health certificates.

Syntax

setvalidityperiod [ duration = ] duration

Parameters

  • duration
    Required. The time in minutes that health certificates issued by the CA server are considered valid. Client computers must obtain a new health certificate prior to expiration of the validity period or they will be considered noncompliant with health requirements.

Example

In the following example of command usage, the health certificate validity period is set to 24 hours.

set validityperiod duration = 1440