HRA Certification Authority Commands
Applies To: Windows Server 2008, Windows Server 2012, Windows Server 2012 R2
This section contains the following commands.
add caserver
delete caserver
rename caserver
reset caserver
set caserver
reset opmode
set opmode
reset templates
set templates
reset timeout
set timeout
reset usepolicyoids
set usepolicyoids
reset validityperiod
set validityperiod
HRA certification authority commands
HRA certification authority (CA) commands are used to assign one or more CAs that Health Registration Authority (HRA) can use to obtain Network Access Protection (NAP) health certificates. You can also use these commands to configure the validity period of health certificates and to specify certain properties of the CA server. The following entries provide details for each command.
add caserver
Adds a CA server to the HRA configuration.
Syntax
add caserver [ [ name = ] name [ processingorder = ] processingorder ]
Parameters
- name
Required. Specifies the name of the CA server and certificate. The required format is "\\computername\CAname".
- processingorder
Optional. Specifies the priority of the CA server in the list of CA servers.
Example
In the following example, a CA server is added to the HRA configuration. This CA server has the name server1 with a certificate name of CA, and is assigned the highest processing order.
add caserver name = "\\server1\CA" processingorder = "1"
delete caserver
Deletes an existing CA server.
Syntax
delete caserver [ name= ] name
Parameters
- name
Required. Specifies the name of the CA server and the certificate. The required format is "\\computername\CAname".
Example
In the following example of command usage, a CA server with the name server1 and certificate name of CA is removed from the HRA configuration.
delete caserver name = "\\server1\CA"
rename caserver
Changes the name of a CA server.
Syntax
rename caserver [ [ name = ] name [ newname = ] newname ]
Parameters
- name
Required. Specifies the current name of the CA server and the certificate. The required format is "\\oldcomputername\CAname".
- newname
Required. Specifies the new name of the CA server and the certificate. The required format is "\\newcomputername\CAname".
Example
In the following example of command usage, a CA server with the name server1 is renamed to server2.
rename caserver name = "\\server1\CA" newname = "\\server2\CA"
reset caserver
Deletes all CA servers that are configured in HRA and resets the HRA configuration to default values.
Warning
Do not run this command if you want to maintain any of the CA server settings you have configured at the HRA server. This command deletes all CA server settings that you have configured, and after running this command, your settings cannot be recovered. Before you run this command, it is recommended that you use the export command to save the HRA server configuration to an XML file.
Syntax
reset caserver
set caserver
Changes the processing order of an existing CA server. This command cannot be used to change the name of a CA server.
Note
If you set the processing order to a number higher than the number of configured CA servers, the CA server will be assigned a processing order equal to the number of CA servers.
Syntax
set caserver [ [ name = ] name [ processingorder = ] processingorder ]
Parameters
- name
Required. Specifies the name of the CA server and certificate. The required format is "\\computername\CAname".
- processingorder
Required. Specifies the priority of the CA server in the list of CA servers.
Example
In the following example of command usage, a CA server with the name server1 and a processing order of 2 is changed to a processing order of 1.
set caserver name = "\\server1\CA" processingorder = "1"
reset opmode
Resets the CA server operational mode to the default value of standalone only.
Syntax
reset opmode
set opmode
Sets the CA server operational mode. Two modes are available: 1) standalone and 2) enterprise and standalone. A value of zero is default and configures the CA server to operate in standalone mode only. A value of one configures the CA server to operate in an enterprise and standalone mode. In this mode, the CA server can request health certificates from either enterprise or standalone CA servers.
Important
You must configure certificate templates prior to assigning the CA server to operate in a mode that includes enterprise CA servers.
Syntax
set opmode [ [ mode = ] 0 | 1 ]
Parameters
- 0
Required. Specifies the operational mode of the CA server as standalone only. This is the default setting.
- 1
Required. Specifies the operational mode of the CA server as enterprise and standalone. This setting allows HRA to obtain health certificates from CA servers operating in either an enterprise or standalone mode.
Example
In the following example of command usage, the CA server operational mode is set to enterprise and standalone.
set opmode mode = 1
reset templates
Deletes the anonymous and authenticated CA server template configurations from HRA.
Syntax
reset templates
set templates
Configures certificate templates for use with an enterprise CA server. Certificate templates are required prior to configuring the CA server to operate in enterprise mode. Anonymous and authenticated certificate template names must both be configured at the same time.
Important
Certificate templates whose certificate simple names are identical to those specified in the set templates command must be available prior to configuring CA server templates. Certificate template names are case-sensitive.
Syntax
set templates [ [ anontemplate = ] anontemplate [ authtemplate = ] authtemplate ]
Parameters
- anontemplate
Required. Specifies the simple name of the health certificate template to use when requesting certificates that do not require client authentication. This template can be used to perform client health authentication in a workgroup environment. Certificate template names are case-sensitive.
- authtemplate
Required. Specifies the simple name of the health certificate template to use when requesting certificates that require both client authentication and system health authentication. This template can be used to perform client health authentication in a domain environment. Certificate template names are case-sensitive.
Note
Type certutil -template at the command line to display a list of available templates.
Example
In the following example of command usage, the CA server is configured to use a template simple name for anonymous certificate requests of AnonymousNAPCompliant and a template simple name for authenticated certificate requests of DomainNAPCompliant.
set templates anontemplate = AnonymousNAPCompliant authtemplate = DomainNAPCompliant
reset timeout
Resets the CA server timeout to the default values. The default blackout time is five minutes, and the default no response time is 20 seconds.
Syntax
reset timeout
set timeout
Configures how long HRA will wait when no response is received from the CA server before sending another request. Two values are configurable, and these can be configured independently of each other. The blackout time specifies the time in minutes that the CA server remains identified as unavailable after no response has been received within the noresponse time. The no response time specifies the time in seconds to wait for the CA server to respond before identifying it as unavailable and starting the blackout timer.
Syntax
set timeout [ [ blackout = ] blackout [ noresponse = ] noresponse ]
Parameters
- blackout
Optional. Specifies the time in minutes that the CA server remains identified as unavailable after no response has been received within the noresponse time.
- noresponse
Optional. Specifies the time in seconds to wait for the CA server to respond before identifying it as unavailable and starting the blackout timer.
Example
Following is an example of the command usage. In this example, the CA server is configured to use a blackout time of 10 minutes and a no response time of 60 seconds.
set timeout blackout = "10" noresponse = "60"
reset usepolicyoids
Resets the CA server policyOID setting to the default value. By default, the use of policyOIDs by the CA server is disabled.
Syntax
reset usepolicyoids
set usepolicyoids
Changes the CA server policyOID setting to enable or disable. The default setting is disable.
Important
To enable policyOIDs, the CA server operational mode must be set to standalone only.
Syntax
set usepolicyoids [ state = ] enable | disable
Parameters
- enable
Required. Enables use of policy object identifiers with the CA server in standalone mode.
- disable
Required. Disables use of policy object identifiers with the CA server in standalone mode. This is the default setting.
Example
In the following example of the command usage, the CA server is configured to enable the use of policyOIDs.
set usepolicyoids state = "enable"
reset validityperiod
Resets the health certificate validity period to the default value. The default health certificate validity period is four hours.
Syntax
reset validityperiod
set validityperiod
Configures the validity period in minutes of health certificates issued by the CA server. The default value is 240 minutes, and the minimum value allowed is five minutes. The validity period influences load on the CA server by affecting how often it issues new health certificates.
Syntax
set validityperiod [ duration = ] duration
Parameters
- duration
Required. The time in minutes that health certificates issued by the CA server are considered valid. Client computers must obtain a new health certificate prior to expiration of the validity period or they will be considered noncompliant with health requirements.
Example
In the following example of command usage, the health certificate validity period is set to 24 hours.
set validityperiod duration = 1440
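The following PowerShell script is an added example, not part of the original reference: it applies a complete HRA CA configuration in the order the entries above require (templates before enterprise mode, policy OIDs only in standalone mode, validity period no shorter than five minutes) and supports -WhatIf so the planned commands can be reviewed before anything changes. It assumes these commands live in the netsh "nap hra" context and that the script runs elevated on the HRA server; the server and template names are constructed sample values.

```powershell
# Added example (not from the original page). Assumes the "netsh nap hra" context
# and an elevated session on the HRA server. Sample names are constructed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$CaServers = @('\\server1\CA', '\\server2\CA'),  # list order = processing order
    [ValidateSet(0, 1)][int]$OpMode = 1,            # 0 = standalone only, 1 = enterprise and standalone
    [string]$AnonTemplate = 'AnonymousNAPCompliant', # case-sensitive simple names
    [string]$AuthTemplate = 'DomainNAPCompliant',
    [ValidateRange(5, 525600)][int]$ValidityMinutes = 240,  # reference: minimum is 5, default 240
    [int]$BlackoutMinutes = 5,                      # reference defaults: 5 min / 20 s
    [int]$NoResponseSeconds = 20,
    [switch]$UsePolicyOids
)

# Constraints stated in the reference, checked before any command runs.
if ($UsePolicyOids -and $OpMode -ne 0) {
    throw 'set usepolicyoids state=enable requires opmode 0 (standalone only).'
}
foreach ($ca in $CaServers) {
    if ($ca -notmatch '^\\\\[^\\]+\\[^\\]+$') {
        throw "CA name '$ca' must have the form \\computername\CAname."
    }
}

# Build the ordered command list; each entry is an argument array for netsh.
$plan = New-Object System.Collections.Generic.List[object]
if ($OpMode -eq 1) {
    # Templates must exist and be configured before enterprise mode is enabled.
    $plan.Add(@('set', 'templates', "anontemplate=$AnonTemplate", "authtemplate=$AuthTemplate"))
}
$plan.Add(@('set', 'opmode', "mode=$OpMode"))
$order = 1
foreach ($ca in $CaServers) {
    $plan.Add(@('add', 'caserver', "name=$ca", "processingorder=$order"))
    $order++
}
$plan.Add(@('set', 'timeout', "blackout=$BlackoutMinutes", "noresponse=$NoResponseSeconds"))
$plan.Add(@('set', 'validityperiod', "duration=$ValidityMinutes"))
$state = if ($UsePolicyOids) { 'enable' } else { 'disable' }
$plan.Add(@('set', 'usepolicyoids', "state=$state"))

foreach ($tokens in $plan) {
    $argv = @('nap', 'hra') + $tokens
    if ($PSCmdlet.ShouldProcess('netsh ' + ($argv -join ' '))) {
        & netsh @argv
        if ($LASTEXITCODE -ne 0) { throw "netsh failed: $($argv -join ' ')" }
    }
}
```

Run with -WhatIf first to see the exact netsh command sequence; a shorter -ValidityMinutes narrows the window in which a client that has fallen out of compliance still holds a valid health certificate, at the cost of more frequent CA requests.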