Copy the CA Certificate and CRL to the Virtual Directory

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this procedure to copy the Certificate Revocation List (CRL) and the Enterprise root CA certificate from your certification authority to a virtual directory on your Web server, and to ensure that AD CS is configured correctly. Before running the commands below, ensure that you replace directory and server names with those that are appropriate for your deployment.

To perform this procedure you must be a member of Domain Admins.

To copy the certificate revocation list from CA1 to WEB1

  1. On CA1, run Windows PowerShell as an Administrator, and then publish the CRL and copy the files with the following commands:

    • Type certutil -crl, and then press ENTER.

    • To copy the CA1 certificate to the file share on your Web server, type copy C:\Windows\system32\certsrv\certenroll\*.crt \\WEB1\pki, and then press ENTER.

    • To copy the certificate revocation lists to the file share on your Web server, type copy C:\Windows\system32\certsrv\certenroll\*.crl \\WEB1\pki, and then press ENTER.

  2. To verify that your CDP and AIA extension locations are correctly configured, type pkiview.msc, and then press ENTER. The pkiview Enterprise PKI MMC opens.

  3. In the left pane, click your CA name.

    For example, if your CA name is corp-CA1-CA, click corp-CA1-CA.

  4. In the Status column of the results pane, verify that the value for each of the following shows OK:

    • CA Certificate
    • AIA Location #1
    • CDP Location #1

Tip

If Status for any item is not OK, do the following:

  • Open the share on your Web server to verify that the certificate and certificate revocation list files were successfully copied to the share. If they were not successfully copied to the share, modify your copy commands with the correct file source and share destination and run the commands again.
  • Verify that you have entered the correct locations for the CDP and AIA on the CA Extensions tab. Ensure that there are no extra spaces or other characters in the locations that you have provided.
  • Verify that you copied the CRL and CA certificate to the correct location on your Web server, and that the location matches the location you provided for the CDP and AIA locations on the CA.
  • Verify that you correctly configured permissions for the virtual folder where the CA certificate and CRL are stored.
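The following script is an added example, not part of the original page: it collects step 1 of the procedure above (publish the CRL, copy the .crt and .crl files to the share) and the first three checks in the tip into one PowerShell script that runs on CA1. The server name WEB1, the share \\WEB1\pki and the CertEnroll path are taken from the page; the SHA-256 comparison of source and copied files and the certutil -getreg / certutil -verify -urlfetch checks, which print the CDP and AIA URLs configured on the CA and then actually fetch them, are my additions. Run it in an elevated PowerShell session as a member of Domain Admins, after replacing the names with those for your deployment.

```powershell
# Added example (not from the original page): publish the CRL on CA1, copy the CA
# certificate(s) and CRL(s) to the Web server share, and verify the result.
# Server and share names are assumptions taken from the page; adjust for your deployment.

$CertEnroll = "$env:SystemRoot\System32\certsrv\CertEnroll"   # CA publication folder
$Share      = '\\WEB1\pki'                                    # share backing the virtual directory

# Step 1a: publish a fresh CRL (certutil -crl). Stop if it fails.
certutil.exe -crl
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }

# Step 1b/1c: copy the CA certificate(s) and the CRL(s) to the share.
Copy-Item -Path (Join-Path $CertEnroll '*.crt') -Destination $Share -Force
Copy-Item -Path (Join-Path $CertEnroll '*.crl') -Destination $Share -Force

# Tip, first bullet: confirm every source file now exists on the share and is byte-identical.
$SourceFiles = Get-ChildItem -Path "$CertEnroll\*" -Include '*.crt', '*.crl'
foreach ($file in $SourceFiles) {
    $target = Join-Path $Share $file.Name
    if (-not (Test-Path -Path $target)) {
        Write-Warning "Missing on share: $($file.Name)"
        continue
    }
    $srcHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $target        -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        Write-Warning "Hash mismatch for $($file.Name): source $srcHash, share $dstHash"
    } else {
        Write-Output "OK  $($file.Name)"
    }
}

# Tip, second and third bullets: print the CDP and AIA publication URLs configured on the CA
# (the same values shown on the CA Extensions tab) so they can be compared with the
# share and virtual directory layout. Look for stray spaces or characters in the http:// entries.
certutil.exe -getreg CA\CRLPublicationURLs
certutil.exe -getreg CA\CACertPublicationURLs

# Retrieve the AIA and CDP over the network for each CA certificate. This is the same
# reachability check pkiview.msc performs; a failed fetch points at the wrong path,
# a missing file, or virtual directory permissions.
Get-ChildItem -Path "$CertEnroll\*.crt" | ForEach-Object {
    certutil.exe -verify -urlfetch $_.FullName
}
```

Read the certutil -verify -urlfetch output for the lines that report the AIA and CDP fetches; a "Verified" result for each http:// URL corresponds to the OK status that pkiview.msc shows for CA Certificate, AIA Location #1 and CDP Location #1.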