Copy the CA Certificate and CRL to the Virtual Directory

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this procedure to copy the Certificate Revocation List and Enterprise root CA certificate from your certification authority to a virtual directory on your Web server, and to ensure that AD CS is configured correctly. Before running the commands below, ensure that you replace directory and server names with those that are appropriate for your deployment.

To perform this procedure you must be a member of Domain Admins.

To copy the certificate revocation list from CA1 to WEB1

  1. On CA1, run Windows PowerShell as an Administrator, and then publish the CRL with the following command:

    • Type certutil -crl, and then press ENTER.

    • To copy the CA certificate to the file share on your Web server, type copy C:\Windows\system32\certsrv\certenroll\*.crt \\WEB1\pki, and then press ENTER.

    • To copy the certificate revocation lists to the file share on your Web server, type copy C:\Windows\system32\certsrv\certenroll\*.crl \\WEB1\pki, and then press ENTER.
  2. To restart AD CS, type Restart-Service certsvc, and then press ENTER.

  3. To verify that your CDP and AIA extension locations are correctly configured, type pkiview.msc, and then press ENTER. The pkiview Enterprise PKI MMC opens.

  4. Click your CA name. For example, if your CA name is corp-CA1-CA, click corp-CA1-CA. In the details pane, verify that the Status values for the CA Certificate, AIA Location #1, and CDP Location #1 are all OK.

The following illustration depicts the pkiview results pane with a status of OK for all items.

![adcs_pkiview](media/adcs_pkiview.png)

Important

If Status for any item is not OK, do the following:

  • Open the share on your Web server to verify that the certificate and certificate revocation list files were successfully copied to the share. If they were not successfully copied to the share, modify your copy commands with the correct file source and share destination and run the commands again.
  • Verify that you have entered the correct locations for the CDP and AIA on the CA Extensions tab. Ensure that there are no extra spaces or other characters in the locations that you have provided.
  • Verify that you copied the CRL and CA certificate to the correct location on your Web server, and that the location matches the location you provided for the CDP and AIA locations on the CA.
  • Verify that you correctly configured permissions for the virtual folder where the CA certificate and CRL are stored.
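
The publish, copy, and restart steps above can be run as one script that also performs the first check in the list (confirming that the files actually reached the share). This is an added example, not part of the original procedure; it uses the source path and the \\WEB1\pki share named on this page, which you replace with the values for your deployment, and the variable names are illustrative.

```powershell
# Added example: run on CA1 in an elevated Windows PowerShell session.
# $Source and $Share are the locations used on this page; adjust them
# for your deployment.
$Source = 'C:\Windows\system32\certsrv\certenroll'
$Share  = '\\WEB1\pki'

# Publish a fresh CRL before copying (same command as step 1).
certutil -crl
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }

# Copy the CA certificate(s) and CRL(s) to the Web server share.
$files = Get-ChildItem -Path $Source -File |
    Where-Object { $_.Extension -in '.crt', '.crl' }
if (-not $files) { throw "No .crt or .crl files found in $Source" }
$files | Copy-Item -Destination $Share -ErrorAction Stop

# Compare every source file with its copy on the share by SHA-256 hash,
# so a missing or stale CRL is caught before clients try to fetch it.
$results = foreach ($f in $files) {
    $target = Join-Path -Path $Share -ChildPath $f.Name
    $status = if (-not (Test-Path -LiteralPath $target)) {
        'Missing'
    } elseif ((Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash -eq
              (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash) {
        'OK'
    } else {
        'Mismatch'
    }
    [pscustomobject]@{ File = $f.Name; Status = $status }
}
$results | Format-Table -AutoSize

# Stop here if anything on the share differs from the CA's own copy.
$bad = $results | Where-Object { $_.Status -ne 'OK' }
if ($bad) { throw "Share copy is incomplete or stale: $($bad.File -join ', ')" }

# Restart AD CS (step 2).
Restart-Service certsvc
```

The script only confirms that the share holds the same files as the CA; the CDP and AIA status check in pkiview.msc is still done as described in steps 3 and 4.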