HRA Certification Authority Commands

This section contains the following commands.

HRA certification authority commands

HRA certification authority (CA) commands are used to assign one or more CAs that Health Regulation Authority (HRA) can use to obtain Network Access Protection (NAP) health certificates. You can also use these commands to configure the validity period of health certificates, and specify certain properties of the CA server. The following entries provide details for each command.

add caserver

Adds a CA server to the HRA configuration.

Syntax

add caserver [ [ name = ] name [ processingorder = ] processingorder ]

Parameters

name

Required. Specifies the name of the CA server and certificate. The required format is "\\computername\CAname".

processingorder

Optional. Specifies the priority of the CA server in the list of CA servers.

Example

In the following example, a CA server is added to the HRA configuration. This CA server has the name server1 with a certificate name of CA, and is assigned the highest processing order.

add caserver name = "\\server1\CA" processingorder = "1"

delete caserver

Deletes an existing CA server.

Syntax

delete caserver [ name= ] name

Parameters

name

Required. Specifies the name of the CA server and the certificate. The required format is "\\computername\CAname".

Example

In the following example of command usage, a CA server with the name server1 and certificate name of CA is removed from the HRA configuration.

delete caserver name = "\\server1\CA"

rename caserver

Changes the name of a CA server.

Syntax

rename caserver [ [ name = ] name [ newname = ] newname ]

Parameters

name

Required. Specifies the current name of the CA server and the certificate. The required format is "\\oldcomputername\CAname".

newname

Required. Specifies the new name of the CA server and the certificate. The required format is "\\newcomputername\CAname".

Example

In the following example of command usage, a CA server with the name server1 is renamed to server2.

rename caserver name = "\\server1\CA" newname = "\\server2\CA"

reset caserver

Deletes all CA servers that are configured in HRA and resets the HRA configuration to default values.

Caution
Do not run this command if you want to maintain any of the CA server settings you have configured at the HRA server. This command deletes all CA server settings that you have configured, and after running this command, your settings cannot be recovered. Before you run this command, it is recommended that you use the export command to save the HRA server configuration to an XML file.

Syntax

reset caserver

set caserver

Changes the processing order of an existing CA server. This command cannot be used to change the name of a CA server.

Note
If you set the processing order to a number higher than the number of configured CA servers, the CA server will be assigned a processing order equal to the number of CA servers.

Syntax

set caserver [ [ name = ] name [ processingorder = ] processingorder ]

Parameters

name

Required. Specifies the name of the CA server and certificate. The required format is "\\computername\CAname".

processingorder

Required. Specifies the priority of the CA server in the list of CA servers.

Example

In the following example of command usage, a CA server with the name server1 and a processing order of 2 is changed to a processing order of 1.

set caserver name = "\\server1\CA" processingorder = "1"

reset opmode

Resets the CA server operational mode to the default value of standalone only.

Syntax

reset opmode

set opmode

Sets the CA server operational mode. Two modes are available: 1) standalone and 2) enterprise and standalone. A value of zero is the default and configures the CA server to operate in standalone mode only. A value of one configures the CA server to operate in enterprise and standalone mode. In this mode, the CA server can request health certificates from either enterprise or standalone CA servers.

Important
You must configure certificate templates prior to assigning the CA server to operate in a mode that includes enterprise CA servers.

Syntax

set opmode [ [ mode = ] 0 | 1 ]

Parameters

0

Required. Specifies the operational mode of the CA server as standalone only. This is the default setting.

1

Required. Specifies the operational mode of the CA server as enterprise and standalone. This setting allows HRA to obtain health certificates from CA servers operating in either an enterprise or standalone mode.

Example

In the following example of command usage, the CA server operational mode is set to enterprise and standalone.

set opmode mode = 1

reset templates

Deletes the anonymous and authenticated CA server template configurations from HRA.

Syntax

reset templates

set templates

Configures certificate templates for use with an enterprise CA server. Certificate templates are required prior to configuring the CA server to operate in enterprise mode. Anonymous and authenticated certificate template names must both be configured at the same time.

Important
Certificate templates with simple names identical to those specified in the set templates command must be available prior to configuring CA server templates. Certificate template names are case-sensitive.

Syntax

set templates [ [ anontemplate = ] anontemplate [ authtemplate = ] authtemplate ]

Parameters

anontemplate

Required. Specifies the simple name of the health certificate template to use when requesting certificates that do not require client authentication. This template can be used to perform client health authentication in a workgroup environment. Certificate template names are case-sensitive.

authtemplate

Required. Specifies the simple name of the health certificate template to use when requesting certificates that require both client authentication and system health authentication. This template can be used to perform client health authentication in a domain environment. Certificate template names are case-sensitive.

Note
Type certutil -template at the command line to display a list of available templates.

Example

In the following example of command usage, the CA server is configured to use a template simple name for anonymous certificate requests of AnonymousNAPCompliant and a template simple name for authenticated certificate requests of DomainNAPCompliant.

set templates anontemplate = AnonymousNAPCompliant authtemplate = DomainNAPCompliant

reset timeout

Resets the CA server timeout to the default values. The default blackout time is five minutes, and the default no response time is 20 seconds.

Syntax

reset timeout

set timeout

Configures how long HRA will wait when no response is received from the CA server before sending another request. Two values are configurable, and these can be configured independently of each other. The blackout time specifies the time in minutes that the CA server remains identified as unavailable after no response has been received within the noresponse time. The no response time specifies the time in seconds to wait for the CA server to respond before identifying it as unavailable and starting the blackout timer.

Syntax

set timeout [ [ blackout = ] blackout [ noresponse = ] noresponse ]

Parameters

blackout

Optional. Specifies the time in minutes that the CA server remains identified as unavailable after no response has been received within the noresponse time.

noresponse

Optional. Specifies the time in seconds to wait for the CA server to respond before identifying it as unavailable and starting the blackout timer.

Example

Following is an example of the command usage. In this example, the CA server is configured to use a blackout time of 10 minutes and a no response time of 60 seconds.

set timeout blackout = "10" noresponse = "60"

reset usepolicyoids

Resets the CA server policyOID setting to the default value. By default, the use of policyOIDs by the CA server is disabled.

Syntax

reset usepolicyoids

set usepolicyoids

Changes the CA server policyOID setting to enable or disable. The default setting is disable.

Important
To enable policyOIDs, the CA server operational mode must be set to standalone only.

Syntax

set usepolicyoids [ state = ] enable | disable

Parameters

enable

Required. Enables use of policy object identifiers with the CA server in standalone mode.

disable

Required. Disables use of policy object identifiers with the CA server in standalone mode. This is the default setting.

Example

In the following example of the command usage, the CA server is configured to enable the use of policyOIDs.

set usepolicyoids state = "enable"

reset validityperiod

Resets the health certificate validity period to the default value. The default health certificate validity period is four hours.

Syntax

reset validityperiod

set validityperiod

Configures the validity period in minutes of health certificates issued by the CA server. The default value is 240 minutes, and the minimum value allowed is five minutes. The validity period influences load on the CA server by affecting how often it issues new health certificates.

Syntax

set validityperiod [ duration = ] duration

Parameters

duration

Required. The time in minutes that health certificates issued by the CA server are considered valid. Client computers must obtain a new health certificate prior to expiration of the validity period or they will be considered noncompliant with health requirements.

Example

In the following example of command usage, the health certificate validity period is set to 24 hours.

set validityperiod duration = 1440
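The commands above carry ordering rules that are easy to break when they are scripted: the "\\computername\CAname" name format for add caserver, the processing-order clamping described under set caserver, set templates before set opmode mode = 1, set usepolicyoids only in standalone mode, and the five-minute minimum for set validityperiod. The following Python script is an added example, not part of this documentation or of Microsoft's HRA code: it applies a planned command sequence to a model of the HRA CA configuration and reports the first line that violates one of those rules, so a script can be linted before it is run on the HRA server. The function names, the state dictionary and the command lines in the test are constructed; rename caserver and set timeout are not modelled.

```python
import re
# Constructed lint model of the rules this page documents: the "\\computername\CAname" name format, processing-order
# clamping (set caserver note), set templates before opmode 1, policyOIDs only in opmode 0, duration >= 5 minutes.
# Not Microsoft's HRA code; rename caserver and set timeout are not modelled, and the "server must exist" check is ours.
CA_NAME = re.compile(r'^\\\\[^\\]+\\[^\\]+$')
ARG = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')  # key = "value" pairs, quotes and spaces optional

def new_state():  # page defaults: no CA servers, standalone only, no templates, policyOIDs off, 240 min
    return {'caserver': [], 'opmode': 0, 'templates': None, 'usepolicyoids': False, 'validityperiod': 240}

def apply(state, line):  # ValueError on a documented violation, KeyError on a missing required parameter
    verb, obj, *rest = line.split(None, 2)
    if obj not in state or verb not in ('add', 'delete', 'reset', 'set'):
        raise ValueError(f'unknown or unmodelled command: {line}')
    a = {k.lower(): v.strip('"') for k, v in ARG.findall(rest[0] if rest else '')}
    if verb == 'reset':
        state[obj] = new_state()[obj]  # every reset command restores the page default
    elif obj == 'caserver':
        name, servers = a['name'], state['caserver']
        if verb == 'add' and not CA_NAME.match(name):
            raise ValueError(f'{name!r} is not of the form \\\\computername\\CAname')
        if verb != 'add':
            if name not in servers: raise ValueError(f'unknown CA server {name}')
            servers.remove(name)
        if verb != 'delete':  # an order above the server count clamps to the last slot
            slot = len(servers) + 1
            order = int(a['processingorder'] if verb == 'set' else a.get('processingorder', slot))
            servers.insert(min(order, slot) - 1, name)
    elif obj == 'opmode':
        if a['mode'] not in ('0', '1') or (a['mode'] == '1' and state['templates'] is None):
            raise ValueError('mode must be 0 or 1, and mode 1 needs set templates first')
        state['opmode'] = int(a['mode'])
    elif obj == 'templates':
        state['templates'] = (a['anontemplate'], a['authtemplate'])
    elif obj == 'usepolicyoids':
        if a['state'] == 'enable' and state['opmode'] != 0:
            raise ValueError('policyOIDs can be enabled only with opmode 0 (standalone only)')
        state['usepolicyoids'] = a['state'] == 'enable'
    elif obj == 'validityperiod':
        if int(a['duration']) < 5: raise ValueError('duration must be at least 5 minutes')
        state['validityperiod'] = int(a['duration'])
    return state

def lint(lines):
    """Apply a whole script in order; return (state, None) or (state, 'line N: reason')."""
    state = new_state()
    for n, line in enumerate(lines, 1):
        try: apply(state, line)
        except (KeyError, ValueError) as e: return state, f'line {n}: {e!r}'
    return state, None
```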