It came to our attention that the Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure whitepaper provides incorrect guidance in the section Import the Root CA Certificate and CRL into an Intermediate CA from a Batch File. The current documentation recommends adding the CRL published by the Root CA to the Root certificate store.

Two corrections are needed for the commands in step #4 of the Import the Root CA Certificate and CRL into an Intermediate CA from a Batch File section:

  1. The -f option should not be used when the target certificate store already exists. This avoids the accidental creation of new certificate stores: if the store name is mistyped and -f is used, certutil silently creates a new store with the misspelled name, and the imported certificate ends up in that dead store instead of the intended one. Without -f, the mistyped command fails, which is the behavior you want.
  2. The Root CA's CRL should be added to the Intermediate Certification Authorities store (named CA in certutil), not to the Root store.

The corrected commands look like the following:

for %C in (FloppyDrive:\*.crt) do certutil -addstore Root %C
for %C in (FloppyDrive:\*.crl) do certutil -addstore CA %C

Note that these lines are written as typed at an interactive command prompt. When they are placed in a batch file, the loop variable must be doubled (%%C) or the command processor will not expand it.
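As an added example (not from the whitepaper itself), the following batch file performs the corrected import end to end on the intermediate CA and then checks the result. It assumes the Root CA certificate and CRL files are on A:\ (standing in for FloppyDrive:) and that it runs from an elevated prompt, since certutil operates on the local machine stores by default.

```batch
@echo off
rem Added example, not part of the original whitepaper.
rem Imports the Root CA certificate(s) and CRL(s) into the intermediate CA's
rem machine stores and verifies the outcome. A:\ is an assumed placeholder.
setlocal
set SRC=A:\

rem Root CA certificate(s) go to the Trusted Root Certification Authorities store.
rem No -f: a mistyped store name makes certutil fail instead of silently
rem creating a new (dead) store with the misspelled name.
for %%C in (%SRC%*.crt) do (
    certutil -addstore Root "%%C" || (
        echo Failed to import certificate %%C
        exit /b 1
    )
)

rem The Root CA's CRL goes to the Intermediate Certification Authorities store (CA),
rem not to the Root store.
for %%C in (%SRC%*.crl) do (
    certutil -addstore CA "%%C" || (
        echo Failed to import CRL %%C
        exit /b 1
    )
)

rem Check: list the contents of both stores so the certificate shows up under
rem Root and the CRL under CA, then confirm each imported root certificate now
rem chains to a trusted root on this machine.
certutil -store Root
certutil -store CA
for %%C in (%SRC%*.crt) do (
    certutil -verify "%%C" || (
        echo Verification failed for %%C
        exit /b 1
    )
)
endlocal
```

The `||` branches stop the script on the first certutil error, so a typo in a store name (which, without -f, causes certutil to fail rather than create a store) is caught immediately rather than discovered later when the intermediate CA cannot build its chain.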