Set up Certification Authority with PowerShell

The script allows you to set up Active Directory Certificate Services (AD CS) on the local computer from a PowerShell console. In addition, the script supports AD CS role removal to decommission a Certification Authority (CA) from your network.

  • Set Storage Configuration data Parameters
    2 Posts | Last post December 10, 2013
    • Hi Vadim,
      I need to find out whether any parameter in Install-CertificationAuthority sets the Storage Configuration data out of Active Directory to a Shared Folder.
      Installing a Standalone Root CA on a server in the domain, and it automatically gives the configuration data to Active Directory.
      It is a Windows 2008R2 Core.
    • 1) sorry for a late response. This sh*tty Gallery email notification doesn't work normally, I never got a notification about your question.
      2) configuration data is stored in the registry on the local computer, and the CA database in the CertLog (by default) folder on the local computer. The CA does not store any configuration in Active Directory. The CA just publishes its own certificates to Active Directory. In addition, Enterprise CAs (only) register themselves in AD, so clients are able to locate CA servers.
  • How to avoid errors with KeyLength?
    4 Posts | Last post July 19, 2012
    • When trying to set a KeyLength of 4096 for a Standalone Root using the following arguments:
      Install-CertificationAuthority -CAName "Foo" -CAType "StandAloneRoot" -KeyLength 4096 -ValidforYears 10
      I get the following error:
      Exception calling "GetKeyLengthList" with "1" argument(s): "CCertSrvSetup::GetKeyLengthList: Invalid pointer 0x80004003
      At C:\install\SetupCA.ps1:129 char:33
      +             if ($CASetup.GetKeyLengthList <<<< ($CSP).Length -eq 0) {
          + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
          + FullyQualifiedErrorId : ComMethodTargetInvocation
    • If you specify a custom key length, you need to specify a CSP name. The default CSP is 'RSA#Microsoft Software Key Storage Provider'. The same applies to the hash algorithm. So, your line would be something like this:
      Install-CertificationAuthority -CAName "Foo" -CAType "StandAloneRoot" -KeyLength 4096 -ValidforYears 10 -CSP "RSA#Microsoft Software Key Storage Provider".
    • I've updated the code and fixed (I believe) your issue. Now you can specify a different key length or hash algorithm without having to explicitly specify CSP name.
    • thanks vadims...
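    The validation the updated script needs, as an added example that is not the gallery script's own code: check the requested key length and hash algorithm against the CSP through the CertSrv setup COM object, defaulting the CSP instead of passing $null (which is what produced the "Invalid pointer 0x80004003" above). It assumes the AD CS role binaries are installed so the CertocmSetup.CertSrvSetup COM class is registered; the function name is mine.

```powershell
# Added example (not the script's code): validate -KeyLength/-HashAlgorithm against the CSP
# before configuring the CA, so GetKeyLengthList is never called with a $null provider name.
# Assumes the AD CS binaries are installed (CertocmSetup.CertSrvSetup COM class available).
function Test-CASetupKeyParameters {
    param(
        [string]$CSP = 'RSA#Microsoft Software Key Storage Provider',  # default named in the thread
        [int]$KeyLength = 2048,
        [string]$HashAlgorithm = 'SHA256'
    )
    $CASetup = New-Object -ComObject CertocmSetup.CertSrvSetup
    # $true,$false: initialize defaults for the CA server role only, not the web enrollment client
    $CASetup.InitializeDefaults($true, $false)

    # An empty/whitespace CSP is the "Invalid pointer" case, so fall back to the default provider
    if ([string]::IsNullOrWhiteSpace($CSP)) { $CSP = 'RSA#Microsoft Software Key Storage Provider' }

    $providers = @($CASetup.GetProviderNameList())
    if ($providers -notcontains $CSP) {
        throw "CSP '$CSP' is not available on this machine. Available: $($providers -join ', ')"
    }
    $lengths = @($CASetup.GetKeyLengthList($CSP))
    # Assumption: an empty list means the provider advertises no fixed set, so only validate when one is returned
    if ($lengths.Count -gt 0 -and $lengths -notcontains $KeyLength) {
        throw "Key length $KeyLength is not supported by '$CSP'. Supported: $($lengths -join ', ')"
    }
    $hashes = @($CASetup.GetHashAlgorithmList($CSP))
    if ($hashes -notcontains $HashAlgorithm) {
        throw "Hash algorithm '$HashAlgorithm' is not supported by '$CSP'. Supported: $($hashes -join ', ')"
    }
    [pscustomobject]@{ CSP = $CSP; KeyLength = $KeyLength; HashAlgorithm = $HashAlgorithm; Valid = $true }
}

# Usage: the parameters from the question, with the CSP defaulted rather than passed as $null
Test-CASetupKeyParameters -KeyLength 4096 -HashAlgorithm 'SHA256'
```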
  • Multiple instances of a CA on the same server?
    2 Posts | Last post June 07, 2012
    • Can I use this script to load multiple instances of a CA on the same OS? I heard it mentioned that this was possible in a few links on this page:
    • I already answered you here:
      The answer is NO.
  • Can this script be run on W2K8?
    8 Posts | Last post March 22, 2012
    • I found from the MS site that 'ocsetup' is only used for W2K8R2, and also that 'ServerManager-PSH-Cmdlets' and 'ServerManager' cannot be found on W2K8.
      What extra work should I do in order to run this script on W2K8?
    • This is definitely a bug. I'll fix it in next few days. Thanks for letting me know.
    • Look forward to your fixing:)
    • Uploaded fixed version. Please, let me know if this works for you.
    • It's not supported on W2K8 Enterprise with version 6.0.6002.
      I checked that the OS ProductType is '2', so the message "Client operating systems are not supported!" is returned.
      Also, I omitted this and tried the following code to install the CA, but found that an exception is thrown indicating that InitializeDefaults is passed invalid arguments ["$CASetup.InitializeDefaults($true, $false)"].
    • > I checked that the OS productType is '2'.
      It's another bug. I never expected a CA server to be installed on domain controllers (it is really not recommended). In addition, I've replaced ocsetup.exe with the servermanagercmd.exe tool to install/remove the required binaries on Windows Server 2008. The code is tested on a fresh Windows Server 2008 SP2 installation and works as expected. The code snippet and attached archive are updated. Please let me know if it works in your scenario.
    • This cmd [cmd /c "servermanagercmd -install AD-Certificate 2> null"] executes successfully. But AD CS cannot be started, and an error dialog pops up saying "The system cannot find the file specified. 0x80070002 (WIN32: 2)". I found that the subkeys "Configuration" and "Security" of "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc" do not exist. But when I manually install AD CS these subkeys are added in the registry, so AD works well. I don't know whether it's something wrong with my VM (created from a template) or not.
    • I've performed several tests, including Standalone Root/Subordinate (in a workgroup) and in domain environments — all just work fine (though sometimes extra output is produced) and I cannot repro your issue.
      Note that the specified cmd command (servermanager.exe) just installs the required binary modules. The CA role is installed by the rest of the PowerShell code.
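    A post-install check for the symptoms in this thread and the storage-location answer earlier on the page (CertSvc service, the Configuration and Security subkeys under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc, and the CA database folder that defaults to CertLog), written as an added example rather than taken from the gallery script. It assumes an elevated PowerShell session on the CA host; the function name is mine.

```powershell
# Added example (not the gallery script's code): distinguish "role binaries installed but CA
# not configured" (CertSvc\Configuration missing, service fails with 0x80070002) from a
# configured CA whose database folder (DBDirectory, CertLog by default) is present.
function Test-CertSvcInstallation {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc'
    $result = [ordered]@{
        ServiceExists     = $false
        ServiceStatus     = 'Missing'
        ConfigurationKey  = Test-Path "$base\Configuration"
        SecurityKey       = Test-Path "$base\Security"
        ActiveCA          = $null
        DBDirectory       = $null
        DBDirectoryExists = $false
    }
    $svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServiceExists = $true
        $result.ServiceStatus = $svc.Status.ToString()
    }
    if ($result.ConfigurationKey) {
        # 'Active' names the configured CA; its own subkey holds DBDirectory and the other CA settings
        $cfg = Get-ItemProperty "$base\Configuration" -ErrorAction SilentlyContinue
        $result.ActiveCA = $cfg.Active
        if ($cfg.Active) {
            $ca = Get-ItemProperty "$base\Configuration\$($cfg.Active)" -ErrorAction SilentlyContinue
            $result.DBDirectory = $ca.DBDirectory
            if ($ca.DBDirectory) { $result.DBDirectoryExists = Test-Path $ca.DBDirectory }
        }
    }
    $problems = @()
    if (-not $result.ServiceExists)    { $problems += 'CertSvc service not registered (role binaries missing?)' }
    if (-not $result.ConfigurationKey) { $problems += 'CertSvc\Configuration missing: binaries installed but CA not configured' }
    if (-not $result.SecurityKey)      { $problems += 'CertSvc\Security subkey missing' }
    if ($result.DBDirectory -and -not $result.DBDirectoryExists) {
        $problems += "CA database folder '$($result.DBDirectory)' not found"
    }
    $result.Problems = $problems
    [pscustomobject]$result
}

Test-CertSvcInstallation | Format-List
```

    An empty Problems list with a Running service is the expected state after the script completes; a missing Configuration subkey with the service present matches the failure reported above, where only the binaries were installed.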