Summary of the above link: install a Root Certificate Authority using PowerShell


Run the command below to enable remote management of the Root CA (it opens the firewall rule group that remote MMC and Server Manager connections need)

Enable-NetFirewallRule -DisplayGroup "Remote Service Management"

Create the file C:\Windows\CAPolicy.inf with the following contents. It must exist before the CA is installed, because setup reads it to set the renewal key length, the CA certificate validity, the CRL and delta CRL periods, the signature format, and the certificate policy statement (the OID and URL below are placeholders to replace with your own):

[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
[PolicyStatementExtension]
Policies=LegalPolicy
[LegalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://www/CertEnroll/cps.asp

Install the certificate authority (replace <CA_Server_Name> with the CA common name; the key is 4096-bit RSA in the software KSP, signed with SHA-256, valid for 20 years)

Import-Module ServerManager
Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -KeyLength 4096 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 20 -CACommonName <CA_Server_Name> -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"

The commands below remove all default CRL Distribution Points (CDPs), including the ldap:// and file:// entries created by setup

$crllist = Get-CACrlDistributionPoint
foreach ($crl in $crllist) { Remove-CACrlDistributionPoint $crl.Uri -Force }

Add the new CDPs: a local file path the CA publishes the CRL to, and an HTTP URL that is written into issued certificates (%3 expands to the CA name, %8 to the CRL name suffix)

Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl -PublishToServer -Force
Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8.crl -AddToCertificateCDP -Force

Remove all default Authority Information Access (AIA) locations

$aialist = Get-CAAuthorityInformationAccess
foreach ($aia in $aialist) { Remove-CAAuthorityInformationAccess $aia.Uri -Force }

Configure the new AIA location that is written into issued certificates (%1 expands to the server DNS name, %3 to the CA name)

Add-CAAuthorityInformationAccess -AddToCertificateAia -Uri http://www/CertEnroll/%1_%3.crt -Force

Run the commands below to configure the Root CA registry settings: CRL period (26 weeks), delta CRL disabled, CRL overlap (12 hours), maximum validity of issued certificates (20 years), key size, and AuditFilter 127, which enables every CA audit category (the events are only written if Certification Services object-access auditing is enabled in local or Group Policy)

certutil.exe -setreg CA\CRLPeriodUnits 26
certutil.exe -setreg CA\CRLPeriod "Weeks"
certutil.exe -setreg CA\CRLDeltaPeriodUnits 0
certutil.exe -setreg CA\CRLDeltaPeriod "Days"
certutil.exe -setreg CA\CRLOverlapPeriodUnits 12
certutil.exe -setreg CA\CRLOverlapPeriod "Hours"
certutil.exe -setreg CA\ValidityPeriodUnits 20
certutil.exe -setreg CA\ValidityPeriod "Years"
certutil.exe -setreg CA\KeySize 4096
certutil.exe -setreg CA\AuditFilter 127

Run the command below to set the Active Directory domain DN the CA uses when publishing to AD (replace DC=mycompany,DC=com with your own domain)

certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"

Restart the CertSvc service so the registry changes take effect

Restart-Service certsvc

Publish a new CRL to the CDP configured above

certutil.exe -CRL
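Once all of the steps above have run, the script below (an added example; it is not part of the original wiki page) checks that the CA ended up in the intended state: the registry values match what was set with certutil, no ldap:// or default CDP/AIA entries survived, the HTTP CDP and AIA are flagged to go into issued certificates, the CA certificate really has a 4096-bit key and is not SHA-1 signed, and a fresh CRL exists in CertEnroll. It assumes it runs on the CA itself, reads the CA name from the CertSvc "Active" registry value, and assumes that name is also the CA certificate's CN and the %3 token in the CRL file name; the expected URIs mirror the ones configured above.

```powershell
# Added verification script for the Root CA built by the steps above.
# Assumptions: runs locally on the CA, the CertSvc "Active" value is the CA name,
# and that name is both the certificate CN and the %3 token of the CRL file name.
Import-Module ADCSAdministration

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$caKey  = Join-Path $cfgKey $caName
$failures = @()

# 1. Registry settings applied with certutil -setreg
$expected = @{
    CRLPeriodUnits        = 26;   CRLPeriod        = 'Weeks'
    CRLDeltaPeriodUnits   = 0;    CRLDeltaPeriod   = 'Days'
    CRLOverlapPeriodUnits = 12;   CRLOverlapPeriod = 'Hours'
    ValidityPeriodUnits   = 20;   ValidityPeriod   = 'Years'
    KeySize               = 4096; AuditFilter      = 127
}
$actual = Get-ItemProperty -Path $caKey
foreach ($name in $expected.Keys) {
    if ("$($actual.$name)" -ne "$($expected[$name])") {
        $failures += "Registry $name is '$($actual.$name)', expected '$($expected[$name])'"
    }
}

# 2. CDP: exactly the file path and HTTP URL added above, nothing else
$expectedCdp = @('C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl', 'http://www/CertEnroll/%3%8.crl')
$cdp = @(Get-CACrlDistributionPoint)
foreach ($uri in $expectedCdp) {
    if (-not ($cdp | Where-Object { $_.Uri -eq $uri })) { $failures += "CDP missing: $uri" }
}
foreach ($entry in $cdp) {
    if ($expectedCdp -notcontains $entry.Uri) { $failures += "Unexpected CDP left over: $($entry.Uri)" }
}
$httpCdp = $cdp | Where-Object { $_.Uri -like 'http://*' }
if ($httpCdp -and -not $httpCdp.AddToCertificateCdp) { $failures += 'HTTP CDP is not written into issued certificates' }
$fileCdp = $cdp | Where-Object { $_.Uri -like 'C:\*' }
if ($fileCdp -and -not $fileCdp.PublishToServer)     { $failures += 'File CDP is not a publish location' }

# 3. AIA: only the HTTP location, flagged for inclusion in certificates
$expectedAia = 'http://www/CertEnroll/%1_%3.crt'
$aia = @(Get-CAAuthorityInformationAccess)
if ($aia.Count -ne 1 -or $aia[0].Uri -ne $expectedAia) {
    $failures += "AIA is [$($aia.Uri -join ', ')], expected only $expectedAia"
} elseif (-not $aia[0].AddToCertificateAia) {
    $failures += 'AIA is not written into issued certificates'
}

# 4. CA certificate: 4096-bit RSA key present, signature not SHA-1
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) {
    $failures += "No CA certificate with a private key found for CN=$caName"
} else {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($caCert)
    if (-not $rsa -or $rsa.KeySize -ne 4096) { $failures += "CA key size is $($rsa.KeySize), expected 4096" }
    # With AlternateSignatureAlgorithm=1 the friendly name is RSASSA-PSS rather than sha256RSA;
    # either is acceptable, SHA-1 is not.
    if ($caCert.SignatureAlgorithm.FriendlyName -match 'sha1') { $failures += 'CA certificate is SHA-1 signed' }
    if ($caCert.NotAfter -lt (Get-Date).AddYears(19)) { $failures += "CA certificate expires $($caCert.NotAfter), expected ~20 years" }
}

# 5. A CRL was published after the last certutil -CRL (file newer than 1 day)
$crlFile = Join-Path $env:windir "System32\CertSrv\CertEnroll\$caName.crl"
if (-not (Test-Path $crlFile)) {
    $failures += "Published CRL not found at $crlFile"
} elseif ((Get-Item $crlFile).LastWriteTime -lt (Get-Date).AddDays(-1)) {
    $failures += "CRL at $crlFile is older than a day; run certutil -CRL again"
}

# Report
if ($failures.Count -eq 0) {
    Write-Host "Root CA '$caName' matches the expected configuration." -ForegroundColor Green
} else {
    Write-Host "Root CA '$caName' has $($failures.Count) problem(s):" -ForegroundColor Red
    $failures | ForEach-Object { Write-Host " - $_" }
    exit 1
}
```

Run it in an elevated PowerShell session on the CA after the restart and the final certutil -CRL. A non-zero exit with the list of failures is the useful output: it catches the common mistakes of editing CAPolicy.inf after setup already ran (key size or validity wrong), forgetting -AddToCertificateCDP/-AddToCertificateAia (URIs present but never written into certificates), and leaving the default ldap:// locations behind on a CA that is not domain-joined.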