Export (0) Print
Expand All

Install-AdcsCertificationAuthority

Windows Server 2012 R2 and Windows 8.1

Updated: October 17, 2013

Applies To: Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2

Install-AdcsCertificationAuthority

Performs installation and configuration of the Active Directory Certificate Services (AD CS) Certification Authority (CA) role service.

Syntax

Parameter Set: NewKeyParameterSet
Install-AdcsCertificationAuthority [-AllowAdministratorInteraction] [-CACommonName <String> ] [-CADistinguishedNameSuffix <String> ] [-CAType <CAType> ] [-Credential <PSCredential> ] [-CryptoProviderName <String> ] [-DatabaseDirectory <String> ] [-Force] [-HashAlgorithmName <String> ] [-IgnoreUnicode] [-KeyLength <Int32> ] [-LogDirectory <String> ] [-OutputCertRequestFile <String> ] [-OverwriteExistingCAinDS] [-OverwriteExistingDatabase] [-OverwriteExistingKey] [-ParentCA <String> ] [-ValidityPeriod <ValidityPeriod> ] [-ValidityPeriodUnits <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: ExistingCertificateParameterSet
Install-AdcsCertificationAuthority [-AllowAdministratorInteraction] [-CAType <CAType> ] [-CertFile <String> ] [-CertFilePassword <SecureString> ] [-CertificateID <String> ] [-Credential <PSCredential> ] [-DatabaseDirectory <String> ] [-Force] [-LogDirectory <String> ] [-OverwriteExistingDatabase] [-OverwriteExistingKey] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: ExistingKeyParameterSet
Install-AdcsCertificationAuthority [-AllowAdministratorInteraction] [-CADistinguishedNameSuffix <String> ] [-CAType <CAType> ] [-Credential <PSCredential> ] [-CryptoProviderName <String> ] [-DatabaseDirectory <String> ] [-Force] [-HashAlgorithmName <String> ] [-IgnoreUnicode] [-KeyContainerName <String> ] [-LogDirectory <String> ] [-OutputCertRequestFile <String> ] [-OverwriteExistingCAinDS] [-OverwriteExistingDatabase] [-ParentCA <String> ] [-ValidityPeriod <ValidityPeriod> ] [-ValidityPeriodUnits <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]




Detailed Description

The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the AD CS CA role service. To remove the certification authority role service use the Uninstall-AdcsCertificationAuthority cmdlet.

You can import the cmdlet by running the following commands from Windows PowerShell:
Import-Module ServerManager
Add-WindowsFeature Adcs-Cert-Authority

To include the Certification Authority and Certificate Templates consoles in a CA installation, you must add -IncludeManagementTools to the end of the AddWindowsFeature Adcs-Cert-Authority command.

Int is equivalent to Int32 in the .NET Framework (http://msdn.microsoft.com/en-us/library/ya5y69ds.aspx).

Parameters

-AllowAdministratorInteraction

Specifies whether prompting is enabled when the private key is accessed. This is not required for any of the Microsoft default providers. For enhanced security components, such as a hardware security module (HSM), review the enhanced security component vendor documentation.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-CACommonName<String>

Specifies the certification authority common name.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-CADistinguishedNameSuffix<String>

Specifies the certification authority distinguished name suffix.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-CAType<CAType>

Specifies the type of certification authority to install. The possible values are: EnterpriseRootCA, EnterpriseSubordinateCA, StandaloneRootCA, or StandaloneSubordinateCA.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-CertFile<String>

Specifies the file name of certification authority PKCS #12 formatted certificate file.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-CertFilePassword<SecureString>

Specifies the password for certification authority certificate file.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-CertificateID<String>

Specifies the thumbprint or serial number of certification authority certificate.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-Credential<PSCredential>

To install an enterprise certification authority, the computer must be joined to an Active Directory Domain Services (AD DS) domain and a user account that is a member of the Enterprise Admin group is required. To install a standalone certification authority, the computer can be in a workgroup or AD DS domain. If the computer is in a workgroup, a user account that is a member of Administrators is required. If the computer is in an AD DS domain, a user account that is a member of Domain Admins is required.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-CryptoProviderName<String>

The name of the cryptographic service provider (CSP) or key storage provider (KSP) that is used to generate or store the private key for the CA.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-DatabaseDirectory<String>

Specifies the folder location of the certification authority database.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-Force

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-HashAlgorithmName<String>

Specifies the signature hash algorithm used by the certification authority.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-IgnoreUnicode

Specifies that Unicode characters are allowed in certification authority name string.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-KeyContainerName<String>

Specifies the name of an existing private key container.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-KeyLength<Int32>

Specifies the bit length for new certification authority key.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-LogDirectory<String>

Specifies the folder location of the certification authority database log.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-OutputCertRequestFile<String>

Specifies the folder location for certificate request file.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-OverwriteExistingCAinDS

Specifies that the computer object in the Active Directory Domain Service domain should be overwritten with the same computer name.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-OverwriteExistingDatabase

Specifies that the existing certification authority database should be overwritten.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-OverwriteExistingKey

Overwrite existing key container with the same name


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-ParentCA<String>

Specifies the configuration string of the parent certification authority that will certify this CA.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-ValidityPeriod<ValidityPeriod>

Specifies the validity period of the certification authority (CA) certificate in hours, days, weeks, months or years. If this is a subordinate CA, do not use this parameter, because the validity period is determined by the parent CA.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-ValidityPeriodUnits<Int32>

Validity period of the certification authority (CA) certificate. If this is a subordinate CA, do not specify this parameter because the validity period is determined by the parent CA.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

true (ByPropertyName)

Accept Wildcard Characters?

false

-Confirm

Prompts you for confirmation before running the cmdlet.


Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.


Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see    about_CommonParameters.

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • bool, string, string, enum, string, SecureString, string, string, string, string, bool, string, long, string, string, bool, bool, bool, string, enum, long

Outputs

The output type is the type of the objects that the cmdlet emits.

  • Microsoft.CertificateServices.Deployment.Commands.CA.CertificationAuthoritySetupResult

Notes

  • Ensure you run Windows PowerShell as an administrator. You can use the -f switch to bypass the prompt for confirmation.
    To see parameters, run the following command: install-adcscertificationauthority -?
    If you have installation issues, try using the -verbose switch to get verbose output and review the information in the %windir%\cerocm.log.

Examples

-------------------------- EXAMPLE 1 --------------------------

Description

-----------

This command installs a new Standalone Root CA with default settings.


C:\PS>Install-AdcsCertificationAuthority -CAType StandaloneRootCa

-------------------------- EXAMPLE 2 --------------------------

Description

-----------

This command installs a new Enterprise Root CA using a specific provider (ECDSA_P256 Microsoft Software Key Storage Provider), key length (256), hash algorithm (SHA 256)


C:\PS>Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "ECDSA_P256#Microsoft Software Key Storage Provider" -KeyLength 256 -HashAlgorithmName SHA256

-------------------------- EXAMPLE 3 --------------------------

Description

-----------

This command installs a new Enterprise Root CA with the Microsoft Software Key Storage Provider using the RSA algorithm, key length (2048), hash algorithm (SHA 256), and validity period (3 years).


C:\PS>Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA1 -ValidityPeriod Years -ValidityPeriodUnits 3

-------------------------- EXAMPLE 4 --------------------------

Description

-----------

This command installs a new Enterprise subordinate CA, the parent CA is SERVER75 in the CORP domain of Contoso.com


C:\PS>Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa -ParentCA SERVER75.corp.contoso.com\SERVER75-CA

-------------------------- EXAMPLE 5 --------------------------

Description

-----------

This command installs an Enterprise Subordinate certification authority using an existing certificate from a PFX/P12 file that is located on the local C:\Cert folder named SERVER80-CA.p12.


C:\PS>Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa -CertFile C:\Cert\SERVER80-CA.p12 -CertFilePassword (read-host "Set user password" -assecurestring)

Related topics

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft