Install-AdcsCertificationAuthority
Performs installation and configuration of the Active Directory Certificate Services (AD CS) Certification Authority (CA) role service.
Install-AdcsCertificationAuthority
[-AllowAdministratorInteraction]
[-ValidityPeriod <ValidityPeriod>]
[-ValidityPeriodUnits <Int32>]
[-CACommonName <String>]
[-CADistinguishedNameSuffix <String>]
[-CAType <CAType>]
[-CryptoProviderName <String>]
[-DatabaseDirectory <String>]
[-HashAlgorithmName <String>]
[-IgnoreUnicode]
[-KeyLength <Int32>]
[-LogDirectory <String>]
[-OutputCertRequestFile <String>]
[-OverwriteExistingCAinDS]
[-OverwriteExistingKey]
[-ParentCA <String>]
[-OverwriteExistingDatabase]
[-Credential <PSCredential>]
[-Force]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Install-AdcsCertificationAuthority
[-AllowAdministratorInteraction]
[-CertFilePassword <SecureString>]
[-CertFile <String>]
[-CAType <CAType>]
[-CertificateID <String>]
[-DatabaseDirectory <String>]
[-LogDirectory <String>]
[-OverwriteExistingKey]
[-OverwriteExistingDatabase]
[-Credential <PSCredential>]
[-Force]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Install-AdcsCertificationAuthority
[-AllowAdministratorInteraction]
[-ValidityPeriod <ValidityPeriod>]
[-ValidityPeriodUnits <Int32>]
[-CADistinguishedNameSuffix <String>]
[-CAType <CAType>]
[-CryptoProviderName <String>]
[-DatabaseDirectory <String>]
[-HashAlgorithmName <String>]
[-IgnoreUnicode]
[-KeyContainerName <String>]
[-LogDirectory <String>]
[-OutputCertRequestFile <String>]
[-OverwriteExistingCAinDS]
[-ParentCA <String>]
[-OverwriteExistingDatabase]
[-Credential <PSCredential>]
[-Force]
[-WhatIf]
[-Confirm]
[<CommonParameters>] The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the Active Directory Certificate Services (AD CS) Certification Authority (CA) role service. To remove the certification authority role service use the Uninstall-AdcsCertificationAuthority cmdlet.
You can import the cmdlet by running the following commands from Windows PowerShell:
Install-WindowsFeature Adcs-Cert-Authority
To include the Certification Authority and Certificate Templates consoles in a CA installation, you must use the IncludeManagementTools parameter at the end of the Install-WindowsFeature Adcs-Cert-Authority command.
Int is equivalent to Int32 in the .NET Framework.
PS C:\> Install-AdcsCertificationAuthority -CAType StandaloneRootCaThis command installs a new Standalone Root CA with default settings.
PS C:\> Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "ECDSA_P256#Microsoft Software Key Storage Provider" -KeyLength 256 -HashAlgorithmName SHA256This command installs a new Enterprise Root CA using the provider named ECDSA_P256 Microsoft Software Key Storage Provider, key length of 256, and the hash algorithm named SHA 256.
PS C:\> Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA1 -ValidityPeriod Years -ValidityPeriodUnits 3This command installs a new Enterprise Root CA using a RSA algorithm using the provider named Microsoft Software Key Storage Provider, a key length of 2048, a hash algorithm named SHA 1, and validity period of three years.
PS C:\> Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa -ParentCA SERVER75.corp.contoso.com\SERVER75-CAThis command installs a new Enterprise subordinate CA, the parent CA is SERVER75 in the CORP domain of Contoso.com.
PS C:\> Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa -CertFile C:\Cert\SERVER80-CA.p12 -CertFilePassword (read-host "Set user password" -assecurestring)This command installs an Enterprise Subordinate CA using an existing certificate from a PFX/P12 file that is located on the local C:\Cert folder named SERVER80-CA.p12.
Specifies whether prompting is enabled when the private key is accessed. This is not required for any of the Microsoft default providers. For enhanced security components, such as a hardware security module (HSM), review the enhanced security component vendor documentation.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies the certification authority common name.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies the certification authority distinguished name suffix.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies the type of certification authority that this cmdlet installs. The acceptable values for this parameter are:
- EnterpriseRootCA
- EnterpriseSubordinateCA
- StandaloneRootCA
- StandaloneSubordinateCA
| Type: | CAType |
| Accepted values: | EnterpriseRootCA, EnterpriseSubordinateCA, StandaloneRootCA, StandaloneSubordinateCA |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies the file name of certification authority PKCS #12 formatted certificate file.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies the password for certification authority certificate file.
| Type: | SecureString |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies the thumbprint or serial number of certification authority certificate.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Specifies a PSCredential object for the connection to AD DS.
To obtain a credential object, use the Get-Credential cmdlet.
For more information, type Get-Help Get-Credential.
To install an enterprise certification authority, the computer must be joined to an AD DS domain and a user account that is a member of the Enterprise Admin group is required.
To install a standalone certification authority, the computer can be in a workgroup or AD DS domain.
If the computer is in a workgroup, a user account that is a member of Administrators is required.
If the computer is in an AD DS domain, a user account that is a member of Domain Admins is required.
| Type: | PSCredential |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
The name of the cryptographic service provider (CSP) or key storage provider (KSP) that is used to generate or store the private key for the CA.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies the folder location of the certification authority database.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Forces the command to run without asking for user confirmation.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Specifies the signature hash algorithm used by the certification authority.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies that Unicode characters are allowed in certification authority name string.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies the name of an existing private key container.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies the bit length for new certification authority key.
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies the folder location of the certification authority database log.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies the folder location for certificate request file.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies that the computer object in the Active Directory Domain Service domain should be overwritten with the same computer name.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies that the existing certification authority database should be overwritten.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Overwrite existing key container with the same name
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies the configuration string of the parent certification authority that will certify this CA.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Specifies the validity period of the certification authority (CA) certificate in hours, days, weeks, months or years. If this is a subordinate CA, do not use this parameter, because the validity period is determined by the parent CA.
| Type: | ValidityPeriod |
| Accepted values: | Hours, Days, Weeks, Months, Years |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Validity period of the certification authority (CA) certificate. If this is a subordinate CA, do not specify this parameter because the validity period is determined by the parent CA.
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
bool, string, string, enum, string, SecureString, string, string, string, string, bool, string, long, string, string, bool, bool, bool, string, enum, long
Microsoft.CertificateServices.Deployment.Commands.CA.CertificationAuthoritySetupResult
- Ensure you run Windows PowerShell as an administrator. You can use the -f switch to bypass the prompt for confirmation. To see parameters, run the following command: Install-AdcsCertificationAuthority -? If you have installation issues, try using the -verbose switch to get verbose output and review the information in the %windir%\cerocm.log.