Install-AdcsCertificationAuthority
Performs installation and configuration of the Active Directory Certificate Services (AD CS) Certification Authority (CA) role service.
Syntax
Parameter Set: NewKeyParameterSet
Install-AdcsCertificationAuthority [-AllowAdministratorInteraction] [-CACommonName <String> ] [-CADistinguishedNameSuffix <String> ] [-CAType <CAType> ] [-Credential <PSCredential> ] [-CryptoProviderName <String> ] [-DatabaseDirectory <String> ] [-Force] [-HashAlgorithmName <String> ] [-IgnoreUnicode] [-KeyLength <Int32> ] [-LogDirectory <String> ] [-OutputCertRequestFile <String> ] [-OverwriteExistingCAinDS] [-OverwriteExistingDatabase] [-OverwriteExistingKey] [-ParentCA <String> ] [-ValidityPeriod <ValidityPeriod> ] [-ValidityPeriodUnits <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: ExistingCertificateParameterSet
Install-AdcsCertificationAuthority [-AllowAdministratorInteraction] [-CAType <CAType> ] [-CertFile <String> ] [-CertFilePassword <SecureString> ] [-CertificateID <String> ] [-Credential <PSCredential> ] [-DatabaseDirectory <String> ] [-Force] [-LogDirectory <String> ] [-OverwriteExistingDatabase] [-OverwriteExistingKey] [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: ExistingKeyParameterSet
Install-AdcsCertificationAuthority [-AllowAdministratorInteraction] [-CADistinguishedNameSuffix <String> ] [-CAType <CAType> ] [-Credential <PSCredential> ] [-CryptoProviderName <String> ] [-DatabaseDirectory <String> ] [-Force] [-HashAlgorithmName <String> ] [-IgnoreUnicode] [-KeyContainerName <String> ] [-LogDirectory <String> ] [-OutputCertRequestFile <String> ] [-OverwriteExistingCAinDS] [-OverwriteExistingDatabase] [-ParentCA <String> ] [-ValidityPeriod <ValidityPeriod> ] [-ValidityPeriodUnits <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]
Detailed Description
The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the AD CS CA role service. To remove the certification authority role service, use the Uninstall-AdcsCertificationAuthority cmdlet.
You can import the cmdlet by running the following commands from Windows PowerShell:
Import-Module ServerManager
Add-WindowsFeature Adcs-Cert-Authority
To include the Certification Authority and Certificate Templates consoles in a CA installation, you must add -IncludeManagementTools to the end of the Add-WindowsFeature Adcs-Cert-Authority command.
Int is equivalent to Int32 in the .NET Framework (https://msdn.microsoft.com/en-us/library/ya5y69ds.aspx).
Parameters
-AllowAdministratorInteraction
Specifies whether prompting is enabled when the private key is accessed. This is not required for any of the Microsoft default providers. For enhanced security components, such as a hardware security module (HSM), review the enhanced security component vendor documentation.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-CACommonName <String>
Specifies the certification authority common name.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-CADistinguishedNameSuffix <String>
Specifies the certification authority distinguished name suffix.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-CAType <CAType>
Specifies the type of certification authority to install. The possible values are: EnterpriseRootCA, EnterpriseSubordinateCA, StandaloneRootCA, or StandaloneSubordinateCA.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-CertFile <String>
Specifies the file name of the certification authority's PKCS #12 formatted certificate file.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-CertFilePassword <SecureString>
Specifies the password for the certification authority certificate file.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-CertificateID <String>
Specifies the thumbprint or serial number of the certification authority certificate.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-Credential <PSCredential>
To install an enterprise certification authority, the computer must be joined to an Active Directory Domain Services (AD DS) domain and a user account that is a member of the Enterprise Admins group is required. To install a standalone certification authority, the computer can be in a workgroup or an AD DS domain. If the computer is in a workgroup, a user account that is a member of Administrators is required. If the computer is in an AD DS domain, a user account that is a member of Domain Admins is required.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-CryptoProviderName <String>
Specifies the name of the cryptographic service provider (CSP) or key storage provider (KSP) that is used to generate or store the private key for the CA.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-DatabaseDirectory <String>
Specifies the folder location of the certification authority database.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-Force
Forces the command to run without asking for user confirmation.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? false
Accept Wildcard Characters? false
-HashAlgorithmName <String>
Specifies the signature hash algorithm used by the certification authority.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-IgnoreUnicode
Specifies that Unicode characters are allowed in the certification authority name string.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-KeyContainerName <String>
Specifies the name of an existing private key container.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-KeyLength <Int32>
Specifies the bit length for the new certification authority key.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-LogDirectory <String>
Specifies the folder location of the certification authority database log.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-OutputCertRequestFile <String>
Specifies the folder location for the certificate request file.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-OverwriteExistingCAinDS
Specifies that the computer object in the Active Directory Domain Services domain should be overwritten with the same computer name.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-OverwriteExistingDatabase
Specifies that the existing certification authority database should be overwritten.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-OverwriteExistingKey
Specifies that an existing key container with the same name should be overwritten.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-ParentCA <String>
Specifies the configuration string of the parent certification authority that will certify this CA.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-ValidityPeriod <ValidityPeriod>
Specifies the validity period of the certification authority (CA) certificate in hours, days, weeks, months or years. If this is a subordinate CA, do not use this parameter, because the validity period is determined by the parent CA.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-ValidityPeriodUnits <Int32>
Specifies the validity period of the certification authority (CA) certificate, counted in the units given by -ValidityPeriod. If this is a subordinate CA, do not specify this parameter, because the validity period is determined by the parent CA.
Aliases: none
Required? false
Position? named
Default Value: none
Accept Pipeline Input? true (ByPropertyName)
Accept Wildcard Characters? false
-Confirm
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default Value: false
Accept Pipeline Input? false
Accept Wildcard Characters? false
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? false
Position? named
Default Value: false
Accept Pipeline Input? false
Accept Wildcard Characters? false
<CommonParameters>
This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/p/?LinkID=113216).
Inputs
The input type is the type of the objects that you can pipe to the cmdlet.
- bool, string, string, enum, string, SecureString, string, string, string, string, bool, string, long, string, string, bool, bool, bool, string, enum, long
Outputs
The output type is the type of the objects that the cmdlet emits.
- Microsoft.CertificateServices.Deployment.Commands.CA.CertificationAuthoritySetupResult
Notes
- Ensure you run Windows PowerShell as an administrator. You can use the -f (-Force) switch to bypass the prompt for confirmation.
- To see the parameters, run the following command: Install-AdcsCertificationAuthority -?
- If you have installation issues, try using the -Verbose switch to get verbose output and review the information in %windir%\certocm.log.
Examples
-------------------------- EXAMPLE 1 --------------------------
Description
-----------
This command installs a new Standalone Root CA with default settings.
C:\PS>Install-AdcsCertificationAuthority -CAType StandaloneRootCa
-------------------------- EXAMPLE 2 --------------------------
Description
-----------
This command installs a new Enterprise Root CA using a specific provider (ECDSA_P256 Microsoft Software Key Storage Provider), key length (256), and hash algorithm (SHA 256).
C:\PS>Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "ECDSA_P256#Microsoft Software Key Storage Provider" -KeyLength 256 -HashAlgorithmName SHA256
-------------------------- EXAMPLE 3 --------------------------
Description
-----------
This command installs a new Enterprise Root CA with the Microsoft Software Key Storage Provider using the RSA algorithm, key length (2048), hash algorithm (SHA 256), and validity period (3 years).
C:\PS>Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 3
-------------------------- EXAMPLE 4 --------------------------
Description
-----------
This command installs a new Enterprise Subordinate CA; the parent CA is SERVER75 in the CORP domain of Contoso.com.
C:\PS>Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa -ParentCA SERVER75.corp.contoso.com\SERVER75-CA
-------------------------- EXAMPLE 5 --------------------------
Description
-----------
This command installs an Enterprise Subordinate certification authority using an existing certificate from a PFX/P12 file that is located on the local C:\Cert folder named SERVER80-CA.p12.
C:\PS>Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa -CertFile C:\Cert\SERVER80-CA.p12 -CertFilePassword (Read-Host "Set user password" -AsSecureString)
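The following script is an added example, not part of the TechNet reference: it carries the procedure from the Detailed Description (add the role service with the management consoles) through an Enterprise Root CA installation with explicit provider, key length, hash algorithm and validity settings as in Examples 2 and 3, and then checks the CA certificate that was actually issued against the requested settings. The CA name, DN suffix and directories are assumed sample values; the result object's ErrorId/ErrorString fields are assumed from the cmdlet's usual output.

```powershell
# Added example (not the reference page's own code). Run in an elevated
# Windows PowerShell session on a domain-joined server as a member of
# Enterprise Admins (see -Credential). Sample values: replace for your forest.
$CAName = 'CONTOSO-ROOT-CA'               # assumed sample CA common name
$Suffix = 'DC=corp,DC=contoso,DC=com'     # assumed sample DN suffix

Import-Module ServerManager
# Role service plus the CA and Certificate Templates consoles.
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

$caParams = @{
    CAType                    = 'EnterpriseRootCa'
    CACommonName              = $CAName
    CADistinguishedNameSuffix = $Suffix
    CryptoProviderName        = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength                 = 4096
    HashAlgorithmName         = 'SHA256'
    ValidityPeriod            = 'Years'
    ValidityPeriodUnits       = 10
    DatabaseDirectory         = 'D:\CertDB'    # assumed sample paths
    LogDirectory              = 'D:\CertLog'
}

# Dry run first: reports the planned configuration without changing the host.
Install-AdcsCertificationAuthority @caParams -WhatIf

# Real install; -Force bypasses the confirmation prompt (see Notes).
$result = Install-AdcsCertificationAuthority @caParams -Force
if ($result.ErrorId -ne 0) {
    throw "CA setup failed: $($result.ErrorString)"
}

# Verify what was issued: the CA certificate is placed in the machine
# Personal store and must match the requested signature hash and key size.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CAName*" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $caCert) { throw "No certificate for CN=$CAName in LocalMachine\My" }

$caCert | Format-List Subject, Thumbprint, NotAfter,
    @{ n = 'Signature'; e = { $_.SignatureAlgorithm.FriendlyName } },
    @{ n = 'KeyBits';   e = { $_.PublicKey.Key.KeySize } }

if ($caCert.SignatureAlgorithm.FriendlyName -notmatch 'sha256' -or
    $caCert.PublicKey.Key.KeySize -ne $caParams.KeyLength) {
    Write-Warning 'Issued CA certificate does not match the requested crypto settings.'
}
```

If the final check warns, review %windir%\certocm.log before issuing any certificates from the new CA, since a CA signing with a weaker hash or key than intended cannot be corrected later without renewing the CA certificate.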