Install-AdcsCertificationAuthority
Performs installation and configuration of the Active Directory Certificate Services (AD CS) Certification Authority (CA) role service.
Syntax
Install-AdcsCertificationAuthority
    [-AllowAdministratorInteraction]
    [-ValidityPeriod <ValidityPeriod>]
    [-ValidityPeriodUnits <Int32>]
    [-CACommonName <String>]
    [-CADistinguishedNameSuffix <String>]
    [-CAType <CAType>]
    [-CryptoProviderName <String>]
    [-DatabaseDirectory <String>]
    [-HashAlgorithmName <String>]
    [-IgnoreUnicode]
    [-KeyLength <Int32>]
    [-LogDirectory <String>]
    [-OutputCertRequestFile <String>]
    [-OverwriteExistingCAinDS]
    [-OverwriteExistingKey]
    [-ParentCA <String>]
    [-OverwriteExistingDatabase]
    [-Credential <PSCredential>]
    [-Force]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Install-AdcsCertificationAuthority
    [-AllowAdministratorInteraction]
    [-CertFilePassword <SecureString>]
    [-CertFile <String>]
    [-CAType <CAType>]
    [-CertificateID <String>]
    [-DatabaseDirectory <String>]
    [-LogDirectory <String>]
    [-OverwriteExistingKey]
    [-OverwriteExistingDatabase]
    [-Credential <PSCredential>]
    [-Force]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Install-AdcsCertificationAuthority
    [-AllowAdministratorInteraction]
    [-ValidityPeriod <ValidityPeriod>]
    [-ValidityPeriodUnits <Int32>]
    [-CADistinguishedNameSuffix <String>]
    [-CAType <CAType>]
    [-CryptoProviderName <String>]
    [-DatabaseDirectory <String>]
    [-HashAlgorithmName <String>]
    [-IgnoreUnicode]
    [-KeyContainerName <String>]
    [-LogDirectory <String>]
    [-OutputCertRequestFile <String>]
    [-OverwriteExistingCAinDS]
    [-ParentCA <String>]
    [-OverwriteExistingDatabase]
    [-Credential <PSCredential>]
    [-Force]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]
Description
The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the Active Directory Certificate Services (AD CS) Certification Authority (CA) role service. To remove the certification authority role service, use the Uninstall-AdcsCertificationAuthority cmdlet.
You can import the cmdlet by running the following command from Windows PowerShell:
Install-WindowsFeature Adcs-Cert-Authority
To include the Certification Authority and Certificate Templates consoles in a CA installation, you must use the IncludeManagementTools parameter at the end of the Install-WindowsFeature Adcs-Cert-Authority command.
Int is equivalent to Int32 in the .NET Framework.
Examples
Example 1: Install a new Standalone Root CA with default settings
Install-AdcsCertificationAuthority -CAType StandaloneRootCa
This command installs a new Standalone Root CA with default settings.
Example 2: Install a new Enterprise Root CA using a specific provider and key length
$params = @{
    # String and enum values are quoted so the hashtable literal parses
    CAType             = 'EnterpriseRootCa'
    CryptoProviderName = "ECDSA_P256#Microsoft Software Key Storage Provider"
    KeyLength          = 256
    HashAlgorithmName  = 'SHA256'
}
Install-AdcsCertificationAuthority @params
This command installs a new Enterprise Root CA using the provider named ECDSA_P256#Microsoft Software Key Storage Provider, a key length of 256, and the hash algorithm SHA256.
Example 3: Install a new Enterprise Root CA using a specific provider and a validity period
$params = @{
    CAType              = 'EnterpriseRootCa'
    CryptoProviderName  = "RSA#Microsoft Software Key Storage Provider"
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA1'
    # Validity of the root CA certificate: 3 years
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 3
}
Install-AdcsCertificationAuthority @params
This command installs a new Enterprise Root CA that uses an RSA key held by the provider named Microsoft Software Key Storage Provider, a key length of 2048, the hash algorithm SHA1, and a validity period of three years.
Example 4: Install a new Enterprise Subordinate CA using a parent CA
$params = @{
    CAType   = 'EnterpriseSubordinateCa'
    # Parent CA configuration string: <server FQDN>\<CA name>
    ParentCA = "SERVER75.corp.contoso.com\SERVER75-CA"
}
Install-AdcsCertificationAuthority @params
This command installs a new Enterprise Subordinate CA. The parent CA is SERVER75 in the CORP domain of Contoso.com.
Example 5: Install a new Enterprise Subordinate CA using an existing certificate
$params = @{
    CAType           = 'EnterpriseSubordinateCa'
    CertFile         = "C:\Cert\SERVER80-CA.p12"
    # Prompt for the PFX/P12 password so it is never stored in the script
    CertFilePassword = (Read-Host "Set user password" -AsSecureString)
}
Install-AdcsCertificationAuthority @params
This command installs an Enterprise Subordinate CA using an existing certificate from a PFX/P12 file named SERVER80-CA.p12 that is located in the local C:\Cert folder.
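The following pre-flight check is an added example, not part of the original documentation or of the AD CS deployment module. It runs the Example 3 parameter set and a corrected copy through a small policy function before a -WhatIf dry run; the function name Test-CaInstallParams, its rules and its messages are assumptions made for this example.

```powershell
# Added example. Test-CaInstallParams, its rule set and its messages are
# assumptions of this example, not part of the AD CS deployment module.
function Test-CaInstallParams {
    param([Parameter(Mandatory = $true)][hashtable]$Params)

    # Weak signature hash on the CA certificate (Example 3 uses SHA1).
    if ($Params.HashAlgorithmName -in 'MD2', 'MD4', 'MD5', 'SHA1') {
        "HashAlgorithmName '$($Params.HashAlgorithmName)' is a weak signature hash; use SHA256 or stronger."
    }
    # KeyLength depends on the provider: 256 suits ECDSA_P256, but an RSA key
    # below 2048 bits is treated as too short here (assumed policy floor).
    if ($Params.CryptoProviderName -like 'RSA#*' -and
        $Params.ContainsKey('KeyLength') -and $Params.KeyLength -lt 2048) {
        "KeyLength $($Params.KeyLength) is too short for an RSA CA key."
    }
    # Per the -ValidityPeriod description, a subordinate CA takes its validity
    # period from the parent CA, so these parameters should not be supplied.
    if ($Params.CAType -like '*SubordinateCA' -and
        ($Params.ContainsKey('ValidityPeriod') -or $Params.ContainsKey('ValidityPeriodUnits'))) {
        'ValidityPeriod/ValidityPeriodUnits set on a subordinate CA; the parent CA decides validity.'
    }
    # Overwrite switches replace existing CA state and deserve explicit review.
    foreach ($name in 'OverwriteExistingKey', 'OverwriteExistingDatabase', 'OverwriteExistingCAinDS') {
        if ($Params[$name]) { "-$name replaces existing CA state; confirm backups before use." }
    }
}

# Example 3 from this page, retyped as a constructed test input.
$example3 = @{
    CAType              = 'EnterpriseRootCa'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA1'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 3
}
# Corrected variant: same settings, SHA256 signature hash.
$corrected = $example3.Clone()
$corrected.HashAlgorithmName = 'SHA256'

foreach ($candidate in $example3, $corrected) {
    $findings = @(Test-CaInstallParams -Params $candidate)
    if ($findings.Count -gt 0) {
        $findings | ForEach-Object { Write-Warning $_ }
        continue
    }
    # Dry run only: -WhatIf reports what the cmdlet would do without installing.
    Install-AdcsCertificationAuthority @candidate -WhatIf
}
```

The SHA1 parameter set is stopped with a warning, and only the corrected set reaches the dry run.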
Parameters
-AllowAdministratorInteraction
Indicates that the cmdlet enables prompting when the private key is accessed. This is not required for any of the Microsoft default providers. For enhanced security components, such as a hardware security module (HSM), review the enhanced security component vendor documentation.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-CACommonName
Specifies the certification authority common name.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-CADistinguishedNameSuffix
Specifies the certification authority distinguished name suffix.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-CAType
Specifies the type of certification authority that this cmdlet installs. The acceptable values for this parameter are:
- EnterpriseRootCA
- EnterpriseSubordinateCA
- StandaloneRootCA
- StandaloneSubordinateCA
Type: | CAType |
Accepted values: | EnterpriseRootCA, EnterpriseSubordinateCA, StandaloneRootCA, StandaloneSubordinateCA |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-CertFile
Specifies the file name of the certification authority's PKCS #12 formatted certificate file.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-CertFilePassword
Specifies the password for the certification authority certificate file.
Type: | SecureString |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-CertificateID
Specifies the thumbprint or serial number of the certification authority certificate.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Credential
Specifies a PSCredential object for the connection to AD DS. To obtain a credential object, use the Get-Credential cmdlet. For more information, type Get-Help Get-Credential. To install an enterprise certification authority, the computer must be joined to an AD DS domain and a user account that is a member of the Enterprise Admin group is required. To install a standalone certification authority, the computer can be in a workgroup or AD DS domain. If the computer is in a workgroup, a user account that is a member of Administrators is required. If the computer is in an AD DS domain, a user account that is a member of Domain Admins is required.
Type: | PSCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-CryptoProviderName
Specifies the name of the cryptographic service provider (CSP) or key storage provider (KSP) that is used to generate or store the private key for the CA.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-DatabaseDirectory
Specifies the folder location of the certification authority database.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Force
Forces the command to run without asking for user confirmation.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-HashAlgorithmName
Specifies the signature hash algorithm used by the certification authority.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-IgnoreUnicode
Indicates that the cmdlet allows Unicode characters in the certification authority name string.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-KeyContainerName
Specifies the name of an existing private key container.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-KeyLength
Specifies the bit length for the new certification authority key.
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-LogDirectory
Specifies the folder location of the certification authority database log.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-OutputCertRequestFile
Specifies the folder location for the certificate request file.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-OverwriteExistingCAinDS
Indicates that the cmdlet overwrites the computer object in the Active Directory Domain Service domain with the same computer name.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-OverwriteExistingDatabase
Indicates that the cmdlet overwrites the existing certification authority database.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-OverwriteExistingKey
Indicates that the cmdlet overwrites the existing key container with the same name.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ParentCA
Specifies the configuration string of the parent certification authority that will certify this CA.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ValidityPeriod
Specifies the validity period of the certification authority (CA) certificate in hours, days, weeks, months, or years. If this is a subordinate CA, do not use this parameter, because the validity period is determined by the parent CA.
Type: | ValidityPeriod |
Accepted values: | Hours, Days, Weeks, Months, Years |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ValidityPeriodUnits
Specifies the validity period of the CA certificate. If this is a subordinate CA, do not specify this parameter because the validity period is determined by the parent CA.
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
Microsoft.CertificateServices.Deployment.Common.CA.ValidityPeriod
Microsoft.CertificateServices.Deployment.Common.CA.CAType
Outputs
Microsoft.CertificateServices.Deployment.Common.CA.CertificationAuthoritySetupResult
Notes
Ensure you run Windows PowerShell as an administrator. You can use the Force parameter to bypass the prompt for confirmation. To see parameters, run the following command:
`Install-AdcsCertificationAuthority -?`
If you have installation issues, try using the Verbose parameter to get verbose output and review the information in the %windir%\certocm.log file.