Install-AdcsCertificationAuthority

Performs installation and configuration of the Active Directory Certificate Services (AD CS) Certification Authority (CA) role service.

Syntax

NewKeyParameterSet (Default)

Install-AdcsCertificationAuthority
    [-AllowAdministratorInteraction]
    [-ValidityPeriod <ValidityPeriod>]
    [-ValidityPeriodUnits <Int32>]
    [-CACommonName <String>]
    [-CADistinguishedNameSuffix <String>]
    [-CAType <CAType>]
    [-CryptoProviderName <String>]
    [-DatabaseDirectory <String>]
    [-HashAlgorithmName <String>]
    [-IgnoreUnicode]
    [-KeyLength <Int32>]
    [-LogDirectory <String>]
    [-OutputCertRequestFile <String>]
    [-OverwriteExistingCAinDS]
    [-OverwriteExistingKey]
    [-ParentCA <String>]
    [-OverwriteExistingDatabase]
    [-Credential <PSCredential>]
    [-Force]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

ExistingCertificateParameterSet

Install-AdcsCertificationAuthority
    [-AllowAdministratorInteraction]
    [-CertFilePassword <SecureString>]
    [-CertFile <String>]
    [-CAType <CAType>]
    [-CertificateID <String>]
    [-DatabaseDirectory <String>]
    [-LogDirectory <String>]
    [-OverwriteExistingKey]
    [-OverwriteExistingDatabase]
    [-Credential <PSCredential>]
    [-Force]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

ExistingKeyParameterSet

Install-AdcsCertificationAuthority
    [-AllowAdministratorInteraction]
    [-ValidityPeriod <ValidityPeriod>]
    [-ValidityPeriodUnits <Int32>]
    [-CADistinguishedNameSuffix <String>]
    [-CAType <CAType>]
    [-CryptoProviderName <String>]
    [-DatabaseDirectory <String>]
    [-HashAlgorithmName <String>]
    [-IgnoreUnicode]
    [-KeyContainerName <String>]
    [-LogDirectory <String>]
    [-OutputCertRequestFile <String>]
    [-OverwriteExistingCAinDS]
    [-ParentCA <String>]
    [-OverwriteExistingDatabase]
    [-Credential <PSCredential>]
    [-Force]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the Active Directory Certificate Services (AD CS) Certification Authority (CA) role service. To remove the certification authority role service use the Uninstall-AdcsCertificationAuthority cmdlet.

The cmdlet is provided by the ADCSDeployment module, which becomes available after you install the role service by running the following command from Windows PowerShell:

  • Install-WindowsFeature Adcs-Cert-Authority

To include the Certification Authority and Certificate Templates consoles in a CA installation, add the IncludeManagementTools parameter to the Install-WindowsFeature Adcs-Cert-Authority command.

Int is equivalent to Int32 in the .NET Framework.

Examples

Example 1: Install a new Standalone Root CA with default settings

Install-AdcsCertificationAuthority -CAType StandaloneRootCa

This command installs a new Standalone Root CA with default settings.

Example 2: Install a new Enterprise Root CA using a specific provider and key length

$params = @{
    CAType             = "EnterpriseRootCa"
    CryptoProviderName = "ECDSA_P256#Microsoft Software Key Storage Provider"
    KeyLength          = 256
    HashAlgorithmName  = "SHA256"
}
Install-AdcsCertificationAuthority @params

This command installs a new Enterprise Root CA using the Microsoft Software Key Storage Provider with the ECDSA_P256 algorithm (the provider name takes the form Algorithm#ProviderName), a 256-bit key (the size fixed by the P-256 curve), and SHA256 as the signature hash algorithm. Inside a hashtable the enumeration and algorithm names must be quoted; an unquoted value such as EnterpriseRootCa is parsed as a command and the splat fails.

Example 3: Install a new Enterprise Root CA using a specific provider and a validity period

$params = @{
    CAType              = "EnterpriseRootCa"
    CryptoProviderName  = "RSA#Microsoft Software Key Storage Provider"
    KeyLength           = 2048
    HashAlgorithmName   = "SHA1"
    ValidityPeriod      = "Years"
    ValidityPeriodUnits = 3
}
Install-AdcsCertificationAuthority @params

This command installs a new Enterprise Root CA using the RSA algorithm with the Microsoft Software Key Storage Provider, a key length of 2048 bits, SHA1 as the signature hash algorithm, and a validity period of three years. SHA1 is shown only because the parameter still accepts it; SHA-1 signatures are deprecated and rejected by current browsers and Windows signing policy, so a new CA should use SHA256 or stronger. A root CA's hash algorithm cannot be changed later without renewing its certificate, so choose it carefully at install time.

Example 4: Install a new Enterprise Subordinate CA using a parent CA

$params = @{
    CAType   = EnterpriseSubordinateCa
    ParentCA = "SERVER75.corp.contoso.com\SERVER75-CA"
}
Install-AdcsCertificationAuthority @params

This command installs a new Enterprise Subordinate CA and enrolls it online against its parent. The parent is given as a configuration string in the form ComputerName\CAName: here the CA named SERVER75-CA on SERVER75 in the corp.contoso.com domain.

Example 5: Install a new Enterprise Subordinate CA using an existing certificate

$params = @{
    CAType           = "EnterpriseSubordinateCa"
    CertFile         = "C:\Cert\SERVER80-CA.p12"
    CertFilePassword = (Read-Host "Enter the PKCS #12 file password" -AsSecureString)
}
Install-AdcsCertificationAuthority @params

This command installs an Enterprise Subordinate CA using an existing certificate and private key from the PKCS #12 (PFX/P12) file SERVER80-CA.p12 in the local C:\Cert folder. Because that file contains the CA private key, restrict access to it and remove it from the server once the import succeeds.
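The examples above cover an online parent CA and an already-issued certificate, but not the common two-tier design where the root is kept offline. The following is an added, end-to-end example (not code from the Microsoft page): an Enterprise Subordinate CA is configured without -ParentCA, so the cmdlet emits a request file that is signed on the offline root, and the issued certificate is then installed. The CA name CONTOSO-ISSUING-CA, the C:\CAConfig and D:\ paths, and the file names are assumed values; the ErrorId and ErrorString properties read from the returned CertificationAuthoritySetupResult are the ones the cmdlet prints on completion.

```powershell
# Added example, not from the Microsoft Learn page. Assumed values: the CA name,
# the C:\CAConfig and D:\ paths, and the file names below.
#Requires -RunAsAdministrator

# 1. Install the role service plus the Certification Authority and Certificate
#    Templates consoles; this also makes the ADCSDeployment cmdlets available.
Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

# 2. Configure the subordinate CA. The root is offline, so -ParentCA is omitted and the
#    cmdlet writes a certificate request to -OutputCertRequestFile instead of enrolling.
#    -ValidityPeriod is also omitted: a subordinate's lifetime is decided by the parent.
#    The CA database and log go on a separate volume from the system drive.
$params = @{
    CAType                = 'EnterpriseSubordinateCa'
    CACommonName          = 'CONTOSO-ISSUING-CA'
    CryptoProviderName    = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength             = 4096
    HashAlgorithmName     = 'SHA256'
    OutputCertRequestFile = 'C:\CAConfig\CONTOSO-ISSUING-CA.req'
    DatabaseDirectory     = 'D:\CertDB'
    LogDirectory          = 'D:\CertLog'
    Force                 = $true
}
New-Item -ItemType Directory -Path 'C:\CAConfig' -Force | Out-Null
$result = Install-AdcsCertificationAuthority @params

# The cmdlet returns a CertificationAuthoritySetupResult; a non-zero ErrorId means the
# CA was not configured and ErrorString says why (property names as printed by the cmdlet).
if ($result.ErrorId -ne 0) {
    throw "CA setup failed ($($result.ErrorId)): $($result.ErrorString)"
}

# 3. Manual step: carry CONTOSO-ISSUING-CA.req to the offline root on removable media,
#    issue the certificate there, and bring back three files: the issued CA certificate,
#    the root CA certificate and the root CRL. Then, back on this server:
$issued  = 'C:\CAConfig\CONTOSO-ISSUING-CA.cer'
$root    = 'C:\CAConfig\CONTOSO-ROOT-CA.crt'
$rootCrl = 'C:\CAConfig\CONTOSO-ROOT-CA.crl'

# Publish the offline root's certificate and CRL to AD DS so domain members trust the
# chain and can check revocation, and add them to the local machine stores as well.
certutil -dspublish -f $root RootCA
certutil -dspublish -f $rootCrl
certutil -addstore -f Root $root
certutil -addstore -f Root $rootCrl

# Bind the issued certificate to the key generated in step 2 and start the CA service.
certutil -installCert $issued
Start-Service -Name CertSvc
```

Until step 3 completes, the CertSvc service cannot start because the CA has a key but no certificate; that is expected, not an installation failure. Keep the request file and the issued certificate, but the only secret on this host is the CA key in the KSP, which never leaves the server in this flow.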

Parameters

-AllowAdministratorInteraction

Indicates that the cmdlet enables prompting when the private key is accessed. This is not required for any of the Microsoft default providers. For enhanced security components, such as a hardware security module (HSM), review the enhanced security component vendor documentation.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-CACommonName

Specifies the certification authority common name.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

NewKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-CADistinguishedNameSuffix

Specifies the certification authority distinguished name suffix.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

NewKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ExistingKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-CAType

Specifies the type of certification authority that this cmdlet installs. The acceptable values for this parameter are:

  • EnterpriseRootCA
  • EnterpriseSubordinateCA
  • StandaloneRootCA
  • StandaloneSubordinateCA

Parameter properties

Type:CAType
Default value:None
Accepted values:EnterpriseRootCA, EnterpriseSubordinateCA, StandaloneRootCA, StandaloneSubordinateCA
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-CertFile

Specifies the file name of certification authority PKCS #12 formatted certificate file.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ExistingCertificateParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-CertFilePassword

Specifies the password for certification authority certificate file.

Parameter properties

Type:SecureString
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ExistingCertificateParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-CertificateID

Specifies the thumbprint or serial number of certification authority certificate.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ExistingCertificateParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False
Aliases:cf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Credential

Specifies a PSCredential object for the connection to AD DS. To obtain a credential object, use the Get-Credential cmdlet. For more information, type Get-Help Get-Credential. To install an enterprise certification authority, the computer must be joined to an AD DS domain and a user account that is a member of the Enterprise Admins group is required, because the CA objects are written to the forest-wide Configuration partition. To install a standalone certification authority, the computer can be in a workgroup or an AD DS domain. If the computer is in a workgroup, a user account that is a member of the local Administrators group is required. If the computer is in an AD DS domain, a user account that is a member of Domain Admins is required.

Parameter properties

Type:PSCredential
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-CryptoProviderName

Specifies the name of the cryptographic service provider (CSP) or key storage provider (KSP) that is used to generate or store the private key for the CA.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

NewKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ExistingKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-DatabaseDirectory

Specifies the folder location of the certification authority database.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-Force

Forces the command to run without asking for user confirmation.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-HashAlgorithmName

Specifies the signature hash algorithm used by the certification authority, for example SHA256, SHA384 or SHA512. For a root CA this hash signs the CA's own certificate and everything it issues; for a subordinate CA it applies to the certificates and CRLs the CA issues, while the CA's own certificate is signed with whatever hash the parent uses. SHA1 is accepted but deprecated and should not be used for a new CA.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

NewKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ExistingKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-IgnoreUnicode

Indicates that the cmdlet allows Unicode characters in the certification authority name string.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

NewKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ExistingKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-KeyContainerName

Specifies the name of an existing private key container.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ExistingKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-KeyLength

Specifies the bit length for the new certification authority key, for example 2048 or 4096 for an RSA provider. For an ECDSA provider the key length is fixed by the curve named in CryptoProviderName (256 for ECDSA_P256, 384 for ECDSA_P384, 521 for ECDSA_P521).

Parameter properties

Type:Int32
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

NewKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
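CryptoProviderName, HashAlgorithmName and KeyLength are the parameters that decide the CA's cryptographic strength, and they are hard to change after the fact. As an added check (not part of the Microsoft page), the function below reads the installed CA's configuration back and flags a SHA-1 signature, an undersized RSA key or a legacy CSP. It distinguishes the hash the parent used to sign the CA certificate from the hash this CA uses to sign what it issues, which is stored in the CSP\CNGHashAlgorithm value under the CertSvc configuration registry key. It assumes it runs on the CA host with administrator rights; the thresholds and allowed algorithm lists are policy choices, not cmdlet defaults.

```powershell
# Added example, not from the Microsoft Learn page. Assumes: run on the CA host as an
# administrator; thresholds are local policy choices, not cmdlet defaults.
function Test-AdcsCaCryptoConfig {
    [CmdletBinding()]
    param(
        [int]$MinRsaBits = 2048,
        [string[]]$AllowedCertSignatures = @('sha256RSA', 'sha384RSA', 'sha512RSA',
                                             'sha256ECDSA', 'sha384ECDSA', 'sha512ECDSA'),
        [string[]]$AllowedIssuingHashes = @('SHA256', 'SHA384', 'SHA512')
    )

    # The CertSvc configuration key records the active CA name and its provider settings.
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
    $csp    = Get-ItemProperty -Path (Join-Path $cfgKey "$caName\CSP")

    # Locate the CA's own certificate: newest cert in the machine store whose subject
    # matches the CA name and whose Basic Constraints extension says CA=TRUE.
    $caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$caName,*" -or $_.Subject -eq "CN=$caName" } |
        Where-Object {
            $bc = $_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            $bc -and $bc.CertificateAuthority
        } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $caCert) { throw "No CA certificate for '$caName' found in Cert:\LocalMachine\My" }

    # Public key size via the .NET 4.6+ extension methods, which work for CNG keys
    # where the older .PublicKey.Key property can fail.
    $rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($caCert)
    $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($caCert)
    $keyBits = if ($rsa) { $rsa.KeySize } elseif ($ecdsa) { $ecdsa.KeySize } else { 0 }

    # Two different hashes matter: the one the parent used on this CA's certificate, and
    # the one this CA uses on the certificates and CRLs it issues (CSP\CNGHashAlgorithm for
    # a KSP; a legacy CSP stores a CAPI ALG_ID in HashAlgorithm instead, 0x8004 being SHA-1).
    $certSig     = $caCert.SignatureAlgorithm.FriendlyName
    $issuingHash = if ($csp.CNGHashAlgorithm) { $csp.CNGHashAlgorithm }
                   elseif ($csp.HashAlgorithm -eq 0x8004) { 'SHA1' }
                   else { 'ALG_ID 0x{0:X}' -f $csp.HashAlgorithm }

    $findings = @()
    if ($certSig -notin $AllowedCertSignatures) {
        $findings += "CA certificate is signed with $certSig; have the parent reissue it with SHA256 or stronger"
    }
    if ($issuingHash -notin $AllowedIssuingHashes) {
        $findings += "CA signs issued certificates with $issuingHash; reconfigure before issuing"
    }
    if ($rsa -and $keyBits -lt $MinRsaBits) {
        $findings += "RSA key is $keyBits bits; policy minimum is $MinRsaBits"
    }
    if ($csp.Provider -notlike '*Key Storage Provider*') {
        $findings += "Provider '$($csp.Provider)' is a legacy CSP, not a CNG key storage provider"
    }

    [pscustomobject]@{
        CAName           = $caName
        Provider         = $csp.Provider
        KeyAlgorithm     = if ($rsa) { 'RSA' } elseif ($ecdsa) { 'ECDSA' } else { 'unknown' }
        KeyBits          = $keyBits
        CertSignatureAlg = $certSig
        IssuingHash      = $issuingHash
        Findings         = $findings
    }
}

# Usage: run after Install-AdcsCertificationAuthority completes; an empty Findings list is a pass.
Test-AdcsCaCryptoConfig | Format-List
```

A subordinate CA can report a clean IssuingHash and still fail the CertSignatureAlg check, because that signature belongs to the parent; fixing it means renewing the subordinate's certificate at the parent, not re-running this cmdlet.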

-LogDirectory

Specifies the folder location of the certification authority database log.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-OutputCertRequestFile

Specifies the folder location for the certificate request file.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

NewKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ExistingKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-OverwriteExistingCAinDS

Indicates that the cmdlet overwrites the existing CA objects in Active Directory Domain Services that have the same CA name, such as those left behind by a previous installation of the CA that was removed without cleaning up AD DS. Use it only when you have confirmed the stale objects belong to this CA and not to another live CA with the same name.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

NewKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ExistingKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-OverwriteExistingDatabase

Indicates that the cmdlet overwrites the existing certification authority database.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-OverwriteExistingKey

Indicates that the cmdlet overwrites the existing key container with the same name.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

NewKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ExistingCertificateParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ParentCA

Specifies the configuration string of the parent certification authority that will certify this CA, in the form ComputerName\CAName (for example SERVER75.corp.contoso.com\SERVER75-CA). Omit this parameter for a subordinate CA whose parent is offline; the cmdlet then writes a certificate request to the OutputCertRequestFile location instead of enrolling.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

NewKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ExistingKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ValidityPeriod

Specifies the validity period of the certification authority (CA) certificate in hours, days, weeks, months, or years. If this is a subordinate CA, do not use this parameter, because the validity period is determined by the parent CA.

Parameter properties

Type:ValidityPeriod
Default value:None
Accepted values:Hours, Days, Weeks, Months, Years
Supports wildcards:False
DontShow:False

Parameter sets

NewKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ExistingKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ValidityPeriodUnits

Specifies the number of ValidityPeriod units in the validity period of the CA certificate, for example 3 with -ValidityPeriod Years. If this is a subordinate CA, do not specify this parameter, because the validity period is determined by the parent CA.

Parameter properties

Type:Int32
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

NewKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ExistingKeyParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False
Aliases:wi

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

SwitchParameter

SecureString

String

Microsoft.CertificateServices.Deployment.Common.CA.ValidityPeriod

Int32

Microsoft.CertificateServices.Deployment.Common.CA.CAType

PSCredential

Outputs

Microsoft.CertificateServices.Deployment.Common.CA.CertificationAuthoritySetupResult

Notes

  • Ensure you run Windows PowerShell as an administrator. You can use the -Force parameter to bypass the prompt for confirmation. To see parameters, run the following command:

    `Install-AdcsCertificationAuthority -?`
    
  • If you have installation issues, try using the -Verbose parameter to get verbose output and review the information in the %windir%\certocm.log file.