Install-AdcsCertificationAuthority

Performs installation and configuration of the Active Directory Certificate Services (AD CS) Certification Authority (CA) role service.

Syntax

Install-AdcsCertificationAuthority
       [-AllowAdministratorInteraction]
       [-ValidityPeriod <ValidityPeriod>]
       [-ValidityPeriodUnits <Int32>]
       [-CACommonName <String>]
       [-CADistinguishedNameSuffix <String>]
       [-CAType <CAType>]
       [-CryptoProviderName <String>]
       [-DatabaseDirectory <String>]
       [-HashAlgorithmName <String>]
       [-IgnoreUnicode]
       [-KeyLength <Int32>]
       [-LogDirectory <String>]
       [-OutputCertRequestFile <String>]
       [-OverwriteExistingCAinDS]
       [-OverwriteExistingKey]
       [-ParentCA <String>]
       [-OverwriteExistingDatabase]
       [-Credential <PSCredential>]
       [-Force]
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]
Install-AdcsCertificationAuthority
       [-AllowAdministratorInteraction]
       [-CertFilePassword <SecureString>]
       [-CertFile <String>]
       [-CAType <CAType>]
       [-CertificateID <String>]
       [-DatabaseDirectory <String>]
       [-LogDirectory <String>]
       [-OverwriteExistingKey]
       [-OverwriteExistingDatabase]
       [-Credential <PSCredential>]
       [-Force]
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]
Install-AdcsCertificationAuthority
       [-AllowAdministratorInteraction]
       [-ValidityPeriod <ValidityPeriod>]
       [-ValidityPeriodUnits <Int32>]
       [-CADistinguishedNameSuffix <String>]
       [-CAType <CAType>]
       [-CryptoProviderName <String>]
       [-DatabaseDirectory <String>]
       [-HashAlgorithmName <String>]
       [-IgnoreUnicode]
       [-KeyContainerName <String>]
       [-LogDirectory <String>]
       [-OutputCertRequestFile <String>]
       [-OverwriteExistingCAinDS]
       [-ParentCA <String>]
       [-OverwriteExistingDatabase]
       [-Credential <PSCredential>]
       [-Force]
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]

Description

The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the Active Directory Certificate Services (AD CS) Certification Authority (CA) role service. To remove the certification authority role service use the Uninstall-AdcsCertificationAuthority cmdlet.

You can import the cmdlet by running the following commands from Windows PowerShell:

  • Install-WindowsFeature Adcs-Cert-Authority

To include the Certification Authority and Certificate Templates consoles in a CA installation, you must use the IncludeManagementTools parameter at the end of the Install-WindowsFeature Adcs-Cert-Authority command.

Int is equivalent to Int32 in the .NET Framework.

Examples

Example 1: Install a new Standalone Root CA with default settings

Install-AdcsCertificationAuthority -CAType StandaloneRootCa

This command installs a new Standalone Root CA with default settings.

Example 2: Install a new Enterprise Root CA using a specific provider and key length

$params = @{
    CAType             = EnterpriseRootCa
    CryptoProviderName = "ECDSA_P256#Microsoft Software Key Storage Provider"
    KeyLength          = 256
    HashAlgorithmName  = SHA256
}
Install-AdcsCertificationAuthority @params

This command installs a new Enterprise Root CA using the provider named ECDSA_P256 Microsoft Software Key Storage Provider, key length of 256, and the hash algorithm named SHA 256.

Example 3: Install a new Enterprise Root CA using a specific provider and a validity period

$params = @{
    CAType              = EnterpriseRootCa
    CryptoProviderName  = "RSA#Microsoft Software Key Storage Provider"
    KeyLength           = 2048
    HashAlgorithmName   = SHA1
    ValidityPeriod      = Years
    ValidityPeriodUnits = 3
}
Install-AdcsCertificationAuthority @params

This command installs a new Enterprise Root CA using the RSA algorithm using the provider named Microsoft Software Key Storage Provider, a key length of 2048, a hash algorithm named SHA 1, and validity period of three years.

Example 4: Install a new Enterprise Subordinate CA using a parent CA

$params = @{
    CAType   = EnterpriseSubordinateCa
    ParentCA = "SERVER75.corp.contoso.com\SERVER75-CA"
}
Install-AdcsCertificationAuthority @params

This command installs a new Enterprise subordinate CA, the parent CA is SERVER75 in the CORP domain of Contoso.com.

Example 5: Install a new Enterprise Subordinate CA using an existing certificate

$params = @{
    CAType           = EnterpriseSubordinateCa
    CertFile         = "C:\Cert\SERVER80-CA.p12"
    CertFilePassword = (Read-Host "Set user password" -AsSecureString)
}
Install-AdcsCertificationAuthority @params

This command installs an Enterprise Subordinate CA using an existing certificate from a PFX/P12 file that is located on the local C:\Cert folder named SERVER80-CA.p12.

Parameters

-AllowAdministratorInteraction

Indicates that the cmdlet enables prompting when the private key is accessed. This is not required for any of the Microsoft default providers. For enhanced security components, such as a hardware security module (HSM), review the enhanced security component vendor documentation.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-CACommonName

Specifies the certification authority common name.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-CADistinguishedNameSuffix

Specifies the certification authority distinguished name suffix.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-CAType

Specifies the type of certification authority that this cmdlet installs. The acceptable values for this parameter are:

  • EnterpriseRootCA
  • EnterpriseSubordinateCA
  • StandaloneRootCA
  • StandaloneSubordinateCA
Type:CAType
Accepted values:EnterpriseRootCA, EnterpriseSubordinateCA, StandaloneRootCA, StandaloneSubordinateCA
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-CertFile

Specifies the file name of certification authority PKCS #12 formatted certificate file.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-CertFilePassword

Specifies the password for certification authority certificate file.

Type:SecureString
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-CertificateID

Specifies the thumbprint or serial number of certification authority certificate.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Credential

Specifies a PSCredential object for the connection to AD DS. To obtain a credential object, use the Get-Credential cmdlet. For more information, type Get-Help Get-Credential. To install an enterprise certification authority, the computer must be joined to an AD DS domain and a user account that is a member of the Enterprise Admin group is required. To install a standalone certification authority, the computer can be in a workgroup or AD DS domain. If the computer is in a workgroup, a user account that is a member of Administrators is required. If the computer is in an AD DS domain, a user account that is a member of Domain Admins is required.

Type:PSCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-CryptoProviderName

Specifies the name of the cryptographic service provider (CSP) or key storage provider (KSP) that is used to generate or store the private key for the CA.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DatabaseDirectory

Specifies the folder location of the certification authority database.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Force

Forces the command to run without asking for user confirmation.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-HashAlgorithmName

Specifies the signature hash algorithm used by the certification authority.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-IgnoreUnicode

Indicates that the cmdlet allows Unicode characters in the certification authority name string.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-KeyContainerName

Specifies the name of an existing private key container.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-KeyLength

Specifies the bit length for new certification authority key.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-LogDirectory

Specifies the folder location of the certification authority database log.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-OutputCertRequestFile

Specifies the folder location for the certificate request file.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-OverwriteExistingCAinDS

Indicates that the cmdlet overwrites the computer object in the Active Directory Domain Service domain with the same computer name.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-OverwriteExistingDatabase

Indicates that the cmdlet overwrites the existing certification authority database.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-OverwriteExistingKey

Indicates that the cmdlet overwrites the existing key container with the same name.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ParentCA

Specifies the configuration string of the parent certification authority that will certify this CA.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ValidityPeriod

Specifies the validity period of the certification authority (CA) certificate in hours, days, weeks, months, or years. If this is a subordinate CA, do not use this parameter, because the validity period is determined by the parent CA.

Type:ValidityPeriod
Accepted values:Hours, Days, Weeks, Months, Years
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ValidityPeriodUnits

Specifies the validity period of the CA certificate. If this is a subordinate CA, do not specify this parameter because the validity period is determined by the parent CA.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

SwitchParameter

SecureString

String

Microsoft.CertificateServices.Deployment.Common.CA.ValidityPeriod

Int32

Microsoft.CertificateServices.Deployment.Common.CA.CAType

PSCredential

Outputs

Microsoft.CertificateServices.Deployment.Common.CA.CertificationAuthoritySetupResult

Notes

  • Ensure you run Windows PowerShell as an administrator. You can use the force parameter to bypass the prompt for confirmation. To see parameters, run the following command:

    `Install-AdcsCertificationAuthority -?`
    
  • If you have installation issues, try using the verbose parameter to get verbose output and review the information in the %windir%\cerocm.log file.