Setup Microsoft AD CS via PowerShell
The following example repeats the standalone root CA procedure shown previously via the GUI, this time using PowerShell.
- Run PowerShell as admin user.
- Install AD CS feature including management tools
Note: the first command installs only the AD CS binaries; the second adds the Certification Authority role service together with its management tools, which include the ADCSDeployment PowerShell module used by the deployment cmdlet below. Almost everything on Windows Server can be configured via PowerShell; refer to the Microsoft documentation for further options.

```powershell
Install-WindowsFeature AD-Certificate
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
```
Configure AD CS using the command examples below. The CA deployment cmdlet has three parameter sets, one per key and certificate source (refer to the Microsoft documentation for further parameters and details):
- Using a new certificate and private key. Run the following command in PowerShell (the hash algorithm parameter is `-HashAlgorithmName`, as in the example):

```powershell
Install-AdcsCertificationAuthority -CAType <CA-Type> -CACommonName "<CA-Name>" -CryptoProviderName "<Key Storage Provider Name>" -KeyLength <2048> -HashAlgorithmName <SHA256> […]
```

Example:

```powershell
Install-AdcsCertificationAuthority -CAType "StandaloneRootCa" -CryptoProviderName "RSA# Securosys Primus HSM Key Storage Provider" -KeyLength 4096 -HashAlgorithmName SHA256 -CACommonName myDemoCA -OverwriteExistingKey -Force
```

- Using an existing private key. Run the following command in PowerShell, passing the name of the key container that already exists on the HSM:

```powershell
Install-AdcsCertificationAuthority -CAType <CA-Type> -CryptoProviderName "<Key Storage Provider Name>" -CACommonName "<CA-Name>" -KeyContainerName <NAME_OF_KEY> -HashAlgorithmName SHA256 […]
```

Example:

```powershell
Install-AdcsCertificationAuthority -CAType "StandaloneRootCa" -CryptoProviderName "RSA# Securosys Primus HSM Key Storage Provider" -KeyContainerName myDemoCA -HashAlgorithmName SHA256 -CACommonName myDemoCA
```

- Using an existing certificate and private key. For a certificate already present in the local machine's MY (Personal) store, identify it by its hash or serial number and run:

```powershell
Install-AdcsCertificationAuthority -AllowAdministratorInteraction -CAType <CA-Type> -CertificateID <cert hash | cert serial number> […]
```

Example:

```powershell
Install-AdcsCertificationAuthority -CAType "StandaloneRootCa" -CryptoProviderName "RSA# Securosys Primus HSM Key Storage Provider" -CertificateID CertSerial
```
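The following script is an added example, not part of the original page or Securosys' own tooling. It wires the first parameter set (new key generated on the HSM) into a complete run with the checks a practitioner would want afterwards: it confirms the key storage provider is registered before deploying, and then verifies that the resulting CA certificate is self-signed and that its private key actually resides in the HSM provider rather than the default software KSP. The CA name, key length and hash algorithm are assumed values; the provider string is the one used on this page.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): deploy a standalone root CA with an
# HSM-backed key and verify where the CA key ended up. Values below are assumptions.
$Ksp       = 'RSA# Securosys Primus HSM Key Storage Provider'   # KSP name as used on this page
$CaName    = 'myDemoCA'                                          # assumed CA common name
$KeyLength = 4096                                                # assumed key length
$HashAlg   = 'SHA256'                                            # assumed hash algorithm

# 1. Role service plus management tools (brings the ADCSDeployment module used below).
Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools | Out-Null

# 2. Fail early if the HSM provider is not registered on this host; otherwise the
#    deployment cmdlet cannot create the key and the error is far less clear.
$providers = (certutil -csplist 2>&1) | Out-String
if ($providers -notmatch [regex]::Escape($Ksp)) {
    throw "Key storage provider '$Ksp' is not registered on this machine."
}

# 3. Deploy the CA, generating a new key inside the HSM (first parameter set above).
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CryptoProviderName $Ksp -KeyLength $KeyLength -HashAlgorithmName $HashAlg `
    -CACommonName $CaName -OverwriteExistingKey -Force

# 4. The CA service must be running once deployment completes.
if ((Get-Service CertSvc).Status -ne 'Running') { throw 'CertSvc is not running.' }

# 5. Locate the CA certificate: in LocalMachine\My, subject CN=<CaName>, self-signed.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$CaName" -and $_.Issuer -eq $_.Subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $caCert) { throw "CA certificate for CN=$CaName not found in LocalMachine\My." }

# 6. Check which provider holds the private key. With a CNG KSP the handle is an RSACng
#    whose .Key is the CngKey; .Provider.Provider is the provider's display name.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($caCert)
if (-not $rsa) { throw 'CA certificate has no accessible private key.' }
$provider = $rsa.Key.Provider.Provider
if ($provider -ne $Ksp) {
    throw "CA key is held by provider '$provider', expected '$Ksp'."
}
Write-Host "CA '$CaName' ready; $($rsa.KeySize)-bit key in '$provider', thumbprint $($caCert.Thumbprint)."
```

Step 6 is the check that matters for an HSM deployment: a CA whose certificate looks right but whose key sits in the Microsoft Software Key Storage Provider has not gained any of the HSM's protection, and the mismatch is easy to miss because issuance works either way. If the provider were a legacy CSP rather than a CNG KSP, `GetRSAPrivateKey` would return an `RSACryptoServiceProvider` without a `.Key` member, so the script is written for the KSP case used on this page.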