Configuration of Microsoft CA with PowerShell


Steps to configure a Microsoft CA with PowerShell in my lab, for testing purposes

  • Default of 5 years for the CA Root certificate
  • Default of 2 years for a Web Server certificate

Installation of Microsoft CA Server with PowerShell

Install Active Directory Certificate Services and the Certificate Authority with management tools

Install-WindowsFeature AD-Certificate -IncludeManagementTools 

Configure the Root CA as an Enterprise Root CA with SHA256, a 2048-bit key and the default validity period of 5 years

$CA_Name = "AventisLab Root CA"
Install-AdcsCertificationAuthority -CACommonName $CA_Name -CAType EnterpriseRootCa `
-HashAlgorithmName SHA256 -KeyLength 2048 

It can be configured with a longer validity period with

$CA_Name = "AventisLab Root CA"
Install-AdcsCertificationAuthority -CACommonName $CA_Name -CAType EnterpriseRootCa `
-HashAlgorithmName SHA256 -KeyLength 2048 -ValidityPeriod Years -ValidityPeriodUnits 10

Install Certificate Authority Web Enrollment with Management tools

Install-WindowsFeature ADCS-Web-Enrollment -IncludeManagementTools

Go to http://192.168.1.200/certsrv/ to verify the CA Server is running fine


Extend the CA Root certificate expiry date beyond 5 years on an already installed CA Server

Open the Certificates snap-in for the computer account with certlm.msc, go to Trusted Root Certification Authorities – Certificates and verify that the existing CA Root certificate is valid for 5 years

Create a new file called C:\Windows\CAPolicy.inf with a RenewalValidityPeriodUnits value greater than 5

[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10

Restart the Certificate Service

Restart-Service -Name certsvc

Open the CA management console with certsrv.msc, right-click on the CA Server and select Renew CA Certificate

Click Yes to stop the AD Certificate Service

Click OK to Renew

Open the Certificates snap-in for the computer account with certlm.msc, go to Trusted Root Certification Authorities – Certificates and verify that the renewed CA Root certificate is now valid for 10 years

Extend the Web Server template expiry date beyond 2 years

Generate a new Web Server certificate by following the steps in my previous post to verify that the default validity is only 2 years


Verify the existing Validity Period is 2 years

certutil -getreg ca\ValidityPeriodUnits

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\AventisLab Root CA\ValidityPeriodUnits:

  ValidityPeriodUnits REG_DWORD = 2
CertUtil: -getreg command completed successfully.

Extend it to 5 years

certutil -setreg ca\ValidityPeriodUnits 5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\AventisLab Root CA\ValidityPeriodUnits:

Old Value:
  ValidityPeriodUnits REG_DWORD = 2

New Value:
  ValidityPeriodUnits REG_DWORD = 5
CertUtil: -setreg command completed successfully.

Restart the AD Certificate Service

Restart-Service -Name certsvc

Open the CA management console with certsrv.msc, right-click on Certificate Templates and select Manage


Right-click on Web Server and select Duplicate Template


Change the Validity Period to 5 years and provide a new Template Name called WebServerwith5years


Right-click on Certificate Templates – New – Certificate Template to Issue


Select the Web Server with 5 years template to enable it for issuance


Generate a new certificate with the new template name

# $ReqFile holds the path to the certificate request (.req) file generated in the previous post
certreq.exe -attrib "CertificateTemplate:webserverwith5years" -submit $ReqFile

Verify that the new SSL certificate is now valid for 5 years

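The 5-year certificate above only comes out because three separate limits all allow it: the CA-wide ValidityPeriodUnits registry cap, the remaining lifetime of the CA certificate, and the template's own validity period. The following PowerShell check is an added example, not code from the original post; it assumes it is run as an administrator on the CA server configured above, with the CA name and the template's internal name WebServerwith5years from this post.

```powershell
# Added example (not part of the original post): report the three limits that together decide how long
# a certificate issued by this CA can actually be valid, and flag which one is the effective cap.
# Assumptions: run on the CA server as an administrator; CA name and template name taken from this post.
$CAName       = "AventisLab Root CA"      # assumption: same CA as configured above
$TemplateName = "WebServerwith5years"     # assumption: internal (not display) name of the duplicated template

# 1. CA-wide cap, the value changed with "certutil -setreg ca\ValidityPeriodUnits 5" above.
#    It bounds EVERY template on this CA, so raising it widens what all templates may issue.
$reg   = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
$caCap = switch ($reg.ValidityPeriod) {
    'Years'  { $reg.ValidityPeriodUnits * 365 }
    'Months' { $reg.ValidityPeriodUnits * 30 }
    'Weeks'  { $reg.ValidityPeriodUnits * 7 }
    'Days'   { $reg.ValidityPeriodUnits }
}

# 2. Remaining lifetime of the CA certificate itself: an issued certificate is truncated so that it
#    never outlives the CA certificate (this is why the CAPolicy.inf renewal step above matters).
#    After a renewal the CA signs with the newest certificate, so pick the one with the latest NotAfter.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=$CAName*" -and $_.HasPrivateKey } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
$caRemaining = ($caCert.NotAfter - (Get-Date)).TotalDays

# 3. Template validity as stored in AD: pKIExpirationPeriod is a negative Int64 counted in 100 ns ticks.
$configNC = ([ADSI]"LDAP://RootDSE").Properties["configurationNamingContext"].Value
$tmpl     = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$ticks    = [BitConverter]::ToInt64([byte[]]$tmpl.Properties["pKIExpirationPeriod"].Value, 0)
$tmplDays = -$ticks / 864000000000   # 100 ns ticks per day

$limits = [ordered]@{
    "CA ValidityPeriod cap"    = [math]::Round($caCap, 1)
    "CA certificate remaining" = [math]::Round($caRemaining, 1)
    "Template $TemplateName"   = [math]::Round($tmplDays, 1)
}
$effective = ($limits.Values | Measure-Object -Minimum).Minimum
$limits.GetEnumerator() | ForEach-Object {
    $mark = if ($_.Value -eq $effective) { "  <-- effective limit" } else { "" }
    "{0,-30} {1,9:N1} days{2}" -f $_.Key, $_.Value, $mark
}
```

If the effective limit is the CA certificate rather than the template, new certificates will silently come out shorter than the template says, which is the symptom the CAPolicy.inf renewal in this post fixes.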