Steps to configure Microsoft CA with PowerShell in my Lab for testing purposes
- Default 5 years for CA Root Certificate
- Default 2 years for Web Certificate
Installation of Microsoft CA Server with PowerShell
Install Active Directory Certificate Services and the Certificate Authority with management tools
Install-WindowsFeature AD-Certificate -IncludeManagementTools
Configure the CA as an Enterprise Root CA with SHA256, a 2048-bit key and the default 5-year validity period
$CA_Name = "AventisLab Root CA"
Install-AdcsCertificationAuthority -CACommonName $CA_Name -CAType EnterpriseRootCa `
-HashAlgorithmName SHA256 -KeyLength 2048
It can be configured with a longer validity period with
$CA_Name = "AventisLab Root CA"
Install-AdcsCertificationAuthority -CACommonName $CA_Name -CAType EnterpriseRootCa `
-HashAlgorithmName SHA256 -KeyLength 2048 -ValidityPeriod Years -ValidityPeriodUnits 10
Install Certificate Authority Web Enrollment with Management tools
Install-WindowsFeature ADCS-Web-Enrollment -IncludeManagementTools
Go to http://192.168.1.200/certsrv/ to verify the CA Server is running fine
New Finding
I followed the steps above to deploy the Root CA on Windows Server 2019 Server Core, but I just failed to connect to http://192.168.1.200/cert even after rebooting the server.
Go to any member server, and connect to the Server Core with Server Manager to complete the configuration of AD Certificate Services
Finally, we can access http://192.168.1.200/certsrv now
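The post completes the Web Enrollment configuration through Server Manager. The following is an added example, not code from the original post, that does the same from PowerShell and then checks the result: it assumes the CA name and IP used above, and it assumes Install-AdcsWebEnrollment (ADCSDeployment module) as the PowerShell counterpart of the Server Manager post-deployment configuration step that Install-WindowsFeature alone does not perform. The verification also confirms that the root certificate really has the algorithm, key size and validity that were requested.

```powershell
# Added example (not from the original post). Assumptions: CA name and URL from the post,
# ADCSDeployment module present on the CA server, script run elevated on the CA itself.
Import-Module ADCSDeployment

$CAName = 'AventisLab Root CA'
$CAUrl  = 'http://192.168.1.200/certsrv/'

# Configure the installed Web Enrollment role service. Install-WindowsFeature only copies
# the binaries; this is the step Server Manager otherwise performs as "post-deployment
# configuration". -Force suppresses the confirmation prompt.
Install-AdcsWebEnrollment -Force

# 1. The CA service must be running before anything else is worth checking.
$svc = Get-Service -Name certsvc
if ($svc.Status -ne 'Running') {
    throw "certsvc is $($svc.Status); start it with Start-Service certsvc"
}

# 2. Confirm the root certificate matches what Install-AdcsCertificationAuthority was told:
#    SHA256 signature, 2048-bit RSA key, 5 (or 10) years of validity.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$CAName*" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $root) { throw "No root certificate for '$CAName' found in LocalMachine\Root" }

$rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($root)
$years   = [math]::Round(($root.NotAfter - $root.NotBefore).TotalDays / 365, 1)
$summary = [pscustomobject]@{
    Subject            = $root.Subject
    Thumbprint         = $root.Thumbprint
    SignatureAlgorithm = $root.SignatureAlgorithm.FriendlyName   # expected: sha256RSA
    KeySize            = $rsa.KeySize                            # expected: 2048
    ValidityYears      = $years                                  # expected: 5 (or 10)
}
$summary | Format-List

if ($summary.SignatureAlgorithm -notmatch 'sha256') { Write-Warning 'Root CA is not SHA256-signed' }
if ($summary.KeySize -lt 2048)                       { Write-Warning 'Root CA key is shorter than 2048 bits' }

# 3. Web Enrollment answers with Windows authentication, so pass the current credentials.
$resp = Invoke-WebRequest -Uri $CAUrl -UseDefaultCredentials -UseBasicParsing
if ($resp.StatusCode -ne 200) {
    throw "Web Enrollment at $CAUrl returned HTTP $($resp.StatusCode)"
}
"Web Enrollment reachable at $CAUrl (HTTP $($resp.StatusCode))"
```

Running this on a Server Core CA replaces the detour via a member server's Server Manager; the three checks are also a reasonable smoke test to repeat after any later change to the CA.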
Extend the CA Root certificate expiry date beyond 5 years on an installed CA Server
Open Certificate Snap-in for Computer with certlm.msc, and go to Trusted Root Certification Authorities – Certificates to verify the existing CA Root Cert is valid for 5 years
Create a new file called C:\Windows\CAPolicy.inf with RenewalValidityPeriodUnits set to more than 5
[Version]
Signature="$Windows NT$"
[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
Restart Certificate Service
Restart-Service -Name certsvc
Open Management Console for CA with certsrv.msc and right click on the CA Server – Renew CA Certificate
Click Yes to stop the AD Certificate Service
Click OK to Renew
Open Certificate Snap-in for Computer with certlm.msc, and go to Trusted Root Certification Authorities – Certificates to verify the renewed CA Root Cert is valid for 10 years now
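The renewal above is driven from the certsrv.msc snap-in. As an added example that is not part of the original post, the same procedure can be scripted end to end: write CAPolicy.inf, restart the service, renew the CA certificate and confirm the new validity. It assumes the CA name from the post and uses certutil -renewCert ReuseKeys as the command-line equivalent of the snap-in's "Renew CA Certificate" with the existing key pair (the option the post's dialog uses when you click OK without generating a new key).

```powershell
# Added example (not from the original post). Assumptions: CA name from the post, run
# elevated on the CA server, existing key pair reused for the renewed certificate.
$CAName       = 'AventisLab Root CA'
$RenewalYears = 10

# CAPolicy.inf is read from %windir% when the CA certificate is renewed. The Signature
# line needs straight double quotes; the single-quoted here-string keeps the $ literal.
$policy = @'
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits={0}
'@ -f $RenewalYears
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $policy -Encoding Ascii

# The service reads CAPolicy.inf on start, so restart it before renewing.
Restart-Service -Name certsvc

# Renew the CA certificate with the existing keys (equivalent of certsrv.msc -> Renew CA
# Certificate -> OK). certutil stops and restarts certsvc itself during the renewal.
certutil.exe -renewCert ReuseKeys

# Verify: the newest root certificate for this CA should now span $RenewalYears years.
function Get-CertValidityYears {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    [math]::Round(($Cert.NotAfter - $Cert.NotBefore).TotalDays / 365, 1)
}

$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$CAName*" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

$years = Get-CertValidityYears -Cert $root
"Newest root certificate {0}: valid {1:d} to {2:d} ({3} years)" -f `
    $root.Thumbprint, $root.NotBefore, $root.NotAfter, $years
if ($years -lt $RenewalYears) {
    Write-Warning "Expected about $RenewalYears years; check %windir%\CAPolicy.inf and the renewal"
}
```

Both the old and the renewed root certificate remain in the store (the old one is still needed to validate certificates issued before the renewal), which is why the check sorts by NotBefore and takes the newest.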
Extend the Web Server template expiry date beyond 2 years
Generate a new Web Server Certificate by following the steps in my previous post to verify that the default validity is only 2 years
Verify the existing Validity Period is 2 years
certutil -getreg ca\ValidityPeriodUnits
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\AventisLab Root CA\ValidityPeriodUnits:
ValidityPeriodUnits REG_DWORD = 2
CertUtil: -getreg command completed successfully.
Extend it to 5 years
certutil -setreg ca\ValidityPeriodUnits 5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\AventisLab Root CA\ValidityPeriodUnits:
Old Value:
ValidityPeriodUnits REG_DWORD = 2
New Value:
ValidityPeriodUnits REG_DWORD = 5
CertUtil: -setreg command completed successfully.
Restart AD Certificate Service
Restart-Service -Name certsvc
Open Management Console for CA with certsrv.msc and right click on Certificate Template – Manage
Right Click on Web Server and Select Duplicate Template
Change the Validity Period to 5 years and provide a new Template Name, WebServerwith5years
Right click on Certificate Template – New – Certificate Template to issue
Select Web Server with 5 years to enable the Certificate Template
Generate a new Certificate with the new Template Name
# $ReqFile holds the path to the CSR created in the previous post; certreq.exe can be called directly from PowerShell
certreq.exe -attrib "CertificateTemplate:webserverwith5years" -submit $ReqFile
Verify the New SSL Certificate is valid for 5 years now
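The two changes above (the CA's ValidityPeriodUnits registry value and the template's own Validity Period) both cap the certificate: an issued certificate's lifetime is the shortest of the template validity, the CA's ValidityPeriodUnits, and the remaining lifetime of the CA certificate itself. The following is an added example, not code from the original post, that publishes the duplicated template with Add-CATemplate (the PowerShell equivalent of "Certificate Template to Issue"), predicts the effective validity from those three values, then submits a CSR and checks the issued certificate. It assumes the template was already duplicated in the console as WebServerwith5years (there is no built-in cmdlet that duplicates a template), the CA name from the post, and hypothetical file paths for the CSR and the issued certificate.

```powershell
# Added example (not from the original post). Assumptions: template WebServerwith5years
# already exists in AD, CA name from the post, ADCSAdministration module available,
# run elevated on the CA server; the .req/.cer paths below are placeholders.
Import-Module ADCSAdministration

$CAName        = 'AventisLab Root CA'
$TemplateName  = 'WebServerwith5years'
$TemplateYears = 5                          # Validity Period set on the duplicated template
$ReqFile       = 'C:\Temp\webserver.req'    # assumed path to the CSR from the previous post
$CerFile       = 'C:\Temp\webserver.cer'    # assumed output path for the issued certificate

# 1. Publish the template on this CA if it is not already in the issue list.
if (-not (Get-CATemplate | Where-Object { $_.Name -eq $TemplateName })) {
    Add-CATemplate -Name $TemplateName -Force
    "Template $TemplateName added to the CA's issue list"
}

# 2. Read the CA-wide cap that certutil -setreg ca\ValidityPeriodUnits changed.
$regPath    = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
$reg        = Get-ItemProperty -Path $regPath
$caMaxYears = [int]$reg.ValidityPeriodUnits
if ($reg.ValidityPeriod -ne 'Years') {
    Write-Warning "CA ValidityPeriod is '$($reg.ValidityPeriod)', not Years; the cap below is in those units"
}

# 3. The CA certificate's own remaining lifetime is the third cap (certsvc keeps its
#    certificate with the private key in LocalMachine\My).
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CAName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
$caRemainingYears = [math]::Floor(($caCert.NotAfter - (Get-Date)).TotalDays / 365)

$effectiveYears = ($TemplateYears, $caMaxYears, $caRemainingYears | Measure-Object -Minimum).Minimum
"Template: $TemplateYears y, CA ValidityPeriodUnits: $caMaxYears y, CA cert remaining: $caRemainingYears y"
"Expected validity of a certificate issued now: $effectiveYears years"

# 4. Submit the CSR against this CA. -config avoids the interactive CA picker.
certreq.exe -submit -attrib "CertificateTemplate:$TemplateName" -config "localhost\$CAName" $ReqFile $CerFile
if (-not (Test-Path $CerFile)) {
    throw "No certificate written to $CerFile (request may be pending or denied; see certsrv.msc)"
}

# 5. Verify the issued certificate's lifetime against the prediction.
$issued      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerFile)
$issuedYears = [math]::Round(($issued.NotAfter - $issued.NotBefore).TotalDays / 365, 1)
"Issued to {0}: {1:d} to {2:d} ({3} years)" -f $issued.Subject, $issued.NotBefore, $issued.NotAfter, $issuedYears
if ($issuedYears -lt $effectiveYears) {
    Write-Warning "Issued certificate is shorter than expected; re-check template and registry caps"
}
```

The prediction step is the part worth keeping: if a certificate still comes out at 2 years after the template change, the registry cap or an expiring CA certificate is the cause, and this shows which one before another request is submitted.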
You can proceed to generate an SSL certificate from the CA by following my next post, request-ssl-certificate-from-microsoft-ca-with-certreq