Configuration of Microsoft CA with PowerShell

Steps to configure a Microsoft CA with PowerShell in my lab for testing purposes. Out of the box:

  • Default 5 years for CA Root Certificate
  • Default 2 years for Web Certificate

Installation of Microsoft CA Server with PowerShell

Install the Active Directory Certificate Services role with its Certification Authority role service and the management tools

Install-WindowsFeature AD-Certificate -IncludeManagementTools 

Configure the CA as an Enterprise Root CA with SHA256 and a 2048-bit key. With no validity parameters the CA certificate gets the default 5 years:

$CA_Name = "AventisLab Root CA"
Install-AdcsCertificationAuthority -CACommonName $CA_Name -CAType EnterpriseRootCa `
-HashAlgorithmName SHA256 -KeyLength 2048 

A longer validity period can be set at install time (and only at install time; for an already installed CA see the renewal section below):

$CA_Name = "AventisLab Root CA"
Install-AdcsCertificationAuthority -CACommonName $CA_Name -CAType EnterpriseRootCa `
-HashAlgorithmName SHA256 -KeyLength 2048 -ValidityPeriod Years -ValidityPeriodUnits 10

Install Certification Authority Web Enrollment with the management tools. Installing the feature only copies the binaries; the role service still has to be configured (Install-AdcsWebEnrollment, or the post-deployment wizard in Server Manager) before the /certsrv site exists in IIS.

Install-WindowsFeature ADCS-Web-Enrollment -IncludeManagementTools

Browse to http://192.168.1.200/certsrv/ to verify that the CA web enrollment page is served.
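The whole install as one script, as an added example rather than code from the original post. It includes the Install-AdcsWebEnrollment step that turns the installed feature into a working /certsrv site, and finishes with the checks a practitioner would run. Assumptions: a domain-joined Windows Server, an elevated session as an Enterprise Admin, and the post's lab values for the CA name and address.

```powershell
# Added example (not from the original post): CA install, end to end.
# Assumes: domain-joined server, elevated Enterprise Admin session,
# CA name and 192.168.1.200 taken from the post's lab.
$CA_Name   = "AventisLab Root CA"
$EnrollUrl = "http://192.168.1.200/certsrv/"

# AD CS role with the Certification Authority role service, plus certsrv.msc / certtmpl.msc
Install-WindowsFeature AD-Certificate -IncludeManagementTools

# Configure the CA. Validity defaults to 5 years; -ValidityPeriod/-ValidityPeriodUnits
# only apply here, at install time. -Force suppresses the confirmation prompt.
Install-AdcsCertificationAuthority -CACommonName $CA_Name -CAType EnterpriseRootCa `
    -HashAlgorithmName SHA256 -KeyLength 2048 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# Web Enrollment. The feature install alone copies files; Install-AdcsWebEnrollment is
# what creates the /certsrv application in IIS. Skip it and the URL never answers.
Install-WindowsFeature ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsWebEnrollment -Force

# Checks: service running, CA answering RPC/DCOM, enrollment page served.
Get-Service -Name certsvc | Select-Object Name, Status
certutil -ping
# certsrv requires Windows authentication, so send the current domain account's credentials.
$resp = Invoke-WebRequest -Uri $EnrollUrl -UseDefaultCredentials -UseBasicParsing
"certsrv HTTP status: $($resp.StatusCode)"
```

Run it once on a fresh server; Install-AdcsCertificationAuthority fails if a CA is already configured, which is a useful guard against accidentally re-running it.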


New Finding

I followed the steps above to deploy a Root CA on Windows Server 2019 Server Core, but I just failed to connect to http://192.168.1.200/cert even after rebooting the server.

Go to any member server, connect to the Server Core host with Server Manager, and complete the post-deployment configuration of Active Directory Certificate Services from there


Finally, we can access http://192.168.1.200/certsrv now

Extend the CA root certificate expiry beyond 5 years on an already installed CA server

Open the Certificates snap-in for the local computer (certlm.msc) and go to Trusted Root Certification Authorities – Certificates to verify that the existing CA root certificate is valid for 5 years

Create a new file C:\Windows\CAPolicy.inf with RenewalValidityPeriodUnits greater than 5. The file is read at CA install time and again at every CA certificate renewal, which is why a renewal picks up the longer period:

[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10

Restart the Active Directory Certificate Services service (the cmdlet is Restart-Service, singular, with a plain hyphen):

Restart-Service -Name certsvc

Open the CA management console with certsrv.msc, right-click the CA server and select All Tasks – Renew CA Certificate

Click Yes to stop Active Directory Certificate Services

Leave "generate a new signing key" at No to reuse the existing key pair, and click OK to renew

Open the Certificates snap-in for the local computer (certlm.msc) again and go to Trusted Root Certification Authorities – Certificates to verify that the renewed CA root certificate is now valid for 10 years
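The same renewal without the console, as an added example that is not part of the original post: it writes CAPolicy.inf, renews the CA certificate with certutil while reusing the existing key pair, and compares the root certificate's lifetime before and after. Assumptions: it is run elevated on the CA itself, and the CA name is the post's; the helper functions are mine.

```powershell
# Added example (not from the original post): scripted CA certificate renewal.
# Assumes an elevated session on the CA; CA name taken from the post.
$CA_Name = "AventisLab Root CA"

# CAPolicy.inf is read from %SystemRoot% at install and at every renewal; the Renewal*
# values are what give the renewed certificate 10 years. A single-quoted here-string keeps
# the $ in $Windows NT$ literal, and ASCII avoids a UTF-8 BOM in front of [Version].
$policy = @'
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $policy -Encoding Ascii
Restart-Service -Name certsvc

# The CA's own certificate in the local Trusted Root store. After a renewal the old and
# the new certificate are both present, so take the one that expires last.
function Get-CARootCert([string]$Name) {
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$Name*" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Format-Lifetime($c) {
    $years = ($c.NotAfter - $c.NotBefore).TotalDays / 365.25
    '{0:yyyy-MM-dd} -> {1:yyyy-MM-dd} ({2:N1} years) thumbprint {3}' -f `
        $c.NotBefore, $c.NotAfter, $years, $c.Thumbprint
}

"Before: " + (Format-Lifetime (Get-CARootCert $CA_Name))

# Equivalent of certsrv.msc > All Tasks > Renew CA Certificate. ReuseKeys keeps the existing
# key pair, so everything already issued still chains to the renewed root. Omit ReuseKeys to
# roll the key as well; an Enterprise CA then publishes the new root through AD, but anything
# that trusts the old root by thumbprint (pinning, non-domain devices) has to be updated.
# certutil stops and restarts certsvc as part of the renewal.
certutil -renewCert ReuseKeys

"After:  " + (Format-Lifetime (Get-CARootCert $CA_Name))
```

If the "After" line still shows 5 years, check that CAPolicy.inf landed in %SystemRoot% (not in the CA's working directory) and that the service was restarted before the renewal.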

Extend the Web Server template validity beyond 2 years

Generate a new Web Server certificate by following the steps in my previous post to verify that the default validity is only 2 years


Verify the existing Validity Period is 2 years

certutil -getreg ca\ValidityPeriodUnits

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\AventisLab Root CA\ValidityPeriodUnits:

  ValidityPeriodUnits REG_DWORD = 2
CertUtil: -getreg command completed successfully.

Extend it to 5 years. The CA never issues a certificate for longer than ca\ValidityPeriod / ValidityPeriodUnits allows, whatever the template asks for (and never beyond the expiry of its own certificate), so this value has to be raised before the longer template is any use:

certutil -setreg ca\ValidityPeriodUnits 5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\AventisLab Root CA\ValidityPeriodUnits:

Old Value:
  ValidityPeriodUnits REG_DWORD = 2

New Value:
  ValidityPeriodUnits REG_DWORD = 5
CertUtil: -setreg command completed successfully.

Restart the Active Directory Certificate Services service

Restart-Service -Name certsvc

Open the CA management console with certsrv.msc, right-click Certificate Templates and select Manage


Right-click Web Server and select Duplicate Template


Change the Validity period to 5 years and set the Template name to WebServerwith5years


Right-click Certificate Templates – New – Certificate Template to Issue


Select Web Server with 5 years to enable the certificate template on the CA


Generate a new certificate with the new template name ($ReqFile is the CSR created in the previous post; certreq.exe runs directly from PowerShell, so there is no need to go through cmd.exe or nest quotes)

certreq.exe -submit -attrib "CertificateTemplate:webserverwith5years" $ReqFile

Verify the New SSL Certificate is valid for 5 years now
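The publish-and-verify half of the procedure above, as an added example that is not part of the original post. It checks and, if needed, raises the CA-side cap, publishes the template with Add-CATemplate instead of the console's "Certificate Template to Issue" step (the duplication itself is still done in certtmpl.msc as above), submits a CSR against it and confirms the issued certificate's lifetime. Assumptions: the template name WebServerwith5years from the post, the ADCSAdministration module on the CA, a CA config string of the form server\CA name, and the file paths, which are mine.

```powershell
# Added example (not from the original post): publish the template and verify the result.
# Assumes: run on the CA, ADCSAdministration module available, template already duplicated
# in certtmpl.msc as WebServerwith5years; paths and the config string are lab assumptions.
Import-Module ADCSAdministration

$CA_Name  = "AventisLab Root CA"
$Template = "WebServerwith5years"
$ReqFile  = "C:\Certs\web.req"
$CertFile = "C:\Certs\web.cer"
$CAConfig = "$env:COMPUTERNAME\$CA_Name"    # <server>\<CA common name>

# 1. The CA caps every issued certificate at ca\ValidityPeriod[Units], regardless of the
#    template, and also at the remaining lifetime of its own certificate. Raise the cap first.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CA_Name"
$caReg = Get-ItemProperty -Path $regPath -Name ValidityPeriod, ValidityPeriodUnits
if ($caReg.ValidityPeriod -ne 'Years' -or $caReg.ValidityPeriodUnits -lt 5) {
    certutil -setreg ca\ValidityPeriod Years | Out-Null
    certutil -setreg ca\ValidityPeriodUnits 5 | Out-Null
    Restart-Service -Name certsvc
}

# 2. Publish the template on the CA (same as "Certificate Template to Issue"), once.
if (-not (Get-CATemplate | Where-Object { $_.Name -eq $Template })) {
    Add-CATemplate -Name $Template -Force
}

# 3. Submit the CSR. -config skips the CA picker dialog; -attrib selects the template.
certreq.exe -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $ReqFile $CertFile

# 4. Read the issued certificate back and report its lifetime.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
$years = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
'{0}: {1:yyyy-MM-dd} -> {2:yyyy-MM-dd} ({3:N1} years)' -f $cert.Subject, $cert.NotBefore, $cert.NotAfter, $years
if ($years -lt 4.9) {
    Write-Warning "Validity is still capped below 5 years: check ca\ValidityPeriodUnits and how long the CA certificate itself has left."
}
```

The warning branch is the one to watch on an older CA: once the root certificate has less than 5 years left, every certificate from this template silently comes back shorter, and only renewing the CA certificate (previous section) fixes that.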


You can proceed to generate an SSL certificate from the CA by following my next post, request-ssl-certificate-from-microsoft-ca-with-certreq
