Install-AdcsCertificationAuthority

Performs installation and configuration of the AD CS Certification Authority role service.

Syntax

Install-AdcsCertificationAuthority
       [-AllowAdministratorInteraction]
       [-ValidityPeriod <ValidityPeriod>]
       [-ValidityPeriodUnits <Int32>]
       [-CACommonName <String>]
       [-CADistinguishedNameSuffix <String>]
       [-CAType <CAType>]
       [-CryptoProviderName <String>]
       [-DatabaseDirectory <String>]
       [-HashAlgorithmName <String>]
       [-IgnoreUnicode]
       [-KeyLength <Int32>]
       [-LogDirectory <String>]
       [-OutputCertRequestFile <String>]
       [-OverwriteExistingCAinDS]
       [-OverwriteExistingKey]
       [-ParentCA <String>]
       [-OverwriteExistingDatabase]
       [-Credential <PSCredential>]
       [-Force]
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]
Install-AdcsCertificationAuthority
       [-AllowAdministratorInteraction]
       [-CertFilePassword <SecureString>]
       [-CertFile <String>]
       [-CAType <CAType>]
       [-CertificateID <String>]
       [-DatabaseDirectory <String>]
       [-LogDirectory <String>]
       [-OverwriteExistingKey]
       [-OverwriteExistingDatabase]
       [-Credential <PSCredential>]
       [-Force]
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]
Install-AdcsCertificationAuthority
       [-AllowAdministratorInteraction]
       [-ValidityPeriod <ValidityPeriod>]
       [-ValidityPeriodUnits <Int32>]
       [-CADistinguishedNameSuffix <String>]
       [-CAType <CAType>]
       [-CryptoProviderName <String>]
       [-DatabaseDirectory <String>]
       [-HashAlgorithmName <String>]
       [-IgnoreUnicode]
       [-KeyContainerName <String>]
       [-LogDirectory <String>]
       [-OutputCertRequestFile <String>]
       [-OverwriteExistingCAinDS]
       [-ParentCA <String>]
       [-OverwriteExistingDatabase]
       [-Credential <PSCredential>]
       [-Force]
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]

Description

The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the Active Directory Certificate Services (AD CS) Certification Authority (CA) role service. To remove the certification authority role service, use the Uninstall-AdcsCertificationAuthority cmdlet.

The cmdlet is provided by the ADCSDeployment module, which becomes available once the Certification Authority role service binaries are installed. Install them by running the following commands from Windows PowerShell:

  • Import-Module ServerManager
  • Add-WindowsFeature Adcs-Cert-Authority

To include the Certification Authority and Certificate Templates consoles in a CA installation, append the -IncludeManagementTools parameter to the Add-WindowsFeature Adcs-Cert-Authority command. Installing the role binaries does not create a CA; the CA is created only when Install-AdcsCertificationAuthority runs.
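The complete procedure, from role installation through a verified Enterprise Root CA, as an added example that is not part of the original page. It also covers the troubleshooting steps from the Notes section (-Force, -Verbose, the certocm.log file). The CA name, the distinguished name suffix and the D:\ paths are assumptions; adjust them for your environment.

```powershell
# Added example, not from the original page. Assumed values: CA name, DN suffix,
# and the D:\ paths.
#Requires -RunAsAdministrator

Import-Module ServerManager
# Add-WindowsFeature is an alias of Install-WindowsFeature on Windows Server 2012 and later.
$role = Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
if (-not $role.Success) { throw "Role install failed (exit code $($role.ExitCode))" }
if ($role.RestartNeeded -eq 'Yes') { Write-Warning 'Restart required before continuing' }

# The deployment cmdlets ship in the ADCSDeployment module, added by the role install.
Import-Module ADCSDeployment

# Keep the CA database and its log off the system volume; the folders must exist.
$dbDir  = 'D:\CertDB'    # assumed
$logDir = 'D:\CertLog'   # assumed
New-Item -ItemType Directory -Path $dbDir, $logDir -Force | Out-Null

$ca = @{
    CAType                    = 'EnterpriseRootCa'
    CACommonName              = 'Contoso-Root-CA'              # assumed
    CADistinguishedNameSuffix = 'DC=corp,DC=contoso,DC=com'    # assumed
    CryptoProviderName        = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength                 = 4096
    HashAlgorithmName         = 'SHA256'
    ValidityPeriod            = 'Years'
    ValidityPeriodUnits       = 10
    DatabaseDirectory         = $dbDir
    LogDirectory              = $logDir
    Force                     = $true      # no confirmation prompt
}

# Show the planned configuration first; -WhatIf changes nothing.
Install-AdcsCertificationAuthority @ca -WhatIf

# Real run; -Verbose prints each setup step.
$result = Install-AdcsCertificationAuthority @ca -Verbose
if ($result.ErrorId -ne 0) {
    # Setup writes its trace to %windir%\certocm.log; the tail usually has the cause.
    Get-Content "$env:windir\certocm.log" -Tail 40
    throw "CA setup failed: $($result.ErrorString)"
}

# Post-install checks: service running, CA answering, and the configured
# provider and signature hash are what was requested.
Get-Service CertSvc | Select-Object Status, StartType
certutil -cainfo name
certutil -getreg ca\csp\Provider
certutil -getreg ca\csp\CNGHashAlgorithm
```

A root CA key of this size and a ten-year lifetime are conventional for an enterprise root; the hash algorithm chosen here is used for every certificate and CRL the CA signs, so it is the setting to get right the first time.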

Int is equivalent to Int32 in the .NET Framework.

Examples

Example 1: Install a new Standalone Root CA with default settings

PS C:\> Install-AdcsCertificationAuthority -CAType StandaloneRootCa

This command installs a new Standalone Root CA with default settings.

Example 2: Install a new Enterprise Root CA using a specific provider and key length

PS C:\> Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "ECDSA_P256#Microsoft Software Key Storage Provider" -KeyLength 256 -HashAlgorithmName SHA256

This command installs a new Enterprise Root CA using the ECDSA_P256 algorithm in the Microsoft Software Key Storage Provider (the provider name takes the form Algorithm#Provider), a key length of 256 bits (the only valid length for the P-256 curve), and the SHA256 hash algorithm.

Example 3: Install a new Enterprise Root CA using a specific provider and a validity period

PS C:\> Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 3

This command installs a new Enterprise Root CA using the RSA algorithm in the Microsoft Software Key Storage Provider, a key length of 2048 bits, the SHA256 hash algorithm, and a validity period of three years. Do not pass SHA1 here: the hash algorithm chosen at installation signs every certificate and CRL the CA issues, SHA-1 is deprecated for certificate signatures, and changing it afterwards means reconfiguring the CA and renewing its certificate.

Example 4: Install a new Enterprise Subordinate CA using a parent CA

PS C:\> Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa -ParentCA SERVER75.corp.contoso.com\SERVER75-CA

This command installs a new Enterprise Subordinate CA whose parent is the CA named SERVER75-CA on the host SERVER75.corp.contoso.com. The -ParentCA value is the parent's configuration string in HostName\CAName form. The parent must be online and reachable: the cmdlet submits the subordinate's request to it and, if the parent issues the certificate immediately, installs it in the same run.

Example 5: Install a new Enterprise Subordinate CA using an existing certificate

PS C:\> Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa -CertFile C:\Cert\SERVER80-CA.p12 -CertFilePassword (Read-Host "Enter the PFX password" -AsSecureString)

This command installs an Enterprise Subordinate CA using an existing certificate and private key from the PKCS #12 (PFX/P12) file SERVER80-CA.p12 in the local C:\Cert folder; the password that protects the file is prompted for as a SecureString. Because the file contains the CA's private key, remove it from the server or return it to secure storage once the installation completes.
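Examples 4 and 5 cover a parent that is online or a certificate that already exists. The common production layout is an offline Standalone Root CA signing an Enterprise Subordinate (issuing) CA, which needs a request file instead of -ParentCA. The three-phase procedure below is an added example, not code from the original page: the CA names, the root host name ROOT01, and the C:\Transfer paths are assumptions, and the request and certificate files are assumed to be carried between the two machines by removable media.

```powershell
# Added example, not from the original page. Assumed: CA names, host ROOT01,
# C:\Transfer paths, files moved between hosts by removable media.
#Requires -RunAsAdministrator
Import-Module ADCSDeployment

# ---- Phase 1: on the issuing CA (domain-joined) ----
# With -OutputCertRequestFile and no -ParentCA the cmdlet creates the key pair and
# a PKCS #10 request, leaves the service stopped, and reports a non-zero ErrorId
# because the installation is incomplete until the issued certificate is installed.
$req = 'C:\Transfer\Contoso-Issuing-CA.req'
New-Item -ItemType Directory -Path (Split-Path $req) -Force | Out-Null

$r = Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa `
        -CACommonName 'Contoso-Issuing-CA' `
        -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
        -KeyLength 4096 -HashAlgorithmName SHA256 `
        -OutputCertRequestFile $req -Force
"Phase 1 result {0}: {1}" -f $r.ErrorId, $r.ErrorString   # incomplete install is expected

# ---- Phase 2: on the offline root CA ----
# A standalone root holds requests as pending by default, so submit, then
# approve (-resubmit) and retrieve the issued certificate by its RequestId.
$rootConfig = 'ROOT01\Contoso-Root-CA'                        # assumed config string
$out = certutil -config $rootConfig -submit 'C:\Transfer\Contoso-Issuing-CA.req'
$id  = ($out | Select-String 'RequestId:\s*"?(\d+)').Matches[0].Groups[1].Value
certutil -config $rootConfig -resubmit $id
certutil -config $rootConfig -retrieve $id 'C:\Transfer\Contoso-Issuing-CA.cer'
# Export the root certificate and a fresh CRL; domain members need both.
certutil -config $rootConfig -ca.cert 'C:\Transfer\Contoso-Root-CA.crt'
certutil -config $rootConfig -GetCRL  'C:\Transfer\Contoso-Root-CA.crl'

# ---- Phase 3: back on the issuing CA, as an Enterprise Admin ----
# Publish the root certificate and CRL to AD DS so the chain is trusted domain-wide,
# trust it locally so the issuing CA can build its own chain, then install the
# issued certificate and start the service.
certutil -dspublish -f 'C:\Transfer\Contoso-Root-CA.crt' RootCA
certutil -dspublish -f 'C:\Transfer\Contoso-Root-CA.crl'
certutil -addstore -f Root 'C:\Transfer\Contoso-Root-CA.crt'
certutil -installCert 'C:\Transfer\Contoso-Issuing-CA.cer'
Start-Service CertSvc
# Chain and revocation check on the new CA certificate; any CRL fetch error shows here.
certutil -verify -urlfetch 'C:\Transfer\Contoso-Issuing-CA.cer'
```

The root CA never joins the domain or a network; only the request, certificate and CRL files move. If the parent is an online Enterprise CA instead, replace phase 1 with the -ParentCA form shown in Example 4 and phases 2 and 3 are not needed.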

Optional Parameters

-AllowAdministratorInteraction

Indicates that the cmdlet enables prompting when the private key is accessed. This is not required for any of the Microsoft default providers. For enhanced security components, such as a hardware security module (HSM), review the enhanced security component vendor documentation.

Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-CACommonName

Specifies the certification authority common name.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-CADistinguishedNameSuffix

Specifies the certification authority distinguished name suffix.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-CAType

Specifies the type of certification authority that this cmdlet installs. The acceptable values for this parameter are:

  • EnterpriseRootCA
  • EnterpriseSubordinateCA
  • StandaloneRootCA
  • StandaloneSubordinateCA
Type: CAType
Accepted values: EnterpriseRootCA, EnterpriseSubordinateCA, StandaloneRootCA, StandaloneSubordinateCA
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-CertFile

Specifies the file name of the certification authority's PKCS #12 formatted (.pfx or .p12) certificate file, which contains the CA certificate and its private key.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-CertFilePassword

Specifies the password that protects the certification authority certificate file.

Type: SecureString
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-CertificateID

Specifies the thumbprint or serial number of the certification authority certificate.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Aliases: cf
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-Credential

Specifies a PSCredential object for the connection to AD DS. To obtain a credential object, use the Get-Credential cmdlet; for more information, type Get-Help Get-Credential. To install an enterprise certification authority, the computer must be joined to an AD DS domain and a user account that is a member of the Enterprise Admins group is required. To install a standalone certification authority, the computer can be in a workgroup or in an AD DS domain: in a workgroup, a user account that is a member of the local Administrators group is required; in an AD DS domain, a user account that is a member of Domain Admins is required.

Type: PSCredential
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-CryptoProviderName

Specifies the name of the cryptographic service provider (CSP) or key storage provider (KSP) that is used to generate or store the private key for the CA. For a KSP the value takes the form "Algorithm#Provider name", as in "RSA#Microsoft Software Key Storage Provider".

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
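The provider string has to name a provider that is actually installed on the host, and HSM vendors' KSPs only appear after their client software is installed. The following is an added example, not from the original page, that builds the -CryptoProviderName value from the providers certutil enumerates; the choice of the Microsoft Software Key Storage Provider and of RSA as the algorithm are assumptions.

```powershell
# Added example, not from the original page. Assumed target provider and algorithm.
# certutil -csplist prints one "Provider Name: <name>" line per CSP/KSP on this host.
$providers = certutil -csplist | ForEach-Object {
    if ($_ -match '^Provider Name:\s*(.+?)\s*$') { $Matches[1] }
}
$providers

# Prefer a CNG key storage provider over a legacy CSP; an HSM KSP would be matched here instead.
$ksp = $providers | Where-Object { $_ -eq 'Microsoft Software Key Storage Provider' }
if (-not $ksp) { throw 'Microsoft Software Key Storage Provider is not installed' }

# Check which algorithms the provider supports before committing to a key length.
certutil -csptest $ksp

# Build the value in the documented Algorithm#Provider form.
$cryptoProviderName = "RSA#$ksp"         # or "ECDSA_P384#$ksp" for an EC key
$cryptoProviderName
```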
-DatabaseDirectory

Specifies the folder location of the certification authority database.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-Force

Forces the command to run without asking for user confirmation.

Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-HashAlgorithmName

Specifies the signature hash algorithm used by the certification authority.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-IgnoreUnicode

Indicates that the cmdlet allows Unicode characters in the certification authority name string.

Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-KeyContainerName

Specifies the name of an existing private key container.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-KeyLength

Specifies the bit length of the new certification authority key. Valid lengths depend on the provider and algorithm; for an EC algorithm the length is fixed by the curve (256 for ECDSA_P256).

Type: Int32
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-LogDirectory

Specifies the folder location of the certification authority database log.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-OutputCertRequestFile

Specifies the path of the certificate request file that the cmdlet writes. Use it for a subordinate CA whose parent is offline or not reachable: the cmdlet generates the key and the request, and the installation remains incomplete until the certificate issued by the parent is installed.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-OverwriteExistingCAinDS

Indicates that the cmdlet overwrites an existing CA object in AD DS that has the same CA name (for example, one left behind by an earlier installation) instead of failing. Use it only when that object is known to be stale; overwriting the entry of a CA that is still in service breaks enrollment against that CA.

Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-OverwriteExistingDatabase

Indicates that the cmdlet overwrites the existing certification authority database.

Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-OverwriteExistingKey

Indicates that the cmdlet overwrites the existing key container with the same name.

Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-ParentCA

Specifies the configuration string of the parent certification authority that will certify this CA, in the form HostName\CAName (for example, SERVER75.corp.contoso.com\SERVER75-CA).

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-ValidityPeriod

Specifies the validity period of the certification authority (CA) certificate in hours, days, weeks, months or years. If this is a subordinate CA, do not use this parameter, because the validity period is determined by the parent CA.

Type: ValidityPeriod
Accepted values: Hours, Days, Weeks, Months, Years
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-ValidityPeriodUnits

Specifies the number of units (hours, days, weeks, months or years, as selected with -ValidityPeriod) in the validity period of the CA certificate. If this is a subordinate CA, do not specify this parameter because the validity period is determined by the parent CA.

Type: Int32
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Aliases: wi
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

Inputs

bool, string, string, enum, string, SecureString, string, string, string, string, bool, string, long, string, string, bool, bool, bool, string, enum, long

Outputs

Microsoft.CertificateServices.Deployment.Commands.CA.CertificationAuthoritySetupResult

Notes

  • Ensure you run Windows PowerShell as an administrator.
  • Use the -Force parameter to bypass the prompt for confirmation.
  • To see the parameters, run the following command: Install-AdcsCertificationAuthority -?
  • If you have installation issues, use the -Verbose parameter to get verbose output and review the information in the %windir%\certocm.log file.