Étiquette : ADCS

Installer Active Directory Certificate Services en Powershell

brucejdc ADCS Leave a comment

La première étape est l’installation du rôle Active Directory Certificate Services (AD CS) :

PS C:\Users\brucejdc> Import-Module servermanager
PS C:\Users\brucejdc> Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

Comme pour ADDS, nous disposons de deux modules :
– le module de deploiement : ADCSDeployment
– le mode d’administration : DCSAdministration

Nous commencerons par le module de déploiement, le listing des cmdlets nous retournes :

PS C:\Users\brucejdc> Get-Command -Module  ADCSDeployment

CommandType     Name
-----------     ----
Cmdlet          Install-AdcsCertificationAuthority
Cmdlet          Install-AdcsEnrollmentPolicyWebService
Cmdlet          Install-AdcsEnrollmentWebService
Cmdlet          Install-AdcsNetworkDeviceEnrollmentService
Cmdlet          Install-AdcsOnlineResponder
Cmdlet          Install-AdcsWebEnrollment
Cmdlet          Uninstall-AdcsCertificationAuthority
Cmdlet          Uninstall-AdcsEnrollmentPolicyWebService
Cmdlet          Uninstall-AdcsEnrollmentWebService
Cmdlet          Uninstall-AdcsNetworkDeviceEnrollmentService
Cmdlet          Uninstall-AdcsOnlineResponder
Cmdlet          Uninstall-AdcsWebEnrollment

La compréhension des cmdlets est plutôt simple : une cmdlet d’installation, une cmdlet de désinstallation.
Pour le déploiement de l’autorité de certification, la cmdlet correspondante est Install-AdcsCertificationAuthority.

NAME
    Install-AdcsCertificationAuthority

SYNTAX
    Install-AdcsCertificationAuthority [-AllowAdministratorInteraction]
    [-ValidityPeriod <ValidityPeriod> {Hours | Days | Weeks | Months | Years}]
    [-ValidityPeriodUnits <int>] [-CACommonName <string>]
    [-CADistinguishedNameSuffix <string>] [-CAType <CAType> {EnterpriseRootCA
    | EnterpriseSubordinateCA | StandaloneRootCA | StandaloneSubordinateCA}]
    [-CryptoProviderName <string>] [-DatabaseDirectory <string>]
    [-HashAlgorithmName <string>] [-IgnoreUnicode] [-KeyLength <int>]
    [-LogDirectory <string>] [-OutputCertRequestFile <string>]
    [-OverwriteExistingCAinDS] [-OverwriteExistingKey] [-ParentCA <string>]
    [-OverwriteExistingDatabase] [-Credential <pscredential>] [-Force]
    [-WhatIf] [-Confirm]  [<CommonParameters>]

    Install-AdcsCertificationAuthority [-AllowAdministratorInteraction]
    [-CertFilePassword <securestring>] [-CertFile <string>] [-CAType <CAType>
    {EnterpriseRootCA | EnterpriseSubordinateCA | StandaloneRootCA |
    StandaloneSubordinateCA}] [-CertificateID <string>] [-DatabaseDirectory
    <string>] [-LogDirectory <string>] [-OverwriteExistingKey]
    [-OverwriteExistingDatabase] [-Credential <pscredential>] [-Force]
    [-WhatIf] [-Confirm]  [<CommonParameters>]

    Install-AdcsCertificationAuthority [-AllowAdministratorInteraction]
    [-ValidityPeriod <ValidityPeriod> {Hours | Days | Weeks | Months | Years}]
    [-ValidityPeriodUnits <int>] [-CADistinguishedNameSuffix <string>]
    [-CAType <CAType> {EnterpriseRootCA | EnterpriseSubordinateCA |
    StandaloneRootCA | StandaloneSubordinateCA}] [-CryptoProviderName
    <string>] [-DatabaseDirectory <string>] [-HashAlgorithmName <string>]
    [-IgnoreUnicode] [-KeyContainerName <string>] [-LogDirectory <string>]
    [-OutputCertRequestFile <string>] [-OverwriteExistingCAinDS] [-ParentCA
    <string>] [-OverwriteExistingDatabase] [-Credential <pscredential>]
    [-Force] [-WhatIf] [-Confirm]  [<CommonParameters>]

Une installation simple sera de cette forme, le paramètre -WhatIf permettra de vérifier les paramètres positionnés avant de lancer l’installation proprement dite :

PS C:\Users\brucejdc> Install-AdcsCertificationAuthority -CACommonName "BJDC-CA"  -CAType EnterpriseRootCA  -whatif
What if: Performing the operation "Install-AdcsCertificationAuthority" on target
 "BJDC-DC0".
Certification authority will be installed with the following properties:
                    CAType:                             EnterpriseRootCA
                    CACommonName                        BJDC-CA
                    CADistinguishedNameSuffix           DC=brucejdc,DC=local
                    CADistinguishedName:                CN=BJDC-CA,DC=brucejdc,DC=local
                    IgnoreUnicode:                      False
                    OverwriteExistingKey:               False
                    OverwriteExistingCAinDS:            False
                    ValidityPeriod:                     Years
                    ValidityPeriodUnits:                5
                    CryptoProviderName:                 RSA#Microsoft SoftwareKey Storage Provider
                    HashAlgorithmName:                  SHA1
                    KeyLength:                          2048
                    KeyContainerName:
                    AllowAdministratorInteraction:      False
                    CertFile:
                    CertificateID:
                    OutputCertRequestFile:
                    DatabaseDirectory:                  C:\Windows\system32\CertLog
                    LogDirectory:                       C:\Windows\system32\CertLog
                    OverwriteExistingDatabase:          False
                    ParentCA:

Il suffit de lancer la cmdlet sans -WhatIf pour installer l’autorité de certification.

PS C:\Users\brucejdc> Install-AdcsCertificationAuthority -CACommonName "BJDC-CA"  -CAType EnterpriseRootCA

Confirm
Are you sure you want to perform this action?
Performing the operation "Install-AdcsCertificationAuthority" on target "BJDC-DC0".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y

                                ErrorId ErrorString
                                ------- -----------
                                      0

Il ne vous reste plus qu’à configurer votre nouvelle autorité de certification!