The first step is installing the Active Directory Certificate Services (AD CS) role:

PS C:\Users\brucejdc> Import-Module servermanager
PS C:\Users\brucejdc> Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
As with AD DS, we have two modules:
– the deployment module: ADCSDeployment
– the administration module: ADCSAdministration
We will start with the deployment module; listing its cmdlets returns:

PS C:\Users\brucejdc> Get-Command -Module ADCSDeployment

CommandType     Name
-----------     ----
Cmdlet          Install-AdcsCertificationAuthority
Cmdlet          Install-AdcsEnrollmentPolicyWebService
Cmdlet          Install-AdcsEnrollmentWebService
Cmdlet          Install-AdcsNetworkDeviceEnrollmentService
Cmdlet          Install-AdcsOnlineResponder
Cmdlet          Install-AdcsWebEnrollment
Cmdlet          Uninstall-AdcsCertificationAuthority
Cmdlet          Uninstall-AdcsEnrollmentPolicyWebService
Cmdlet          Uninstall-AdcsEnrollmentWebService
Cmdlet          Uninstall-AdcsNetworkDeviceEnrollmentService
Cmdlet          Uninstall-AdcsOnlineResponder
Cmdlet          Uninstall-AdcsWebEnrollment
The cmdlets are easy to understand: for each role service there is one installation cmdlet and one uninstallation cmdlet.
To deploy the certification authority, the corresponding cmdlet is Install-AdcsCertificationAuthority.
NAME
    Install-AdcsCertificationAuthority

SYNTAX
    Install-AdcsCertificationAuthority [-AllowAdministratorInteraction]
        [-ValidityPeriod <ValidityPeriod> {Hours | Days | Weeks | Months | Years}] [-ValidityPeriodUnits <int>]
        [-CACommonName <string>] [-CADistinguishedNameSuffix <string>]
        [-CAType <CAType> {EnterpriseRootCA | EnterpriseSubordinateCA | StandaloneRootCA | StandaloneSubordinateCA}]
        [-CryptoProviderName <string>] [-DatabaseDirectory <string>] [-HashAlgorithmName <string>] [-IgnoreUnicode]
        [-KeyLength <int>] [-LogDirectory <string>] [-OutputCertRequestFile <string>] [-OverwriteExistingCAinDS]
        [-OverwriteExistingKey] [-ParentCA <string>] [-OverwriteExistingDatabase] [-Credential <pscredential>]
        [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

    Install-AdcsCertificationAuthority [-AllowAdministratorInteraction] [-CertFilePassword <securestring>]
        [-CertFile <string>]
        [-CAType <CAType> {EnterpriseRootCA | EnterpriseSubordinateCA | StandaloneRootCA | StandaloneSubordinateCA}]
        [-CertificateID <string>] [-DatabaseDirectory <string>] [-LogDirectory <string>] [-OverwriteExistingKey]
        [-OverwriteExistingDatabase] [-Credential <pscredential>] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

    Install-AdcsCertificationAuthority [-AllowAdministratorInteraction]
        [-ValidityPeriod <ValidityPeriod> {Hours | Days | Weeks | Months | Years}] [-ValidityPeriodUnits <int>]
        [-CADistinguishedNameSuffix <string>]
        [-CAType <CAType> {EnterpriseRootCA | EnterpriseSubordinateCA | StandaloneRootCA | StandaloneSubordinateCA}]
        [-CryptoProviderName <string>] [-DatabaseDirectory <string>] [-HashAlgorithmName <string>] [-IgnoreUnicode]
        [-KeyContainerName <string>] [-LogDirectory <string>] [-OutputCertRequestFile <string>]
        [-OverwriteExistingCAinDS] [-ParentCA <string>] [-OverwriteExistingDatabase] [-Credential <pscredential>]
        [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]
A simple installation looks like the following; the -WhatIf parameter lets you check the parameters you have set (and the defaults filled in for the rest) before running the actual installation:

PS C:\Users\brucejdc> Install-AdcsCertificationAuthority -CACommonName "BJDC-CA" -CAType EnterpriseRootCA -whatif
What if: Performing the operation "Install-AdcsCertificationAuthority" on target "BJDC-DC0".
Certification authority will be installed with the following properties:
CAType: EnterpriseRootCA
CACommonName BJDC-CA
CADistinguishedNameSuffix DC=brucejdc,DC=local
CADistinguishedName: CN=BJDC-CA,DC=brucejdc,DC=local
IgnoreUnicode: False
OverwriteExistingKey: False
OverwriteExistingCAinDS: False
ValidityPeriod: Years
ValidityPeriodUnits: 5
CryptoProviderName: RSA#Microsoft Software Key Storage Provider
HashAlgorithmName: SHA1
KeyLength: 2048
KeyContainerName:
AllowAdministratorInteraction: False
CertFile:
CertificateID:
OutputCertRequestFile:
DatabaseDirectory: C:\Windows\system32\CertLog
LogDirectory: C:\Windows\system32\CertLog
OverwriteExistingDatabase: False
ParentCA:
Simply run the cmdlet again without -WhatIf to install the certification authority.

PS C:\Users\brucejdc> Install-AdcsCertificationAuthority -CACommonName "BJDC-CA" -CAType EnterpriseRootCA

Confirm
Are you sure you want to perform this action?
Performing the operation "Install-AdcsCertificationAuthority" on target "BJDC-DC0".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):y

ErrorId ErrorString
------- -----------
      0
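The -WhatIf output above is worth reading closely: left to the defaults, the CA is created with a SHA1 signing hash, a 2048-bit key, a 5-year lifetime and its database on the system volume. The following script, an added example that is not part of the original post, does the same dry run followed by the real installation, but pins those values explicitly using parameters from the syntax shown earlier. The CA name, the D:\CertLog path and the registry path used for the final check are assumptions for this example.

```powershell
# Added example (not from the original post): deploy the enterprise root CA
# with the defaults shown by -WhatIf overridden explicitly.
# Assumptions: CA name BJDC-CA, database/log path D:\CertLog.
Import-Module ADCSDeployment

$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = 'BJDC-CA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    HashAlgorithmName   = 'SHA256'      # -WhatIf showed SHA1 as the default
    KeyLength           = 4096          # -WhatIf showed 2048 as the default
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10            # root CA lifetime; default shown was 5
    DatabaseDirectory   = 'D:\CertLog'  # assumed path: keeps the DB off the system volume
    LogDirectory        = 'D:\CertLog'
}

# Dry run first: prints the resolved settings without touching the server.
Install-AdcsCertificationAuthority @caParams -WhatIf

# Real installation. -Force suppresses the interactive confirmation prompt,
# so the script can run unattended; the result object carries ErrorId/ErrorString.
$result = Install-AdcsCertificationAuthority @caParams -Force
if ($result.ErrorId -ne 0) {
    throw "CA installation failed: $($result.ErrorString)"
}

# Post-install check: confirm the CA really signs with the requested algorithm.
# The CA stores its CSP settings under this registry key (assumed standard path).
$cspKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\BJDC-CA\CSP'
Get-ItemProperty -Path $cspKey | Select-Object CNGHashAlgorithm, CNGPublicKeyAlgorithm
```

Run the dry run, read the properties it prints, and only then let the script continue to the real installation; a root CA key cannot be quietly re-issued later, so the hash and key length are the settings to get right on the first attempt.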
All that remains is to configure your new certification authority!
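As a starting point for that configuration, here is an added example (not from the original post) using the ADCSAdministration module mentioned earlier. It reviews what a freshly installed enterprise CA is already willing to issue and where it will publish revocation data, then takes a backup before anything is changed. The template name and the backup folder are assumptions for this example.

```powershell
# Added example (not from the original post): first review of a newly
# installed enterprise CA with the ADCSAdministration module.
Import-Module ADCSAdministration

# An enterprise CA publishes a set of templates by default. Every template
# listed here is something domain members can already request, so the list
# should be trimmed to what the environment actually needs.
Get-CATemplate | Format-Table Name, Oid -AutoSize

# CRL distribution points and AIA locations that get stamped into issued
# certificates; a default install only carries the LDAP and local file entries.
Get-CACrlDistributionPoint |
    Format-Table Uri, AddToCertificateCdp, PublishToServer -AutoSize
Get-CAAuthorityInformationAccess |
    Format-Table Uri, AddToCertificateAia, AddToCertificateOcsp -AutoSize

# Unpublish a template that is not meant to be issued by this CA.
# 'WebServer' is only an example name; choose per your own policy.
Remove-CATemplate -Name 'WebServer' -Force

# Back up the CA database and private key before further configuration.
# D:\CABackup is an assumed, empty destination folder.
$backupPwd = Read-Host -AsSecureString -Prompt 'Backup password'
Backup-CARoleService -Path 'D:\CABackup' -Password $backupPwd
```

Keeping the published template list minimal and verifying the CDP/AIA entries before the first certificate is issued avoids having to re-issue certificates later when those URLs change.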