• Home
  • Articles
    • Office 365
    • Exchange
    • Skype for Business (Lync)
    • Active Directory
    • Windows
    • Sharepoint
    • Joomla
    • Linux
    • Other
    • Blackberry
  • Project: Nagios Monitoring
    • First steps
    • NSCP installation
    • Scripts
    • FAQs
  • Links
  • Home
  • About
  • Imprint
Toggle navigation
Admin Enclave
  • Home
  • Articles
    • Office 365
    • Exchange
    • Skype for Business (Lync)
    • Active Directory
    • Windows
    • Sharepoint
    • Joomla
    • Linux
    • Other
    • Blackberry
  • Project: Nagios Monitoring
    • First steps
    • NSCP installation
    • Scripts
    • FAQs
  • Links
Home
/
Articles
/
Windows
/
Deploying a Certificate Authority on Windows Server 2012 R2 using powershell

Deploying a Certificate Authority on Windows Server 2012 R2 using powershell

Bastian W.Jan 03, 2016Articles \ Windows

Abstract: This howto explains how you can deploying the Active Directory Certificate Services (AD CS) and the Web Enrollment on Windows Server 2012 R2 using powershell.

Steps:

1.) Prepare a new Windows 2012 R2 Server (with or without GUI)

2.) Login into your Server with an domain admin account

3.) Start a new powershell via:

powershell

4.) Install the needed features via:

Install-WindowsFeature AD-Certificate

The AD-CertificateFeature will install the Active Directory Certificate Services and the Certificate Authority Feature.

5.) Create your CA now (in this example we will install one from the Type "EnterpriseRootCA"). With "-whatif" you can check which commands will be used, so run the following:

Install-AdcsCertificationAuthority -CACommonName "Contoso Test Root CA" -CAType EnterpriseRootCa -HashAlgorithmName SHA256 -KeyLength 2048 -ValidityPeriod Years -ValidityPeriodUnits 100 -whatif

Install enterprise CA on Windows 2012 R2

 

and check if everything fits your needs. If thats the case, install the AD without "-whatif":

Install-AdcsCertificationAuthority -CACommonName "Contoso Test Root CA" -CAType EnterpriseRootCa -HashAlgorithmName SHA256 -KeyLength 2048 -ValidityPeriod Years -ValidityPeriodUnits 100

If you do not wish to setup a test environment then limit the ValidityPeriodUnits to value which fits your needs.

If you wish to use SHA512, then please read KB 2973337 here, you can also use the hash algorithm SHA384 instead SHA256 above

SHA-1 shouldn´t any longer be used. See here for more details.

6.)  Install now the Active Directory Certificate Services (AD CS) Web enrollment via:

Install-WindowsFeature ADCS-Web-Enrollment

and

Install-AdcsWebEnrollment

This will build the virtual applications under the "Default Web Site" (which can be done also via 'certutil -vroot', but not needed here) and will also build the C:\Windows\System32\certsrv\certdat.inc file.

8.) If you setup the CA on a Windows 2012 R2 core you need to connect now to your administration workstation to perform the following steps. If you setup the CA on a Windows 2012 R2 Server with a GUI you can perform the following steps directly on this server.

9.) As the normal two year template might be to short for most companies we will create a new one now. This step is optional, if you wish to renew SSL certificated every two years, you can skip that step.

If you are installing the CA on Windows 2012 R2 with a GUI start the CA Management Console (certsrv.msc) on the server, otherwise start it on your management computer and connect it to the Windows 2012 R2 core server which runs the CA.

10.) Select "Certificate Templates" (A) -> and click on Manage (B).

11.) Select the "Web Server" template (A) and choose "Duplicate Template" (B).

12.) In the "General" tab enter a template name (A), choose the Validity period (B) and click on apply.

13.) In the "Request Handling" tab select the option "Allow private key to be exported" (A). Press Apply (B) and then OK.

Might be useful if you need to move some certificates in the future. But it might also limit the security!

14.) In the CA Management Console (certsrv.msc) click on "Certificate Template" (A) -> New (B) -> Certificate Template to Issue (C).

15.) Select our template (A) we created some steps before and click on OK (B).

Close the CA Management Console (certsrv.msc) now.

16.) Now create a new certificate for this server and add a https port to the default web site (as explained for example here).

 

Comments (0)

There are no comments posted here yet

Leave your comments

  1. Posting comment as a guest.
Attachments (0 / 3)
Share Your Location
Follow me on Twitter

Recent Posts

  • How to connect a Osram On/Off Plug with Phoscon/deCONZ

    Friday, 20 March 2020
  • Update TPM Firmware on Windows 10 1909

    Saturday, 15 February 2020
  • Switch your PC from BIOS to UEFI

    Tuesday, 07 January 2020
  • WLAN 6 (AX) released

    Monday, 23 September 2019
  • Use deCONZ to perform an OTA firmware update of OSRAM devices

    Saturday, 23 March 2019

Tags

Exchange 20162016 - MS ExchangeServer 2015Hardening2016 - MS Skype for Business Server 2017 - MS WindowsWindows Server 2012Windows2017 - MS ExchangeExchange 20132016 - MS Windows2013Exchange2017 - MS Skype for Business Server 2016 - MS SharepointRaspberry PiMicrosoftOpenHABHomeMatic2017 - MS Sharepoint

Archive

      • How to connect a Osram On/Off Plug with Phoscon/deCONZ
      • Update TPM Firmware on Windows 10 1909
      • Upgrade the BIOS from an ReadyNAS device
      • Switch your PC from BIOS to UEFI
      • WLAN 6 (AX) released
      • [ReSolved] Get-MailboxRestoreRequest matches multiple entries and couldn´t be performed
      • Use deCONZ to perform an OTA firmware update of OSRAM devices
      • Remove the Transparent Data Encryption (TDE) from a SQL DB
      • Install OpenHAB 2.4.x on Raspberry Pi (on Debian 9 - Stretch)
      • Windows 10 Driver for HP EliteBook 2570p Notebook-PC
      • Windows 10 Driver for HP EliteBook 850 G1 Notebook
      • Windows 10 Driver for HP EliteBook 8570p Notebook
      • Windows 10 Driver for IBM Thinkpad T560 Notebook
      • Windows 10 Driver for HP EliteBook 850 G5 Notebook
      • Windows 10 Driver for Lenovo T560 Notebook
      • Add an additional Sharepoint Admin to every Site Collection via Powershell
      • Do not install .NET Framework 4.7.2 on Exchange Servers yet
      • [Resolved] Unable to Migrate User to O365 due to "Target user 'XYZ' already has a primary mailbox"
      • Migrate SharePoint Elements to SharePoint Online
      • Microsoft Exchange OU picker is empty when creating new user or group
      • Exchange Online Powershell failed to connect when using MFA
      • Move-DatabasePath caused a "WMI exception occurred on server XY: Quota violation"
      • Privacy Policy
      • D:\AdvancedDataGovernanceLogs created on Exchange 2016
      • After May 2018 security update "An authentication error occurred" using RDP
      • Find out which .NET Framework version is installed
      • Install OpenHAB 2.0.x on Raspberry Pi (on Debian 9 - Stretch)
      • Convert a *.pfx certificate into *.pem
      • Changing last modified and creation date or time via PowerShell
      • Multidimensional arrays in Powershell
      • HowTo create an Enterprise Wiki on SharePoint Online
      • Attention: Microsoft Office 365 will disable support for TLS 1.0 and 1.1
      • [RESOLVED] Graphics Card issue when installing BlueStacks inside VMWare
      • How to create a pkcs12 file with a ordered certificate chain?
      • Publish an S/Mime certificate to AD via Powershell
      • [RESOLVED] iOS accounts needs permission to access resources in your organization that only an admin can grant
      • [RESOLVED] Exchange 2016 CU X failed to install error 1619
      • Headless Raspberry Pi WLAN Configuration
      • How to remove all partitions on an USB stick / SD card
      • How to generate a notifications once Handbreak finished its current work?
      • Enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP
      • Security Hardening: Upgrade Diffie-Hellman Prime to 2048 bit on Windows Server
      • Change a SSL Certificate on Windows Server 2012 R2 Web Application Proxy
      • Add Windows Updates to a Windows 7 SP1 image
      • When using Import-Module you got an unblock file error
      • [Resolved] Exchange admin got the error "User profile cannot be loaded" when using RDP
      • Google Chrome browser to deprecate trust in existing Symantec-issued certificates
      • [RESOLVED] Error ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY when using Google Chome and OWA
      • Cumulative Update 6 for Exchange Server 2016 released
      • Windows Phone 8.1 will reach EOL on the 2017-07-11
      • .NET Framework 4.7.* and Microsoft Exchange Server
      • Disable weak cipher (e.g. 3DES, SSLv3, MD5, ...) suites in Java
      • [RESOLVED] "Could not find stored procedure" after installing SfB Server Updates
      • [RESOLVED] None of the network adapters are bound to the netmon driver.
      • [Resolved] No connectivity with any of Web Conferencing Edge Servers - Event 41026
      • Raspberry Pi - Connect to multiple wireless networks (WLAN) automatically
      • From 0 to Raspberry Pi (start with Raspberry Pi)
      • [RESOLVED] Exchange 2016 IIS not usable after installation from CU5
      • Microsoft Exchange 2007 reached end of life today
      • .NET Framework 4.7 released but not yet supported on Exchange 2016
      • .NET Framework 4.7 released but not yet supported on Skype for Business
      • Using Quest ActiveRoles Management Shell to add/update all users from a OU inside an AD group
      • [RESOLVED] Can´t install Office Web Apps Server because it requires .NET 4.5
      • Cumulative Update 5 for Exchange Server 2016 released
      • Using the Skype for Business device update service
      • Enable XA transactions on Microsoft SQL 2012
      • [RESOLVED] The Open Procedure for service XXX in DLL "C:\Windows\System32\XXX.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code
      • WES7 is crashing on VMWare Workstation
      • WES7 / WES8 OS deployment issue on VMWare Workstation
      • [RESOLVED] Growing amount of missing disk space on Microsoft Exchange
      • Disabling TLS 1.0 on Microsoft Sharepoint
      • Reset the content index on an MS Exchange DAG environment
      • Deploy the Statistics Manager for Skype for Business Server
      • HowTo add own formats to the TinyMCE Editor in Joomla?
      • Create a Kerberos authentication account in Skype for Business
      • Hardening Microsoft Exchange 2016 Server
      • Hardening Microsoft SharePoint 2016 Server
      • Hardening Microsoft Skype for Business Server
      • [Workaround] "Screen presenting isn't supported with this contact" with SfB MAC
      • [RESOLVED] Black or frozen screen during screensharing in Skype for Business 2016
      • Exchange Windows OS Hardening: Disable SSL 2.0/3.0 & PCT 1.0 & weak ciphers
      • SfB Windows OS Hardening: Disable SSL 2.0/3.0 & PCT 1.0 & weak ciphers
      • SharePoint Windows OS Hardening: Disable SSL 2.0/3.0 & PCT 1.0 & weak ciphers
      • Configure https for Windows Remote Management (WinRM) on Windows 2012 R2
      • Configure https for Windows Remote Management (WinRM) on Windows 2012 R2
      • Configure https for Windows Remote Management (WinRM) on Windows 2012 R2
      • Hardening Skype for Business Server
      • [RESOLVED] You do not have the permission to send the message on behalf of the specified user
      • Copy Windows Installation DVD to ISO
      • [RESOLVED] The remote certificate is invalid according to the validation procedure.
      • Prevent that the Skype for Business client will open when the user click on an meeting URL
      • Test GroupPolicy (*.admx templates) locally without AD
      • Implementing the Skype for Business Call Quality Dashboard
      • Configure / Finetune the Microsoft Exchange search / indexing feature
      • Disable content indexing on all DBs on an Exchange DAG
      • HowTo: create Search Sharepoint 2013 Foundation Application via Powershell
      • Migrate from Exchange 2010 to Exchange 2016
      • Enable TLS 1.2 on Windows 2012 R2
      • Download Skype for Business for MAC
      • [RESOLVED] Exchange 2013/2016 hub transport Mail.que file large in size
      • How to get only a subset from a 2 GB big logfile?
      • Add the Internet Explorer 11 and Updates to a Windows 7 SP1 image
      • [RESOLVED] MSExchange Mailbox Replication error 1006 (database doesn't exist)
      • Nagios Core 3.x installation guide on Debian 8.x (Jessie)
      • Move Exchange 2010/2013 user to Exchange 2016
      • [RESOLVED]: "Whole calendar" greyed out when publishing a calendar via Outlook on a webdav server
      • SfB Windows OS Hardening: Disable the "X-AspNet-Version" header
      • Exchange Windows OS Hardening: Disable the "X-AspNet-Version" header
      • SharePoint Windows OS Hardening: Disable the "X-AspNet-Version" header
      • Powershell: Clean (Remove) all completed Exchange Mailbox move requests
      • HP Data Protector isn´t able to browse an Exchange 2016 DAG
      • Powershell: Get a list from all Exchange users, where the latest logon time is older then 270 days
      • Usefull links
      • Hardening Microsoft Exchange 2013 Server
      • [Solution] Skype for Business Error: This message wan´t send to Firstname LastName
      • Step-By-Step: Configuring Office Online Server with Skype for Business
      • Troubleshooting connection issues from users migrated from Exchange 2010 to Exchange 2013/2016
      • Skype for Business Server DB update needed after patch management
      • How to check the progress of the ‘Shrink Database’ task in SQL Server 2012
      • Build an MS Exchange Throttling Policy to remove inactive mobile device partnerships
      • Exchange Windows OS Hardening: Disable NTFS 8 Dot 3
      • SfB Windows OS Hardening: Disable NTFS 8 Dot 3
      • SharePoint Windows OS Hardening: Disable NTFS 8 Dot 3
      • Windows OS Hardening: Disable NTFS 8 Dot 3
      • [RESOLVED] Centralized Logging Service Agent Error while moving cache files to network share.
      • [RESOLVED] MS Web Application Proxy used with SfB caused a Error 502
      • Manage the SSL certificate on Exchange 2016 via Powershell
      • [RESOLVED] How to fix damaged or corrupt Health Mailbox on Exchange 2016
      • [RESOLVED] "The client and server cannot communicate, because they do not possess a common algorithm"
      • Homematic IP Schalt und Steckdose mit CCU 2 verbinden / anlernen
      • Exchange 2010 to Exchange 2016 Co-Existence migration OWA redirect not working
      • Factory reset HomeMatic IP devices
      • Factory reset / Werksreset von HomeMatic IP Geräten
      • Pairing / Using Homematic IP Pluggable Switch and Meter with an CCU2
      • [Resolved] A Skype for business user isn´t able to join meeting via invitation link
      • Installation von BluePy auf dem Raspberry Pi
      • Install BluePy on Raspberry Pi
      • Released: Microsoft Exchange 2016 CU 2
      • Install OpenHAB 1.x on Raspberry Pi
      • Installieren von OpenHAB 1.x auf dem Raspberry Pi
      • Rebalance Mailbox Databases in an Exchange Server DAG via TaskManager
      • Fix a failed and suspended content index state on MS Exchange
      • Howto send an email using telnet
      • Hardening Windows Server (Basic Steps)
      • [RESOLVED] No DNS servers could be retrieved from network adapter 00000000-0000-0000-0000-000000000000
      • [RESOLVED] Setup can't use the domain controller because it belongs to Active Directory site
      • Use MS Web Application Proxy as reverse proxy (and ADFS) with Skype for business
      • [RESOLVED] Error message 0x80094004 when completing a certification request on IIS
      • [RESOLVED] Unable to collect NUMA physical memory utilization data. The first four bytes (DWORD) of the Data section contains the status code.
      • Get all Exchange user inclusive details from a list of AD groups
Admin Enclave

The Admin enclave delivers the latest news, quick tips, useful tricks, and in-depth tutorials for IT pros working with IT solutions (e.g. Microsoft Sharepoint, Microsoft Exchange, Microsoft Skype for Business, Joomla, ...).

Follow Us

Recent Posts

  • How to connect a Osram On/Off Plug with Phoscon/deCONZ

    Friday, 20 March 2020
  • Update TPM Firmware on Windows 10 1909

    Saturday, 15 February 2020
  • Switch your PC from BIOS to UEFI

    Tuesday, 07 January 2020
  • WLAN 6 (AX) released

    Monday, 23 September 2019
  • Use deCONZ to perform an OTA firmware update of OSRAM devices

    Saturday, 23 March 2019

Popular Posts

  • How to fix “The program can’t start because MSVCR110.dll is missing from your computer.” error on Windows

    Sunday, 07 April 2013
  • [RESOLVED] You do not have the permission to send the message on behalf of the specified user

    Wednesday, 16 November 2016
  • [RESOLVED] Exchange 2013/2016 hub transport Mail.que file large in size

    Thursday, 13 October 2016
  • [RESOLVED] The Open Procedure for service XXX in DLL "C:\Windows\System32\XXX.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code

    Wednesday, 08 March 2017
  • [RESOLVED] "The client and server cannot communicate, because they do not possess a common algorithm"

    Wednesday, 13 July 2016
© 2012 - 2021 admin-enclave.com | Disclaimer | Privacy Policy | Imprint | Articles by year