Starting with Windows Server 2008 the CA product team introduced a set of COM objects that can be used to control the installation of CAs. Using VBScript you can quickly automate the setup and installation of a CA.Below is a script that is being used by the product team in our testing of Certificate Services. SetupCA.vbs was designed to have the functionality present in the setup UI but in an easy command line that can be used in automation. Most of the functionality of the script is fairly straight forward in just setting properties on the setup object. A couple of features, like the key/cert re-use, take a bit of code to get the setting right.
All of the ICertSrvSetup COM object properties and methods are documented in the MSDN at http://msdn.microsoft.com/en-us/library/bb736371%28VS.85%29.aspx.
The setup script is attached to this post, simply click the link for setupca.vbs and save the file to your local system.
Some example usages of the script:
Install Enterprise Root CACscript setupca.vbs /ie /sn MyRootCA /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256
Install Standalone Sub CACscript setupca.vbs /it /sn MySubCA /sr MyParentCAMachine\MyRootCA /sk 384 /sp "ECDSA_P384#Microsoft Software Key Storage Provider" /sa SHA1
Uninstall CA:Cscript setupca.vbs /uc
Install Web Pages:Cscript setupca.vbs /iw /sr MyParentCAMachine\MyRootCA
There is also a usage that lists all the parameters if you run the script without any arguments.
UPDATE: Script has been updated to include option for offline requests using new /OR switch. Example:
Install Enterprise Sub CA saving request to a file:
Cscript setupca.vbs /if /sn "My Sub CA" /sp "RSA#Microsoft Software Key Storage Provider" /sk 4096 /or "c:\temp\ca.req"
Great install script. Is there a way to specify the CA validity period and units? (Not the renewal) It appears the default is set to 5 years but just wondering if there is a simple argument to include in the install script that would allow for a validity period of 25 years instead of the default 5. Thanks again!
I took the liberty of lifting the script from here to add that functionality this morning, here are the details of how I shoe-horned it in:
I deliberately avoided attaching a modified version of the script in case this master copy gets amended in the future, so the blog entry details the bits I inserted so you can follow my steps (and do it better no doubt ;))
I have to reinstall Enterprise Root CA from existing backups of CA databases and private key, how can I do it?
When i use your script it creates new certificate, I can't specify existing юЗ12 file.
I searched the better part of 2 days trying to find a way to configure cert services on R2 core.
Thanks for providing this script. It works very nicely.
See http://blogs.technet.com/mrsnrub/archive/2010/03/02/q-when-is-a-validity-period-not-a-validity-period.aspx for instructions on how to modify script in order to include this functionality.
Cool script, thank you for that.
I wonder if the same could not be achive using PowerShell.
for instance POSH is used to manage Exchange, AD and other servcies.
Is there a particular reason to use "old" vbScript rather than "new" POSH scripts?
Thank you for your feedback
I agree with Patrick! Why aren't there CMDlets for this yet?
Where are the cmdlets for this? Or more setup functionality in servermanagercmd?
With the VBS, is there a way to specify the length of certificate validity?
How would one go about adding and configuring the Network Device Enrollment Service?
Unfortunately I am not aware of an automated SCEP installation script.
Which script do I use, this one or the one here: technet.microsoft.com/.../ee918754(WS.10).aspx
Refer to technet.microsoft.com/.../ee918754(WS.10).aspx. This contains an updated version of the script as of June 19th, 2012
The script works great if you are logged in. What I would like to do is install and setup the CA as part of an unattended install, as an Enterprise Root CA (setupca.vbs /IE). I cannot get this to work on 2008 R2. No matter in which pass I put it "specialize" (RunSynchronous) "oobeSystem" (FirstLogonCommands) or even in SetupComplete.cmd, I always get this error:
InstallAndVerifyCA: Error! Must be a domain administrator to create Enterprise CA
I know it needs AD to be up and running - I can setup AD unattended with dcpromo /unattend:file.ini - then a reboot is required - is there some way I can do the following during an unattended setup: