<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Windows PKI blog : Certification authority</title><link>http://blogs.technet.com/pki/archive/tags/Certification+authority/default.aspx</link><description>Tags: Certification authority</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Using VBScript to install CA on WS2008R2 server core</title><link>http://blogs.technet.com/pki/archive/2009/09/18/using-vbscript-to-install-ca-on-server-core.aspx</link><pubDate>Fri, 18 Sep 2009 19:24:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3281976</guid><dc:creator>shawncor</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/pki/comments/3281976.aspx</comments><wfw:commentRss>http://blogs.technet.com/pki/commentrss.aspx?PostID=3281976</wfw:commentRss><description>&lt;P&gt;In my &lt;A href="http://blogs.technet.com/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx"&gt;previous post&lt;/A&gt; I provided a VBScript (setupca.vbs) that automates the setup and installation of a CA. The same script can install a CA on Server Core, where the setup UI is not available. With the script and, in some cases, a couple of preparatory steps, a CA can be installed on Server Core with just a few commands at the CMD prompt.&lt;/P&gt;
&lt;P&gt;Steps:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;If you need WoW64, for example because a network HSM ships only 32-bit client binaries for the 64-bit system, install the WoW64 support first: 
&lt;UL&gt;
&lt;LI&gt;Run "Start /w ocsetup ServerCore-WOW64" to install the WoW64 support, and reboot the machine after the package is installed.&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;
&lt;LI&gt;If using an HSM or network HSM, install and configure the HSM software by following the HSM vendor's instructions, and confirm that its provider is listed by "certutil -csplist" before you run setup.&lt;/LI&gt;
&lt;LI&gt;Use the &lt;A href="http://blogs.technet.com/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx"&gt;setupca.vbs&lt;/A&gt; script to install the CA, passing the HSM's provider name with the /sp switch where an HSM is used.&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;The setupca.vbs script takes care of installing all the needed packages and files using OCSetup, since servermanagercmd is not available on the Server Core builds.&lt;/P&gt;</description><category domain="http://blogs.technet.com/pki/archive/tags/setup/default.aspx">setup</category><category domain="http://blogs.technet.com/pki/archive/tags/Certification+authority/default.aspx">Certification authority</category></item><item><title>Automated CA installs using VB script on Windows Server 2008 and 2008R2 [UPDATED]</title><link>http://blogs.technet.com/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx</link><pubDate>Fri, 18 Sep 2009 16:23:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3281975</guid><dc:creator>shawncor</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/pki/comments/3281975.aspx</comments><wfw:commentRss>http://blogs.technet.com/pki/commentrss.aspx?PostID=3281975</wfw:commentRss><description>&lt;P&gt;Starting with Windows Server 2008 the CA product team introduced a set of COM objects that control the installation of CAs, so with VBScript you can quickly automate the setup and installation of a CA. Below is the script the product team uses in our testing of Certificate Services. SetupCA.vbs was designed to expose the functionality of the setup UI as a simple command line that can be used in automation. Most of the script is straightforward: it just sets properties on the setup object. A couple of features, such as key/certificate re-use, take a bit more code to get the setting right.&lt;/P&gt;
&lt;P&gt;All of the ICertSrvSetup COM object properties and methods are documented in the MSDN at &lt;A title=http://msdn.microsoft.com/en-us/library/bb736371%28VS.85%29.aspx href="http://msdn.microsoft.com/en-us/library/bb736371%28VS.85%29.aspx" mce_href="http://msdn.microsoft.com/en-us/library/bb736371%28VS.85%29.aspx"&gt;http://msdn.microsoft.com/en-us/library/bb736371%28VS.85%29.aspx&lt;/A&gt;.&lt;/P&gt;
&lt;P align=left&gt;The setup script is attached to this post; click the setupca.vbs link and save the file to your local system.&lt;/P&gt;
&lt;P&gt;Some example usages of the script:&lt;/P&gt;
&lt;P&gt;Install Enterprise Root CA:&lt;BR&gt;Cscript setupca.vbs /ie /sn MyRootCA /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256&lt;BR&gt;&lt;/P&gt;
&lt;P&gt;Install Standalone Sub CA:&lt;BR&gt;Cscript setupca.vbs /it /sn MySubCA /sr MyParentCAMachine\MyRootCA /sk 384 /sp "ECDSA_P384#Microsoft Software Key Storage Provider" /sa SHA1&lt;BR&gt;(SHA1 is shown here only to illustrate the /sa switch; a new CA should sign with SHA256 or stronger.)&lt;BR&gt;&lt;/P&gt;
&lt;P&gt;Uninstall CA:&lt;BR&gt;Cscript setupca.vbs /uc&lt;BR&gt;&lt;/P&gt;
&lt;P&gt;Install Web Pages:&lt;BR&gt;Cscript setupca.vbs /iw /sr MyParentCAMachine\MyRootCA&lt;/P&gt;
&lt;P&gt;There is also a usage that lists all the parameters if you run the script without any arguments.&lt;/P&gt;
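As an added example that is not the setupca.vbs attached to this post, the same flow can be driven directly from PowerShell through the ICertSrvSetup COM object the script wraps: create the setup object, load its defaults, set the CA type, name and key parameters, then call Install. It assumes the AD CS role binaries are already present (on Server Core, via start /w ocsetup CertificateServices), an elevated shell running as an Enterprise Admin for an enterprise CA, and that the ProgID CertocmSetup.CertSrvSetup and the CASetupProperty and CAType values used below are as documented at the MSDN link above; verify them there before use. The provider, key length and hash are checked against the lists the setup object itself reports, so a typo fails before Install() rather than half-way through it.

```powershell
# Added example; not the setupca.vbs from the post. Drives ICertSrvSetup from PowerShell.
# Assumptions (labelled): AD CS role binaries already installed (Server Core:
# start /w ocsetup CertificateServices); elevated Enterprise Admin shell; ProgID and
# property/type values below taken from the ICertSrvSetup documentation - verify them.

# CASetupProperty identifiers (assumed from the ICertSrvSetup docs)
$SETUPPROP_CATYPE           = 0
$SETUPPROP_CAKEYINFORMATION = 1
$SETUPPROP_CANAME           = 3

# CAType values (assumed from the ICertSrvSetup docs)
$CATYPE_ENTERPRISE_ROOT = 0
$CATYPE_STANDALONE_ROOT = 3

function Install-RootCa {
    param(
        [Parameter(Mandatory=$true)][string]$CommonName,
        [string]$Provider  = "RSA#Microsoft Software Key Storage Provider",
        [int]   $KeyLength = 4096,
        [string]$Hash      = "SHA256",
        [switch]$Standalone,
        [switch]$WhatIf
    )

    $setup = New-Object -ComObject "CertocmSetup.CertSrvSetup"
    # bServer = $true prepares the CA role; bClient = $false leaves web enrollment alone
    $setup.InitializeDefaults($true, $false)

    # Validate against what setup actually offers before touching the machine
    $providers = @($setup.GetProviderNameList())
    if ($providers -notcontains $Provider) {
        throw "Provider '$Provider' not available. Known: $($providers -join ', ')"
    }
    $hashes = @($setup.GetHashAlgorithmList($Provider))
    if ($hashes -notcontains $Hash) {
        throw "Hash '$Hash' not offered by '$Provider'. Known: $($hashes -join ', ')"
    }
    $lengths = @($setup.GetKeyLengthList($Provider))
    if ($lengths.Count -gt 0 -and $lengths -notcontains $KeyLength) {
        throw "Key length $KeyLength not offered by '$Provider'. Known: $($lengths -join ', ')"
    }

    $caType = if ($Standalone) { $CATYPE_STANDALONE_ROOT } else { $CATYPE_ENTERPRISE_ROOT }
    $setup.SetCASetupProperty($SETUPPROP_CATYPE, $caType)
    $setup.SetCASetupProperty($SETUPPROP_CANAME, $CommonName)

    # Key information is an ICertSrvSetupKeyInformation object; edit the default one
    $keyInfo = $setup.GetCASetupProperty($SETUPPROP_CAKEYINFORMATION)
    $keyInfo.ProviderName  = $Provider
    $keyInfo.Length        = $KeyLength
    $keyInfo.HashAlgorithm = $Hash
    $setup.SetCASetupProperty($SETUPPROP_CAKEYINFORMATION, $keyInfo)

    if ($WhatIf) {
        Write-Host "Would install CA '$CommonName' (type $caType) using $Provider, $KeyLength bits, $Hash"
        return
    }
    $setup.Install()
}

# Same intent as: cscript setupca.vbs /ie /sn MyRootCA /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256
# Drop -WhatIf to actually install.
Install-RootCa -CommonName "MyRootCA" -WhatIf
```

The -WhatIf switch lets you run the validation path on a box and see what setup would accept without installing anything; key/certificate re-use (the Existing and ExistingCACertificate members of the key information object) is deliberately left out here, since that is the part the post says takes extra code in setupca.vbs.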
&lt;P&gt;UPDATE: The script has been updated to support offline requests through the new /OR switch, which saves the CA certificate request to a file instead of submitting it to a parent CA. Example:&lt;/P&gt;
&lt;P align=left&gt;Install Enterprise Sub CA, saving the request to a file:&lt;/P&gt;
&lt;P align=left&gt;Cscript setupca.vbs /if /sn "My Sub CA" /sp "RSA#Microsoft Software Key Storage Provider" /sk 4096 /or "c:\temp\ca.req"&lt;/P&gt;</description><enclosure url="http://blogs.technet.com/pki/attachment/3281975.ashx" length="43690" type="application/octet-stream" /><category domain="http://blogs.technet.com/pki/archive/tags/Configuration/default.aspx">Configuration</category><category domain="http://blogs.technet.com/pki/archive/tags/setup/default.aspx">setup</category><category domain="http://blogs.technet.com/pki/archive/tags/Certification+authority/default.aspx">Certification authority</category></item><item><title>How to get request statistics by template in PowerShell</title><link>http://blogs.technet.com/pki/archive/2009/09/10/how-to-get-request-statistics-by-template-in-powershell.aspx</link><pubDate>Thu, 10 Sep 2009 02:03:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3280211</guid><dc:creator>alrad</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/pki/comments/3280211.aspx</comments><wfw:commentRss>http://blogs.technet.com/pki/commentrss.aspx?PostID=3280211</wfw:commentRss><description>&lt;P&gt;I’ve been working with our support folks to help one of our customers. One of the things we wanted to learn about the environment is how many requests have been made against each certificate template that they issue. We came up with this PowerShell script, which you can run against a CA to find out.&lt;/P&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;
&lt;P style="MARGIN: 0in 0in 10pt" class=MsoNormal&gt;&lt;SPAN style="LINE-HEIGHT: 115%; FONT-FAMILY: 'Arial','sans-serif'; FONT-SIZE: 10pt"&gt;&lt;STRONG&gt;Disclaimer&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 10pt" class=MsoNormal&gt;&lt;SPAN style="LINE-HEIGHT: 115%; FONT-FAMILY: 'Arial','sans-serif'; FONT-SIZE: 10pt"&gt;The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 10pt" class=MsoNormal&gt;&lt;SPAN style="LINE-HEIGHT: 115%; FONT-FAMILY: 'Arial','sans-serif'; FONT-SIZE: 10pt"&gt;Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN: 0in 0in 10pt" class=MsoNormal&gt;&lt;SPAN style="LINE-HEIGHT: 115%; FONT-FAMILY: 'Arial','sans-serif'; FONT-SIZE: 10pt"&gt;The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;FONT size=1 face=Courier&gt;# one row per request: template name (V1) or template OID (V2/V3), restricted by issue date&lt;BR&gt;certutil -view -out CertificateTemplate -restrict "NotBefore &amp;gt; 08/20/2009" csv &amp;gt; out.txt &lt;BR&gt;&lt;/FONT&gt;&lt;FONT size=1 face=Courier&gt;$FileContents = gc out.txt &lt;BR&gt;&lt;/FONT&gt;&lt;FONT size=1 face=Courier&gt;write-host "Total rows:" $FileContents.length &lt;BR&gt;&lt;/FONT&gt;&lt;FONT size=1 face=Courier&gt;# count identical rows, most frequent template first&lt;BR&gt;$GroupedCounts = $FileContents | group | sort count -Descending &lt;BR&gt;$GroupedCounts | format-table Count,Name -auto&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;The output will look something like this:&lt;/P&gt;
&lt;P&gt;&lt;FONT size=1 face=Courier&gt;Total rows: 10 &lt;BR&gt;&lt;/FONT&gt;&lt;FONT size=1 face=Courier&gt;Count Name &lt;BR&gt;&lt;/FONT&gt;&lt;FONT size=1 face=Courier&gt;----- ---- &lt;BR&gt;&lt;/FONT&gt;&lt;FONT size=1 face=Courier&gt;4 "1.3.6.1.4.1.311...X &lt;BR&gt;&lt;/FONT&gt;&lt;FONT size=1 face=Courier&gt;3 "1.3.6.1.4.1.311...Y &lt;BR&gt;&lt;/FONT&gt;&lt;FONT size=1 face=Courier&gt;1 "8/20/2009 12:00 AM""Certificate Template" &lt;BR&gt;&lt;/FONT&gt;&lt;FONT size=1 face=Courier&gt;1 "DomainController" &lt;BR&gt;1 "EMPTY"&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;Let’s take a closer look at the script and at what can be tweaked. &lt;/P&gt;
&lt;P&gt;First, we run certutil.exe to dump each request’s template name or OID. V1 templates are recorded by name; V2 and V3 templates are recorded by OID. You can see template OIDs with the certutil.exe -template command; the template snap-in UI does not show them. &lt;/P&gt;
&lt;P&gt;Note that we restrict the output by date. Other useful restrictions are CertificateTemplate, if you want counts for a single template, and Request.StatusCode, if you are only interested in failed requests. We redirect the output to a text file, and we use the csv output format so that the rows are easier to consume in automation.&lt;/P&gt;
&lt;P&gt;We then group the output by the template name/OID and sort it based on the count in the descending order. Finally we output it as a table. &lt;/P&gt;
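As an added example that is not the script from this post, the variant below does the same grouping but drops the rows a practitioner would otherwise remove by hand (the column header row and the EMPTY value certutil prints when a request has no template) and narrows the query to one request disposition, so issued and failed requests can be counted separately. The sample rows are constructed to mimic certutil csv output and are not real CA data; the -Live switch runs the real certutil query instead.

```powershell
# Added example; not the script from the post. Counts certificate requests per
# template from certutil -view csv output, discarding the header row and EMPTY
# rows. Sample input below is constructed, not real CA data.

function Get-RequestCountByTemplate {
    param(
        [string]$NotBefore   = "08/20/2009",
        [int]   $Disposition = 20,      # 20 = issued, 30 = failed, 31 = denied, 9 = pending
        [switch]$Live,                  # query the local CA instead of using -Lines
        [string[]]$Lines
    )

    if ($Live) {
        # Same query as the original post, additionally restricted to one disposition
        $Lines = certutil -view -restrict "NotBefore > $NotBefore,Disposition=$Disposition" -out CertificateTemplate csv
    }
    if (-not $Lines) { throw "No input rows: pass -Lines or -Live" }

    $templates = foreach ($line in $Lines) {
        $value = $line.Trim().Trim('"')
        if ($value -eq "")                         { continue }   # blank line
        if ($value -match 'Certificate Template')  { continue }   # csv column header row
        if ($value -eq "EMPTY")                    { continue }   # request carried no template
        $value                                                    # V1 name or V2/V3 OID
    }

    $templates | Group-Object | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Template'; e = { $_.Name } }
}

# Constructed sample of what certutil -view ... csv returns: header, three V2 OID
# rows, one V1 template name, one request without a template.
$sampleLines = @(
    '"Certificate Template"',
    '"1.3.6.1.4.1.311.21.8.1.2.3.4.5"',
    '"1.3.6.1.4.1.311.21.8.1.2.3.4.5"',
    '"1.3.6.1.4.1.311.21.8.9.8.7.6.5"',
    '"DomainController"',
    '"EMPTY"'
)

Get-RequestCountByTemplate -Lines $sampleLines | Format-Table -AutoSize
# On a CA: Get-RequestCountByTemplate -Live -Disposition 30   (failed requests only)
```

Running it on the sample yields two rows for the first OID, one for the second and one for DomainController, with no header or EMPTY entry to strip afterwards; OIDs can still be mapped back to template names with certutil -template as described above.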
&lt;P&gt;Now let’s look at the output. The last line and the third line from the bottom contain garbage: the column header row, and the EMPTY value that certutil prints when the template column is empty for a request. If you are going to use the output of this script in automation, you need to drop those entries. They are simply an artifact of the certutil.exe output. &lt;/P&gt;</description><category domain="http://blogs.technet.com/pki/archive/tags/certutil/default.aspx">certutil</category><category domain="http://blogs.technet.com/pki/archive/tags/Certification+authority/default.aspx">Certification authority</category><category domain="http://blogs.technet.com/pki/archive/tags/powershell/default.aspx">powershell</category></item><item><title>CA performance</title><link>http://blogs.technet.com/pki/archive/2009/05/14/ca-performance.aspx</link><pubDate>Thu, 14 May 2009 17:26:04 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3241222</guid><dc:creator>MS2065</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/pki/comments/3241222.aspx</comments><wfw:commentRss>http://blogs.technet.com/pki/commentrss.aspx?PostID=3241222</wfw:commentRss><description>&lt;p&gt;In 2003 we published information about CA performance and how various factors affect it. The TechNet article is called &lt;a href="http://technet.microsoft.com/en-us/library/cc778985.aspx"&gt;Evaluating CA Capacity, Performance, and Scalability&lt;/a&gt; and is more or less still valid; scale its enrollment numbers to current hardware capabilities.&lt;/p&gt; &lt;p&gt;One point I would like to highlight is the article’s statement about key length. 
Key generation cost increases with key size, but that burden is borne by the client (recall the certificate enrollment flow documented in &lt;a href="http://technet.microsoft.com/en-us/library/cc776447.aspx"&gt;How Certificates Work&lt;/a&gt; under the heading &lt;em&gt;How Certificates Are Created&lt;/em&gt;). The CA’s performance therefore varies with key length only if key archival is used: the CA must then verify that the archived private key matches the public key by performing a round-trip encryption and decryption. Without key archival, key length is neutral to CA performance.&lt;/p&gt;</description><category domain="http://blogs.technet.com/pki/archive/tags/Certification+authority/default.aspx">Certification authority</category></item></channel></rss>