Windows PKI blog : setup

Using VBScript to install CA on WS2008R2 server core

shawncor — Fri, 18 Sep 2009 19:24:00 GMT

In my previous post I provided a script used for setup and installation of a CA using VBScript. The same script is capable of installing a CA on server core, where there is no UI available for installing. With the script and a few possible additional steps it's pretty easy to install a CA on server core with just a couple of commands in the CMD.

Steps:

If you need the functionality of WoW64, for example using a network HSM that needs to use 32bit binaries on the 64bit system you will need to install the WoW64 support.
- Run "Start /w ocsetup ServerCore-WOW64" to install the WoW64 support, reboot the machine after installing this package.
If using an HSM or network HSM install and configure the HSM software by following the instructions provided by the HSM vendor.
Use the setupca.vbs script to install the CA

The setupca.vbs script takes care of installing all the needed packages and files using OCSetup, since servermanagercmd is not available on the core builds.

Automated CA installs using VB script on Windows Server 2008 and 2008R2 [UPDATED]

shawncor — Fri, 18 Sep 2009 16:23:00 GMT

Starting with Windows Server 2008 the CA product team introduced a set of COM objects that can be used to control the installation of CAs. Using VBScript you can quickly automate the setup and installation of a CA.Below is a script that is being used by the product team in our testing of Certificate Services. SetupCA.vbs was designed to have the functionality present in the setup UI but in an easy command line that can be used in automation. Most of the functionality of the script is fairly straight forward in just setting properties on the setup object. A couple of features, like the key/cert re-use, take a bit of code to get the setting right.

All of the ICertSrvSetup COM object properties and methods are documented in the MSDN at http://msdn.microsoft.com/en-us/library/bb736371%28VS.85%29.aspx.

The setup script is attached to this post, simply click the link for setupca.vbs and save the file to your local system.

Some example usages of the script:

Install Enterprise Root CA
Cscript setupca.vbs /ie /sn MyRootCA /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256

Install Standalone Sub CA
Cscript setupca.vbs /it /sn MySubCA /sr MyParentCAMachine\MyRootCA /sk 384 /sp "ECDSA_P384#Microsoft Software Key Storage Provider" /sa SHA1

Uninstall CA:
Cscript setupca.vbs /uc

Install Web Pages:
Cscript setupca.vbs /iw /sr MyParentCAMachine\MyRootCA

There is also a usage that lists all the parameters if you run the script without any arguments.

UPDATE: Script has been updated to include option for offline requests using new /OR switch. Example:

Install Enterprise Sub CA saving request to a file:

Cscript setupca.vbs /if /sn "My Sub CA" /sp "RSA#Microsoft Software Key Storage Provider" /sk 4096 /or "c:\temp\ca.req"

How to set up a CA with a CNG (ECC) certificate

MS2065 — Wed, 23 Jan 2008 13:39:00 GMT

One of the improvements of the Windows Server 2008 Certification authority is the support for Cryptography Next Generation (CNG) with Elliptic Curve Cryptography (ECC).

I have described the CNG capabilities in my Certificate Server Enhancements in Windows Server codename "Longhorn" whitepaper but after reviewing the paper recently I noticed that it does not exactly explain how to set up a new Windows Server 2008 CA with a CNG certificate.

Also, the reference provided in paragraph "Configuring setup using a CAPolicy.inf file" is outdated and refers to an invalid page. The PKCS #1: RSA Cryptography Standard is now documented at http://www.rsa.com/rsalabs/node.asp?id=2125.

To set up a CA with a CNG certificate, perform the normal "Active Directory Certificate Services" setup procedure until you reach the Configure Cryptography for CA wizard page. Now you have to decide which Cryptography or Key Provider is used by the CA. All providers that have a #-sign as prefix in their name represent key storage provider and can support CNG algorithms.

Even if you don't have a requirement for a CNG certificate today, you should select a key storage provider that is supporting CNG. Luckily, the RSA#Microsoft Software Key Storage Provider is the default setting so that you have greater flexibility regarding hash algorithm configuration compared to cryptographic service providers. How to change the hash algorithm for a key storage provider is described in the chapter "Configuring the Cryptographic Algorithms used by the CA" in the Certificate Server Enhancements in Windows Server codename "Longhorn" whitepaper.