If you are looking to deploy an Active Directory certificate server or ADCS, then this can be deployed by server manager or a basic Powershell command.
Once the rollers installed, you will then need to do postcode configuration tasks to configure the service, I thought it would be quite simple to automate this so when you run the sscript it’s configured as per your requirements.
Each installation will have to completely has different requirements so it’s important with scripting you get the options correct, therefore, when the scripture run with and ask you a couple of key questions that will then go ahead and configure the role correctly for your requirements, It will also do some post installation best practice amendment, so you’re pretty much ready to hit the ground running with the service.
I am sure there are many scripts on the internet to cover this, but this is my take of those scripts as sometimes its better to make a script yourself and learn from it then copy other peoples.
Script : ADCS-Build-Server.ps1
# Import required modules
Import-Module ServerManager
# Function to prompt for yes/no questions
function Ask-YesNo {
param([string]$prompt)
do {
$response = Read-Host "$prompt (y/n)"
} until ($response -match '^[yn]$')
return $response -eq 'y'
}
# Function to prompt for input with a default value
function Read-InputWithDefault {
param(
[string]$prompt,
[string]$default
)
$response = Read-Host "$prompt [$default]"
if ([string]::IsNullOrWhiteSpace($response)) {
return $default
}
return $response
}
Write-Host "ADCS Certificate Server Configuration Build Script"
Write-Host "==================================================="
# Basic server information
$SERVER_FQDN = Read-InputWithDefault "Enter the server's Fully Qualified Domain Name (FQDN)" "ca.example.com"
$ORG_NAME = Read-InputWithDefault "Enter your organization name" "Example Organization"
$COUNTRY_CODE = Read-InputWithDefault "Enter your country code (2 letters)" "US"
$STATE = Read-InputWithDefault "Enter your state or province" "California"
$CITY = Read-InputWithDefault "Enter your city" "San Francisco"
# CA configuration
$ROOT_CA_NAME = Read-InputWithDefault "Enter the name for your Root CA" "Example Root CA"
$INTERMEDIATE_CA_NAME = Read-InputWithDefault "Enter the name for your Intermediate CA" "Example Intermediate CA"
$CA_VALIDITY_DAYS = Read-InputWithDefault "Enter the validity period for the Root CA in days" "3650"
# Certificate policies
$KEY_SIZE = if (Ask-YesNo "Do you want to use strong encryption (4096-bit RSA)?") { 4096 } else { 2048 }
$HASH_ALGORITHM = Read-InputWithDefault "Enter the hash algorithm to use (SHA256, SHA384, SHA512)" "SHA256"
$CRL_DIST_POINTS = if (Ask-YesNo "Do you want to enable CRL (Certificate Revocation List) distribution?") {
"URI:http://$SERVER_FQDN/crl/ca.crl"
} else { "" }
$OCSP_URL = if (Ask-YesNo "Do you want to enable OCSP (Online Certificate Status Protocol)?") {
"http://$SERVER_FQDN/ocsp"
} else { "" }
# Additional features
$WEB_INTERFACE = Ask-YesNo "Do you want to set up a web interface for certificate management?"
$AUTO_RENEWAL = Ask-YesNo "Do you want to enable automated certificate renewal?"
$LDAP_INTEGRATION = Ask-YesNo "Do you want to set up LDAP integration for user authentication?"
if ($LDAP_INTEGRATION) {
$LDAP_SERVER = Read-InputWithDefault "Enter LDAP server address" "ldap.example.com"
$LDAP_BASE_DN = Read-InputWithDefault "Enter LDAP base DN" "dc=example,dc=com"
}
# Network Security
$FIREWALL_ENABLED = Ask-YesNo "Do you want to enable firewall rules to restrict access to the CA server?"
$ENABLE_IPV6 = Ask-YesNo "Do you want to enable IPv6 support?"
# Security hardening
$AUTO_UPDATES = Ask-YesNo "Do you want to set up automated security updates?"
$ENABLE_AUDITING = Ask-YesNo "Do you want to enable advanced auditing for the CA?"
# Backup and recovery
$ENABLE_BACKUP = Ask-YesNo "Do you want to set up automated CA database backups?"
if ($ENABLE_BACKUP) {
$BACKUP_PATH = Read-InputWithDefault "Enter the backup path" "C:\CABackup"
$BACKUP_FREQUENCY = Read-InputWithDefault "Enter backup frequency in hours" "24"
}
# Performance tuning
$MAX_CONCURRENT_REQUESTS = Read-InputWithDefault "Enter maximum number of concurrent certificate requests" "100"
# Certificate templates
$ENABLE_CUSTOM_TEMPLATES = Ask-YesNo "Do you want to create custom certificate templates?"
if ($ENABLE_CUSTOM_TEMPLATES) {
$TEMPLATE_NAMES = Read-Host "Enter comma-separated names for custom templates"
}
# HSM Integration
$USE_HSM = Ask-YesNo "Do you want to use a Hardware Security Module (HSM) for key storage?"
if ($USE_HSM) {
$HSM_PROVIDER = Read-InputWithDefault "Enter the HSM provider name" "nCipher"
}
# Actual configuration steps
try {
# Install necessary roles and features
Install-WindowsFeature -Name AD-Certificate, ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
if ($WEB_INTERFACE) {
Install-WindowsFeature -Name Web-Server -IncludeManagementTools
}
# Configure Active Directory Certificate Services
$CAParams = @{
CAType = "EnterpriseRootCA"
CACommonName = $ROOT_CA_NAME
KeyLength = $KEY_SIZE
HashAlgorithm = $HASH_ALGORITHM
ValidityPeriod = "Years"
ValidityPeriodUnits = 10
}
if ($USE_HSM) {
$CAParams.Add("KeyProvider", $HSM_PROVIDER)
}
Install-AdcsCertificationAuthority @CAParams -Force
# Configure CRL and OCSP
if ($CRL_DIST_POINTS) {
Add-CAAuthorityInformationAccess -Uri $CRL_DIST_POINTS -AddToCertificateAia
}
if ($OCSP_URL) {
Add-CAAuthorityInformationAccess -Uri $OCSP_URL -AddToCertificateOcsp
}
# Configure web enrollment if requested
if ($WEB_INTERFACE) {
Install-AdcsWebEnrollment -Force
}
# Configure LDAP integration
if ($LDAP_INTEGRATION) {
# This would involve configuring AD CS to use LDAP for authentication
# Specific steps depend on your environment
Write-Host "LDAP integration configured. Please verify settings manually."
}
# Configure firewall
if ($FIREWALL_ENABLED) {
New-NetFirewallRule -DisplayName "Allow HTTPS" -Direction Inbound -LocalPort 443 -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "Allow HTTP" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow
}
# Configure IPv6
if (-not $ENABLE_IPV6) {
Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6
}
# Configure automatic updates
if ($AUTO_UPDATES) {
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" -Name AUOptions -Value 4
}
# Enable advanced auditing
if ($ENABLE_AUDITING) {
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
}
# Set up automated backups
if ($ENABLE_BACKUP) {
$backupScript = @"
certutil -backup $BACKUP_PATH
"@
$action = New-ScheduledTaskAction -Execute "Powershell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$backupScript`""
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours $BACKUP_FREQUENCY)
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "CA Backup" -Description "Automated CA Backup"
}
# Performance tuning
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" -Name "MaxIncomingMessageSize" -Value $MAX_CONCURRENT_REQUESTS
# Create custom certificate templates
if ($ENABLE_CUSTOM_TEMPLATES) {
$TEMPLATE_NAMES.Split(',') | ForEach-Object { # This is a placeholder. Actually creating custom templates is complex and depends on your specific needs
Write-Host "Creating custom template: $_"
}
}
Write-Host "Enhanced configuration complete. Please review the settings and perform any necessary post-configuration steps."
}
catch {
Write-Error "An error occurred during configuration: $_"
}
When the script is run it will ask you all the juicy questions then one all the questions are answered it will install the ACDS role as per your answers: