-
Notifications
You must be signed in to change notification settings - Fork 0
/
install-subca.ps1
192 lines (180 loc) · 5.96 KB
/
install-subca.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
<#
.SYNOPSIS
This function will install PKI SubCA.
.DESCRIPTION
This function will :
- Install ADCS Role
- Install Enterprise SubCA
- Configure CRL
- Configure AIA
- Configure SubCA settings
.PARAMETER CACommonName
The CA Certificate Common Name (Ex: "My Enterprise CA")
.PARAMETER CRLFilePath
The CRL File path where CRL are published (Default is C:\Windows\System32\CertSrv\CertEnroll)
.PARAMETER CRLURLPath
The CRL URL Path registered as CRL/AIA extensions in client certificates generated Ex: "pki.domain.local")
.NOTES
Author : Ivica Agatunovic
WebSite: https://github.com/ivicaagatunovic
Linkedin: www.linkedin.com/in/ivica-agatunovic-96090024
#>
Function Install-SubCA {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)]
[string]$CACommonName,
[Parameter(Mandatory=$false)]
[string]$CRLFilePath="C:\Windows\System32\CertSrv\CertEnroll",
[Parameter(Mandatory=$true)]
[string]$CRLURLPath
)
try
{
# Install the ADCS Role
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
}
catch
{
Write-Output "Error - Unable to install ADCS Role"
Write-Output $ErrorMessage
exit 1
}
try
{
#Install Enterprise SubCA
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName $CACommonName -KeyLength 2048 -HashAlgorithm SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") -OverwriteExistingKey -OverwriteExistingDatabase -Force
}
catch
{
Write-Output "Error - Unable to install Enterprise SubCA"
Write-Output $ErrorMessage
exit 1
}
try
{
#Configure CRL
#Remove CRL's
$crllist = Get-CACrlDistributionPoint
foreach ($crl in $crllist) {
Remove-CACrlDistributionPoint $crl.uri -Force
}
#Add New CRL's
Add-CACrlDistributionPoint -Uri $CRLFilePath"\"$CACommonName".crl" -PublishToServer -Force
Add-CACrlDistributionPoint -Uri "http://"$CRLURLPath"/"$CACommonName".crl" -AddToCertificateCdp -Force
}
catch
{
Write-Output "Error - Unable to configure CRL"
Write-Output $ErrorMessage
exit 1
}
try
{
#Configure AIA
#Remove unneccesary AIA's
Get-CAAuthorityInformationAccess | where {$_.uri -like '*ldap*'-or $_.Uri -like '*http*' -or $_.Uri -like '*file*'} | Remove-CAAuthorityInformationAccess -Force
#Add new AIA
Add-CAAuthorityInformationAccess -AddToCertificateAia "http://"+$CRLURLPath"/"$CACommonName".crt" -Force
}
catch
{
Write-Output "Error - Unable to configure AIA"
Write-Output $ErrorMessage
exit 1
}
try
{
#Configure SubCA settings
#Push some settings
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\CRLOverlapUnits 12
#Disabling Delta CRL publishing
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil.exe -setreg CA\ValidityPeriodUnits 10
certutil.exe -setreg CA\ValidityPeriod "Years"
certutil.exe -setreg CA\AuditFilter 127
# We have to remove the "digital signature" from the Future certificate we will generate.
certutil.exe -setreg policy\editflags -EDITF_ADDOLDKEYUSAGE
}
catch
{
Write-Output "Error - Unable to configure SubCA settings"
Write-Output $ErrorMessage
exit 1
}
}
Function Install-CRLWebSite {
<#
.SYNOPSIS
This function will install IIS WebSite for CRL checks.
.DESCRIPTION
This function will :
- Install IIS Role
- Remove Default Web Site
- Create new WebSite for CRL checks
- Configure CRL checks WebSite
.PARAMETER CRLWebSiteName
The CRL Web Site Name (Default is: "PKI")
.PARAMETER CRLFilePath
The CRL File path where CRL are published (Default is C:\Windows\System32\CertSrv\CertEnroll)
.PARAMETER CRLURLPath
The CRL URL Path (Ex: "pki.domain.local")
#>
[CmdletBinding()]
param (
[Parameter(Mandatory=$false)]
[string]$CRLWebSiteName="PKI",
[Parameter(Mandatory=$false)]
[string]$CRLFilePath="C:\Windows\System32\CertSrv\CertEnroll",
[Parameter(Mandatory=$true)]
[string]$CRLURLPath
)
try
{
# Install the IIS Role
Add-WindowsFeature Web-Server -IncludeManagementTools
}
catch
{
Write-Output "Error - Unable to install IIS Role"
Write-Output $ErrorMessage
exit 1
}
try
{
#Remove Default Web Site
Remove-WebSite -Name "Default Web Site"
}
catch
{
Write-Output "Error - Unable to remove Default Web Site"
Write-Output $ErrorMessage
exit 1
}
try
{
#Create CRL Web Site
New-WebSite -Name $CRLWebSiteName -Port 80 -PhysicalPath $CRLFilePath
}
catch
{
Write-Output "Error - Unable to Create new WebSite for CRL checks"
Write-Output $ErrorMessage
exit 1
}
try
{
#Configure CRL Web Site
Get-WebBinding -Name $CRLWebSiteName | Remove-WebBinding
New-WebBinding -Name $CRLWebSiteName -IPAddress "*" -HostHeader $CRLURLPath -Port 80
}
catch
{
Write-Output "Error - Unable to configure CRL Web Site"
Write-Output $ErrorMessage
exit 1
}
}