Certification Authority Service installation on Windows 2008 R2 Core

Today I’ll write about something completely new. Certification Authority Services, called AD CS (Certification Services) was added to the Windows Core distribution only in the R2 release. Windows Core themself was introduced as an installation option in the Windows 2008 release.
There is a lot of materials covering the Core installation, so I won’t describe it wider. For example, I suggest to read this Nataniel Zieliński’s article. For the moment, it is enough to know, that there is almost no graphical user interface. The system is managed from command promt. There is also very good Getting Started Guide what can help start up with Core installation, but most of new features introduced in R2 relase are still poorly documented.
The CA server installation requires using Add Role Creator on regular Windows 2008 R2, which is unavailable under Core version. So the first step is installation of service’s binaries. It can be done with following command:

1
start /w ocsetup.exe CertificateServices /norestart /quiet

Next really usefull step is to check corectness of installation. We can do that typing the following in the command prompt:

1
oclist find /i "CertificateServices"

After getting sure, that we have whole service’s package, we need to configure it. It can be done with VBScript program, which performs the automatic installation. It is available under following link. This script can help us avoid our headaches through simple and quick installation of our CA Service. But we still need to provide set of parameters which regulates its work. Full set of possible switches is provided on the script’s web page. Here, we need to pay attention that parameters:

1
/interactive

and

1
/iw

are not supported under Core installation.
Moreover, before performing CA Service installation process in Core as well as Regular distribution we need to prepare the CApolicy.inf file, what must be placed under %SYSTEMROOT% directory. There is example code of such file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
[Version]
Signature="$Windows NT$

[PolicyStatementExtension]
Policies=LegalPolicy

[LegalPolicy]
OID=1.1.1.1.1.1.1.121

NOTICE=Certificate issued under Test CA Policy
URL="http://pki.test.domain.lab/repozitory/cps.html"

[certsrv_server]
renewalkeylength=2048
RenewalValidityPeriodUnits=5
RenewalValidityPeriod=years
CRLPeriod=days
CRLPeriodUnits=14
CRLOverlapPeriod=days
CRlOverlapUnits=7
CRLDeltaPeriod=hours
CRLDeltaPeriodUnits=0

After the installation it is worthy to set up CDP (CRL Distribution Point) parameters with following commands:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
certutil -setreg CA\DSConfigDN CN=Configuration,DC=DOMAIN,DC=LAB
certutil -setreg CA\CRLPeriodUnits 14
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 7
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Hours"
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n79:http://pki.test.domain.lab/repozitory/%%3%%8%%9.crl\n65:file://\\%%1\CertEnroll/%%3%%8%%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n3:http://pki.test.domain.lab/repozitory/%%1_%%3%%4.crt\n1:file://\\%%1\CertEnroll/%%1_%%3%%4.crt"
certutil -setreg CA\AuditFilter 127
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"
net stop certsvc & net start certsvc
certutil -crl

Creation of such, or simillar script will help us ommit of “clicking off” Certificate’s parameters under remotely connected Management Console. At the end I would add, that the first article what helped me with start working with CA Services on Windows Core was this Eyalestrin’s article.