Windows/PowerShell: Automating the configuration of an Offline Root CA

Created: 12/29/19

Updated: 2/16/19

***Work-in-progress***

Peeps,

Writing a script for setting up a brand-new server and getting all of the basics covered before adding in something like this in Step 2 below:

Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
-CACommonName "G15IT Corporate Root CA II" `
-CADistinguishedNameSuffix "OU=CA,O=G15IT,C=Broken" `
-KeyLength 2048 `
-HashAlgorithmName SHA256 `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-DatabaseDirectory "C:\CA Database Files\CertDB" `
-LogDirectory "C:\CA Database Files\CertLog" `
-ValidityPeriod Years `
-ValidityPeriodUnits 50

So here is the snippet of the intro PowerShell code:

Scroll down till you see the light blue. What other Remote PowerShell Management tools would you guys add?

#
# ========== Step 1 ==========
#

#
# Define properties, setting adapter settings, setting time, renaming hostname and restarting
#

#
# Define User Input Strings
#

$CAhostname = Read-Host "Enter Hostname of Certificate Authority"
$CAIPAddress = Read-Host "Enter (Static) IP Address of Certificate Authority"
$CAPrefix = Read-Host "Enter Subnet Mask (as a CIDR prefix length, e.g. 24) of Certificate Authority"
$CADefaultGateway = Read-Host "Enter Default Gateway of the Certificate Authority"
$CADNS1 = Read-Host "Enter DNS (Primary) of Certificate Authority"
$CADNS2 = Read-Host "Enter DNS (Secondary) of Certificate Authority"

# Define the Computer Name
$hostname = $CAhostname

# Define the IPv4 Addressing
$IPAddress = $CAIPAddress
$SubnetMask = $CAPrefix
$GW = $CADefaultGateway
$DNS1 = $CADNS1
$DNS2 = $CADNS2

# Get the interface index of the (single) connected adapter. A bare (Get-NetAdapter).ifIndex
# returns an array on a host with more than one adapter and breaks New-NetIPAddress below.
$IPAdapter = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).ifIndex

# Disable IPv6 Random & Temporary IP Assignments
Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled

# Disable IPv6 Transition
Set-Net6to4Configuration -State Disabled
Set-NetIsatapConfiguration -State Disabled
Set-NetTeredoConfiguration -Type Disabled

# Add IPv4 Address, Gateway, and DNS
New-NetIPAddress -InterfaceIndex $IPAdapter -IPAddress $IPAddress -PrefixLength $SubnetMask -DefaultGateway $GW
Set-DnsClientServerAddress -InterfaceIndex $IPAdapter -ServerAddresses $DNS1, $DNS2

# Internet Time Servers (space-separated list, so it is passed to w32tm as one quoted argument)
$time = "0.us.pool.ntp.org 1.us.pool.ntp.org"

# Set Time Configuration (the Windows Time service must be running for /update to take effect)
Set-Service w32time -StartupType Automatic
Start-Service w32time
w32tm /config "/manualpeerlist:$time" /syncfromflags:manual /reliable:yes /update
w32tm /resync

# TESTING
# Configure remote management for CA (IIS Web Management Service; only present if that role is installed)
#Set-ItemProperty -Path "HKLM:\Software\Microsoft\WebManagement\Server" -Name "EnableRemoteManagement" -Value 1
# Configure remote management service to start automatically
#Set-Service WMSVC -StartupType Automatic

# Enable Remote PowerShell Management (-Force suppresses the interactive confirmation prompts)

Enable-PSRemoting -Force
Enable-NetFirewallRule -DisplayName "Windows Management Instrumentation (DCOM-In)"
Enable-NetFirewallRule -DisplayGroup "Remote Event Log Management"
Enable-NetFirewallRule -DisplayGroup "Remote Service Management"
Enable-NetFirewallRule -DisplayGroup "Remote Volume Management"
Enable-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management"
Enable-NetFirewallRule -DisplayGroup "Remote Scheduled Tasks Management"

# Enable Remote Desktop
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

# Enable Firewall Rule
# Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Set-NetFirewallRule -Enabled True

# Require Network Level Authentication for RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1

# Name the Computer, and a user validated Reboot
Rename-Computer -NewName $hostname -Force
[ValidateSet('Yes', 'No')]$Reboot = Read-Host "Want to Restart? Enter Yes/No"
If ($Reboot -eq 'Yes') { Restart-Computer -Force }
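Step 1 takes the hostname, address, prefix, gateway and DNS servers straight from Read-Host and applies them; a typo is only caught by New-NetIPAddress, after the IPv6 settings have already been changed. The block below is an added example, not code from the original post, that checks those answers first and re-prompts until they pass. The function names (Test-CAInput, Read-CAInput, ConvertTo-IPv4Long) and the sample values at the end are this example's own.

```powershell
# Added example: validate the operator's answers before Step 1 touches the adapter.
# Test-CAInput, Read-CAInput and ConvertTo-IPv4Long are names chosen for this example.

function ConvertTo-IPv4Long([string]$Address) {
    # Dotted quad (network byte order) -> integer, so subnet arithmetic can use -band
    $bytes = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [long]([BitConverter]::ToUInt32($bytes, 0))
}

function Test-CAInput {
    # Returns one string per problem found; an empty result means the answers are usable
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$Prefix,
        [Parameter(Mandatory)][string]$Gateway,
        [Parameter(Mandatory)][string[]]$Dns
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # NetBIOS computer name: 1-15 characters, letters/digits/hyphen, no leading or trailing hyphen
    if ($Hostname -notmatch '^(?!-)[A-Za-z0-9-]{1,15}(?<!-)$') {
        $findings.Add("Hostname '$Hostname' is not a valid NetBIOS name (1-15 chars, A-Z, 0-9, '-')")
    }

    # Every address must be IPv4. [IPAddress]::TryParse also accepts IPv6 and short forms
    # such as '10.1' (read as 10.0.0.1), so check the family and require four dotted octets.
    foreach ($addr in @($IPAddress, $Gateway) + $Dns) {
        $parsed = $null
        $ok = [System.Net.IPAddress]::TryParse($addr, [ref]$parsed) -and
              $parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork -and
              $addr -match '^\d{1,3}(\.\d{1,3}){3}$'
        if (-not $ok) { $findings.Add("'$addr' is not a dotted-quad IPv4 address") }
    }

    # The post prompts for a CIDR prefix length, not a dotted mask
    $prefixLen = 0
    if (-not [int]::TryParse($Prefix, [ref]$prefixLen) -or $prefixLen -lt 1 -or $prefixLen -gt 32) {
        $findings.Add("Prefix '$Prefix' must be a CIDR prefix length between 1 and 32")
    }
    elseif ($findings.Count -eq 0) {
        # The gateway must sit inside the CA's subnet; New-NetIPAddress accepts an
        # off-subnet gateway, but the host is then left without a working default route.
        $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefixLen))
        if (((ConvertTo-IPv4Long $IPAddress) -band $mask) -ne ((ConvertTo-IPv4Long $Gateway) -band $mask)) {
            $findings.Add("Gateway '$Gateway' is not inside $IPAddress/$prefixLen")
        }
    }
    return $findings
}

function Read-CAInput {
    # Prompts in the same order as Step 1 and loops until Test-CAInput reports nothing
    do {
        $in = @{
            Hostname  = Read-Host 'Enter Hostname of Certificate Authority'
            IPAddress = Read-Host 'Enter (Static) IP Address of Certificate Authority'
            Prefix    = Read-Host 'Enter Subnet Mask (CIDR prefix length) of Certificate Authority'
            Gateway   = Read-Host 'Enter Default Gateway of the Certificate Authority'
            Dns       = @((Read-Host 'Enter DNS (Primary)'), (Read-Host 'Enter DNS (Secondary)'))
        }
        $problems = @(Test-CAInput @in)
        $problems | ForEach-Object { Write-Warning $_ }
    } while ($problems.Count -gt 0)
    return $in
}

# Constructed sample values (not a real network): the gateway lies outside the /24,
# so exactly one finding is expected from this call.
Test-CAInput -Hostname 'CA-ROOT-01' -IPAddress '10.20.30.40' -Prefix '24' `
             -Gateway '10.20.31.1' -Dns '10.20.30.2', '10.20.30.3'
```

In the script, replace the six Read-Host lines with `$in = Read-CAInput` and feed `$in.Hostname`, `$in.IPAddress`, `$in.Prefix`, `$in.Gateway` and `$in.Dns` into the existing variables; everything after that stays as written.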

#
# ========== Step 2 ==========
#

# Install the AD CS role first; Install-AdcsCertificationAuthority needs the binaries in place
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Standalone (not Enterprise) root: this machine is a workgroup member and never joins the domain.
# 2048-bit RSA with a 50-year lifetime is the post's choice; 4096 bits is the usual
# recommendation for a root that is meant to live for decades.
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
-CACommonName "G15IT Corporate Root CA II" `
-CADistinguishedNameSuffix "OU=CA,O=G15IT,C=Broken" `
-KeyLength 2048 `
-HashAlgorithmName SHA256 `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-DatabaseDirectory "C:\CA Database Files\CertDB" `
-LogDirectory "C:\CA Database Files\CertLog" `
-ValidityPeriod Years `
-ValidityPeriodUnits 50 `
-Force
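Install-AdcsCertificationAuthority leaves the CA with its default CRL distribution point (CDP) and authority information access (AIA) entries, which point at LDAP and at the root's own local paths. Neither works for an offline root: a workgroup machine has no AD to publish to, and once the root certificate and CRL have been copied out the box is kept disconnected, so clients must fetch the CRL and CA certificate from an online web host instead. The block below is an added example, not code from the original post, showing the post-install settings a practitioner would apply next. The CA name is the one from the post; the web host `pki.g15it.example` is a placeholder for an online server that clients can reach, and the CRL lifetime of 52 weeks with a two-week overlap is an assumed operating schedule (the root has to be powered on at least once a year to re-sign the CRL).

```powershell
# Added example (not from the original post): CDP/AIA, CRL schedule and auditing for an offline root.
# Placeholder: http://pki.g15it.example/CertEnroll is an assumed online web host; replace it.

Import-Module ADCSAdministration

$HttpBase = 'http://pki.g15it.example/CertEnroll'   # assumed online publishing host

# 1. Replace the default CDP entries. Tokens: %3 = CA name, %8 = CRL name suffix, %9 = delta suffix.
Get-CACrlDistributionPoint | ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
# Local file the CA writes when it publishes; this is the file to copy to the web host
Add-CACrlDistributionPoint -Uri "$env:SystemRoot\System32\CertSrv\CertEnroll\%3%8%9.crl" -PublishToServer -Force
# HTTP URL that goes into the CDP extension of every certificate this root issues
Add-CACrlDistributionPoint -Uri "$HttpBase/%3%8%9.crl" -AddToCertificateCdp -Force

# 2. Replace the default AIA entries. Tokens: %1 = server DNS name, %4 = certificate name/renewal index.
Get-CAAuthorityInformationAccess | ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess -Uri "$HttpBase/%1_%3%4.crt" -AddToCertificateAia -Force

# 3. CRL schedule: the root is powered off most of the year, so a long base CRL and no delta CRL.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapPeriodUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

# 4. Lifetime of the certificates this root issues (its subordinate CAs); assumed 10 years
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

# 5. Audit every CA operation (all seven categories) and turn on the matching audit subcategory
certutil -setreg CA\AuditFilter 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Apply the registry changes and publish a CRL under the new settings
Restart-Service certsvc
certutil -crl

# Checks: the URLs that will be stamped into issued certificates, and the files to copy out
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll" | Where-Object Extension -in '.crl', '.crt'
```

After `certutil -crl` the .crl and .crt files in CertEnroll are what have to be carried to the online host (removable media, since the root stays off the network); the `certutil -getreg` lines are the quick confirmation that no LDAP or local-path URL survived into the extensions before the first subordinate CA certificate is issued.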

https://social.technet.microsoft.com/wiki/contents/articles/2901.public-key-infrastructure-design-guidance.aspx