I installed an offline root CA without issue using this command:

Install-ADcsCertificationAuthority `
-OverwriteExistingKey `
<#In the case of a re-installation#> `
-AllowAdministratorInteraction `
-CACommonName `
"LAB Corporate Root CA" `
-CADistinguishedNameSuffix `
'O=LAB Inc.,C=US' `
-CAType `
StandaloneRootCA `
-CryptoProviderName `
"RSA#Microsoft Software Key Storage Provider" `
-HashAlgorithmName `
SHA256 `
-KeyLength `
2048 `
-ValidityPeriod `
Years `
-ValidityPeriodUnits `
20 `
-DatabaseDirectory `
'E:\CAData\CertDB' `
-LogDirectory `
'E:\CAData\CertLog' `
-Verbose

I installed the root CA's cert and CRL on the policy CA, installed the AD CS binaries, and attempted to run this command to install the policy CA and export a req file:

Install-ADcsCertificationAuthority `
-OverwriteExistingKey `
<#In the case of a re-installation#> `
-AllowAdministratorInteraction `
-CACommonName `
"LAB Corporate Policy Internal CA" `
-CADistinguishedNameSuffix `
'O=LAB Inc.,C=US' `
-CAType `
StandaloneSubordinateCA `
-ParentCA `
rootca `
-OutputCertRequestFile `
'e:\polca-int.req' `
-CryptoProviderName `
"RSA#Microsoft Software Key Storage Provider" `
-HashAlgorithmName `
SHA256 `
-KeyLength `
2048 `
-ValidityPeriod `
Years `
-ValidityPeriodUnits `
10 `
-DatabaseDirectory `
'E:\CAData\CertDB' `
-LogDirectory `
'E:\CAData\CertLog' `
-Verbose

When doing this I receive the following error:

VERBOSE: Calling InitializeDefaults method on the setup object.
Install-ADcsCertificationAuthority :
At line:1 char:1
+ Install-ADcsCertificationAuthority `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Install-AdcsCertificationA
   uthority], CertificationAuthoritySetupException
    + FullyQualifiedErrorId : ValidateParameters,Microsoft.CertificateServices
   .Deployment.Commands.CA.InstallADCSCertificationAuthority

Is there a parameter I am entering incorrectly or something?

I want to add that Microsoft documentation appears to be incorrect regarding this as well. This article shows you how to install a subordinate CA and save an offline request in the GUI. It then shows the PS commands to do the same thing, but the PS command does not include the OutputCertRequestFile parameter and it does not explain if and where a req file is saved when using the command.

"The Windows PowerShell commands to perform the installation of the Enterprise Subordinate CA as shown in this section are":

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName "IssuingCA-APP1" -KeyLength 2048 -HashAlgorithm SHA1 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"
red888

1 Answer

I forgot this question was still out here. I hadn't installed a CA in a while and forgot that many subordinate CA settings are defined at the parent CA to which the request is being supplied.

I used the following command:

Install-ADcsCertificationAuthority `
-OverwriteExistingKey `
<#In the case of a re-installation#> `
-AllowAdministratorInteraction `
-CACommonName `
"LAB Corporate Policy Internal CA" `
-CADistinguishedNameSuffix `
<#in order to include comma#> `
"O=`"LAB, Inc.`",C=US" `
-CAType `
StandaloneSubordinateCA `
-OutputCertRequestFile `
<#bug?: still created in root of c:\ with default name#> `
'e:\polca-int.req' `
-CryptoProviderName `
"RSA#Microsoft Software Key Storage Provider" `
-HashAlgorithmName `
SHA256 `
-DatabaseDirectory `
'E:\CAData\CertDB' `
-LogDirectory `
'E:\CAData\CertLog' `
-Verbose
red888
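
The parameter conflict behind the `ValidateParameters` error can be caught before the installer runs. The following PowerShell is an added example, not code from the original post or from Microsoft: `Test-SubCaParams` is a hypothetical helper name, and the two rules it checks come from the `Install-AdcsCertificationAuthority` parameter documentation (omit `-ValidityPeriod` for a subordinate CA, and do not combine `-ParentCA` with `-OutputCertRequestFile`).

```powershell
# Added example. Test-SubCaParams is a hypothetical helper, not part of the
# ADCSDeployment module. It inspects a splat table before it is passed on.
function Test-SubCaParams {
    param([Parameter(Mandatory)][hashtable]$Params)

    $problems = @()
    $isSubordinate = $Params['CAType'] -like '*SubordinateCA'

    # -ParentCA submits the request online; -OutputCertRequestFile saves it
    # for offline submission. The documentation says not to combine them.
    if ($Params.ContainsKey('ParentCA') -and $Params.ContainsKey('OutputCertRequestFile')) {
        $problems += 'ParentCA and OutputCertRequestFile cannot be used together.'
    }

    # The lifetime of a subordinate CA certificate is decided by the parent CA
    # that signs the request, so the requester must not specify it.
    if ($isSubordinate) {
        foreach ($name in 'ValidityPeriod', 'ValidityPeriodUnits') {
            if ($Params.ContainsKey($name)) {
                $problems += "$name is determined by the parent CA; remove it for $($Params['CAType'])."
            }
        }
    }
    return ,$problems
}

# The failing parameter set from the question, rewritten as a splat table
# (values copied from the post; no backtick continuations needed).
$polCa = @{
    CACommonName              = 'LAB Corporate Policy Internal CA'
    CADistinguishedNameSuffix = 'O=LAB Inc.,C=US'
    CAType                    = 'StandaloneSubordinateCA'
    ParentCA                  = 'rootca'
    OutputCertRequestFile     = 'e:\polca-int.req'
    CryptoProviderName        = 'RSA#Microsoft Software Key Storage Provider'
    HashAlgorithmName         = 'SHA256'
    KeyLength                 = 2048
    ValidityPeriod            = 'Years'
    ValidityPeriodUnits       = 10
    DatabaseDirectory         = 'E:\CAData\CertDB'
    LogDirectory              = 'E:\CAData\CertLog'
}

$issues = Test-SubCaParams -Params $polCa
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } }
else { Install-AdcsCertificationAuthority @polCa -WhatIf }   # dry run only
```

With the table as written, the check reports three problems and the installer is never called; removing `ParentCA`, `ValidityPeriod` and `ValidityPeriodUnits` lets the `-WhatIf` dry run proceed.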