Automated CA installs using VB script on Windows Server 2008 and 2008R2 [UPDATED]

Starting with Windows Server 2008, the CA product team introduced a set of COM objects that can be used to control the installation of CAs. Using VBScript you can quickly automate the setup and installation of a CA. Below is a script that is being used by the product team in our testing of Certificate Services. SetupCA.vbs was designed to expose the functionality present in the setup UI through a simple command line that can be used in automation. Most of the script is fairly straightforward: it just sets properties on the setup object. A couple of features, like the key/certificate re-use, take a bit of code to get the setting right.

All of the ICertSrvSetup COM object properties and methods are documented in the MSDN at https://msdn.microsoft.com/en-us/library/bb736371%28VS.85%29.aspx.
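As an added illustration of the property-setting flow the script wraps (this is not the attached setupca.vbs, and the ProgIDs, enum names and values below are assumptions recalled from the MSDN reference linked above, so verify them there), here is a minimal Enterprise Root CA install driven directly through ICertSrvSetup, using the same provider, key size and hash as the first usage example:

```vbscript
' Added example, not the attached setupca.vbs. Installs an Enterprise Root CA
' through the ICertSrvSetup COM object. Run with cscript as a domain admin.
Option Explicit

' CASetupProperty enum values (assumed from the MSDN reference; verify there)
Const ENUM_SETUPPROP_CATYPE = 0
Const ENUM_SETUPPROP_CAKEYINFORMATION = 1
Const ENUM_SETUPPROP_INTERACTIVE = 2
Const ENUM_SETUPPROP_CANAME = 3
Const ENUM_SETUPPROP_VALIDITYPERIOD = 5
Const ENUM_SETUPPROP_VALIDITYPERIODUNIT = 6

' CASetupType and ENUM_PERIOD values (assumed from the MSDN reference)
Const ENUM_ENTERPRISE_ROOTCA = 0
Const ENUM_PERIOD_YEARS = 6

Dim oSetup, oKey, sCAName
sCAName = "MyRootCA"   ' constructed sample value

Set oSetup = CreateObject("CertocmSrv.CertSrvSetup")

' Populate defaults for the server role only (no web enrollment client)
oSetup.InitializeDefaults True, False

' Suppress any interactive prompts so the install runs unattended
oSetup.SetCASetupProperty ENUM_SETUPPROP_INTERACTIVE, False
oSetup.SetCASetupProperty ENUM_SETUPPROP_CATYPE, ENUM_ENTERPRISE_ROOTCA
oSetup.SetCASetupProperty ENUM_SETUPPROP_CANAME, sCAName

' Key information is a nested object: fetch it, edit it, write it back
Set oKey = oSetup.GetCASetupProperty(ENUM_SETUPPROP_CAKEYINFORMATION)
oKey.ProviderName = "RSA#Microsoft Software Key Storage Provider"
oKey.Length = 4096
oKey.HashAlgorithm = "SHA256"
oSetup.SetCASetupProperty ENUM_SETUPPROP_CAKEYINFORMATION, oKey

' Override the default 5-year CA certificate lifetime (sample: 10 years)
oSetup.SetCASetupProperty ENUM_SETUPPROP_VALIDITYPERIOD, 10
oSetup.SetCASetupProperty ENUM_SETUPPROP_VALIDITYPERIODUNIT, ENUM_PERIOD_YEARS

' Full subject of the CA certificate; DC components are constructed samples.
' Flags (assumed order): ignore Unicode, overwrite existing, overwrite in DS
oSetup.SetCADistinguishedName "CN=" & sCAName & ",DC=contoso,DC=com", _
    True, True, True

On Error Resume Next
oSetup.Install
If Err.Number <> 0 Then
    WScript.Echo "Install failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
WScript.Echo "Installed Enterprise Root CA " & sCAName
```

Keep the install on a machine you intend to be the root of trust; the CA certificate it issues will be distributed to every domain member through AD, so the key length, hash and validity chosen here are long-lived decisions.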

The setup script is attached to this post, simply click the link for setupca.vbs and save the file to your local system.


Some example usages of the script:

Install Enterprise Root CA:
Cscript setupca.vbs /ie /sn MyRootCA /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256

Install Standalone Sub CA:
Cscript setupca.vbs /it /sn MySubCA /sr MyParentCAMachine\MyRootCA /sk 384 /sp "ECDSA_P384#Microsoft Software Key Storage Provider" /sa SHA1

Uninstall CA:
Cscript setupca.vbs /uc

Install Web Pages:
Cscript setupca.vbs /iw /sr MyParentCAMachine\MyRootCA

There is also a usage that lists all the parameters if you run the script without any arguments.


UPDATE: The script has been updated to include an option for offline requests using the new /OR switch. Example:

Install Enterprise Sub CA saving request to a file:

Cscript setupca.vbs /if /sn "My Sub CA" /sp "RSA#Microsoft Software Key Storage Provider" /sk 4096 /or "c:\temp\ca.req"

setupca.vbs

Comments

  • Anonymous
    January 01, 2003
    I have to reinstall Enterprise Root CA from existing backups of CA databases and private key, how can I do it? When I use your script it creates a new certificate, I can't specify an existing P12 file.

  • Anonymous
    January 01, 2003
    Great install script. Is there a way to specify the CA validity period and units? (Not the renewal) It appears the default is set to 5 years but just wondering if there is a simple argument to include in the install script that would allow for a validity period of 25 years instead of the default 5. Thanks again!

  • Anonymous
    January 01, 2003
    See http://blogs.technet.com/mrsnrub/archive/2010/03/02/q-when-is-a-validity-period-not-a-validity-period.aspx for instructions on how to modify script in order to include this functionality.

  • Anonymous
    January 01, 2003
    How would one go about adding and configuring the Network Device Enrollment Service?

  • Anonymous
    January 01, 2003
    I searched the better part of 2 days trying to find a way to configure cert services on R2 core. Thanks for providing this script. It works very nicely.

  • Anonymous
    January 01, 2003
    @lsickscoobyl: I took the liberty of lifting the script from here to add that functionality this morning, here are the details of how I shoe-horned it in: http://blogs.technet.com/mrsnrub/archive/2010/03/02/q-when-is-a-validity-period-not-a-validity-period.aspx I deliberately avoided attaching a modified version of the script in case this master copy gets amended in the future, so the blog entry details the bits I inserted so you can follow my steps (and do it better no doubt ;))

  • Anonymous
    January 01, 2003
    Unfortunately I am not aware of an automated SCEP installation script.

  • Anonymous
    July 09, 2010
    Cool script, thank you for that. I wonder if the same could not be achieved using PowerShell. For instance, POSH is used to manage Exchange, AD and other services. Is there a particular reason to use "old" VBScript rather than "new" POSH scripts? Thank you for your feedback.

  • Anonymous
    February 10, 2011
    I agree with Patrick! Why aren't there cmdlets for this yet?

  • Anonymous
    March 07, 2011
    Where are the cmdlets for this? Or more setup functionality in servermanagercmd? With the VBS, is there a way to specify the length of certificate validity?

  • Anonymous
    May 31, 2012
    Which script do I use, this one or the one here: technet.microsoft.com/.../ee918754(WS.10).aspx

  • Anonymous
    July 12, 2012
    Refer to technet.microsoft.com/.../ee918754(WS.10).aspx. This contains an updated version of the script as of June 19th, 2012.

  • Anonymous
    July 18, 2012
    The script works great if you are logged in. What I would like to do is install and set up the CA as part of an unattended install, as an Enterprise Root CA (setupca.vbs /IE). I cannot get this to work on 2008 R2. No matter in which pass I put it, "specialize" (RunSynchronous), "oobeSystem" (FirstLogonCommands) or even in SetupComplete.cmd, I always get this error: InstallAndVerifyCA: Error! Must be a domain administrator to create Enterprise CA. I know it needs AD to be up and running. I can set up AD unattended with dcpromo /unattend:file.ini, then a reboot is required. Is there some way I can do the following during an unattended setup: dcpromo /unattend:file.init, reboot, setupca.vbs /IE?