AD CS deployment cmdlets: Install-ADcsCertificationAuthority cmdlet fails when trying to install an offline policy CA

I installed an offline root CA with the following command, without any problems:

Install-ADcsCertificationAuthority `
-OverwriteExistingKey `
<#In the case of a re-installation#> `
-AllowAdministratorInteraction `
-CACommonName `
"LAB Corporate Root CA" `
-CADistinguishedNameSuffix `
'O=LAB Inc.,C=US' `
-CAType `
StandaloneRootCA `
-CryptoProviderName `
"RSA#Microsoft Software Key Storage Provider" `
-HashAlgorithmName `
SHA256 `
-KeyLength `
2048 `
-ValidityPeriod `
Years `
-ValidityPeriodUnits `
20 `
-DatabaseDirectory `
'E:\CAData\CertDB' `
-LogDirectory `
'E:\CAData\CertLog' `
-Verbose

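I installed the root CA's certificate and CRL on the policy CA, installed the AD CS binaries, and tried running this command to install the policy CA and export the req file: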

Install-ADcsCertificationAuthority `
-OverwriteExistingKey `
<#In the case of a re-installation#> `
-AllowAdministratorInteraction `
-CACommonName `
"LAB Corporate Policy Internal CA" `
-CADistinguishedNameSuffix `
'O=LAB Inc.,C=US' `
-CAType `
StandaloneSubordinateCA `
-ParentCA `
rootca `
-OutputCertRequestFile `
'e:\polca-int.req' `
-CryptoProviderName `
"RSA#Microsoft Software Key Storage Provider" `
-HashAlgorithmName `
SHA256 `
-KeyLength `
2048 `
-ValidityPeriod `
Years `
-ValidityPeriodUnits `
10 `
-DatabaseDirectory `
'E:\CAData\CertDB' `
-LogDirectory `
'E:\CAData\CertLog' `
-Verbose

When I do this, I receive the following error:

VERBOSE: Calling InitializeDefaults method on the setup object.
Install-ADcsCertificationAuthority :
At line:1 char:1
+ Install-ADcsCertificationAuthority `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Install-AdcsCertificationA
   uthority], CertificationAuthoritySetupException
    + FullyQualifiedErrorId : ValidateParameters,Microsoft.CertificateServices
   .Deployment.Commands.CA.InstallADCSCertificationAuthority

Are the parameters I entered wrong?

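I'd like to add that the Microsoft documentation on this point also seems to be incorrect. The article shows how to install a subordinate CA in the GUI and save an offline request. It then shows the PS command that does the same thing, but the PS command does not include the OutputCertRequestFile parameter, and it does not say whether the req file is saved when using the command, or where.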

"The Windows PowerShell commands shown in this section to perform the enterprise subordinate CA installation are as follows":

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName "IssuingCA-APP1" -KeyLength 2048 -HashAlgorithm SHA1 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"

Answer 1

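I forgot this question was still here. I hadn't installed a CA in a while, and I had forgotten that many subordinate CA settings are defined in the parent CA to which its request is submitted.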

I used the following command:

Install-ADcsCertificationAuthority `
-OverwriteExistingKey `
<#In the case of a re-installation#> `
-AllowAdministratorInteraction `
-CACommonName `
"LAB Corporate Policy Internal CA" `
-CADistinguishedNameSuffix `
<#in order to include comma#> `
"O=`"LAB, Inc.`",C=US" `
-CAType `
StandaloneSubordinateCA `
-OutputCertRequestFile `
<#bug?: still created in root of c:\ with default name#> `
'e:\polca-int.req' `
-CryptoProviderName `
"RSA#Microsoft Software Key Storage Provider" `
-HashAlgorithmName `
SHA256 `
-DatabaseDirectory `
'E:\CAData\CertDB' `
-LogDirectory `
'E:\CAData\CertLog' `
-Verbose
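
An added example, not part of the original answer: because the lifetime of a subordinate CA's certificate is set by the parent that issues it, this sketch shows the follow-on steps on the offline root and on the policy CA. The 10-year value and the `rootca` host name come from the question; the `E:\transfer` paths and the prompt for the request ID are assumptions.

```powershell
# --- On the policy CA: locate and inspect the request -----------------------
# The answer reports the .req landing in the root of C:\ under a default name,
# so check both the requested path and the drive root and take the newest file.
$req = Get-ChildItem -Path 'E:\polca-int.req', 'C:\*.req' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $req) { throw 'No certificate request file found.' }

# Review subject, key length and signature hash before the file leaves the host.
certutil -dump $req.FullName

# --- On the offline root CA (request carried over on removable media) -------
# Assumed transfer locations; adjust to wherever the media is mounted.
$reqOnRoot = 'E:\transfer\polca-int.req'
$cerOnRoot = 'E:\transfer\polca-int.cer'
$rootCfg   = 'rootca\LAB Corporate Root CA'   # <host>\<CA common name>

# The lifetime of certificates the root issues is read from these registry
# values on the root, not from the subordinate's install parameters.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod Years
Restart-Service -Name certsvc

# A standalone CA holds requests as pending by default: submit, approve, retrieve.
certreq -submit -config $rootCfg $reqOnRoot
$requestId = Read-Host 'RequestId printed by certreq -submit'
certutil -resubmit $requestId
certreq -retrieve -config $rootCfg $requestId $cerOnRoot

# --- Back on the policy CA ---------------------------------------------------
# Bind the issued certificate to the pending CA key, then start the service.
certutil -installcert 'E:\transfer\polca-int.cer'
Start-Service -Name certsvc
```

Run each section on the host named in its comment; the root CA's certificate and CRL must already be trusted on the policy CA, as described in the question, for `certutil -installcert` to build the chain.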
