Introduction

The xAdcsDeployment module is a part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit, which is a collection of DSC Resources produced by the PowerShell Team. This module contains the resources xAdcsCertificationAuthority and xAdcsWebEnrollment. The xAdcsDeployment module can be used to configure Certificate Services after the role is enabled on a Windows Server.

All of the resources in the DSC Resource Kit are provided AS IS, and are not supported through any Microsoft standard support program or service. The "x" in xAdcsDeployment stands for experimental, which means that these resources will be fixed forward and monitored by the module owner(s).

Please leave comments, feature requests, and bug reports in the Q & A tab for this module.

If you would like to modify the xAdcsDeployment module, feel free. When modifying, please update the module name, resource friendly name, and MOF class name (instructions below). As specified in the license, you may copy or modify this resource as long as it is used on the Windows platform.

For more information about Windows PowerShell Desired State Configuration, check out the blog posts on the PowerShell Blog (this is a good starting point). There are also great community resources, such as PowerShell.org or PowerShell Magazine. For more information on the DSC Resource Kit, check out this blog post.

Installation

To install xAdcsDeployment module

  • Unzip the content under $env:ProgramFiles\WindowsPowerShell\Modules folder

To confirm installation:

  • Run Get-DscResource to see that xAdcsCertificationAuthority and xAdcsWebEnrollment (the two resources in the xAdcsDeployment module) are among the DSC Resources listed

Requirements

This module requires the latest version of PowerShell (v4.0, which ships in Windows 8.1 and Windows Server 2012 R2). To easily use PowerShell 4.0 on older operating systems, install WMF 4.0. Please read the installation instructions that are present on both the download page and the release notes for WMF 4.0.
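The installation and requirements steps above, as a single verification script. This is an added example, not part of the module or its documentation; the archive path C:\Temp\xAdcsDeployment.zip is a hypothetical location for the downloaded zip, and the script uses the .NET ZipFile class because Expand-Archive does not exist on PowerShell 4.0.

```powershell
# Added example: check the PowerShell version, unpack the module into the
# system module path and confirm that both DSC resources can be discovered.
$zipPath    = 'C:\Temp\xAdcsDeployment.zip'   # hypothetical download location
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules'

# WMF 4.0 is the minimum; Get-DscResource does not exist on older versions.
if ($PSVersionTable.PSVersion.Major -lt 4) {
    throw "PowerShell 4.0 or later is required, found $($PSVersionTable.PSVersion)"
}

# A zip downloaded from the gallery carries the Internet zone mark; clear it
# before extracting so the module files are not treated as blocked content.
Unblock-File -Path $zipPath

# Expand-Archive only ships with PowerShell 5.0, so use .NET 4.5's ZipFile,
# which is present on every platform that supports WMF 4.0.
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipPath, $modulePath)

# Confirm both resources are discoverable and list the properties each exposes,
# which is the quickest way to check the schema against the Details section.
$expected = 'xAdcsCertificationAuthority', 'xAdcsWebEnrollment'
foreach ($name in $expected) {
    $res = Get-DscResource -Name $name -ErrorAction SilentlyContinue
    if (-not $res) {
        throw "DSC resource $name was not found under $modulePath"
    }
    '{0}: {1}' -f $res.Name, (($res.Properties.Name) -join ', ')
}
```

If the extraction succeeds but Get-DscResource finds nothing, check that the zip contained a top-level xAdcsDeployment folder (the module folder name must match the module name) and that it landed directly under the Modules directory rather than one level deeper.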

Description

The xAdcsDeployment module provides two resources, xAdcsCertificationAuthority and xAdcsWebEnrollment. The module has been specifically tested as a method to populate a Certificate Services server role on Windows Server 2012 R2 after the Certificate Services role and the Web Enrollment feature have been enabled. Active Directory Certificate Services (AD CS) is used to create certification authorities and related role services that allow you to issue and manage certificates used in a variety of applications.

Scenario

Certificates are widely used to establish trust relationships between computers. This DSC resource can be used to address some of the most common scenarios including the need for a Stand-Alone Certificate Authority or an Active Directory Trusted Root Certificate Authority and the Certificate Services website for users to submit and complete certificate requests.

In a specific example, when building out a web server workload such as an internal website that provides confidential information to be accessed from computers that are members of an Active Directory domain, AD CS can provide a source for the SSL/TLS certificates that domain-joined computers will trust automatically, because an enterprise CA's certificate is published to the domain and distributed to member computers.

Details

xAdcsCertificationAuthority resource has following properties:

  • CAType - Specifies the type of certification authority to install. The possible values are EnterpriseRootCA, EnterpriseSubordinateCA, StandaloneRootCA, or StandaloneSubordinateCA.
  • Credential - The account used to perform the installation. To install an enterprise certification authority, the computer must be joined to an Active Directory Domain Services domain and a user account that is a member of the Enterprise Admins group is required. To install a standalone certification authority, the computer can be in a workgroup or an AD DS domain. If the computer is in a workgroup, a user account that is a member of the local Administrators group is required. If the computer is in an AD DS domain, a user account that is a member of Domain Admins is required.
  • Ensure - Specifies whether the Certificate Authority should be installed or uninstalled.
  • CACommonName - Specifies the certification authority common name.
  • CADistinguishedNameSuffix - Specifies the certification authority distinguished name suffix.
  • CertFile - Specifies the file name of an existing certification authority certificate in PKCS #12 format (with its private key) to install instead of generating a new key.
  • CertFilePassword - Specifies the password for certification authority certificate file.
  • CertificateID - Specifies the thumbprint or serial number of certification authority certificate.
  • CryptoProviderName - The name of the cryptographic service provider or key storage provider that is used to generate or store the private key for the CA.
  • DatabaseDirectory - Specifies the folder location of the certification authority database.
  • HashAlgorithmName - Specifies the signature hash algorithm used by the certification authority.
  • IgnoreUnicode - Specifies that Unicode characters are allowed in certification authority name string.
  • KeyContainerName - Specifies the name of an existing private key container to reuse instead of generating a new key.
  • KeyLength - Specifies the bit length of the key to generate for the certification authority (for example, 2048 or 4096).
  • LogDirectory - Specifies the folder location of the certification authority database log.
  • OutputCertRequestFile - Specifies the folder location for certificate request file.
  • OverwriteExistingCAinDS - Specifies that the computer object in the Active Directory Domain Service domain should be overwritten with the same computer name.
  • OverwriteExistingDatabase - Specifies that the existing certification authority database should be overwritten.
  • OverwriteExistingKey - Overwrite existing key container with the same name.
  • ParentCA - Specifies the configuration string of the parent certification authority that will certify this CA.
  • ValidityPeriod - Specifies the unit in which the validity period of the certification authority certificate is expressed: Hours, Days, Weeks, Months or Years. Used together with ValidityPeriodUnits. If this is a subordinate CA, do not use this parameter, because the validity period is determined by the parent CA.
  • ValidityPeriodUnits - Specifies the number of ValidityPeriod units the certification authority certificate is valid for (for example, 10 with ValidityPeriod set to Years). If this is a subordinate CA, do not specify this parameter, because the validity period is determined by the parent CA.

xAdcsWebEnrollment resource has following properties:

  • CAConfig - The configuration string of the certification authority that the Web Enrollment site should submit requests to, in the form CAHostName\CACommonName. Do not specify this if there is a CA installed locally.
  • Credential - If the Web Enrollment service is configured to use a standalone certification authority, then an account that is a member of the local Administrators group on the CA is required. If the Web Enrollment service is configured to use an enterprise CA, then an account that is a member of Domain Admins is required.
  • Ensure - Specifies whether the Web Enrollment feature should be installed or uninstalled.
  • Name - A name that provides a unique identifier for the resource instance.
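The two property lists above describe what the resources can set, but the module's examples leave almost everything at its default. The configuration below is an added example, not part of the module, showing an enterprise root CA and its Web Enrollment site with the security-relevant properties pinned explicitly: a Key Storage Provider instead of a legacy CSP, SHA-256 signing, a 4096-bit key, an explicit lifetime (ValidityPeriod is the unit property, matching the parameter name of Install-AdcsCertificationAuthority, and ValidityPeriodUnits the count), database and log paths off the system drive, and the overwrite switches left off so an existing CA key or database is never silently replaced. It also shows how to keep the Enterprise Admins credential out of the compiled MOF by encrypting it with the target node's certificate rather than setting PSDscAllowPlainTextPassword. The CA name, DN suffix, paths, node name, certificate file and thumbprint are all hypothetical values.

```powershell
# Added example: enterprise root CA with explicit key, hash and lifetime
# settings, plus Web Enrollment on the same node. All names and paths are
# placeholders for a fictional contoso.com forest.
Configuration HardenedEnterpriseRootCA
{
    param
    (
        [Parameter(Mandatory)]
        [PSCredential] $EnterpriseAdminCredential   # member of Enterprise Admins
    )

    Import-DscResource -ModuleName xAdcsDeployment

    Node $AllNodes.NodeName
    {
        WindowsFeature ADCS-Cert-Authority
        {
            Ensure = 'Present'
            Name   = 'ADCS-Cert-Authority'
        }

        xAdcsCertificationAuthority RootCA
        {
            Ensure                    = 'Present'
            Credential                = $EnterpriseAdminCredential
            CAType                    = 'EnterpriseRootCA'
            CACommonName              = 'Contoso Root CA'
            CADistinguishedNameSuffix = 'DC=contoso,DC=com'
            # Key Storage Provider rather than a legacy CSP, and SHA-256 signing:
            # current clients reject SHA-1 signed certificates.
            CryptoProviderName        = 'RSA#Microsoft Software Key Storage Provider'
            HashAlgorithmName         = 'SHA256'
            KeyLength                 = 4096
            # Root CA certificate lifetime of 10 years. Omit both ValidityPeriod
            # settings for a subordinate CA; the parent CA decides its lifetime.
            ValidityPeriod            = 'Years'
            ValidityPeriodUnits       = 10
            # Keep the CA database and its log off the system drive.
            DatabaseDirectory         = 'D:\CertDB'
            LogDirectory              = 'D:\CertLog'
            # Fail rather than replace an existing CA key or database.
            OverwriteExistingKey      = $false
            OverwriteExistingDatabase = $false
            DependsOn                 = '[WindowsFeature]ADCS-Cert-Authority'
        }

        WindowsFeature ADCS-Web-Enrollment
        {
            Ensure    = 'Present'
            Name      = 'ADCS-Web-Enrollment'
            DependsOn = '[WindowsFeature]ADCS-Cert-Authority'
        }

        xAdcsWebEnrollment CertSrv
        {
            Ensure     = 'Present'
            Name       = 'CertSrv'
            Credential = $EnterpriseAdminCredential
            # CAConfig is deliberately omitted: the CA is local to this node.
            DependsOn  = '[WindowsFeature]ADCS-Web-Enrollment', '[xAdcsCertificationAuthority]RootCA'
        }
    }
}

# Configuration data: the credential is encrypted in the MOF with the target
# node's document-encryption certificate. Setting PSDscAllowPlainTextPassword
# = $true instead would write the Enterprise Admins password to the MOF in
# clear text. CertificateFile is the node's exported public key; Thumbprint
# is what the node's LCM uses to find the matching private key.
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'ca01.contoso.com'
            CertificateFile = 'C:\DscPublicKeys\ca01.cer'
            Thumbprint      = '0123456789ABCDEF0123456789ABCDEF01234567'
        }
    )
}

HardenedEnterpriseRootCA -ConfigurationData $configData `
    -EnterpriseAdminCredential (Get-Credential -Message 'Enterprise Admins account') `
    -OutputPath 'C:\Dsc\HardenedEnterpriseRootCA'
```

Compile on a workstation that holds the node's public certificate, then inspect the generated ca01.contoso.com.mof: the Credential value should appear as an encrypted blob, and the PSDscAllowPlainTextPassword key should be absent from the configuration data entirely.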

Renaming Requirements

When making changes to these resources, we suggest the following practice:

  1. Update the following names by replacing MSFT with your company/community name and replacing the "x" with "c" (short for "Community") or another prefix of your choice. The examples use xAdcsCertificationAuthority; repeat the same steps for xAdcsWebEnrollment:
    • Module name (ex: xAdcsDeployment becomes cAdcsDeployment)
    • Resource folder (ex: MSFT_xAdcsCertificationAuthority becomes Contoso_cAdcsCertificationAuthority)
    • Resource Name (ex: MSFT_xAdcsCertificationAuthority becomes Contoso_cAdcsCertificationAuthority)
    • Resource Friendly Name (ex: xAdcsCertificationAuthority becomes cAdcsCertificationAuthority)
    • MOF class name (ex: MSFT_xAdcsCertificationAuthority becomes Contoso_cAdcsCertificationAuthority)
    • Filename for the <resource>.schema.mof (ex: MSFT_xAdcsCertificationAuthority.schema.mof becomes Contoso_cAdcsCertificationAuthority.schema.mof)
  2. Update module and metadata information in the module manifest
  3. Update any configurations that use these resources

We reserve resource and module names without prefixes ("x" or "c") for future use (e.g. "MSFT_AdcsDeployment"). If the next version of Windows Server ships with an "AdcsDeployment" resource, we don't want to break any configurations that use any community modifications. Please keep a prefix such as "c" on all community modifications.
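The renaming steps above, carried out by a script against a copy of the module. This is an added example, not something the module ships; it assumes the usual DSC Resource Kit layout of a <Module>.psd1 manifest at the module root and one DSCResources\<ClassName> folder per resource holding <ClassName>.psm1 and <ClassName>.schema.mof, and it uses "Contoso" and the "c" prefix as placeholders for your own names.

```powershell
# Added example: fork xAdcsDeployment as cAdcsDeployment, renaming module,
# resource folders, MOF class names, friendly names and schema file names,
# and giving the manifest a new GUID so the fork is a distinct module.
$modulesDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules'
$source     = Join-Path $modulesDir 'xAdcsDeployment'
$oldOrg,    $newOrg    = 'MSFT', 'Contoso'   # placeholder organisation name
$oldPrefix, $newPrefix = 'x',    'c'

# Work on a copy so the original module stays installed and untouched.
$newModule = $newPrefix + 'AdcsDeployment'
$dest = Join-Path $modulesDir $newModule
Copy-Item -Path $source -Destination $dest -Recurse -ErrorAction Stop

# Step 1: each resource folder, its .schema.mof / .psm1 file names, and the
# MSFT_x... class name and x... friendly name inside those files.
foreach ($dir in Get-ChildItem (Join-Path $dest 'DSCResources') -Directory) {
    $oldName     = $dir.Name                                              # MSFT_xAdcsCertificationAuthority
    $newName     = $oldName -replace "^${oldOrg}_${oldPrefix}", "${newOrg}_${newPrefix}"
    $oldFriendly = $oldName -replace "^${oldOrg}_", ''                    # xAdcsCertificationAuthority
    $newFriendly = $newName -replace "^${newOrg}_", ''                    # cAdcsCertificationAuthority

    foreach ($file in Get-ChildItem $dir.FullName -File) {
        # Class name first, then friendly name, so the class rename does not
        # leave a stale x-prefixed FriendlyName("...") behind in the MOF.
        (Get-Content $file.FullName) -replace $oldName, $newName -replace $oldFriendly, $newFriendly |
            Set-Content $file.FullName
        if ($file.Name -like "$oldName*") {
            Rename-Item $file.FullName ($file.Name -replace "^$oldName", $newName)
        }
    }
    Rename-Item $dir.FullName $newName
}

# Step 2: module manifest - new file name and a fresh GUID for the fork.
$manifestPath = Join-Path $dest "$newModule.psd1"
Rename-Item (Join-Path $dest 'xAdcsDeployment.psd1') "$newModule.psd1"
(Get-Content $manifestPath) -replace "(?<=GUID\s*=\s*')[^']+", [guid]::NewGuid().Guid |
    Set-Content $manifestPath

# Step 3 is updating your own configurations; verify here that the renamed
# resources load side by side with the originals.
Get-DscResource -Name "${newPrefix}AdcsCertificationAuthority", "${newPrefix}AdcsWebEnrollment"
```

Review the diff of the .schema.mof files afterwards: the only lines that should have changed are the class declaration and the FriendlyName attribute, and the ClassVersion and property definitions must be identical to the originals.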

Versions

0.1.0.0

  • Initial release with the following resources
    • xAdcsCertificationAuthority and xAdcsWebEnrollment.

Example: Add a Certificate Authority and configure it for AD CS and Web Enrollment.

This example will add the Windows Server Roles and Features to support a Certificate Authority and configure it to provide AD CS and Web Enrollment.

PowerShell
Configuration CertificateAuthority
{
    Import-DscResource -ModuleName xAdcsDeployment

    # $Node.Credential is supplied through ConfigurationData for this node; for an
    # EnterpriseRootCA it must be an Enterprise Admins account (see Details above).
    Node 'NodeName'
    {
        WindowsFeature ADCS-Cert-Authority
        {
            Ensure = 'Present'
            Name   = 'ADCS-Cert-Authority'
        }

        xADCSCertificationAuthority ADCS
        {
            Ensure     = 'Present'
            Credential = $Node.Credential
            CAType     = 'EnterpriseRootCA'
            DependsOn  = '[WindowsFeature]ADCS-Cert-Authority'
        }

        WindowsFeature ADCS-Web-Enrollment
        {
            Ensure    = 'Present'
            Name      = 'ADCS-Web-Enrollment'
            DependsOn = '[WindowsFeature]ADCS-Cert-Authority'
        }

        xADCSWebEnrollment CertSrv
        {
            Ensure     = 'Present'
            Name       = 'CertSrv'
            Credential = $Node.Credential
            # No CAConfig: the CA is installed on this same node.
            DependsOn  = '[WindowsFeature]ADCS-Web-Enrollment', '[xADCSCertificationAuthority]ADCS'
        }
    }
}

Example: Remove the AD CS functionality from a server.

PowerShell
Configuration RetireCertificateAuthority
{
    Import-DscResource -ModuleName xAdcsDeployment

    # Removal runs in the reverse order of installation: the Web Enrollment site
    # and feature go first, then the CA and its feature. Both resources still
    # require Credential (see Details above), and CAType must match the CA that
    # was installed.
    Node 'NodeName'
    {
        xADCSWebEnrollment CertSrv
        {
            Ensure     = 'Absent'
            Name       = 'CertSrv'
            Credential = $Node.Credential
        }

        WindowsFeature ADCS-Web-Enrollment
        {
            Ensure    = 'Absent'
            Name      = 'ADCS-Web-Enrollment'
            DependsOn = '[xADCSWebEnrollment]CertSrv'
        }

        xADCSCertificationAuthority ADCS
        {
            Ensure     = 'Absent'
            CAType     = 'EnterpriseRootCA'
            Credential = $Node.Credential
            DependsOn  = '[WindowsFeature]ADCS-Web-Enrollment'
        }

        WindowsFeature ADCS-Cert-Authority
        {
            Ensure    = 'Absent'
            Name      = 'ADCS-Cert-Authority'
            DependsOn = '[xADCSCertificationAuthority]ADCS'
        }
    }
}