If you're looking to install (or remove) Enrollment Web Pages (hereinafter EWP) without the GUI, you're in the right place. First, why script EWP installation at all? It can be very useful for CA administrator assistants, for example. Normally the CA administrator has to write a long step-by-step guide for installing a given role; with a script, the CA administrator can instead say: "Take the script, run it with the XYZ parameters and get PROFIT", or something like that. It is common practice to script every routine operation that can be scripted, for disaster recovery and similar cases, because it takes less time and is easier to document. If you're wondering whether the CA role itself can be installed from a script: it can. In the next post I'll show PowerShell code that does that. For now, we'll talk about web enrollment.
As a starting point we need to find the appropriate API, and here it is: ICertSrvSetup. This CryptoAPI COM interface is the base interface for CA and/or EWP role installation. The following code instantiates the COM object:
$EWPSetup = New-Object -ComObject CertOCM.CertSrvSetup.1
You must initialize the object to set the required properties and install the selected roles by invoking the InitializeDefaults method. The method accepts two arguments:
There are several rules for this method that are not covered in MSDN.
$EWPSetup.InitializeDefaults($false,$true)
We have initialized the object to the required state and are ready to set the required information: the remote CA configuration string. As you should know, a CA configuration string uses the format CAComputerName\CAName. To set the remote CA config string we use the SetWebCAInformation method as shown:
$EWPSetup.SetWebCAInformation("CA1\Company Issuing CA")
And now we can install the role:
$EWPSetup.Install()
In certain cases you may find that you cannot instantiate the COM object. This is because the required binaries are not installed. To install them you should use the ServerManager PowerShell module as shown:
PS C:\> Import-Module ServerManager
PS C:\> Get-WindowsFeature "ADCS*"

Display Name                                       Name
------------                                       ----
[X] Certification Authority                        ADCS-Cert-Authority
[ ] Certification Authority Web Enrollment         ADCS-Web-Enrollment
[X] Online Responder                               ADCS-Online-Cert
[ ] Network Device Enrollment Service              ADCS-Device-Enrollment
[X] Certificate Enrollment Web Service             ADCS-Enroll-Web-Svc
[X] Certificate Enrollment Policy Web Service      ADCS-Enroll-Web-Pol

PS C:\> Add-WindowsFeature "ADCS-Web-Enrollment"

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Certification Authority Web Enrollment}

PS C:\>
You will need to add a check that the binaries are installed at the start of the script. Here is an example script that installs EWP on the local computer:
function Install-WebEnrollment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$CAConfig
    )
    # check if the script runs on Windows Server 2008 or Windows Server 2008 R2
    # (NT 6.x; ProductType 1 is a workstation, which is not supported either)
    $OS = Get-WmiObject Win32_OperatingSystem | select Version, ProductType
    $major = [int]$OS.Version.Split('.')[0]
    if ($major -ne 6 -or $OS.ProductType -eq 1) {
        Write-Warning "Windows XP, Windows Server 2003 and Windows Server 2003 R2 are not supported!"
        return
    }
    # check if web enrollment binaries are installed
    Import-Module ServerManager
    $status = (Get-WindowsFeature -Name ADCS-Web-Enrollment).Installed
    # if not, install the binaries, otherwise do nothing
    if (!$status) {
        $retn = Add-WindowsFeature -Name ADCS-Web-Enrollment
        if (!$retn.Success) {
            Write-Warning "Unable to install ADCS installation packages due to the following error:"
            Write-Warning $retn.ExitCode
            return
        }
    }
    # instantiate COM object
    try {
        $EWPSetup = New-Object -ComObject CertOCM.CertSrvSetup.1
    } catch {
        Write-Warning "Unable to load necessary interfaces. Your Windows Server operating system is not supported!"
        return
    }
    # initialize the object to install only web enrollment
    $EWPSetup.InitializeDefaults($false,$true)
    try {
        # set required information and install the role
        $EWPSetup.SetWebCAInformation($CAConfig)
        $EWPSetup.Install()
    } catch {
        Write-Warning $_
        return
    }
    Write-Host "Successfully installed Enrollment Web Pages on local computer!" -ForegroundColor Green
}
And usage example:
Install-WebEnrollment "CA1\Company Issuing CA"
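The script above takes the CA configuration string on trust. The following check is an added example, not code from the original post: it validates the string's format, confirms it matches a CA published in Active Directory (via the ICertConfig COM interface, ProgID CertificateAuthority.Config), and pings the CA with certutil before Install-WebEnrollment is called. The function name Test-CAConfigString and the sample CA name are assumptions.

```powershell
# Added example: pre-flight validation of a CA configuration string before
# the EWP role is installed against it. Assumes Install-WebEnrollment (above)
# is already defined in the session.
function Test-CAConfigString {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$CAConfig)

    # A configuration string must be "CAComputerName\CAName"; reject anything else early.
    if ($CAConfig -notmatch '^[^\\]+\\[^\\]+$') {
        Write-Warning "Configuration string must be in the form CAComputerName\CAName."
        return $false
    }

    # Enumerate the CAs published in AD through ICertConfig and collect their config strings.
    $known = @()
    try {
        $cfg   = New-Object -ComObject CertificateAuthority.Config
        $count = $cfg.Reset(0)            # positions at the first entry, returns the entry count
        for ($i = 0; $i -lt $count; $i++) {
            $known += $cfg.GetField("Config")
            [void]$cfg.Next()
        }
    } catch {
        Write-Warning "Unable to enumerate CAs: $_"
        return $false
    }
    if ($known -notcontains $CAConfig) {
        Write-Warning "'$CAConfig' is not a CA published in Active Directory. Known CAs:"
        $known | ForEach-Object { Write-Warning "  $_" }
        return $false
    }

    # Ask the CA to answer over DCOM; a non-zero exit code means unreachable or access denied.
    $null = & certutil.exe -ping -config $CAConfig 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "CA '$CAConfig' did not respond to certutil -ping (exit code $LASTEXITCODE)."
        return $false
    }
    return $true
}

# Usage: only install when the string validates (constructed sample value).
if (Test-CAConfigString "CA1\Company Issuing CA") {
    Install-WebEnrollment "CA1\Company Issuing CA"
}
```

The ping runs with the caller's credentials, so a CA that exists but denies the account will also fail the check, which is the desired outcome before handing the string to SetWebCAInformation.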
Have a nice day with CryptoAPI scripting in PowerShell :)