vSphereAutoLab/Build/Automate/DC/SetupCA.ps1

526 lines
25 KiB
PowerShell
Raw Permalink Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

function Install-CertificationAuthority {
<#
.Synopsis
Installs Active Directory Certificate Services role on local computer.
.Description
Installs Active Directory Certificate Services (AD CS) role on local computer. A user can choose different options, such
Certification Authority (CA) type, key pair parameters, CA certificate validity and so on.
The command supports Windows Server 2008 R2 Server Core installations.
.Parameter CAName
Specifies a custom CA certificate name/subject (what you see in the certificate display UI). If not passed, a '<ComputerName>-CA'
form is used for workgroup CAs and '<DomainName>-<ComputerName-CA>' form is used for domain CAs. The parameter supports Unicode names.
.Parameter CADNSuffix
Specifies a DN suffix to specify some additional information. For example, company name, country, city, etc. DN suffix is empty for
workgroup CAs and includes current domain distinguished name (for example, DC=domain,DC=com). The parameter accepts suffixes in a
X500 form, for example: OU=Information Systems, O=Sysadmins LV, C=LV.
.Parameter CAType
Specifies CA type:
Standalone Root,
Standalone Subordinate,
Enterprise Root,
Enterprise Subordinate.
If not passed, for non-domain environments or if you don't have Enterprise Admins rights, Standalone Root is used. If you have
Enterprise Admins rights and your forest already has installed CAs, Enterprise Subordinate is used. If no Enterprise CAs installed
in the forest, Enterprise Root is used.
.Parameter ParentCA
This parameter allows you to specify parent CA location only if you install Enterprise Subordinate CA. For other CA types, the
parameter is ignored. Parent CA information must be passed in the following form: CAComputerName\CASanitizedName. Sanitized name
is a sanitized form of CA name (subject). Mostly sanitized name is the same as CA name (unless you use Unicode and/or special
characters, that are disallowed in X500). If the parameter is not specified, a certificate request will be generated on the root
of system drive. I've decided to not implement this parameter for Standalone Subordinate CAs, because mostly they are installed
in a workgroup environments and direct request submission to other CAs is likely unavailable (due of computer authentication
complexity in the non-domain environments). However, if you need it — contact me.
.Parameter CSP
Specifies custom cryptographic service provider. By default 'RSA#Microsoft Software Key Storage Provider' is used (in most cases
you will use default CSP). You need to explicitly specify custom CSP only when you setup completely CNG authority (CSPs with ECDSA
prefix) or you use HSM. Each HSM uses it's own custom CSP. You must install HSM middleware before CA installation.
The full list of supportable and available "by default" CSPs for Windows Server 2008+ is:
Microsoft Base Cryptographic Provider v1.0
Microsoft Base DSS Cryptographic Provider
Microsoft Base Smart Card Crypto Provider
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Strong Cryptographic Provider
RSA#Microsoft Software Key Storage Provider
DSA#Microsoft Software Key Storage Provider
ECDSA_P256#Microsoft Software Key Storage Provider
ECDSA_P384#Microsoft Software Key Storage Provider
ECDSA_P521#Microsoft Software Key Storage Provider
RSA#Microsoft Smart Card Key Storage Provider
ECDSA_P256#Microsoft Smart Card Key Storage Provider
ECDSA_P384#Microsoft Smart Card Key Storage Provider
ECDSA_P521#Microsoft Smart Card Key Storage Provider
.Parameter KeyLength
This parameter specifies the key length. If not specified, a 2048-bit key will be generated. There is a little trick: if you look to
a CSP list (above), you will see that key length is specified for each ECDSA* provider. I've developed a script logic in that way,
so the script ignores this parameter if one of ECDSA* CSP is explicitly chosen and uses key length that is supported by the CSP.
Therefore you will not receive an error if you select 'ECDSA_P256#Microsoft Smart Card Key Storage Provider' CSP with 2048 key length.
256-bit key will be selected automatically
.Parameter HashAlgorithm
This parameter specifies hash algorithm that will be used for CA certificate/request hashing. Note that this is important for root
CA installations. Subordinate CA certificates are hashed and signed by the parent CA with it's own settings. By default 'SHA1' is
used (though this parameter is applicable for all CA installation types).
.Parameter ValidForYears
Specifies the validity for root CA installations. By default root CA certificates are valid for 5 years. You can increase this value
to 10, 20, 50, whatever you need. For any subordinate CA types this parameter is silently ignored. This is because subordinate CA
validity is determined by the parent CA. This parameter accepts integer values, assuming that the value is specified in years.
.Parameter RequestFileName
If you setup any sort of subordinate (not root) CAs you can specify custom path to a request file. By default request file is
generated on the root of system drive.
.Parameter CACertFile
Specifies the path to a PFX file with CA certificate. Relative paths are allowed. Setup API performs additional checks for the certificate.
Therefore you must ensure if: this is CA certificate (but not EFS encryption ;)), CA certificate is trusted (for non-root certificates)
and chains to trusted CA and CA certificate revocation checking can be performed. Otherwise you will unable to setup CA with that CA certificate.
.Parameter Password
Specifies the password to open PFX file. The parameter supports only securestrings! You can't type a password as a simple text. This is made for
security reasons. There are few ways to pass a password in a securestring form:
$Password = Read-Host a
or
ConvertTo-SecureString <plaintext> a f
You can enclose last command in parentheses and pass directly as a parameter value.
.Parameter Thumbprint
specifies a thumbprint of the certificate to use. The certificate must be installed in Local Machine\Personal store and must be trusted
(for non-root certificates) and must not be revoked (the issuer revocation information must be available).
.Parameter DBDirectory
Specifies the path to a folder to store CA database. If not specified, the default path: %windir%\System32\CertLog folder is used. If you
need to specify custom path (for example, shared storage for CA clusters), you need to specify the next parameter too. The path must be valid.
.Parameter LogDirectory
Specifies the path to a folderto store CA database log files. By default %windir%\System32\CertLog folder is used. If you use custom path for
either database or log folders, you must explicitly specify both paths.
.Parameter OverwriteExisting
Specifies, whether to overwrite any existing database files in the specified directories.
.Parameter AllowCSPInteraction
Specifies, whether the cryptographic service provider (CSP) is allowed to interact with the desktop. This parameter should be used only if you
use custom hardware-based CSP (HSM or smart card CSP). In other cases you don't need to allow CSP interactions.
.Parameter Force
By default, the script explicitly prompts you whether you want to install Certification Authority with selected values. If you want to implement
silent (quiet) installations — specify this parameter to suppress any prompts during role installation
.EXAMPLE
PS > Install-CertificationAuthority -CAName "My Root CA" -CADNSuffix "OU=Information Systems, O=Sysadmins LV, C=LV" `
-CAType "Standalone Root" -ValidForYears 10
In this scenario you setup new Standalone Root CA with "CN=My Root CA, OU=Information Systems, O=Sysadmins LV, C=LV" subject, that will be valid
for 10 years. The CA will use default paths to CA database and log files and certificate will use 'RSA#Microsoft Software Key Storage Provider'
CSP with 2048-bit key and SHA1 hashing algorithm.
.EXAMPLE
PS > Install-CertificationAuthority -CAName "My Root CA" -CADNSuffix "OU=Information Systems, O=Sysadmins LV, C=LV" `
-CAType "Standalone Root" -ValidForYears 20 -CSP "ECDSA_P256#Microsoft Smart Card Key Storage Provider" `
-HashAlgorithm SHA512
This example is similar to previous, with the exception that this CA will be completely CNG/SHA2 root. CA certificate will use CNG (not RSA)
keys and hashing algorithm will be SHA512.
.EXAMPLE
PS > Install-CertificationAuthority -CAName "Clustered CA" -CADNSuffix "OU=Information Systems, O=Sysadmins LV, C=LV" `
-CAType "Enterprise Subordinate" -KeyLength 4096 -DBDirectory "S:\CertDB" -LogDirectory "S:\CertLog" `
-RequestFileName "S:\Clustered CA.req"
This example assumes that you setup CA cluster first node (but not necessary). CA database will be stored on a shared storage (attached with S: drive letter).
CA certificate will use default 'RSA#Microsoft Software Key Storage Provider' with 4096-bit key and default SHA1 hashing algorithm. CA certificate validity
will be determined by the parent CA. In addition, CA certificate request will be stored on the shared storage.
.EXAMPLE
PS > $Password = Read-Host -AsSecureString
PS > Install-CertificationAuthority -CACertFile .\ClusteredCA.pfx -Password $Password `
-DBDirectory "S:\CertDB" -LogDirectory "S:\CertLog" -OverwriteExisting
This is two-line example. Say, you have successfully installed CA cluster first node and have exported CA certificate to a PFX, and moved it to the second
node (to the current directory). At first you will be prompted for a password. Since you type password to a securestring prompt, no characters will be displayed.
After that you will specify relative path to a PFX file and specify shared storage to store CA database and log files. You overwrite database files that was
created during first node installation. Actually this command installs CA cluster second node.
.EXAMPLE
PS > Install-CertificationAuthority -CAName "Company Enterprise CA-2" -CADNSuffix "O=Company, E=companypky@company.com" `
-CAType "Enterprise Subordinate" -ParentCA "ca01.company.com\Company Enterprise CA-1"
From best-practices perspective this is not a very good example, because it assumes at least 2 tiers of Enterprise CAs. However, it is still common. In a given
example, Enterprise Subordinate CA will be installed and certificate request will be sent directly to existing Enterprise CA — 'Company Enterprise CA-1' that is
hosted on 'ca01.company.com'. Note that existing CA must be online and must issue 'Subordinate Certification Authority' template.
.Inputs
None.
.Outputs
None.
.NOTES
Author: Vadims Podans
Blog : http://en-us.sysadmins.lv
#>
[CmdletBinding(
DefaultParameterSetName = 'NewKeySet',
ConfirmImpact = 'High',
SupportsShouldProcess = $true
)]
param(
[Parameter(ParameterSetName = 'NewKeySet')]
[string]$CAName,
[Parameter(ParameterSetName = 'NewKeySet')]
[string]$CADNSuffix,
[Parameter(ParameterSetName = 'NewKeySet')]
[ValidateSet("Standalone Root","Standalone Subordinate","Enterprise Root","Enterprise Subordinate")]
[string]$CAType,
[Parameter(ParameterSetName = 'NewKeySet')]
[string]$ParentCA,
[Parameter(ParameterSetName = 'NewKeySet')]
[string]$CSP,
[Parameter(ParameterSetName = 'NewKeySet')]
[int]$KeyLength,
[Parameter(ParameterSetName = 'NewKeySet')]
[string]$HashAlgorithm,
[Parameter(ParameterSetName = 'NewKeySet')]
[int]$ValidForYears = 5,
[Parameter(ParameterSetName = 'NewKeySet')]
[string]$RequestFileName,
[Parameter(Mandatory = $true, ParameterSetName = 'PFXKeySet')]
[IO.FileInfo]$CACertFile,
[Parameter(Mandatory = $true, ParameterSetName = 'PFXKeySet')]
[Security.SecureString]$Password,
[Parameter(Mandatory = $true, ParameterSetName = 'ExistingKeySet')]
[string]$Thumbprint,
[string]$DBDirectory,
[string]$LogDirectory,
[switch]$OverwriteExisting,
[switch]$AllowCSPInteraction,
[switch]$Force
)
#region OS and existing CA checking
# check if script running on Windows Server 2008 or Windows Server 2008 R2
$OS = Get-WmiObject Win32_OperatingSystem -Property ProductType
if ([Environment]::OSVersion.Version.Major -lt 6) {
Write-Error -Category NotImplemented -ErrorId "NotSupportedException" `
-Message "Windows XP, Windows Server 2003 and Windows Server 2003 R2 are not supported!"
return
}
if ($OS.ProductType -eq 1) {
Write-Error -Category NotImplemented -ErrorId "NotSupportedException" `
-Message "Client operating systems are not supported!"
return
}
$CertConfig = New-Object -ComObject CertificateAuthority.Config
try {$ExistingDetected = $CertConfig.GetConfig(3)}
catch {}
if ($ExistingDetected) {
Write-Error -Category ResourceExists -ErrorId "ResourceExistsException" `
-Message "Certificate Services are already installed on this computer. Only one Certification Authority instance per computer is supported."
return
}
#endregion
#region Binaries checking and installation if necessary
if ([Environment]::OSVersion.Version.Major -eq 6 -and [Environment]::OSVersion.Version.Minor -eq 0) {
cmd /c "servermanagercmd -install AD-Certificate 2> null" | Out-Null
} else {
try {Import-Module ServerManager -ErrorAction Stop}
catch {
ocsetup 'ServerManager-PSH-Cmdlets' /quiet | Out-Null
Start-Sleep 1
Import-Module ServerManager -ErrorAction Stop
}
$status = (Get-WindowsFeature -Name AD-Certificate).Installed
# if still no, install binaries, otherwise do nothing
if (!$status) {$retn = Add-WindowsFeature -Name AD-Certificate -ErrorAction Stop
if (!$retn.Success) {
Write-Error -Category NotInstalled -ErrorId "NotInstalledException" `
-Message "Unable to install ADCS installation packages due of the following error: $($retn.breakCode)"
return
}
}
}
try {$CASetup = New-Object -ComObject CertOCM.CertSrvSetup.1}
catch {
Write-Error -Category NotImplemented -ErrorId "NotImplementedException" `
-Message "Unable to load necessary interfaces. Your Windows Server operating system is not supported!"
return
}
# initialize setup binaries
try {$CASetup.InitializeDefaults($true, $false)}
catch {
Write-Error -Category InvalidArgument -ErrorId ParameterIncorrectException `
-ErrorAction Stop -Message "Cannot initialize setup binaries!"
}
#endregion
#region Property enums
$CATypesByName = @{"Enterprise Root" = 0; "Enterprise Subordinate" = 1; "Standalone Root" = 3; "Standalone Subordinate" = 4}
$CATypesByVal = @{}
$CATypesByName.keys | ForEach-Object {$CATypesByVal.Add($CATypesByName[$_],$_)}
$CAPRopertyByName = @{"CAType"=0;"CAKeyInfo"=1;"Interactive"=2;"ValidityPeriodUnits"=5;
"ValidityPeriod"=6;"ExpirationDate"=7;"PreserveDataBase"=8;"DBDirectory"=9;"Logdirectory"=10;
"ParentCAMachine"=12;"ParentCAName"=13;"RequestFile"=14;"WebCAMachine"=15;"WebCAName"=16
}
$CAPRopertyByVal = @{}
$CAPRopertyByName.keys | ForEach-Object {$CAPRopertyByVal.Add($CAPRopertyByName[$_],$_)}
$ValidityUnitsByName = @{"years" = 6}
$ValidityUnitsByVal = @{6 = "years"}
#endregion
$ofs = ", "
#region Key set processing functions
#region NewKeySet
function NewKeySet ($CAName, $CADNSuffix, $CAType, $ParentCA, $CSP, $KeyLength, $HashAlgorithm, $ValidForYears, $RequestFileName) {
#region CSP, key length and hashing algorithm verification
$CAKey = $CASetup.GetCASetupProperty(1)
if ($CSP -ne "") {
if ($CASetup.GetProviderNameList() -notcontains $CSP) {
# TODO add available CSP list
Write-Error -Category InvalidArgument -ErrorId "InvalidCryptographicServiceProviderException" `
-ErrorAction Stop -Message "Specified CSP '$CSP' is not valid!"
} else {
$CAKey.ProviderName = $CSP
}
} else {
$CAKey.ProviderName = "RSA#Microsoft Software Key Storage Provider"
}
if ($KeyLength -ne 0) {
if ($CASetup.GetKeyLengthList($CSP).Length -eq 1) {
$CAKey.Length = $CASetup.GetKeyLengthList($CSP)[0]
} else {
if ($CASetup.GetKeyLengthList($CSP) -notcontains $KeyLength) {
Write-Error -Category InvalidArgument -ErrorId "InvalidKeyLengthException" `
-ErrorAction Stop -Message @"
The specified key length '$KeyLength' is not supported by the selected CSP '$CSP' The following
key lengths are supported by this CSP: $($CASetup.GetKeyLengthList($CSP))
"@
}
$CAKey.Length = $KeyLength
}
}
if ($HashAlgorithm -ne "") {
if ($CASetup.GetHashAlgorithmList($CSP) -notcontains $HashAlgorithm) {
Write-Error -Category InvalidArgument -ErrorId "InvalidHashAlgorithmException" `
-ErrorAction Stop -Message @"
The specified hash algorithm is not supported by the selected CSP '$CSP' The following
hash algorithms are supported by this CSP: $($CASetup.GetHashAlgorithmList($CSP))
"@
}
$CAKey.HashAlgorithm = $HashAlgorithm
}
$CASetup.SetCASetupProperty(1,$CAKey)
#endregion
#region Setting CA type
if ($CAType) {
$SupportedTypes = $CASetup.GetSupportedCATypes()
$SelectedType = $CATypesByName[$CAType]
if ($SupportedTypes -notcontains $CATypesByName[$CAType]) {
Write-Error -Category InvalidArgument -ErrorId "InvalidCATypeException" `
-ErrorAction Stop -Message @"
Selected CA type: '$CAType' is not supported by current Windows Server installation.
The following CA types are supported by this installation: $([int[]]$CASetup.GetSupportedCATypes() | %{$CATypesByVal[$_]})
"@
} else {$CASetup.SetCASetupProperty($CAPRopertyByName.CAType,$SelectedType)}
}
#endregion
#region setting CA certificate validity
if ($SelectedType -eq 0 -or $SelectedType -eq 3 -and $ValidForYears -ne 0) {
try{$CASetup.SetCASetupProperty(6,$ValidForYears)}
catch {
Write-Error -Category InvalidArgument -ErrorId "InvalidCAValidityException" `
-ErrorAction Stop -Message "The specified CA certificate validity period '$ValidForYears' is invalid."
}
}
#endregion
#region setting CA name
if ($CAName -ne "") {
if ($CADNSuffix -ne "") {$Subject = "CN=$CAName" + ",$CADNSuffix"} else {$Subject = "CN=$CAName"}
$DN = New-Object -ComObject X509Enrollment.CX500DistinguishedName
# validate X500 name format
try {$DN.Encode($Subject,0x0)}
catch {
Write-Error -Category InvalidArgument -ErrorId "InvalidX500NameException" `
-ErrorAction Stop -Message "Specified CA name or CA name suffix is not correct X.500 Distinguished Name."
}
$CASetup.SetCADistinguishedName($Subject, $true, $true, $true)
}
#endregion
#region set parent CA/request file properties
if ($CASetup.GetCASetupProperty(0) -eq 1 -and $ParentCA) {
[void]($ParentCA -match "^(.+)\\(.+)$")
try {$CASetup.SetParentCAInformation($ParentCA)}
catch {
Write-Error -Category ObjectNotFound -ErrorId "ObjectNotFoundException" `
-ErrorAction Stop -Message @"
The specified parent CA information '$ParentCA' is incorrect. Make sure if parent CA
information is correct (you must specify existing CA) and is supplied in a 'CAComputerName\CASanitizedName' form.
"@
}
} elseif ($CASetup.GetCASetupProperty(0) -eq 1 -or $CASetup.GetCASetupProperty(0) -eq 4 -and $RequestFileName -ne "") {
$CASetup.SetCASetupProperty(14,$RequestFileName)
}
#endregion
}
#endregion
#region PFXKeySet
function PFXKeySet ($CACertFile, $Password) {
$FilePath = Resolve-Path $CACertFile -ErrorAction Stop
try {[void]$CASetup.CAImportPFX(
$FilePath.Path,
[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)),
$true)
} catch {Write-Error $_ -ErrorAction Stop}
}
#endregion
#region ExistingKeySet
function ExistingKeySet ($Thumbprint) {
$ExKeys = $CASetup.GetExistingCACertificates() | ?{
([Security.Cryptography.X509Certificates.X509Certificate2]$_.ExistingCACertificate).Thumbprint -eq $Thumbprint
}
if (!$ExKeys) {
Write-Error -Category ObjectNotFound -ErrorId "ElementNotFoundException" `
-ErrorAction Stop -Message "The system cannot find a valid CA certificate with thumbprint: $Thumbprint"
} else {$CASetup.SetCASetupProperty(1,@($ExKeys)[0])}
}
#endregion
#endregion
#region set database settings
if ($DBDirectory -ne "" -and $LogDirectory -ne "") {
try {$CASetup.SetDatabaseInformation($DBDirectory,$LogDirectory,$null,$OverwriteExisting)}
catch {
Write-Error -Category InvalidArgument -ErrorId "InvalidPathException" `
-ErrorAction Stop -Message "Specified path to either database directory or log directory is invalid."
}
} elseif ($DBDirectory -ne "" -and $LogDirectory -eq "") {
Write-Error -Category InvalidArgument -ErrorId "InvalidPathException" `
-ErrorAction Stop -Message "CA Log file directory cannot be empty."
} elseif ($DBDirectory -eq "" -and $LogDirectory -ne "") {
Write-Error -Category InvalidArgument -ErrorId "InvalidPathException" `
-ErrorAction Stop -Message "CA database directory cannot be empty."
}
#endregion
# process parametersets.
switch ($PSCmdlet.ParameterSetName) {
"ExistingKeySet" {ExistingKeySet $Thumbprint}
"PFXKeySet" {PFXKeySet $CACertFile $Password}
"NewKeySet" {NewKeySet $CAName $CADNSuffix $CAType $ParentCA $CSP $KeyLength $HashAlgorithm $ValidForYears $RequestFileName}
}
try {
Write-Host "Installing Certification Authority role on $env:computername ..." -ForegroundColor Cyan
if ($Force -or $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Install Certification Authority")) {
$CASetup.Install()
$PostRequiredMsg = @"
Certification Authority role was successfully installed, but not completed. To complete installation submit
request file '$($CASetup.GetCASetupProperty(14))' to parent Certification Authority
and install issued certificate by running the following command: certutil -installcert 'PathToACertFile'
"@
if ($CASetup.GetCASetupProperty(0) -eq 1 -and $ParentCA -eq "") {
Write-Host $PostRequiredMsg -ForegroundColor Yellow -BackgroundColor Black
} elseif ($CASetup.GetCASetupProperty(0) -eq 1 -and $PSCmdlet.ParameterSetName -eq "NewKeySet" -and $ParentCA -ne "") {
$CASName = (Get-ItemProperty HKLM:\System\CurrentControlSet\Services\CertSvc\Configuration).Active
$SetupStatus = (Get-ItemProperty HKLM:\System\CurrentControlSet\Services\CertSvc\Configuration\$CASName).SetupStatus
$RequestID = (Get-ItemProperty HKLM:\System\CurrentControlSet\Services\CertSvc\Configuration\$CASName).RequestID
if ($SetupStatus -ne 1) {
Write-Host $PostRequiredMsg -ForegroundColor Yellow -BackgroundColor Black
}
} elseif ($CASetup.GetCASetupProperty(0) -eq 4) {
Write-Host $PostRequiredMsg -ForegroundColor Yellow -BackgroundColor Black
} else {Write-Host "Certification Authority role is successfully installed!" -ForegroundColor Green}
}
} catch {Write-Error $_ -ErrorAction Stop}
Remove-Module ServerManager -ErrorAction SilentlyContinue
}
function Uninstall-CertificationAuthority {
<#
.Synopsis
Uninstalls Active Directory Certificate Services role from the local computer.
.Description
Uninstalls Active Directory Certificate Services role from the local computer.
The command supports Windows Server 2008 R2 Server Core installations.
.Parameter AutoRestart
Automatically restarts computer to complete CA role removal. Otherwise you will have to restart the server manually.
.Parameter Force
By default, the commands prompts you whether you want to remove CA role. Use Force switch to suppress all prompts.
.EXAMPLE
PS > Uninstall-CertificationAuthority -AutoRestart -Force
The command will uninstall CA role, suppresses all prompts and automatically restarts the server upon completion.
.Inputs
None.
.Outputs
None.
.NOTES
Author: Vadims Podans
Blog : http://en-us.sysadmins.lv
#>
[CmdletBinding(
ConfirmImpact = 'High',
SupportsShouldProcess = $true
)]
param(
[switch]$AutoRestart,
[switch]$Force
)
#region OS and existing CA checking
# check if script running on Windows Server 2008 or Windows Server 2008 R2
$OS = Get-WmiObject Win32_OperatingSystem -Property ProductType
if ([Environment]::OSVersion.Version.Major -lt 6) {
Write-Error -Category NotImplemented -ErrorId "NotSupportedException" `
-Message "Windows XP, Windows Server 2003 and Windows Server 2003 R2 are not supported!"
return
}
if ($OS.ProductType -eq 1) {
Write-Error -Category NotImplemented -ErrorId "NotSupportedException" `
-Message "Client operating systems are not supported!"
return
}
$CertConfig = New-Object -ComObject CertificateAuthority.Config
try {$ExistingDetected = $CertConfig.GetConfig(3)}
catch {
Write-Error -Category ObjectNotFound -ErrorId "ElementNotFoundException" `
-ErrorAction Stop -Message "Certificate Services are not installed on this computer."
}
#endregion
#region Binaries checking and removal stuff
try {$CASetup = New-Object -ComObject CertOCM.CertSrvSetup.1}
catch {
Write-Error -Category NotImplemented -ErrorId "NotImplementedException" `
-Message "Unable to load necessary interfaces. Your Windows Server operating system is not supported!"
return
}
if ([Environment]::OSVersion.Version.Major -eq 6 -and [Environment]::OSVersion.Version.Minor -eq 0) {
cmd /c "servermanagercmd -remove ADCS-Cert-Authority 2> null" | Out-Null
} else {
try {Import-Module ServerManager -ErrorAction Stop}
catch {
ocsetup 'ServerManager-PSH-Cmdlets' /quiet | Out-Null
Start-Sleep 2
Import-Module ServerManager
}
$status = (Get-WindowsFeature -Name ADCS-Cert-Authority).Installed
if ($status) {
$WarningPreference = "SilentlyContinue"
if ($Force -or $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Uninstall Certification Authority")) {
$CASetup.PreUninstall($false)
$retn = Remove-WindowsFeature -Name ADCS-Cert-Authority -ErrorAction Stop
}
}
}
if ($AutoRestart) {
#Restart-Computer -Force
} else {
Write-Host "Certification Authority role was removed successfully. You must restart this server to complete role removal." `
-ForegroundColor Yellow -BackgroundColor Black
}
#endregion
}