DSCResources/DSC_AdcsCertificationAuthoritySettings/en-US/about_AdcsCertificationAuthoritySettings.help.txt
.NAME
AdcsCertificationAuthoritySettings .DESCRIPTION This resource can be used to configure the advanced settings of an Active Directory Certificate Services instance. The Active Directory Certificate Services feature should have been enabled and a Certificate Authority installed. For more detailed information and examples of setting the values for this resource please read https://blogs.technet.microsoft.com/xdot509/2013/03/22/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-wrap-up/. .PARAMETER IsSingleInstance Key - String Allowed values: Yes Specifies the resource is a single instance, the value must be 'Yes'. .PARAMETER CACertPublicationURLs Write - StringArray Specifies an array of Certificate Authority certificate publication URLs, each prepended with an integer representing the type of URL endpoint. .PARAMETER CRLPublicationURLs Write - StringArray Specifies an array of Certificate Revocation List publication URLs, each prepended with an integer representing the type of URL endpoint. .PARAMETER CRLOverlapUnits Write - UInt32 Specifies the number of units for the certificate revocation list overlap period. .PARAMETER CRLOverlapPeriod Write - String Allowed values: Hours, Days, Weeks, Months, Years Specifies the units of measurement for the certificate revocation list overlap period. .PARAMETER CRLPeriodUnits Write - UInt32 Specifies the number of units for the certificate revocation period. .PARAMETER CRLPeriod Write - String Allowed values: Hours, Days, Weeks, Months, Years Specifies the units of measurement for the certificate revocation period. .PARAMETER ValidityPeriodUnits Write - UInt32 Specifies the number of units for the validity period of certificates issued by this certificate authority. .PARAMETER ValidityPeriod Write - String Allowed values: Hours, Days, Weeks, Months, Years Specifies the units of measurement for the validity period of certificates issued by this certificate authority. .PARAMETER DSConfigDN Write - String Specifies the distinguished name of the directory services configuration object that contains this certificate authority in the Active Directory. .PARAMETER DSDomainDN Write - String Specifies the distinguished name of the directory services object that contains this certificate authority in the Active Directory. .PARAMETER AuditFilter Write - StringArray Allowed values: StartAndStopADCS, BackupAndRestoreCADatabase, IssueAndManageCertificateRequests, RevokeCertificatesAndPublishCRLs, ChangeCASecuritySettings, StoreAndRetrieveArchivedKeys, ChangeCAConfiguration Specifies an array of audit categories to enable audit logging for. .EXAMPLE 1 This example will add the Active Directory Certificate Services Certificate Authority feature to a server and configure it as a certificate authority enterprise root CA. It will then set the certificate authority CA certificate publication URLs and certificate revocation list URLs. The certificate revocation list overlap period will be set to 8 hours and the certificate revocation list period to 1 month. The validity period of the certificate authority period will also be set to 10 years. The domain services domain and configuration distinguished names will be set to the values expected for an enterprise CA. The audit filter settings will be configured to record all audit events. See this page for more information on these settings: https://blogs.technet.microsoft.com/xdot509/2013/03/22/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-wrap-up/ Configuration AdcsCertificationAuthoritySettings_EnterpriseCA_Config { param ( [Parameter(Mandatory = $true)] [ValidateNotNullorEmpty()] [System.Management.Automation.PSCredential] $Credential ) Import-DscResource -Module ActiveDirectoryCSDsc Node localhost { WindowsFeature ADCS-Cert-Authority { Ensure = 'Present' Name = 'ADCS-Cert-Authority' } AdcsCertificationAuthority CertificateAuthority { IsSingleInstance = 'Yes' Ensure = 'Present' Credential = $Credential CAType = 'EnterpriseRootCA' DependsOn = '[WindowsFeature]ADCS-Cert-Authority' } AdcsCertificationAuthoritySettings CertificateAuthoritySettings { IsSingleInstance = 'Yes' CACertPublicationURLs = @( '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt' '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11' '2:http://pki.contoso.com/CertEnroll/%1_%3%4.crt' ) CRLPublicationURLs = @( '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl' '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10' '6:http://pki.contoso.com/CertEnroll/%3%8%9.crl' ) CRLOverlapUnits = 8 CRLOverlapPeriod = 'Hours' CRLPeriodUnits = 1 CRLPeriod = 'Months' ValidityPeriodUnits = 10 ValidityPeriod = 'Years' DSConfigDN = 'CN=Configuration,DC=CONTOSO,DC=COM' DSDomainDN = 'DC=CONTOSO,DC=COM' AuditFilter = @( 'StartAndStopADCS' 'BackupAndRestoreCADatabase' 'IssueAndManageCertificateRequests' 'RevokeCertificatesAndPublishCRLs' 'ChangeCASecuritySettings' 'StoreAndRetrieveArchivedKeys' 'ChangeCAConfiguration' ) DependsOn = '[AdcsCertificationAuthority]CertificateAuthority' } } } |