Command Listing
Listed on this page are all commands that are included in the print edition of Practical Guide to PKI with Windows Server - Second Edition. This page is intended for anyone who purchased the physical copy of the book, so that they do not need to type any of the entries by hand. The paperback and hardcover versions of the book are identical, and this page applies to both.
Not included on this page are any commands that are listed in the Preface, Introduction, Glossary and Commands sections of the book.
Commands are organized based on what page they are printed on, from top to bottom.
These commands are displayed on this page exactly as they appear in the 15 chapters of the book; they have not been modified in any way.
Chapter 1 - Public Key Infrastructure Overview
There are no commands in this chapter.
Chapter 2 - AD CS Overview
There are no commands in this chapter.
Chapter 3 - Test Environment Overview
There are no commands in this chapter.
Chapter 4 - Hyper-V Setup and Configuration
Page 43
# Page 43: enable the Hyper-V feature, with all of its sub-features, on the running host.
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
Page 44
# Page 44: the same Hyper-V feature enablement as Page 43, done with DISM instead of the cmdlet.
DISM.exe /Online /Enable-Feature /All /FeatureName:Microsoft-Hyper-V
Page 49
# Page 49: enable Enhanced Session Mode host-wide; Page 50 selects the transport per VM.
Set-VMHost -EnableEnhancedSessionMode $true
Page 50
# Page 50: set the Enhanced Session transport for a single VM.
# "Virtual Machine Name" is a placeholder for the VM's actual name.
Set-VM -VMName "Virtual Machine Name" -EnhancedSessionTransportType HvSocket
Page 53
# Page 53: folders used as the VM, VHD and floppy-image locations throughout the book.
# Paths containing spaces must stay quoted.
mkdir D:\Hyper-V
mkdir "D:\Hyper-V\Virtual Hard Disks"
mkdir "D:\Hyper-V\Virtual Floppy Disks"
Page 54
# Page 54: make the Page 53 folders the host's defaults for new VHDs and VM files.
# NOTE(review): -ComputerName is the host name used in the book ("WIN11PRO"); substitute your own.
Set-VMHost `
-ComputerName "WIN11PRO" `
-VirtualHardDiskPath "D:\Hyper-V\Virtual Hard Disks" `
-VirtualMachinePath "D:\Hyper-V"
Page 55
# Page 55: list every VM on the host with its name and GUID.
Get-VM | Format-Table VMName, VMId
Page 57
# Page 57: list the virtual switches that already exist on the host.
Get-VMSwitch
Page 59
# Page 59: find the physical adapter, then bind an external virtual switch to it.
# -AllowManagementOS:$true lets the host itself keep using that adapter through the switch.
# The switch name "Hyper-V External Switch" is referenced by every later New-VM.
Get-NetAdapter
New-VMSwitch `
-Name "Hyper-V External Switch" `
-NetAdapterName "Ethernet" `
-AllowManagementOS:$true
Page 63
# Page 63: create a test VM, attach install media, start it and open its console.
# Generation 1, 4 GB RAM, new 40 GB VHDX, connected to the external switch from Page 59.
New-VM `
-Name "Windows Server 2022" `
-Generation 1 `
-MemoryStartupBytes 4GB `
-BootDevice VHD `
-NewVHDPath "D:\Hyper-V\Virtual Hard Disks\Windows Server 2022.vhdx" `
-NewVHDSizeBytes 40GB `
-Switch "Hyper-V External Switch"
# Two virtual processors.
Set-VMProcessor "Windows Server 2022" -Count 2
# Mount the Windows Server 2022 ISO in the VM's DVD drive.
Set-VMDvdDrive `
-VMName "Windows Server 2022" `
-Path "D:\ISO Images\Windows Server 2022.iso"
# Start the VM and connect to its console.
Start-VM -Name "Windows Server 2022"
vmconnect.exe localhost "Windows Server 2022"
Page 71
# Page 71: create a virtual floppy image, attach it to the VM, then detach it again.
New-VFD "D:\Hyper-V\Virtual Floppy Disks\Test-Floppy.vfd"
Set-VMFloppyDiskDrive `
-VMName "Windows Server 2022" `
-Path "D:\Hyper-V\Virtual Floppy Disks\Test-Floppy.vfd"
# An empty path (-Path $null) removes the image from the floppy drive.
Set-VMFloppyDiskDrive -VMName "Windows Server 2022" -Path $null
Page 72
# Page 72: format the attached floppy image (presumably run inside the guest).
format.exe A:
Page 73
# Page 73: tear the test VM down. Remove-VM does not delete the virtual disk, so its
# path is listed first (Get-VMHardDiskDrive) and the VHDX is removed explicitly afterwards.
Stop-VM -Name "Windows Server 2022" -Force
Get-VMHardDiskDrive -VMName "Windows Server 2022" | Format-Table Path
Remove-VM -Name "Windows Server 2022" -Force
Remove-Item "D:\Hyper-V\Virtual Hard Disks\Windows Server 2022.vhdx"
Chapter 5 - Domain and Workstation Setup
# Chapter 5 (before Page 80): create the domain controller VM TFS-DC01.
# Generation 2, 4 GB RAM, new 40 GB VHDX, connected to the external switch.
New-VM `
-Name "TFS-DC01" `
-Generation 2 `
-MemoryStartupBytes 4GB `
-BootDevice VHD `
-NewVHDPath "D:\Hyper-V\Virtual Hard Disks\TFS-DC01.vhdx" `
-NewVHDSizeBytes 40GB `
-Switch "Hyper-V External Switch"
Set-VMProcessor "TFS-DC01" -Count 2
# Add-VMDvdDrive (not Set-, as on Page 63) because this Generation 2 VM starts without a DVD drive.
Add-VMDvdDrive `
-VMName "TFS-DC01" `
-Path "D:\ISO Images\Windows Server 2022.iso"
# Boot from the DVD first so the installer runs.
Set-VMFirmware `
-VMName "TFS-DC01" `
-FirstBootDevice $(Get-VMDvdDrive -VMName "TFS-DC01")
Start-VM -Name "TFS-DC01"
vmconnect.exe localhost "TFS-DC01"
Page 80
# Page 80: name the DC and give it the static address 10.100.1.100/24 (gateway 10.100.1.1).
# (Get-NetAdapter).InterfaceIndex assumes the VM has exactly one adapter; with more than
# one it expands to several indexes.
Rename-Computer "TFS-DC01" -Restart
New-NetIPAddress `
-AddressFamily IPv4 `
-IPAddress 10.100.1.100 `
-PrefixLength 24 `
-DefaultGateway 10.100.1.1 `
-InterfaceIndex (Get-NetAdapter).InterfaceIndex
# A public resolver for now. Once AD DS installs DNS on this machine (Page 90), the other
# lab machines point at this DC (10.100.1.100) instead (Pages 110 and 179).
Set-DnsClientServerAddress `
-ServerAddresses ("1.1.1.1") `
-InterfaceIndex (Get-NetAdapter).InterfaceIndex
Page 81
# Page 81: open the Windows Update settings page.
Start-Process ms-settings:windowsupdate
Page 82
# Page 82: install the AD DS role together with its RSAT management tools.
Install-WindowsFeature AD-Domain-Services, RSAT-ADDS
Page 90
# Page 90: promote TFS-DC01 to the first DC of the new forest corp.tfslabs.com (NetBIOS TFSLABS).
# -InstallDns:$true makes this DC the lab's DNS server; -NoRebootOnCompletion:$false means it
# reboots when finished; -Force:$true suppresses the confirmation prompts.
# No -SafeModeAdministratorPassword is passed, so expect to be prompted for the DSRM password.
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "WinThreshold" `
-DomainName "corp.tfslabs.com" `
-DomainNetbiosName "TFSLABS" `
-ForestMode "WinThreshold" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
Page 97
# Page 97: OU structure. "TFS Labs" sits at the domain root; the Servers, Users and
# Workstations sub-OUs receive the computer and user objects created on later pages.
New-ADOrganizationalUnit `
-Name "TFS Labs" -Path "DC=corp,DC=tfslabs,DC=com"
New-ADOrganizationalUnit `
-Name "TFS Servers" -Path "OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
New-ADOrganizationalUnit `
-Name "TFS Users" -Path "OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
New-ADOrganizationalUnit `
-Name "TFS Workstations" -Path "OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
Page 101
# Page 101: create the test user msmith in the TFS Users OU. The password is read
# interactively as a SecureString, so it never appears on the command line or in history.
# -ChangePasswordAtLogon $false keeps this password; -Enabled $true makes the account usable at once.
New-ADUser `
-DisplayName "Mary Smith" `
-Name "Mary Smith" `
-GivenName "Mary" `
-Surname "Smith" `
-SamAccountName "msmith" `
-EmailAddress "msmith@corp.tfslabs.com" `
-Path "OU=TFS Users,OU=TFS Labs,DC=corp,DC=tfslabs,DC=com" `
-AccountPassword (Read-Host -AsSecureString "User Password") `
-ChangePasswordAtLogon $false `
-Enabled $true
Page 104
# Page 104: give the built-in Administrator an e-mail address (the same address appears
# in the CSR configuration on Page 305).
Set-ADUser `
-Identity Administrator `
-EmailAddress "administrator@corp.tfslabs.com"
Page 107
# Page 107: create the Windows 11 workstation VM TFS-WIN11 (Generation 2, 4 GB RAM, 64 GB VHDX).
New-VM `
-Name "TFS-WIN11" `
-Generation 2 `
-MemoryStartupBytes 4GB `
-BootDevice VHD `
-NewVHDPath "D:\Hyper-V\Virtual Hard Disks\TFS-WIN11.vhdx" `
-NewVHDSizeBytes 64GB `
-Switch "Hyper-V External Switch"
Set-VMProcessor "TFS-WIN11" -Count 2
# A key protector must exist before a virtual TPM can be enabled; the Windows 11
# installer expects a TPM to be present.
Set-VMKeyProtector -VMName "TFS-WIN11" -NewLocalKeyProtector
Enable-VMTPM -VMName "TFS-WIN11"
# Attach the Windows 11 24H2 ISO and boot from it first.
Add-VMDvdDrive `
-VMName "TFS-WIN11" `
-Path "D:\ISO Images\Windows 11 24H2.iso"
Set-VMFirmware `
-VMName "TFS-WIN11" `
-FirstBootDevice $(Get-VMDvdDrive -VMName "TFS-WIN11")
Page 108
# Page 108: start the workstation VM and open its console.
Start-VM -Name "TFS-WIN11"
vmconnect.exe localhost "TFS-WIN11"
Page 109
# Page 109: set a password on the local Administrator account and enable it.
# The password is read as a SecureString rather than typed on the command line.
# NOTE(review): $password remains in the session afterwards; clear the variable when done.
$password = Read-Host -AsSecureString "Administrator Password"
$username = Get-LocalUser -Name "Administrator"
$username | Set-LocalUser -Password $password
Enable-LocalUser -Name "Administrator"
Page 110
# Page 110: name the workstation and give it 10.100.1.110/24, with DNS pointed at the
# domain controller (10.100.1.100) so the domain name resolves (checked on Page 111).
# (Get-NetAdapter).InterfaceIndex assumes a single adapter.
Rename-Computer "TFS-WIN11" -Restart
New-NetIPAddress `
-AddressFamily IPv4 `
-IPAddress 10.100.1.110 `
-PrefixLength 24 `
-DefaultGateway 10.100.1.1 `
-InterfaceIndex (Get-NetAdapter).InterfaceIndex
Set-DnsClientServerAddress `
-ServerAddresses ("10.100.1.100") `
-InterfaceIndex (Get-NetAdapter).InterfaceIndex
Page 111
# Page 111: confirm the domain name resolves and the DC answers before joining.
ping corp.tfslabs.com
Page 112
# Page 112: join the workstation to corp.tfslabs.com and reboot.
Add-Computer -DomainName corp.tfslabs.com -Restart
Page 115
# Page 115: move the workstation's computer object into the TFS Workstations OU (Page 97),
# then open Windows Update.
Get-ADComputer "TFS-WIN11" | `
Move-ADObject -TargetPath "OU=TFS Workstations,OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
Start-Process ms-settings:windowsupdate
Page 117
# Page 117: checkpoint both domain machines before any AD CS work, plus the matching
# restore commands (-Confirm:$false skips the prompt) to roll back to that state.
Checkpoint-VM -Name TFS-DC01 -SnapshotName "Pre-ADCS-Implementation"
Checkpoint-VM -Name TFS-WIN11 -SnapshotName "Pre-ADCS-Implementation"
Restore-VMSnapshot -Name "Pre-ADCS-Implementation" -VMName TFS-DC01 -Confirm:$false
Restore-VMSnapshot -Name "Pre-ADCS-Implementation" -VMName TFS-WIN11 -Confirm:$false
Page 118
# Page 118: delete the "Pre-ADCS-Implementation" checkpoints once they are no longer needed.
Get-VM -Name TFS-DC01 | Get-VMSnapShot -Name "Pre-ADCS-Implementation" | Remove-VMSnapshot
Get-VM -Name TFS-WIN11 | Get-VMSnapShot -Name "Pre-ADCS-Implementation" | Remove-VMSnapshot
Chapter 6 - Offline Root CA Setup
Page 121
# Page 121: create the root CA VM. Unlike the other New-VM listings there is no -Switch
# parameter: this CA is kept off the network (Page 122 removes its adapter entirely).
New-VM `
-Name "TFS-ROOT-CA" `
-Generation 1 `
-MemoryStartupBytes 4GB `
-BootDevice VHD `
-NewVHDPath "D:\Hyper-V\Virtual Hard Disks\TFS-ROOT-CA.vhdx" `
-NewVHDSizeBytes 40GB
Page 122
# Page 122: CPU count and install media for the root CA, then remove the VM's network
# adapter so the offline root has no network connectivity at all; start and connect
# through the console only.
Set-VMProcessor "TFS-ROOT-CA" -Count 2
Set-VMDvdDrive `
-VMName "TFS-ROOT-CA" `
-Path "D:\ISO Images\Windows Server 2022.iso"
Remove-VMNetworkAdapter -VMName "TFS-ROOT-CA" -VMNetworkAdapterName "Network Adapter"
Start-VM -Name "TFS-ROOT-CA"
vmconnect.exe localhost "TFS-ROOT-CA"
Page 123
# Page 123: name the root CA and place it in a workgroup; it is never domain-joined.
Rename-Computer "TFS-ROOT-CA" -Restart
Add-Computer -WorkgroupName "TFS-CA" -Restart
# Disable the Guest Service Interface (the integration service behind host-to-guest file
# copy) to limit the host's channels into the offline CA; files move via floppy images
# instead (Page 128).
Disable-VMIntegrationService -VMName "TFS-ROOT-CA" -Name "Guest Service Interface"
Page 126
# Page 126: open the Server Core configuration menu.
SConfig.cmd
Page 128
# Page 128: floppy image used to move files to and from the offline root CA.
# Create it, attach it, format it inside the guest, then detach it with -Path $null.
New-VFD "D:\Hyper-V\Virtual Floppy Disks\RootCAFiles.vfd"
Set-VMFloppyDiskDrive `
-VMName "TFS-ROOT-CA" `
-Path "D:\Hyper-V\Virtual Floppy Disks\RootCAFiles.vfd"
format.exe A:
Set-VMFloppyDiskDrive -VMName "TFS-ROOT-CA" -Path $null
Page 129
# Page 129: install BitLocker (all sub-features and management tools) on the root CA and reboot.
Install-WindowsFeature BitLocker `
-IncludeAllSubFeature `
-IncludeManagementTools `
-Restart
Page 137
# Page 137: protect the root CA's system drive with BitLocker.
# 1. Add a recovery-password protector (Out-Null discards the returned object).
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector | Out-Null
# 2. Export the volume's key protectors, recovery password included, to the floppy image.
#    A:\TFS-ROOT-CA-Key.txt is a clear-text recovery secret: protect the floppy image like
#    the CA's private key and detach it from the VM (Page 128) once the file is stored safely.
(Get-BitLockerVolume -MountPoint C).KeyProtector | Out-File A:\TFS-ROOT-CA-Key.txt
# 3. Add a password protector (password read as a SecureString) and turn encryption on.
$password = Read-Host -AsSecureString "BitLocker Password"
Enable-BitLocker -MountPoint "C:" -Password $password -PasswordProtector
Restart-Computer -Force
Page 141
# Page 141: re-export the key protectors to the floppy after encryption is enabled.
# Same sensitivity as on Page 137: the file holds the recovery password in clear text.
(Get-BitLockerVolume -MountPoint C).KeyProtector | Out-File A:\TFS-ROOT-CA-Key.txt
Page 144
; Page 144: CA policy file for the offline root CA (presumably saved as CAPolicy.inf
; before the role install on Page 154 — confirm with the book).
[Version]
Signature = "$Windows NT$"
; Certificate-policies extension: both policy OIDs below are placed in the CA certificate.
[PolicyStatementExtension]
Policies = AllIssuancePolicy, InternalPolicy
Critical = FALSE
[AllIssuancePolicy]
; Enables all Certificate Templates.
OID = 2.5.29.32.0
[InternalPolicy]
; NOTE(review): 1.2.3.4.... looks like an example OID; a production CA should use an OID
; from an arc registered to the organization.
OID = 1.2.3.4.1455.67.89.5
; Notice text and the CPS URL; the page behind the URL is created on Page 229.
Notice = "The TFS Labs Certification Authority is an internal only resource."
URL = http://pki.corp.tfslabs.com/cps.html
[Certsrv_Server]
; Renewal information for the Root CA.
; 4096-bit key and 10-year validity, matching -KeyLength / -ValidityPeriodUnits on Page 154.
RenewalKeyLength = 4096
RenewalValidityPeriod = Years
RenewalValidityPeriodUnits = 10
; Disable support for issuing certificates using RSASSA-PSS.
; 0 selects PKCS#1 v1.5 signatures, the format most relying parties expect.
AlternateSignatureAlgorithm = 0
; The CRL publication period is the lifetime of the Root CA.
; Page 163 later shortens this to 52 weeks with certutil -setreg.
CRLPeriod = Years
CRLPeriodUnits = 10
; The option for Delta CRL is disabled since this is a Root CA.
CRLDeltaPeriod = Days
CRLDeltaPeriodUnits = 0
Page 146
# Page 146: install the Certification Authority role service and its management tools.
Add-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Page 152
# Page 152: checkpoint the root CA VM before the CA is configured.
Checkpoint-VM -Name TFS-ROOT-CA -SnapshotName "Pre-ADCS-Implementation"
Page 153
# Page 153: roll the root CA VM back to the Page 152 checkpoint without a confirmation prompt.
Restore-VMSnapshot -Name "Pre-ADCS-Implementation" -VMName TFS-ROOT-CA -Confirm:$false
Page 154
# Page 154: install the offline root CA: standalone (not AD-integrated), RSA 4096, SHA-256,
# 10-year CA certificate. "RSA#Microsoft Software Key Storage Provider" keeps the CA key in
# software on the local disk (an HSM-backed deployment would name its own provider here);
# the BitLocker setup on Page 137 is what protects that disk at rest.
# -DatabaseDirectory expands to %SystemRoot%\System32\CertLog; -Force skips confirmation.
Install-AdcsCertificationAuthority `
-CAType StandaloneRootCA `
-CACommonName "TFS Labs Certificate Authority" `
-KeyLength 4096 `
-HashAlgorithm SHA256 `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-ValidityPeriod Years `
-ValidityPeriodUnits 10 `
-DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") `
-Force
Page 163
# Page 163: post-install registry settings for the root CA, applied by restarting CertSvc.
# DSConfigDN: the forest's Configuration naming context — presumably recorded because this
#   standalone CA serves an AD forest it is not joined to.
# ValidityPeriod 5 Years: longest lifetime of certificates this root issues; in this book that
#   is the subordinate CA certificate (compare RenewalValidityPeriodUnits = 5 on Page 185).
# CRLPeriod 52 Weeks: replaces the 10-year period from the Page 144 policy file, so a fresh root
#   CRL must be published at least yearly (certutil -crl, Pages 172 and 312).
# CRLOverlapPeriod 12 Hours: each CRL stays valid 12 hours beyond its scheduled successor.
certutil.exe -setreg `
CA\DSConfigDN "CN=Configuration,DC=corp,DC=tfslabs,DC=com"
certutil.exe -setreg CA\ValidityPeriodUnits 5
certutil.exe -setreg CA\ValidityPeriod "Years"
certutil.exe -setreg CA\CRLPeriodUnits 52
certutil.exe -setreg CA\CRLPeriod "Weeks"
certutil.exe -setreg CA\CRLOverlapPeriodUnits 12
certutil.exe -setreg CA\CRLOverlapPeriod "Hours"
net stop CertSvc
net start CertSvc
Page 164
# Page 164: show the distinguished name of the Administrator account.
(Get-ADUser -Identity Administrator).DistinguishedName
Page 165
# Page 165: enable auditing of CA operations. auditpol turns on the Object Access category
# for both success and failure; AuditFilter 127 sets every CA audit-event bit (all seven
# categories). Both are needed for CA events to reach the Security log.
auditpol.exe /set /category:"Object Access" /failure:enable /success:enable
certutil.exe -setreg CA\AuditFilter 127
net stop CertSvc
net start CertSvc
Page 168
# Page 168: where the root CA writes its CRL and certificate, and which URLs issued
# certificates advertise. Each entry is "<flags>:<location>" and "\n" separates entries
# (certutil stores them as a multi-string). For the CRL list, 65 = publish the CRL (1) and
# delta CRL (64) to the path; 6 = put the URL in issued certificates' CDP (2) and freshest-CRL
# (4) extensions. For the certificate list, 1 = publish, 2 = put the URL in the AIA extension.
# %3%8%9 and %1_%3%4 are certutil tokens; Page 170 shows what they expand to.
# The HTTP URLs are intentional: CRLs and CA certificates are signed objects, and HTTPS here
# would make revocation checking depend on the PKI being validated.
# NOTE(review): the root is offline, so the files written under CertEnroll have to be carried
# to the C:\CertData folder that the web server publishes (Page 204).
certutil.exe -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://pki.corp.tfslabs.com/CertData/%3%8%9.crl"
certutil.exe -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.corp.tfslabs.com/CertData/%1_%3%4.crt"
net stop CertSvc
net start CertSvc
Page 170
http://pki.corp.tfslabs.com/CertData/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
http://pki.corp.tfslabs.com/CertData/<ServerDNSName>_<CaName><CertificateName>.crt
Page 171
# Page 171: read back the publication settings written on Page 168.
certutil.exe -getreg CA\CRLPublicationURLs
certutil.exe -getreg CA\CACertPublicationURLs
Page 172
# Page 172: publish a new CRL to the locations configured on Page 168.
certutil.exe -crl
Chapter 7 - Subordinate CA Setup
Page 177
# Page 177: create the subordinate (issuing) CA VM TFS-CA01. Unlike the root (Page 121)
# it is connected to the external switch: this CA is online and domain-joined.
New-VM `
-Name "TFS-CA01" `
-Generation 1 `
-MemoryStartupBytes 4GB `
-BootDevice VHD `
-NewVHDPath "D:\Hyper-V\Virtual Hard Disks\TFS-CA01.vhdx" `
-NewVHDSizeBytes 40GB `
-Switch "Hyper-V External Switch"
Page 178
# Page 178: CPU count, install media, start, console, then name the machine.
Set-VMProcessor "TFS-CA01" -Count 2
Set-VMDvdDrive `
-VMName "TFS-CA01" `
-Path "D:\ISO Images\Windows Server 2022.iso"
Start-VM -Name "TFS-CA01"
vmconnect.exe localhost "TFS-CA01"
Rename-Computer "TFS-CA01" -Restart
Page 179
# Page 179: static address 10.100.1.101/24 for the subordinate CA, DNS pointed at the DC.
# (Get-NetAdapter).InterfaceIndex assumes a single adapter.
New-NetIPAddress `
-AddressFamily IPv4 `
-IPAddress 10.100.1.101 `
-PrefixLength 24 `
-DefaultGateway 10.100.1.1 `
-InterfaceIndex (Get-NetAdapter).InterfaceIndex
Set-DnsClientServerAddress `
-ServerAddresses ("10.100.1.100") `
-InterfaceIndex (Get-NetAdapter).InterfaceIndex
Page 180
# Page 180: confirm the domain resolves, then join it and reboot.
ping corp.tfslabs.com
Add-Computer -DomainName corp.tfslabs.com -Restart
Page 181
# Page 181: move the CA's computer object into the TFS Servers OU (Page 97).
Get-ADComputer "TFS-CA01" | `
Move-ADObject -TargetPath "OU=TFS Servers,OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
Page 182
# Page 182: DNS aliases. Both host names used in the publication URLs — pki.corp.tfslabs.com
# (Pages 168 and 224) and ocsp.corp.tfslabs.com (Page 256) — resolve to the subordinate CA.
Add-DnsServerResourceRecordCName `
-Name "OCSP" `
-HostNameAlias "TFS-CA01.corp.tfslabs.com" `
-ZoneName "corp.tfslabs.com"
Add-DnsServerResourceRecordCName `
-Name "PKI" `
-HostNameAlias "TFS-CA01.corp.tfslabs.com" `
-ZoneName "corp.tfslabs.com"
Page 185
; Page 185: CA policy file for the subordinate CA (presumably saved as CAPolicy.inf before
; the role install on Page 196 — confirm with the book). Same policy OIDs as the root (Page 144).
[Version]
Signature = "$Windows NT$"
[PolicyStatementExtension]
Policies = AllIssuancePolicy, InternalPolicy
Critical = FALSE
[AllIssuancePolicy]
; Enables all Certificate Templates.
OID = 2.5.29.32.0
[InternalPolicy]
; NOTE(review): 1.2.3.4.... looks like an example OID; use one from your organization's arc in production.
OID = 1.2.3.4.1455.67.89.5
; Certification Practice Statement
Notice = "The TFS Labs Certification Authority is an internal only resource."
URL = http://pki.corp.tfslabs.com/cps.html
[Certsrv_Server]
; Renewal information for the Subordinate CA.
; 5-year renewal, matching the root's ValidityPeriod of 5 years set on Page 163.
RenewalKeyLength = 4096
RenewalValidityPeriod = Years
RenewalValidityPeriodUnits = 5
; Disable support for issuing certificates using RSASSA-PSS.
AlternateSignatureAlgorithm = 0
; Load all certificate templates by default.
; Every default template becomes issuable as soon as the CA is installed; review which
; templates stay published afterwards (Chapter 11) rather than leaving all of them enabled.
LoadDefaultTemplates = 1
Page 187
# Page 187: CA role service plus Web Enrollment (IIS) and the IIS management service.
Add-WindowsFeature `
-Name ADCS-Cert-Authority, ADCS-Web-Enrollment, Web-Mgmt-Service `
-IncludeManagementTools
Page 196
# Page 196: install the enterprise (AD-integrated) subordinate CA, RSA 4096 / SHA-256 with
# the software key storage provider. No -ValidityPeriod is given here: the lifetime of this
# CA's own certificate is set by the issuing root (5 years, Page 163).
Install-AdcsCertificationAuthority `
-CAType EnterpriseSubordinateCA `
-CACommonName "TFS Labs Enterprise CA" `
-KeyLength 4096 `
-HashAlgorithm SHA256 `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-Force
# Configure the Web Enrollment pages installed on Page 187.
Install-AdcsWebEnrollment -Force
Page 204
REM Page 204: publish C:\CertData as http://.../CertData/ and enable directory listing.
REM The listing is visible to anonymous HTTP clients, so keep only CA certificates and
REM CRLs in C:\CertData.
cd C:\Windows\System32\inetsrv\
appcmd.exe add vdir /app.name:"Default Web Site/" ^
/path:/CertData /physicalPath:C:\CertData
appcmd.exe set config "Default Web Site/CertData" ^
/section:directoryBrowse /enabled:true
Page 208
REM Page 208: allow double-escaped URLs so file names containing "+" (delta CRLs) can be
REM requested. No site is named, so this applies at the server level (compare Page 347,
REM where the same setting is scoped to "Default Web Site").
cd C:\Windows\System32\inetsrv\
appcmd.exe set config /section:requestfiltering /allowdoubleescaping:true
# Page 208: restart IIS so the request-filtering change takes effect.
Restart-Service W3SVC
Page 217
# Page 217: CRLF_REVCHECK_IGNORE_OFFLINE lets CertSvc start even when the root's CRL cannot be
# reached for the revocation check of the CA's own chain. It is a concession to the offline
# root, not a substitute for keeping the root CRL published (Pages 172 and 312).
certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
net stop CertSvc
net start CertSvc
# Maximum lifetime of certificates issued by this CA: 1 year.
certutil.exe -setreg CA\ValidityPeriodUnits 1
certutil.exe -setreg CA\ValidityPeriod "Years"
net stop CertSvc
net start CertSvc
REM Page 217: enable directory listing on the CertEnroll virtual directory, which the
REM subordinate CA's HTTP publication URLs use (Page 224).
cd C:\Windows\System32\inetsrv\
appcmd.exe set config "Default Web Site/CertEnroll" ^
/section:directoryBrowse /enabled:true
Page 222
# Page 222: CA auditing on the subordinate CA, identical to Page 165 on the root:
# Object Access success/failure plus all seven CA audit-event bits (127).
auditpol.exe /set /category:"Object Access" /failure:enable /success:enable
certutil.exe -setreg CA\AuditFilter 127
net stop CertSvc
net start CertSvc
Page 224
# Page 224: publication URLs for the subordinate CA. Same flag values and tokens as the
# root (Page 168); the HTTP path is /CertEnroll/ (the IIS directory exposed on Page 217)
# rather than the root's /CertData/. Page 226 shows the expanded token meaning.
certutil.exe -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://pki.corp.tfslabs.com/CertEnroll/%3%8%9.crl"
certutil.exe -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.corp.tfslabs.com/CertEnroll/%1_%3%4.crt"
net stop CertSvc
net start CertSvc
Page 226
http://pki.corp.tfslabs.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
http://pki.corp.tfslabs.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
Page 227
# Page 227: read back the publication settings written on Page 224.
certutil.exe -getreg CA\CRLPublicationURLs
certutil.exe -getreg CA\CACertPublicationURLs
Page 228
# Page 228: publish a new CRL from the subordinate CA.
certutil.exe -crl
Page 229
<!-- Page 229: the Certification Practice Statement page referenced by
     URL = http://pki.corp.tfslabs.com/cps.html in both policy files (Pages 144 and 185). -->
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>TFS Labs Certification Practice Statement</title>
</head>
<body>
<h1>TFS Labs Certification Practice Statement</h1>
<p>The TFS Labs Certificate Authority is an internal only resource.</p>
<p>Issued certificates from this Certificate Authority are for internal use only.</p>
</body>
</html>
Page 231
# Page 231: allow inbound ICMPv4 echo (so ping works) and inbound HTTP on the subordinate CA;
# HTTP is what the CDP/AIA URLs (Page 224) are served over.
Enable-NetFirewallRule `
-DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)"
Enable-NetFirewallRule -DisplayName "World Wide Web Services (HTTP Traffic-In)"
Page 232
# Page 232: allow inbound HTTPS as well.
Enable-NetFirewallRule -DisplayName "World Wide Web Services (HTTPS Traffic-In)"
Page 235
# Page 235: open the Windows Update settings page.
Start-Process ms-settings:windowsupdate
Chapter 8 - Deploy CA Certificates
Page 242
# Page 242: force a Group Policy refresh so the CA certificate distribution applies now.
gpupdate.exe /force
Page 245
REM Page 245: publish C:\Certificates as http://.../Certificates/ with directory listing,
REM the same pattern as Page 204. Anything placed in the folder is listed to anonymous clients.
cd C:\Windows\System32\inetsrv\
appcmd.exe add vdir /app.name:"Default Web Site/" ^
/path:/Certificates /physicalPath:C:\Certificates
appcmd.exe set config "Default Web Site/Certificates" ^
/section:directoryBrowse /enabled:true
Page 247
# Page 247: convert a certificate between DER (binary) and Base64 (PEM-style) encodings.
certutil.exe -encode der-certificate.cer base64-certificate.cer
certutil.exe -decode base64-certificate.cer der-certificate.cer
Chapter 9 - Online Responder Role
Page 252
# Page 252: install the Online Responder (OCSP) role service and its management tool.
Add-WindowsFeature Adcs-Online-Cert, RSAT-Online-Responder
Page 254
# Page 254: configure the Online Responder without a confirmation prompt.
Install-AdcsOnlineResponder -Force
Page 255
# Page 255: NOTE(review): see the book for what -vocsproot does at this point; IIS is
# restarted immediately afterwards.
certutil.exe -vocsproot
Restart-Service W3SVC
Page 256
# Page 256: same two entries as Page 224 plus a third, "32:" = put this URL in issued
# certificates' OCSP (AIA) extension, pointing at the responder alias created on Page 182.
certutil.exe -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.corp.tfslabs.com/CertEnroll/%1_%3%4.crt\n32:http://ocsp.corp.tfslabs.com/ocsp"
net stop CertSvc
net start CertSvc
Page 257
# Page 257: read back the AIA/OCSP entries written on Page 256.
certutil.exe -getreg CA\CACertPublicationURLs
Page 270
# Page 270: show the CA exchange certificate (the certificate used when clients encrypt
# material for the CA, e.g. for key archival in Chapter 10).
certutil.exe -cainfo xchg
Page 271
# Page 271: allow inbound HTTP, then open certutil's URL retrieval tool for a certificate to
# check that its CDP, AIA and OCSP locations are reachable.
Enable-NetFirewallRule -DisplayName "World Wide Web Services (HTTP Traffic-In)"
certutil.exe -URL "C:\TFS-WIN11.cer"
Chapter 10 - Private Key Archive and Recovery
Page 287
# Page 287: retrieve the archived private-key blob for msmith, selected by the certificate
# serial number shown in the book, into a file named msmith.
certutil.exe -getkey 4d00000012f5f019637cf204f2000000000012 msmith
Page 288
# Page 288: decrypt the blob from Page 287 into a PFX. msmith.pfx contains the user's private
# key: protect it, hand it over through a controlled channel, and delete local copies afterwards.
certutil.exe -recoverkey .\msmith msmith.pfx
Chapter 11 - Certificate Templates
Page 299
# Page 299: restart IIS.
Restart-Service W3SVC
Chapter 12 - Certificate Enrollment
Page 305
# Page 305: OpenSSL request configuration for the Linux web server TFS-WEB01.
# prompt = no: every subject field is taken from [req_distinguished_name] below.
[req]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[req_distinguished_name]
commonName = TFS-WEB01.corp.tfslabs.com
countryName = CA
stateOrProvinceName = Ontario
localityName = Toronto
organizationName = TFS Labs
organizationalUnitName = IT
emailAddress = administrator@corp.tfslabs.com
[req_ext]
subjectAltName = @alt_names
# Subject Alternative Names: both host names the certificate must cover. Modern clients
# match the SAN rather than the CN, so the CN host name is repeated as DNS.1.
[alt_names]
DNS.1 = TFS-WEB01.corp.tfslabs.com
DNS.2 = WWW.corp.tfslabs.com
# Page 305: generate a new 2048-bit RSA key and a CSR from the configuration above.
# -nodes writes tfs-web01.key unencrypted, so restrict its file permissions.
openssl req \
-out tfs-web01.csr \
-newkey rsa:2048 \
-nodes \
-keyout tfs-web01.key \
-config tfs-web01.cnf
Page 308
# Page 308: convert the PKCS#7 chain downloaded from the CA into PEM certificates
# (tfs-labs-ca), take the issued certificate, and install Apache with mod_ssl.
openssl pkcs7 -print_certs -in certnew.p7b -out tfs-labs-ca
cp certnew.cer tfs-web01.cer
sudo yum install httpd
sudo yum install mod_ssl
# Page 308: mod_ssl directives — server name, server certificate, its private key
# (the -nodes key from Page 305), and the CA chain file produced by the pkcs7 step.
ServerName TFS-WEB01.corp.tfslabs.com
SSLCertificateFile /etc/ssl/TFS-WEB01/tfs-web01.cer
SSLCertificateKeyFile /etc/ssl/TFS-WEB01/tfs-web01.key
SSLCertificateChainFile /etc/ssl/TFS-WEB01/tfs-labs-ca
Page 309
# Page 309: apply the Apache configuration and start httpd at boot.
sudo systemctl restart httpd
sudo systemctl enable httpd
Page 310
# Page 310: install nginx as the alternative web server.
sudo yum install nginx
# Page 310: TLS listener on 443 (IPv4 and IPv6) using the issued certificate and key.
# NOTE(review): nginx has no separate chain directive; if clients need the intermediate,
# append tfs-labs-ca (Page 308) to the file named in ssl_certificate.
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/ssl/TFS-WEB01/tfs-web01.cer;
ssl_certificate_key /etc/ssl/TFS-WEB01/tfs-web01.key;
}
# Page 310: apply the nginx configuration and start nginx at boot.
sudo systemctl restart nginx
sudo systemctl enable nginx
Chapter 13 - AD CS Maintenance Tasks
Page 312
# Page 312: publish a fresh CRL, then add the root CA's CRL (copied into C:\CertData) to the
# local machine's Root store, -f overwriting any older copy, so the subordinate CA's own chain
# can be revocation-checked while the root stays offline.
certutil.exe -crl
certutil.exe -addstore -f root "C:\CertData\TFS Labs Certificate Authority.crl"
Page 313
# Page 313: back up the CA to C:\CA-Backup, protected by an interactively entered password,
# and export the CertSvc configuration registry key alongside it. The backup includes the
# CA's private key (by default the key and the database), so store it with the same
# protection as the CA itself.
Backup-CARoleService `
-Path "C:\CA-Backup" `
-Password (Read-Host -prompt "CA Backup Password" -AsSecureString)
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc "C:\CA-Backup\TFS-CA01.reg"
Page 317
# Page 317: restore the Page 313 backup with the CA service stopped; the password is the
# one given at backup time. -Force overwrites the existing database.
net stop CertSvc
Restore-CARoleService `
-Path C:\CA-Backup\ `
-Password (Read-Host -prompt "CA Restore Password" -AsSecureString) `
-Force
net start CertSvc
Chapter 14 - AD CS on an Existing Domain
Page 326
# Page 326: list the CA configuration visible to this machine.
certutil.exe -dump
Chapter 15 - AD CS Quick Start
Page 331
# Page 331 (quick start): AD DS install and forest promotion, identical to Pages 82 and 90.
# -Force:$true suppresses prompts and -NoRebootOnCompletion:$false reboots when done; expect a
# prompt for the DSRM password since -SafeModeAdministratorPassword is not supplied.
Install-WindowsFeature AD-Domain-Services, RSAT-ADDS
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "WinThreshold" `
-DomainName "corp.tfslabs.com" `
-DomainNetbiosName "TFSLABS" `
-ForestMode "WinThreshold" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
Page 332
# Page 332 (quick start): OU structure as on Page 97 (without the Workstations OU) and the
# Administrator e-mail address from Page 104.
New-ADOrganizationalUnit `
-Name "TFS Labs" `
-Path "DC=corp,DC=tfslabs,DC=com"
New-ADOrganizationalUnit `
-Name "TFS Servers" `
-Path "OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
New-ADOrganizationalUnit `
-Name "TFS Users" `
-Path "OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
Set-ADUser `
-Identity Administrator `
-EmailAddress "administrator@corp.tfslabs.com"
Page 334
; Page 334 (quick start): root CA policy file, identical to Page 144.
[Version]
Signature = "$Windows NT$"
[PolicyStatementExtension]
Policies = AllIssuancePolicy, InternalPolicy
Critical = FALSE
[AllIssuancePolicy]
; Enables all Certificate Templates.
OID = 2.5.29.32.0
[InternalPolicy]
; NOTE(review): 1.2.3.4.... looks like an example OID; use one from your organization's arc in production.
OID = 1.2.3.4.1455.67.89.5
Notice = "The TFS Labs Certification Authority is an internal only resource."
URL = http://pki.corp.tfslabs.com/cps.html
[Certsrv_Server]
; Renewal information for the Root CA.
RenewalKeyLength = 4096
RenewalValidityPeriod = Years
RenewalValidityPeriodUnits = 10
; Disable support for issuing certificates using RSASSA-PSS.
AlternateSignatureAlgorithm = 0
; The CRL publication period is the lifetime of the Root CA.
; Page 338 later shortens this to 52 weeks with certutil -setreg.
CRLPeriod = Years
CRLPeriodUnits = 10
; The option for Delta CRL is disabled since this is a Root CA.
CRLDeltaPeriod = Days
CRLDeltaPeriodUnits = 0
Page 335
# Page 335 (quick start): install the Certification Authority role service, as on Page 146.
Add-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Page 336
# Page 336 (quick start): standalone root CA install, identical to Page 154 — RSA 4096,
# SHA-256, 10-year certificate, key held by the software key storage provider.
Install-AdcsCertificationAuthority `
-CAType StandaloneRootCA `
-CACommonName "TFS Labs Certificate Authority" `
-KeyLength 4096 `
-HashAlgorithm SHA256 `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-ValidityPeriod Years `
-ValidityPeriodUnits 10 `
-DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") `
-Force
Page 338
# Page 338 (quick start): root CA registry settings, identical to Page 163 — 5-year issued
# certificate validity, 52-week CRL period (overriding the policy file's 10 years), 12-hour overlap.
certutil.exe -setreg `
CA\DSConfigDN "CN=Configuration,DC=corp,DC=tfslabs,DC=com"
certutil.exe -setreg CA\ValidityPeriodUnits 5
certutil.exe -setreg CA\ValidityPeriod "Years"
certutil.exe -setreg CA\CRLPeriodUnits 52
certutil.exe -setreg CA\CRLPeriod "Weeks"
certutil.exe -setreg CA\CRLOverlapPeriodUnits 12
certutil.exe -setreg CA\CRLOverlapPeriod "Hours"
net stop CertSvc
net start CertSvc
Page 340
# Page 340 (quick start): root publication URLs as on Page 168 (HTTP by design, /CertData/),
# followed immediately by the first CRL publication.
certutil.exe -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://pki.corp.tfslabs.com/CertData/%3%8%9.crl"
certutil.exe -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.corp.tfslabs.com/CertData/%1_%3%4.crt"
net stop CertSvc
net start CertSvc
certutil.exe -crl
Page 341
# Page 341 (quick start): move the subordinate CA's computer object into the TFS Servers OU.
Get-ADComputer "TFS-CA01" | `
Move-ADObject -TargetPath "OU=TFS Servers,OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
Page 342
# Page 342 (quick start): the PKI alias used in every HTTP publication URL resolves to TFS-CA01.
Add-DnsServerResourceRecordCName `
-Name "PKI" -HostNameAlias "TFS-CA01.corp.tfslabs.com" -ZoneName "corp.tfslabs.com"
; Page 342 (quick start): subordinate CA policy file, identical to Page 185.
[Version]
Signature = "$Windows NT$"
[PolicyStatementExtension]
Policies = AllIssuancePolicy, InternalPolicy
Critical = FALSE
[AllIssuancePolicy]
; Enables all Certificate Templates.
OID = 2.5.29.32.0
[InternalPolicy]
; NOTE(review): 1.2.3.4.... looks like an example OID; use one from your organization's arc in production.
OID = 1.2.3.4.1455.67.89.5
; Certification Practice Statement
Notice = "The TFS Labs Certification Authority is an internal only resource."
URL = http://pki.corp.tfslabs.com/cps.html
[Certsrv_Server]
; Renewal information for the Subordinate CA.
RenewalKeyLength = 4096
RenewalValidityPeriod = Years
RenewalValidityPeriodUnits = 5
; Disable support for issuing certificates using RSASSA-PSS.
AlternateSignatureAlgorithm = 0
; Load all certificate templates by default.
; Every default template is issuable right after install; review what stays published (Chapter 11).
LoadDefaultTemplates = 1
Page 344
# Page 344 (quick start): CA + Web Enrollment role services (Page 187) and the enterprise
# subordinate CA install (Page 196). The CA certificate's lifetime comes from the root's
# 5-year ValidityPeriod (Page 338).
Add-WindowsFeature `
-Name ADCS-Cert-Authority, ADCS-Web-Enrollment, Web-Mgmt-Service `
-IncludeManagementTools
Install-AdcsCertificationAuthority `
-CAType EnterpriseSubordinateCA `
-CACommonName "TFS Labs Enterprise CA" `
-KeyLength 4096 `
-HashAlgorithm SHA256 `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-Force
Page 345
# Page 345 (quick start): configure the Web Enrollment pages.
Install-AdcsWebEnrollment -Force
Page 346
REM Page 346 (quick start): CertData virtual directory with directory listing, as on Page 204.
REM Keep only CA certificates and CRLs in C:\CertData; the listing is anonymous.
cd C:\Windows\System32\inetsrv\
appcmd.exe add vdir /app.name:"Default Web Site/" ^
/path:/CertData /physicalPath:C:\CertData
appcmd.exe set config "Default Web Site/CertData" ^
/section:directoryBrowse /enabled:true
REM The repeated cd is harmless; the Page 347 appcmd call runs from the same directory.
cd C:\Windows\System32\inetsrv\
Page 347
REM Page 347 (quick start): allow double-escaped URLs ("+" in delta CRL names), here scoped
REM to "Default Web Site" rather than server-wide as on Page 208.
appcmd.exe set config "Default Web Site" ^
/section:system.webServer/Security/requestFiltering ^
-allowDoubleEscaping:True
# Page 347 (quick start): restart IIS so the request-filtering change takes effect.
Restart-Service W3SVC
Page 349
# Page 349 (quick start): as on Page 217 — tolerate an unreachable root CRL when CertSvc
# starts (keep the root CRL published regardless, Page 351), and cap issued certificates at 1 year.
certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
net stop CertSvc
net start CertSvc
certutil.exe -setreg CA\ValidityPeriodUnits 1
certutil.exe -setreg CA\ValidityPeriod "Years"
net stop CertSvc
net start CertSvc
Page 350
REM Page 350 (quick start): enable directory listing on CertEnroll, used by the HTTP URLs below.
cd C:\Windows\System32\inetsrv\
appcmd.exe set config "Default Web Site/CertEnroll" ^
/section:directoryBrowse /enabled:true
# Page 350 (quick start): subordinate CA publication URLs, identical to Page 224
# (HTTP by design; /CertEnroll/ path). CertSvc is restarted on Page 351 for them to apply.
certutil.exe -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://pki.corp.tfslabs.com/CertEnroll/%3%8%9.crl"
certutil.exe -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.corp.tfslabs.com/CertEnroll/%1_%3%4.crt"
Page 351
# Page 351 (quick start): restart CertSvc to apply the Page 350 URLs, then publish a CRL.
net stop CertSvc
net start CertSvc
certutil.exe -crl
<!-- Page 351 (quick start): the CPS page behind http://pki.corp.tfslabs.com/cps.html,
     identical to Page 229. -->
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>TFS Labs Certification Practice Statement</title>
</head>
<body>
<h1>TFS Labs Certification Practice Statement</h1>
<p>The TFS Labs Certificate Authority is an internal only resource.</p>
<p>Issued certificates from this Certificate Authority are for internal use only.</p>
</body>
</html>
Page 352
# Page 352 (quick start): publish the root CA certificate into Active Directory (RootCA = the
# Certification Authorities container, from which domain members pick it up as a trusted root),
# then add the root certificate and the root CRL to this machine's Root store (-f overwrites).
certutil.exe -dspublish `
-f "C:\CertData\TFS-ROOT-CA_TFS Labs Certificate Authority.crt" RootCA
certutil.exe -addstore `
-f root "C:\CertData\TFS-ROOT-CA_TFS Labs Certificate Authority.crt"
certutil.exe -addstore `
-f root "C:\CertData\TFS Labs Certificate Authority.crl"