今日长缨在手，何时缚住苍龙。这篇文章主要讲述Windows Server Core 2022--安装AD DS和AD CS证书服务相关的知识，希望能为你提供帮助。
1.安装AD DS:
Install-WindowsFeature -Name AD-Domain-Services
Install-ADDSForest -CreateDnsDelegation:$false -DomainMode WinThreshold -DomainName afd.ink   -DomainNetbiosName a -ForestMode WinThreshold -InstallDns:$true -NoRebootOnCompletion:$true -SafeModeAdministratorPassword (ConvertTo-SecureString "P@$$w0rd1!" -AsPlainText -Force) -Force:$true
Restart-Computer
set-ADUser administrator -PasswordNeverExpires   $true
New-ADUser -Name gazh -SamAccountName gazh -DisplayName gazh -Enabled $True   -PasswordNeverExpires $True -UserPrincipalName gazh@afd.ink -AccountPassword (ConvertTo-SecureString "P@$$w0rd1!" -AsPlainText -Force) -PassThru
$SUG = @()
$SUG = (Get-ADUser -Identity "Administrator" -Properties * ).MemberOf
ForEach ($Group in $SUG )Add-ADGroupMember -Identity $Group -Members "gazh"
(Get-ADUser -Identity gazh -Properties *).MemberOf
2.安装ADCS:
Install-WindowsFeature AD-Certificate,ADCS-Cert-Authority,ADCS-Web-Enrollment
Install-AdcsCertificationAuthority   -ValidityPeriod   Years   -ValidityPeriodUnits 50 -CACommonName A-CA
配置 Certificate Authority Web Enrollment:
Install-AdcsWebEnrollment
certutil -getreg ca\\ValidityPeriod
certutil -getreg ca\\ValidityPeriodUnits
certutil -setreg ca\\ValidityPeriodUnits 20
Restart-Service -name certsvc
  dnscmd . /RecordAdd afd.ink ca A 192.168.111.10
Get-CACrlDistributionPoint | ?$_.uri -like "http*" -or $_.uri -like "ldap*"  
Add-CACrlDistributionPoint -Uri "http://ca.afd.ink/CertEnroll/< CAName> < CRLNameSuffix> < DeltaCRLAllowed> .crl" -AddToCrlIdp:$false -AddToFreshestCrl:$true -AddToCertificateCdp:$true -Confirm -Force
Get-CAAuthorityInformationAccess | fl
Add-CAAuthorityInformationAccess -AddToCertificateOcsp:$true   -Uri "http://ca.afd.ink/CertEnroll/< ServerDNSName> _< CAName> < CertificateName> .crt" -Confirm -Force


Get-CAAuthorityInformationAccess | fl
Remove-CAAuthorityInformationAccess -Uri "http://< ServerDNSName> /CertEnroll/< ServerDNSName> _< CAName> < CertificateName> .crt"
Add-CAAuthorityInformationAccess -AddToCertificateAia -Uri "http://< ServerDNSName> /CertEnroll/< ServerDNSName> _< CAName> < CertificateName> .crt"
Add-CAAuthorityInformationAccess -AddToCertificateOcsp -Uri "http://< ServerDNSName> /CertEnroll/< ServerDNSName> _< CAName> < CertificateName> .crt"
Get-CACrlDistributionPoint | fl
Remove-CACrlDistributionPoint -URI "http://< ServerDNSName> /CertEnroll/< CAName> < CRLNameSuffix> < DeltaCRLAllowed> .crl"
Add-CACRLDistributionPoint -Uri "http://< ServerDNSName> /CertEnroll/< CAName> < CRLNameSuffix> < DeltaCRLAllowed> .crl" -AddToCertificateCdp -AddToCrlIdp -AddToFreshestCrl
Restart-Service -name certsvc


新增和管理模板：
Install-Module -Name ADCSTemplate
Get-ADCSTemplate | select displayname
Export-ADCSTemplate -DisplayName "Web 服务器" > .\\webserver_template.json
Export-ADCSTemplate -DisplayName "Web Server" > .\\webserver_template.json  
notepad .\\webserver_template.json
替换pKIExpirationPeriod的值为Validity period时间由默认的2年改为20年：
将
"pKIExpirationPeriod":   [
                                0,
                                128,
                                114,
                                14,
                                93,
                                194,
                                253,
                                255
                            ],
替换为：
    "pKIExpirationPeriod":   [
                                0,
                                0,
                                121,
                                144,
                                162,
                                151,
                                233,
                                255
                            ],
保存。
New-ADCSTemplate -DisplayName "Web20" -JSON (Get-Content .\\webserver_template.json -Raw) -Publish
Set-ADCSTemplateACL -DisplayName Web20 -Type Allow -Identity a\\Domain Users -Enroll
Set-ADCSTemplateACL -DisplayName Web20 -Type Allow -Identity a\\Domain Computers -Enroll
申请证书：
创建CSR工具：https://www.digicert.com/StaticFiles/DigiCertUtil.zip
1)To create a policy file (.inf) in Notepad and save it as requestconfig.inf:
[Version]
Signature="$Windows NT$"
[NewRequest]
; Change to your,country code, company name and common name
Subject = "CN=afd.ink"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
FriendlyName = "afd-ca"
[Extensions]
2.5.29.17 = "text"
_continue_ = "dns=afd.ink& "
_continue_ = "dns=*.afd.ink& "
_continue_ = "dns=nipit.cn& "
_continue_ = "dns=*.nipit.cn& "
_continue_ = "dns=ykx.ai& "
_continue_ = "dns=*.ykx.ai& "
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication / Token Signing
[RequestAttributes]
CertificateTemplate = Web20
SAN = "dns=afd.ink& dns=*.afd.ink& dns=nipit.cn& dns=*.nipit.cn& dns=ykx.ai& dns=*.ykx.ai"


2)On the computer for which you are requesting a certificate:
certreq –new requestconfig.inf certrequest.req
certreq -submit certrequest.req certnew.cer
3)导入导出证书：
Import-Certificate -FilePath .\\afd-wildcard.cer -CertStoreLocation Cert:\\LocalMachine\\My
Get-ChildItem -Path Cert:\\LocalMachine\\My
Get-ChildItem -Path cert:\\localMachine\\my\\266FBD875596D7029690CA907AA2977D35341788 | Export-PfxCertificate -FilePath .\\afd-wildcard.pfx -Password (ConvertTo-SecureString -String "1234" -Force -AsPlainText)
Set-Location -Path cert:\\localMachine\\my
PS Cert:\\localMachine\\my> Import-PfxCertificate -FilePath c:\\afd-wildcard.pfx -Password (ConvertTo-SecureString -String "1234" -Force -AsPlainText)
3.启用远程管理IIS--Enabling IIS Remote Management
Install-WindowsFeature   Web-Mgmt-Service
Set-ItemProperty -Path   HKLM:\\SOFTWARE\\Microsoft\\WebManagement\\Server -Name EnableRemoteManagement   -Value 1
Set-Service -name WMSVC   -StartupType Automatic -Status Running
New-NetFirewallRule -DisplayName "IIS Remote Management" -Direction Inbound   -Action Allow -Service   WMSVC
Copy-Item -Path C:\\afd.ink.pfx   -Destination "\\\\$_\\c$"
certutil -p P@$$w0rd1 -importpfx c:\\afd.ink.pfx
Remove-Item -Path "\\\\$_\\c$\\afd.ink.pfx
Import-Module WebAdministration
Get-ChildItem -Path   Cert:\\LocalMachine\\My
Remove-Item -Path IIS:\\SslBindings\\0.0.0.0!8172
$cert = Get-ChildItem -Path   Cert:\\LocalMachine\\My | Where $_.subject -like "*afd.ink*" |   Select-Object -ExpandProperty Thumbprint
Get-Item -Path   "cert:\\localmachine\\my\\$cert" | New-Item -Path IIS:\\SslBindings\\0.0.0.0!8172
Remove-Item -Path IIS:\\SslBindings\\0.0.0.0!8172
Get-Item -Path   "cert:\\localmachine\\my\\$cert" | New-Item -Path IIS:\\SslBindings\\0.0.0.0!8172


【Windows Server Core 2022--安装AD DS和AD CS证书服务】

推荐阅读

• 

  redmi|再爆新品！Redmi Watch 2将于28日发布 这次有点猛！
• 

  长沙跨境电商公司 长沙电商平台众联什么样，长沙比较大的电商公司有哪些
• 

  香榧吃了会不会胖 香榧相关介绍
• 

  如何解决人脸识别服务器超时问题？ 人脸识别服务器超时怎么办
• 

  贫血吃什么
• 

  违章代码1355是什么意思
• 

  财务报表分析程序
• 

  学什么舞蹈能提升气质
• 

  云朵简笔画 云朵简笔画怎么画
• 

  别客气用英语怎么说 welcome
• 

  分布式理论
• 

  golang获取命令行参数方法总结
• 

  玻尿酸丰胸多少钱_玻尿酸丰胸和假体丰胸哪种好
• 

  四年级我就这样长大了作文3篇
• 

  QQ飞车手游荣耀勋章第9期车大全：荣耀勋章第九期全部奖励总汇
• 

  唐朝皇帝后宫女人等级是如何，唐朝宫女等级制度
• 

  刚做完流产已经三天没吃饭只喝点水解
• 

  喊山红霞被判几年
• 

  gis罐体外卡式，gis罐体常用材料
• 

  大巴车载客人数 中型客车核载多少人

• 如何合并在wordpress中单独管理的两个菜单以在前端主题中显示为一个（）
• #私藏项目实操分享#Vue中如何合理地使用watch
• 拉勾Linux运维实战训练营
• Gitlab做java的docker CI
• #yyds干货盘点#异或操作
• #yyds干货盘点#Spring源码三千问为什么要用三级缓存来解决循环依赖问题（二级缓存行不行？一级缓存行不行？）
• 测试服务器带宽的几种常用方法
• Spring Boot + Redis 实现各种操作 #yyds干货盘点#
• java版gRPC实战之二（服务发布和调用）