Automated CA installs using VB script on Windows Server 2008 and 2008R2 [UPDATED]

Starting with Windows Server 2008 the CA product team introduced a set of COM objects that can be used to control the installation of CAs. Using VBScript you can quickly automate the setup and installation of a CA. Below is a script that is being used by the product team in our testing of Certificate Services. SetupCA.vbs was designed to have the functionality present in the setup UI but in an easy command line that can be used in automation. Most of the functionality of the script is fairly straightforward: it just sets properties on the setup object. A couple of features, like the key/cert re-use, take a bit of code to get the setting right.

All of the ICertSrvSetup COM object properties and methods are documented in the MSDN at

The setup script is attached to this post; click the link for setupca.vbs and save the file to your local system.
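
The property-setting pattern described above, as an added example (not the attached setupca.vbs and not product-team code): it mirrors the Enterprise Root CA command line shown below and checks the requested provider, key length and hash against what the setup object reports before calling Install. The constant names, the InList and Fail helpers, and the rejection of SHA1/MD5 are this example's own choices; the numeric values are the ones documented for the CASetupProperty and CA type enumerations. It assumes an elevated prompt on a server where the Certificate Services binaries are already present.

```vbscript
Option Explicit
' Added example. Enum values as documented for ICertSrvSetup.
Const SETUPPROP_CATYPE = 0
Const SETUPPROP_CAKEYINFORMATION = 1
Const SETUPPROP_CANAME = 3
Const ENTERPRISE_ROOTCA = 0

' Same values as the first command-line example in the post.
Const CA_NAME = "MyRootCA"
Const PROVIDER = "RSA#Microsoft Software Key Storage Provider"
Const KEY_LENGTH = 4096
Const HASH_ALG = "SHA256"

Dim oSetup, oKeyInfo
Set oSetup = CreateObject("CertOCM.CertSrvSetup")
oSetup.InitializeDefaults True, False   ' CA server role only, no web pages

' Pre-flight: stop before anything is installed if the request is weak
' or the provider cannot satisfy it (policy check is this example's choice).
If UCase(HASH_ALG) = "SHA1" Or UCase(HASH_ALG) = "MD5" Then Fail "Weak hash: " & HASH_ALG
If Not InList(oSetup.GetProviderNameList(), PROVIDER) Then Fail "Unknown provider: " & PROVIDER
If Not InList(oSetup.GetKeyLengthList(PROVIDER), KEY_LENGTH) Then Fail "Key length not offered: " & KEY_LENGTH
If Not InList(oSetup.GetHashAlgorithmList(PROVIDER), HASH_ALG) Then Fail "Hash not offered: " & HASH_ALG

oSetup.SetCASetupProperty SETUPPROP_CATYPE, ENTERPRISE_ROOTCA
oSetup.SetCASetupProperty SETUPPROP_CANAME, CA_NAME

' Key settings live on a separate key-information object that has to be
' read, modified and written back to the setup object.
Set oKeyInfo = oSetup.GetCASetupProperty(SETUPPROP_CAKEYINFORMATION)
oKeyInfo.ProviderName = PROVIDER
oKeyInfo.Length = KEY_LENGTH
oKeyInfo.HashAlgorithm = HASH_ALG
oSetup.SetCASetupProperty SETUPPROP_CAKEYINFORMATION, oKeyInfo

oSetup.Install
WScript.Echo "Installed " & CA_NAME

' True if wanted appears in the array returned by the setup object.
Function InList(list, wanted)
    Dim item
    InList = False
    For Each item In list
        If StrComp(CStr(item), CStr(wanted), vbTextCompare) = 0 Then InList = True
    Next
End Function

Sub Fail(msg)
    WScript.Echo "Pre-flight check failed. " & msg
    WScript.Quit 1
End Sub
```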


Some example usages of the script:

Install Enterprise Root CA
Cscript setupca.vbs /ie /sn MyRootCA /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256

Install Standalone Sub CA
Cscript setupca.vbs /it /sn MySubCA /sr MyParentCAMachine\MyRootCA /sk 384 /sp "ECDSA_P384#Microsoft Software Key Storage Provider" /sa SHA1

Uninstall CA:
Cscript setupca.vbs /uc

Install Web Pages:
Cscript setupca.vbs /iw /sr MyParentCAMachine\MyRootCA

Running the script without any arguments prints a usage message that lists all the parameters.


UPDATE: The script has been updated to include an option for offline requests using the new /OR switch. Example:

Install Enterprise Sub CA saving request to a file:

Cscript setupca.vbs /if /sn "My Sub CA" /sp "RSA#Microsoft Software Key Storage Provider" /sk 4096 /or "c:\temp\ca.req"


Comments (13)

  1. Anonymous says:

    I have to reinstall Enterprise Root CA from existing backups of CA databases and private key, how can I do it?

    When I use your script it creates a new certificate; I can't specify an existing .P12 file.

  2. Anonymous says:

    Great install script. Is there a way to specify the CA validity period and units? (Not the renewal) It appears the default is set to 5 years but just wondering if there is a simple argument to include in the install script that would allow for a validity period of 25 years instead of the default 5. Thanks again!

  3. Anonymous says:

    How would one go about adding and configuring the Network Device Enrollment Service?

  4. Anonymous says:

    I searched the better part of 2 days trying to find a way to configure cert services on R2 core.

    Thanks for providing this script.  It works very nicely.

  5. @lsickscoobyl:

    I took the liberty of lifting the script from here to add that functionality this morning, here are the details of how I shoe-horned it in:

    I deliberately avoided attaching a modified version of the script in case this master copy gets amended in the future, so the blog entry details the bits I inserted so you can follow my steps (and do it better no doubt ;))

  6. Unfortunately I am not aware of an automated SCEP installation script.

  7. PatRick says:

    Cool script, thank you for that.

    I wonder if the same could not be achieved using PowerShell.

    For instance, POSH is used to manage Exchange, AD and other services.

    Is there a particular reason to use "old" vbScript rather than "new" POSH scripts?

    Thank you for your feedback

  8. Dan_IT says:

    I agree with Patrick!  Why aren't there CMDlets for this yet?

  9. Andy Arismendi says:

    Where are the cmdlets for this? Or more setup functionality in servermanagercmd?

    With the VBS, is there a way to specify the length of certificate validity?

  10. chrisl says:

    Which script do I use, this one or the one here:…/ee918754(WS.10).aspx

  11. Darren Bennett says:

    Refer to …/ee918754(WS.10).aspx. This contains an updated version of the script as of June 19th, 2012

  12. Rich Megginson says:

    The script works great if you are logged in.  What I would like to do is install and setup the CA as part of an unattended install, as an Enterprise Root CA (setupca.vbs /IE).   I cannot get this to work on 2008 R2.  No matter in which pass I put it "specialize" (RunSynchronous) "oobeSystem" (FirstLogonCommands) or even in SetupComplete.cmd, I always get this error:

    InstallAndVerifyCA: Error! Must be a domain administrator to create Enterprise CA

    I know it needs AD to be up and running – I can setup AD unattended with dcpromo /unattend:file.ini – then a reboot is required – is there some way I can do the following during an unattended setup:

    dcpromo /unattend:file.init


    setupca.vbs /IE