Installing Certificate Services using sysocmgr

Archived from groups: microsoft.public.win2000.security (More info?)

I am trying to intall Certificate Services silently using sysocmgr on W2K3 server.
sysocmgr /i:sysoc.inf /u:unattend.txt

Here's the unattend.txt I used:

[components]
certsrv=ON
certsrv_server=ON
certsrv_client=ON

[certserv_server]
CAType=StandaloneRoot
CSPProvider="Microsoft Strong Cryptographic Provider"
HashAlgorithm=SHA-1
KeyLength=4096
Name=MyCA
SharedFolder=%SYSTEMROOT%\CAConfig
UseSharedFolder=yes
validityPeriod=20
validityPeriodUnits=years

The certocm.log shows that installation is cancelled because: certsrv_server The parameter is incorrect.

Any help in troubleshooting this will be highly appreciated.

Archived from groups: microsoft.public.win2000.security (More info?)

The org. where I work requires installing everything silently.
BTW, when MS provided the unattended answer, that means its doable.
Any help would be greatly appreciated. Thanks -Noor.

"Paul Adare - MVP - Microsoft Virtual PC" wrote:

> In article <C1C74CDD-32A4-48CC-8D7C-5C745E53388A@microsoft.com>, in the
> microsoft.public.win2000.security news group, <=?Utf-8?B?Tm9vciBTeWVk?=
> <Noor Syed@discussions.microsoft.com>> says...
>
> > I am trying to intall Certificate Services silently using sysocmgr on W2K3 server.
> > sysocmgr /i:sysoc.inf /u:unattend.txt
> >
>
> Why are you trying to install Certificate Services this way? I would
> never, ever recommend that you install Certificate Services in this
> fashion.
>
> You might want to have a look at the white papers on the PKI portal,
> www.microsoft.com/pki. Specifically the Best Practices one.
>
> I do a ton of PKI deployments, and PKI is not something you can get
> almost correct. Also, since even a very large organization is not going
> to require a ton of CAs, I don't see the benefit in installing this way.
>
> --
> Paul Adare
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>

Archived from groups: microsoft.public.win2000.security (More info?)

In article <7AB01A6C-2E14-411A-8952-19D645E8A232@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?Tm9vciBTeWVk?=
<NoorSyed@discussions.microsoft.com> says...

> The org. where I work requires installing everything silently.
> BTW, when MS provided the unattended answer, that means its doable.
> Any help would be greatly appreciated. Thanks -Noor.
>

Blindly requiring everything to be done a certain way, just for the sake
of doing that way is not a good policy. BTW - just because an option to
do something a certain way is provided does not mean that is an
appropriate method of doing it that way.

I am trying to give you the benefit of my experience here (and I have a
_lot_ of experience in this particular field). Installing Certificate
Services the way you are attempting to do so will more than likely cause
your PKI to fail.

Have you configured a CAPolicy.inf file? Are you sure that all of the
PKI enabled applications, services, and hardware devices in your org
that are going to be using certificates will support the key length
you're using for your CA, etc, etc,

Feel free to disregard my advice here, your choice.

--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.

Archived from groups: microsoft.public.win2000.security (More info?)

Thank you very much Paul for your advice, I have to go a long/hard way to get an approval for manual installation, I did have certsrv_server in my unattend.txt.
Just to avoid the headache, and if its possible for unattended installation, I wanted to use it. I am no expert to disregard your advice, but....

Thanks, -Noor.


"Paul Adare - MVP - Microsoft Virtual PC" wrote:

> In article <7AB01A6C-2E14-411A-8952-19D645E8A232@microsoft.com>, in the
> microsoft.public.win2000.security news group, =?Utf-8?B?Tm9vciBTeWVk?=
> <NoorSyed@discussions.microsoft.com> says...
>
> > Any help would be greatly appreciated. Thanks -Noor.
> >
> >
>
> BTW - and again, you really should not be using this method, however,
> you've got a simple typo in your unattend.txt file.
>
> [certserv_server] needs to be [certsrv_server]
>
> --
> Paul Adare
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>