Sign in with
Sign up | Sign in
Your question

Installing Certificate Services using sysocmgr

Last response: in Windows 2000/NT
Share
Anonymous
July 28, 2004 6:32:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I am trying to intall Certificate Services silently using sysocmgr on W2K3 server.
sysocmgr /i:sysoc.inf /u:unattend.txt

Here's the unattend.txt I used:

[components]
certsrv=ON
certsrv_server=ON
certsrv_client=ON

[certserv_server]
CAType=StandaloneRoot
CSPProvider="Microsoft Strong Cryptographic Provider"
HashAlgorithm=SHA-1
KeyLength=4096
Name=MyCA
SharedFolder=%SYSTEMROOT%\CAConfig
UseSharedFolder=yes
validityPeriod=20
validityPeriodUnits=years

The certocm.log shows that installation is cancelled because: certsrv_server The parameter is incorrect.

Any help in troubleshooting this will be highly appreciated.
Anonymous
July 29, 2004 12:31:37 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <C1C74CDD-32A4-48CC-8D7C-5C745E53388A@microsoft.com>, in the
microsoft.public.win2000.security news group, <=?Utf-8?B?Tm9vciBTeWVk?=
<Noor Syed@discussions.microsoft.com>> says...

> I am trying to intall Certificate Services silently using sysocmgr on W2K3 server.
> sysocmgr /i:sysoc.inf /u:unattend.txt
>

Why are you trying to install Certificate Services this way? I would
never, ever recommend that you install Certificate Services in this
fashion.

You might want to have a look at the white papers on the PKI portal,
www.microsoft.com/pki. Specifically the Best Practices one.

I do a ton of PKI deployments, and PKI is not something you can get
almost correct. Also, since even a very large organization is not going
to require a ton of CAs, I don't see the benefit in installing this way.

--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.
Anonymous
July 29, 2004 12:31:38 PM

Archived from groups: microsoft.public.win2000.security (More info?)

The org. where I work requires installing everything silently.
BTW, when MS provided the unattended answer, that means its doable.
Any help would be greatly appreciated. Thanks -Noor.

"Paul Adare - MVP - Microsoft Virtual PC" wrote:

> In article <C1C74CDD-32A4-48CC-8D7C-5C745E53388A@microsoft.com>, in the
> microsoft.public.win2000.security news group, <=?Utf-8?B?Tm9vciBTeWVk?=
> <Noor Syed@discussions.microsoft.com>> says...
>
> > I am trying to intall Certificate Services silently using sysocmgr on W2K3 server.
> > sysocmgr /i:sysoc.inf /u:unattend.txt
> >
>
> Why are you trying to install Certificate Services this way? I would
> never, ever recommend that you install Certificate Services in this
> fashion.
>
> You might want to have a look at the white papers on the PKI portal,
> www.microsoft.com/pki. Specifically the Best Practices one.
>
> I do a ton of PKI deployments, and PKI is not something you can get
> almost correct. Also, since even a very large organization is not going
> to require a ton of CAs, I don't see the benefit in installing this way.
>
> --
> Paul Adare
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
Related resources
Anonymous
July 29, 2004 12:40:52 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <7AB01A6C-2E14-411A-8952-19D645E8A232@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?Tm9vciBTeWVk?=
<NoorSyed@discussions.microsoft.com> says...

> The org. where I work requires installing everything silently.
> BTW, when MS provided the unattended answer, that means its doable.
> Any help would be greatly appreciated. Thanks -Noor.
>

Blindly requiring everything to be done a certain way, just for the sake
of doing that way is not a good policy. BTW - just because an option to
do something a certain way is provided does not mean that is an
appropriate method of doing it that way.

I am trying to give you the benefit of my experience here (and I have a
_lot_ of experience in this particular field). Installing Certificate
Services the way you are attempting to do so will more than likely cause
your PKI to fail.

Have you configured a CAPolicy.inf file? Are you sure that all of the
PKI enabled applications, services, and hardware devices in your org
that are going to be using certificates will support the key length
you're using for your CA, etc, etc,

Feel free to disregard my advice here, your choice.

--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.
Anonymous
July 29, 2004 12:45:13 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <7AB01A6C-2E14-411A-8952-19D645E8A232@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?Tm9vciBTeWVk?=
<NoorSyed@discussions.microsoft.com> says...

> Any help would be greatly appreciated. Thanks -Noor.
>
>

BTW - and again, you really should not be using this method, however,
you've got a simple typo in your unattend.txt file.

[certserv_server] needs to be [certsrv_server]

--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.
Anonymous
July 29, 2004 12:45:14 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Thank you very much Paul for your advice, I have to go a long/hard way to get an approval for manual installation, I did have certsrv_server in my unattend.txt.
Just to avoid the headache, and if its possible for unattended installation, I wanted to use it. I am no expert to disregard your advice, but....

Thanks, -Noor.


"Paul Adare - MVP - Microsoft Virtual PC" wrote:

> In article <7AB01A6C-2E14-411A-8952-19D645E8A232@microsoft.com>, in the
> microsoft.public.win2000.security news group, =?Utf-8?B?Tm9vciBTeWVk?=
> <NoorSyed@discussions.microsoft.com> says...
>
> > Any help would be greatly appreciated. Thanks -Noor.
> >
> >
>
> BTW - and again, you really should not be using this method, however,
> you've got a simple typo in your unattend.txt file.
>
> [certserv_server] needs to be [certsrv_server]
>
> --
> Paul Adare
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
Anonymous
July 29, 2004 8:37:31 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Noor Syed wrote:

> I am trying to intall Certificate Services silently using sysocmgr on W2K3 server.
> sysocmgr /i:sysoc.inf /u:unattend.txt
>
> Here's the unattend.txt I used:
>
> [components]
> certsrv=ON
> certsrv_server=ON
> certsrv_client=ON
>
> [certserv_server]

Instead of [certserv_server], try [certsrv_server]


> CAType=StandaloneRoot
> CSPProvider="Microsoft Strong Cryptographic Provider"
> HashAlgorithm=SHA-1
> KeyLength=4096
> Name=MyCA
> SharedFolder=%SYSTEMROOT%\CAConfig
> UseSharedFolder=yes
> validityPeriod=20
> validityPeriodUnits=years
>
> The certocm.log shows that installation is cancelled because: certsrv_server The parameter is incorrect.
>
> Any help in troubleshooting this will be highly appreciated.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.m...
Anonymous
July 30, 2004 6:37:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Finally, after numerous trail and errors, I got this working.
In the [certsrv_server] section, i had to make these changes.
HashAlgorithm=SHA-1 --------->should be SHA1
SharedFolder=%SYSTEMROOT%\CAConfig ----->I had to hardcode; C:\CAConfig.
Also, I had to change the source file locations in the registry(HKCU\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath) value to source dir which contains the i386 (default is the source from where the OS was installed), in case if you are not installing from initial source path.

thanks, -Noor Syed.




"Torgeir Bakken (MVP)" wrote:

> Noor Syed wrote:
>
> > I am trying to intall Certificate Services silently using sysocmgr on W2K3 server.
> > sysocmgr /i:sysoc.inf /u:unattend.txt
> >
> > Here's the unattend.txt I used:
> >
> > [components]
> > certsrv=ON
> > certsrv_server=ON
> > certsrv_client=ON
> >
> > [certserv_server]
>
> Instead of [certserv_server], try [certsrv_server]
>
>
> > CAType=StandaloneRoot
> > CSPProvider="Microsoft Strong Cryptographic Provider"
> > HashAlgorithm=SHA-1
> > KeyLength=4096
> > Name=MyCA
> > SharedFolder=%SYSTEMROOT%\CAConfig
> > UseSharedFolder=yes
> > validityPeriod=20
> > validityPeriodUnits=years
> >
> > The certocm.log shows that installation is cancelled because: certsrv_server The parameter is incorrect.
> >
> > Any help in troubleshooting this will be highly appreciated.
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.m...
>
!