gjyoung1974 · February 10, 2017 23:45
diff --git a/Issuing CA Post Install.ps1 b/Issuing CA Post Install.ps1
 <#::::::::::::::::::::::::::::::::::::::::::::::::
 :: 2017 Gordon Young, [email protected]	::
 :: The purpose of this script			::
 :: is to perform post installation		::
 :: of an AD certificate services CA		::
 ::::::::::::::::::::::::::::::::::::::::::::::::::#>

 ##
 # !!! The AIA and CDP values must be edited per each unique CA !!

 # This is a Microsoft ADCS Enterprise SubCA CA post install script
 # This script sets SubCA extentions and properties which are not set during initial installation:
 # TODO set the Security groups (C2 Groups) on the CA ACL
 # TODO, if we can't supress loading of default templates in CAPolicy.inf, we may need to delete them with Certutil -policy command
 # TODO, certutil -SetCAtemplates –SubCA

 ###
 # Since this is DEV, Disable checking for SubCA's certificate status on offline root's CRL:
 # Never do this in production!!
 	$cmdArgs = " -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE"
 		try{
 			[Diagnostics.Process]$myProcess1 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 			if($myProcess1.ExitCode){
 				# Throw an exception is command fails for any reason
 				Write-Host "**certutil" + $cmdArgs + " has failed!**"
 				Exit
 			}

 			$myProcess1.WaitForExit()
 		}
 	catch{
 		Write-Host "**Failed to set CRLF_REVCHECK_IGNORE_OFFLINE.**"
 		return
 	}



 #CRLPeriodUnits 1
 #CRLPeriod "Weeks"

 	# set the Base CRL publication interval
    ##
 	$cmdArgs = "-setreg CA\CRLPeriodUnits 1"
 		try{
 			[Diagnostics.Process]$myProcess1 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 			if($myProcess1.ExitCode){
 				# Throw an exception is command fails for any reason
 				Write-Host "**certutil" + $cmdArgs + " has failed!**"
 				Exit
 			}

 			$myProcess1.WaitForExit()
 		}
 	catch{
 		Write-Host "**Failed to run set CRLPeriodUnits.**"
 		return
 	}
    
    ####
    ## Set validity period as Hours:
 	
    $cmdArgs = "-setreg CA\CRLPeriod `"Weeks`""
 	try{
 		[Diagnostics.Process]$myProcess2 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 		if($myProcess2.ExitCode){
 			# Throw an exception is command fails for any reason
 			Write-Host "**certutil" + $cmdArgs + " has failed!**"
 			Exit
 		}

 		$myProcess2.WaitForExit()
 	}

 	catch{
 		Write-Host "**Failed to run set CRLPeriod .**"
 		return
 	}
    
    ##
    # Disable delta CRLs  
 	$cmdArgs = "-setreg CA\CRLOverlapUnits 2"
 		try{
 			[Diagnostics.Process]$myProcess3 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 			if($myProcess3.ExitCode){
 				# Throw an exception is command fails for any reason
 				Write-Host "**certutil" + $cmdArgs + " has failed!**"
 				Exit
 			}

 			$myProcess3.WaitForExit()
 		}
 	catch{
 		Write-Host "**Failed to run set CRLOverlapUnits .**"
 		return
 	}
    
        ##
    # Disable delta CRLs  
 	$cmdArgs = "-setreg CA\CRLOverlapPeriod Days"
 		try{
 			[Diagnostics.Process]$myProcess3 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 			if($myProcess3.ExitCode){
 				# Throw an exception is command fails for any reason
 				Write-Host "**certutil" + $cmdArgs + " has failed!**"
 				Exit
 			}

 			$myProcess3.WaitForExit()
 		}
 	catch{
 		Write-Host "**Failed to run set CRLOverlapUnits .**"
 		return
 	}
    

 #CRLDeltaPeriodUnits 12 
 #CRLDeltaPeriod "Hours" 

 	# Configure Delta CRLs:
    ##
 		$cmdArgs = "-setreg CA\CRLDeltaPeriod `"Hours`""
 		try{
 			[Diagnostics.Process]$myProcess4 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 			if($myProcess4.ExitCode){
 				# Throw an exception is command fails for any reason
 				Write-Host "**certutil" + $cmdArgs + " has failed!**"
 				Exit
 			}

 			$myProcess4.WaitForExit()
 		}

 		catch{
 			Write-Host "**Failed to run set CRLDeltaPeriod .**"
 			return
 		}

 		$cmdArgs = "-setreg CA\CRLDeltaPeriodUnits 12"
 			try{
 				[Diagnostics.Process]$myProcess5 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 				if($myProcess5.ExitCode){
 					# Throw an exception is command fails for any reason
 					Write-Host "**certutil" + $cmdArgs + " has failed!**"
 					Exit
 				}

 				$myProcess5.WaitForExit()
 			}
 		catch{
 			Write-Host "**Failed to run set CRLDeltaPeriodUnits .**"
 			return
 		}

 		$cmdArgs = "-setreg CA\CRLDeltaOverlapPeriod `"Hours`""
 		try{
 			[Diagnostics.Process]$myProcess6 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 			if($myProcess6.ExitCode){
 				# Throw an exception is command fails for any reason
 				Write-Host "**certutil" + $cmdArgs + " has failed!**"
 				Exit
 			}

 			$myProcess6.WaitForExit()
 		}
 		catch{
 			Write-Host "**Failed to run set CRLDeltaOverlapPeriod .**"
 			return
 		}

 		$cmdArgs = "-setreg CA\CRLDeltaOverlapUnits 2"
 			try{
 				[Diagnostics.Process]$myProcess7 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 				if($myProcess7.ExitCode){
 					# Throw an exception is command fails for any reason
 					Write-Host "**certutil" + $cmdArgs + " has failed!**"
 					Exit
 				}

 				$myProcess7.WaitForExit()
 			}
 		catch{
 			Write-Host "**Failed to run set CRLDeltaOverlapUnits .**"
 			return
 		}

 		# Set the CDP Extentions: (Write CRL to Disk and embed HTTP CDP URL in issued certificates:
        ##
 			$cmdArgs = "-setreg CA\CRLPublicationURLs `"1:$env:systemroot\system32\CertSrv\%3%8%9.crl\n2:http://crl.ACME.com/%3%8%9.crl`""
 				try{
 					[Diagnostics.Process]$myProcess8 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 					if($myProcess8.ExitCode){
 						# Throw an exception is command fails for any reason
 						Write-Host "**certutil" + $cmdArgs + " has failed!**"
 						Exit
 					}

 					$myProcess8.WaitForExit()
 				}
 			catch{
 				Write-Host "**Failed to run set CRLPublicationURLs .**"
 				return
 			}

 			# Set the AIA Extentions: (CAIssuer's and OCSP)
            ##
 					$cmdArgs = "-setreg CA\CACertPublicationURLs `"3:http://crl.ACME.com/%1_%3%4.crt\n32:http://crl.ACME.com/ocsp`""
 						try{
 							[Diagnostics.Process]$myProcess9 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 							if($myProcess9.ExitCode){
 								# Throw an exception is command fails for any reason
 								Write-Host "**certutil" + $cmdArgs + " has failed!**"
 								Exit
 							}

 							$myProcess9.WaitForExit()
 						}
 			catch{
 				Write-Host "**Failed to run set CACertPublicationURLs .**"
 				return
 			}

 			# Enable all auditable events on the CA
            ##
 			$cmdArgs = "-setreg CA\AuditFilter 127"
 				try{
 					[Diagnostics.Process]$myProcess10 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 					if($myProcess10.ExitCode){
 						# Throw an exception is command fails for any reason
 						Write-Host "**certutil" + $cmdArgs + " has failed!**"
 						Exit
 					}

 					$myProcess10.WaitForExit()
 				}
 			catch{
 				Write-Host "**Failed to run set AuditFilter .**"
 				return
 			}

 			# Set Maximum Validity Period for Issued Certificates to 3 years
            ##
 			$cmdArgs = "-setreg CA\ValidityPeriodUnits 5"
 				try{
 					[Diagnostics.Process]$myProcess11 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 					if($myProcess11.ExitCode){
 						# Throw an exception is command fails for any reason
 						Write-Host "**certutil" + $cmdArgs + " has failed!**"
 						Exit
 					}

 					$myProcess11.WaitForExit()
 				}
 			catch{
 				Write-Host "**Failed to run set ValidityPeriodUnits .**"
 				return
 			}

 			$cmdArgs = "-setreg CA\ValidityPeriod `"Years`""
 			try{
 				[Diagnostics.Process]$myProcess12 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 				if($myProcess12.ExitCode){
 					# Throw an exception is command fails for any reason
 					Write-Host "**certutil" + $cmdArgs + " has failed!**"
 					Exit
 				}

 				$myProcess12.WaitForExit()
 			}
 			catch{
 				Write-Host "**Failed to run set ValidityPeriod .**"
 				return
 			}

 			# Set Max debug in application log:
            ##
 				$cmdArgs = "-setreg CA\loglevel 4"
 					try{
 						[Diagnostics.Process]$myProcess13 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

 						if($myProcess13.ExitCode){
 							# Throw an exception is command fails for any reason
 							Write-Host "**certutil" + $cmdArgs + " has failed!**"
 							Exit
 						}

 						$myProcess13.WaitForExit()
 					}
 				catch{
 					Write-Host "**Failed to run set loglevel .**"
 					return
 				}
 					
 				#Allow KeyUsage extention to be set to 0x06 Critical=True for issued SubCA certs
                ##
 					$cmdArgs = "-setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE"
 					try{
 						[Diagnostics.Process]$myProcess150 = [Diagnostics.Process]::Start('C:\Windows\System32\certutil.exe',$cmdArgs)

 						if($myProcess150.ExitCode){
 							# Throw an exception is command fails for any reason
 							Write-Host "**certutil" + $cmdArgs + " has failed!**"
 							Exit
 						}

 						$myProcess150.WaitForExit()
 					}
 					catch{
 						Write-Host "**Failed to set KeyUsage.**"
 						return
 					}

 				#Configure PathLength for SubCA certs and enforce it on RootCA (sets PathLength=0 in subCA certificates)
                ##
 					$cmdArgs = "–setreg Policy\CAPathLength 0"
 					try{
 						[Diagnostics.Process]$myProcess15 = [Diagnostics.Process]::Start('C:\Windows\System32\certutil.exe',$cmdArgs)

 						if($myProcess15.ExitCode){
 							# Throw an exception is command fails for any reason
 							Write-Host "**certutil" + $cmdArgs + " has failed!**"
 							Exit
 						}

 						$myProcess15.WaitForExit()
 					}
 					catch{
 						Write-Host "**Failed to set CAPathLength.**"
 						return
 					}					

 				# Stop Certsrv.exe CA process: (to consume new settings)
                ##
 					$cmdArgs = "stop certsvc"
 					try{
 						[Diagnostics.Process]$myProcess16 = [Diagnostics.Process]::Start('C:\Windows\System32\net.exe',$cmdArgs)

 						if($myProcess16.ExitCode){
 							# Throw an exception is command fails for any reason
 							Write-Host "**net " + $cmdArgs + " has failed!**"
 							Exit
 						}

 						$myProcess16.WaitForExit()
 					}
 					catch{
 						Write-Host "**Failed to stop certsvc.exe .**"
 						return
 					}

 ###
 # Create the local audit policy "SecEdit" config file at $pwd\audit.inf

 Add-Content $pwd\audit.inf "[Unicode]"
 Add-Content $pwd\audit.inf "Unicode=yes"
 Add-Content $pwd\audit.inf "[Event Audit]"
 Add-Content $pwd\audit.inf "AuditSystemEvents = 3"
 Add-Content $pwd\audit.inf "AuditLogonEvents = 3"
 Add-Content $pwd\audit.inf "AuditObjectAccess = 3"
 Add-Content $pwd\audit.inf "AuditPrivilegeUse = 3"
 Add-Content $pwd\audit.inf "AuditPolicyChange = 3"
 Add-Content $pwd\audit.inf "AuditAccountManage = 3"
 Add-Content $pwd\audit.inf "AuditAccountLogon = 3"
 Add-Content $pwd\audit.inf "[Version]"
 Add-Content $pwd\audit.inf "signature=`"`$CHICAGO`$`""
 Add-Content $pwd\audit.inf "Revision=1"
 Add-Content $pwd\audit.inf "[Registry Values]"
 Add-Content $pwd\audit.inf "[Profile Description]"
 Add-Content $pwd\audit.inf "Description=Set local audit policies" 
                             
 				# Enable local audit policies:
                ##                                               ##secedit .inf file Path is relative to this script:    
 					$cmdArgs = " /configure /db secedit.sdb /cfg $pwd\audit.inf"
 					try{
 						[Diagnostics.Process]$myProcess16 = [Diagnostics.Process]::Start('C:\Windows\System32\SecEdit.exe',$cmdArgs)

 						if($myProcess16.ExitCode){
 							# Throw an exception is command fails for any reason
 							Write-Host "**net " + $cmdArgs + " has failed!**"
 							Exit
 						}

 						$myProcess16.WaitForExit()
 					}
 					catch{
 						Write-Host "**Failed to set local audit policy .**"
 						return
 					}    
                    
 ###                    
 # Remove the audit.inf file:
 Remove-Item $pwd\audit.inf
 Remove-Item $pwd\secedit.sdb

                # Enable C2 trusted role seperation:
                ##  
 					$cmdArgs = " -setreg ca\RoleSeparationEnabled 0" # Disable C2 Role Segregation in DEV
 					try{
 						[Diagnostics.Process]$myProcess16 = [Diagnostics.Process]::Start('C:\Windows\System32\certutil.exe',$cmdArgs)

 						if($myProcess16.ExitCode){
 							# Throw an exception is command fails for any reason
 							Write-Host "**net " + $cmdArgs + " has failed!**"
 							Exit
 						}

 						$myProcess16.WaitForExit()
 					}
 					catch{
 						Write-Host "**Failed to enable C2 Role Seperation.**"
 						return
 					} 

                # Enable OCSPNoCheck OID:
                ##
 					$cmdArgs = " -setreg policy\EnableRequestExtensionList +1.3.6.1.5.5.7.48.1.5"
 					try{
 						[Diagnostics.Process]$myProcess16 = [Diagnostics.Process]::Start('C:\Windows\System32\certutil.exe',$cmdArgs)

 						if($myProcess16.ExitCode){
 							# Throw an exception is command fails for any reason
 							Write-Host "**net " + $cmdArgs + " has failed!**"
 							Exit
 						}

 						$myProcess16.WaitForExit()
 					}
 					catch{
 						Write-Host "**Failed to enable OCSPnoCheckOid 1.3.6.1.5.5.7.48.1.5.**"
 						return
 					}                     
                    
 	  			    # Start Certsrv.exe CA process:
                    ##
 					$cmdArgs = "start certsvc"
 					try{
 						[Diagnostics.Process]$myProcess17 = [Diagnostics.Process]::Start('C:\Windows\System32\net.exe',$cmdArgs)

 						if($myProcess17.ExitCode){
 							# Throw an exception is command fails for any reason
 							Write-Host "**net " + $cmdArgs + " has failed!**"
 							Exit
 						}

 						$myProcess17.WaitForExit()
 					}
 					catch{
 						Write-Host "**Failed to start certsvc.exe .**"
 						return
 					}
                    
 	  			    # Publish a CRL: (to set new validity period)
                    ##
 					$cmdArgs = "-CRL"
 					try{
 						[Diagnostics.Process]$myProcess18 = [Diagnostics.Process]::Start('C:\Windows\System32\certutil.exe',$cmdArgs)

 						if($myProcess18.ExitCode){
 							# Throw an exception is command fails for any reason
 							Write-Host "**certutil" + $cmdArgs + " has failed!**"
 							Exit
 						}

 						$myProcess18.WaitForExit()
 					}
 					catch{
 						Write-Host "**Failed to write CRL .**"
 						return
 					}
 					
 write-host "`nif there are no exceptions in the script output then the script is now complete!"
 #EOF
	<#::::::::::::::::::::::::::::::::::::::::::::::::
	:: 2017 Gordon Young, [email protected] ::
	:: The purpose of this script ::
	:: is to perform post installation ::
	:: of an AD certificate services CA ::
	::::::::::::::::::::::::::::::::::::::::::::::::::#>

	##
	# !!! The AIA and CDP values must be edited per each unique CA !!

	# This is a Microsoft ADCS Enterprise SubCA CA post install script
	# This script sets SubCA extentions and properties which are not set during initial installation:
	# TODO set the Security groups (C2 Groups) on the CA ACL
	# TODO, if we can't supress loading of default templates in CAPolicy.inf, we may need to delete them with Certutil -policy command
	# TODO, certutil -SetCAtemplates –SubCA

	###
	# Since this is DEV, Disable checking for SubCA's certificate status on offline root's CRL:
	# Never do this in production!!
	$cmdArgs = " -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE"
	try{
	[Diagnostics.Process]$myProcess1 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess1.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess1.WaitForExit()
	}
	catch{
	Write-Host "Failed to set CRLF_REVCHECK_IGNORE_OFFLINE."
	return
	}



	#CRLPeriodUnits 1
	#CRLPeriod "Weeks"

	# set the Base CRL publication interval
	##
	$cmdArgs = "-setreg CA\CRLPeriodUnits 1"
	try{
	[Diagnostics.Process]$myProcess1 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess1.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess1.WaitForExit()
	}
	catch{
	Write-Host "Failed to run set CRLPeriodUnits."
	return
	}

	####
	## Set validity period as Hours:

	$cmdArgs = "-setreg CA\CRLPeriod `"Weeks`""
	try{
	[Diagnostics.Process]$myProcess2 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess2.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess2.WaitForExit()
	}

	catch{
	Write-Host "Failed to run set CRLPeriod ."
	return
	}

	##
	# Disable delta CRLs
	$cmdArgs = "-setreg CA\CRLOverlapUnits 2"
	try{
	[Diagnostics.Process]$myProcess3 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess3.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess3.WaitForExit()
	}
	catch{
	Write-Host "Failed to run set CRLOverlapUnits ."
	return
	}

	##
	# Disable delta CRLs
	$cmdArgs = "-setreg CA\CRLOverlapPeriod Days"
	try{
	[Diagnostics.Process]$myProcess3 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess3.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess3.WaitForExit()
	}
	catch{
	Write-Host "Failed to run set CRLOverlapUnits ."
	return
	}


	#CRLDeltaPeriodUnits 12
	#CRLDeltaPeriod "Hours"

	# Configure Delta CRLs:
	##
	$cmdArgs = "-setreg CA\CRLDeltaPeriod `"Hours`""
	try{
	[Diagnostics.Process]$myProcess4 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess4.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess4.WaitForExit()
	}

	catch{
	Write-Host "Failed to run set CRLDeltaPeriod ."
	return
	}

	$cmdArgs = "-setreg CA\CRLDeltaPeriodUnits 12"
	try{
	[Diagnostics.Process]$myProcess5 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess5.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess5.WaitForExit()
	}
	catch{
	Write-Host "Failed to run set CRLDeltaPeriodUnits ."
	return
	}

	$cmdArgs = "-setreg CA\CRLDeltaOverlapPeriod `"Hours`""
	try{
	[Diagnostics.Process]$myProcess6 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess6.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess6.WaitForExit()
	}
	catch{
	Write-Host "Failed to run set CRLDeltaOverlapPeriod ."
	return
	}

	$cmdArgs = "-setreg CA\CRLDeltaOverlapUnits 2"
	try{
	[Diagnostics.Process]$myProcess7 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess7.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess7.WaitForExit()
	}
	catch{
	Write-Host "Failed to run set CRLDeltaOverlapUnits ."
	return
	}

	# Set the CDP Extentions: (Write CRL to Disk and embed HTTP CDP URL in issued certificates:
	##
	$cmdArgs = "-setreg CA\CRLPublicationURLs `"1:$env:systemroot\system32\CertSrv\%3%8%9.crl\n2:http://crl.ACME.com/%3%8%9.crl`""
	try{
	[Diagnostics.Process]$myProcess8 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess8.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess8.WaitForExit()
	}
	catch{
	Write-Host "Failed to run set CRLPublicationURLs ."
	return
	}

	# Set the AIA Extentions: (CAIssuer's and OCSP)
	##
	$cmdArgs = "-setreg CA\CACertPublicationURLs `"3:http://crl.ACME.com/%1_%3%4.crt\n32:http://crl.ACME.com/ocsp`""
	try{
	[Diagnostics.Process]$myProcess9 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess9.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess9.WaitForExit()
	}
	catch{
	Write-Host "Failed to run set CACertPublicationURLs ."
	return
	}

	# Enable all auditable events on the CA
	##
	$cmdArgs = "-setreg CA\AuditFilter 127"
	try{
	[Diagnostics.Process]$myProcess10 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess10.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess10.WaitForExit()
	}
	catch{
	Write-Host "Failed to run set AuditFilter ."
	return
	}

	# Set Maximum Validity Period for Issued Certificates to 3 years
	##
	$cmdArgs = "-setreg CA\ValidityPeriodUnits 5"
	try{
	[Diagnostics.Process]$myProcess11 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess11.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess11.WaitForExit()
	}
	catch{
	Write-Host "Failed to run set ValidityPeriodUnits ."
	return
	}

	$cmdArgs = "-setreg CA\ValidityPeriod `"Years`""
	try{
	[Diagnostics.Process]$myProcess12 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess12.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess12.WaitForExit()
	}
	catch{
	Write-Host "Failed to run set ValidityPeriod ."
	return
	}

	# Set Max debug in application log:
	##
	$cmdArgs = "-setreg CA\loglevel 4"
	try{
	[Diagnostics.Process]$myProcess13 = [Diagnostics.Process]::Start('c:\windows\system32\certutil.exe',$cmdArgs)

	if($myProcess13.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess13.WaitForExit()
	}
	catch{
	Write-Host "Failed to run set loglevel ."
	return
	}

	#Allow KeyUsage extention to be set to 0x06 Critical=True for issued SubCA certs
	##
	$cmdArgs = "-setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE"
	try{
	[Diagnostics.Process]$myProcess150 = [Diagnostics.Process]::Start('C:\Windows\System32\certutil.exe',$cmdArgs)

	if($myProcess150.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess150.WaitForExit()
	}
	catch{
	Write-Host "Failed to set KeyUsage."
	return
	}

	#Configure PathLength for SubCA certs and enforce it on RootCA (sets PathLength=0 in subCA certificates)
	##
	$cmdArgs = "–setreg Policy\CAPathLength 0"
	try{
	[Diagnostics.Process]$myProcess15 = [Diagnostics.Process]::Start('C:\Windows\System32\certutil.exe',$cmdArgs)

	if($myProcess15.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess15.WaitForExit()
	}
	catch{
	Write-Host "Failed to set CAPathLength."
	return
	}

	# Stop Certsrv.exe CA process: (to consume new settings)
	##
	$cmdArgs = "stop certsvc"
	try{
	[Diagnostics.Process]$myProcess16 = [Diagnostics.Process]::Start('C:\Windows\System32\net.exe',$cmdArgs)

	if($myProcess16.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "net " + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess16.WaitForExit()
	}
	catch{
	Write-Host "Failed to stop certsvc.exe ."
	return
	}

	###
	# Create the local audit policy "SecEdit" config file at $pwd\audit.inf

	Add-Content $pwd\audit.inf "[Unicode]"
	Add-Content $pwd\audit.inf "Unicode=yes"
	Add-Content $pwd\audit.inf "[Event Audit]"
	Add-Content $pwd\audit.inf "AuditSystemEvents = 3"
	Add-Content $pwd\audit.inf "AuditLogonEvents = 3"
	Add-Content $pwd\audit.inf "AuditObjectAccess = 3"
	Add-Content $pwd\audit.inf "AuditPrivilegeUse = 3"
	Add-Content $pwd\audit.inf "AuditPolicyChange = 3"
	Add-Content $pwd\audit.inf "AuditAccountManage = 3"
	Add-Content $pwd\audit.inf "AuditAccountLogon = 3"
	Add-Content $pwd\audit.inf "[Version]"
	Add-Content $pwd\audit.inf "signature=`"`$CHICAGO`$`""
	Add-Content $pwd\audit.inf "Revision=1"
	Add-Content $pwd\audit.inf "[Registry Values]"
	Add-Content $pwd\audit.inf "[Profile Description]"
	Add-Content $pwd\audit.inf "Description=Set local audit policies"

	# Enable local audit policies:
	## ##secedit .inf file Path is relative to this script:
	$cmdArgs = " /configure /db secedit.sdb /cfg $pwd\audit.inf"
	try{
	[Diagnostics.Process]$myProcess16 = [Diagnostics.Process]::Start('C:\Windows\System32\SecEdit.exe',$cmdArgs)

	if($myProcess16.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "net " + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess16.WaitForExit()
	}
	catch{
	Write-Host "Failed to set local audit policy ."
	return
	}

	###
	# Remove the audit.inf file:
	Remove-Item $pwd\audit.inf
	Remove-Item $pwd\secedit.sdb

	# Enable C2 trusted role seperation:
	##
	$cmdArgs = " -setreg ca\RoleSeparationEnabled 0" # Disable C2 Role Segregation in DEV
	try{
	[Diagnostics.Process]$myProcess16 = [Diagnostics.Process]::Start('C:\Windows\System32\certutil.exe',$cmdArgs)

	if($myProcess16.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "net " + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess16.WaitForExit()
	}
	catch{
	Write-Host "Failed to enable C2 Role Seperation."
	return
	}

	# Enable OCSPNoCheck OID:
	##
	$cmdArgs = " -setreg policy\EnableRequestExtensionList +1.3.6.1.5.5.7.48.1.5"
	try{
	[Diagnostics.Process]$myProcess16 = [Diagnostics.Process]::Start('C:\Windows\System32\certutil.exe',$cmdArgs)

	if($myProcess16.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "net " + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess16.WaitForExit()
	}
	catch{
	Write-Host "Failed to enable OCSPnoCheckOid 1.3.6.1.5.5.7.48.1.5."
	return
	}

	# Start Certsrv.exe CA process:
	##
	$cmdArgs = "start certsvc"
	try{
	[Diagnostics.Process]$myProcess17 = [Diagnostics.Process]::Start('C:\Windows\System32\net.exe',$cmdArgs)

	if($myProcess17.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "net " + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess17.WaitForExit()
	}
	catch{
	Write-Host "Failed to start certsvc.exe ."
	return
	}

	# Publish a CRL: (to set new validity period)
	##
	$cmdArgs = "-CRL"
	try{
	[Diagnostics.Process]$myProcess18 = [Diagnostics.Process]::Start('C:\Windows\System32\certutil.exe',$cmdArgs)

	if($myProcess18.ExitCode){
	# Throw an exception is command fails for any reason
	Write-Host "certutil" + $cmdArgs + " has failed!"
	Exit
	}

	$myProcess18.WaitForExit()
	}
	catch{
	Write-Host "Failed to write CRL ."
	return
	}

	write-host "`nif there are no exceptions in the script output then the script is now complete!"
	#EOF