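<#::::::::::::::::::::::::::::::::::::::::::::::::
:: 2017 Gordon Young, gjyoung1974@gmail.com ::
:: The purpose of this script ::
:: is to perform post installation ::
:: of an AD certificate services CA ::
::::::::::::::::::::::::::::::::::::::::::::::::::#>
##
# !!! The AIA and CDP values must be edited per each unique CA !!
#     (edit $PublicationHost below; the URL templates are built from it)
# This is a Microsoft ADCS Enterprise SubCA CA post install script
# This script sets SubCA extensions and properties which are not set during initial installation.
# Every setting is applied with certutil -setreg, the local audit policy is applied with SecEdit,
# the CA service is restarted so the new settings are consumed, and a CRL is published.
# Each step aborts the whole script (exit status 1) on a non-zero tool exit code or an exception.
# TODO set the Security groups (C2 Groups) on the CA ACL
# TODO, if we can't supress loading of default templates in CAPolicy.inf, we may need to delete them with Certutil -policy command
# TODO, certutil -SetCAtemplates –SubCA
###

# Single place to edit the host that serves the published CRL, CA certificate and OCSP responder.
$PublicationHost = 'crl.ACME.com'

# Absolute tool paths derived from the system root, so the script does not depend on %PATH%.
$certutil = Join-Path $env:SystemRoot 'System32\certutil.exe'
$net      = Join-Path $env:SystemRoot 'System32\net.exe'
$secedit  = Join-Path $env:SystemRoot 'System32\SecEdit.exe'

# certutil -setreg and secedit /configure both need an elevated session; fail before applying
# anything rather than leaving the CA half-configured.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host "**This script must be run from an elevated (Administrator) PowerShell session.**"
    exit 1
}

#######################################
# Run an external tool synchronously and abort the script if it fails.
# Arguments: $FilePath       - absolute path of the executable
#            $Arguments      - argument string passed verbatim to the process
#            $FailureMessage - text written to the console if the tool fails
# Returns:   nothing; exits the script with status 1 on a non-zero exit code or an exception
#######################################
function Invoke-Tool {
    param(
        [string]$FilePath,
        [string]$Arguments,
        [string]$FailureMessage
    )
    try {
        $proc = [Diagnostics.Process]::Start($FilePath, $Arguments)
        # WaitForExit() must precede ExitCode: reading ExitCode on a still-running process throws,
        # which previously sent the step into the catch block regardless of the tool's real result.
        $proc.WaitForExit()
        if ($proc.ExitCode -ne 0) {
            # Format with -f rather than '+': with Write-Host, 'a' + $b + 'c' is three arguments, not one string.
            Write-Host ("**{0} {1} has failed (exit code {2})!** {3}" -f $FilePath, $Arguments, $proc.ExitCode, $FailureMessage)
            exit 1
        }
    }
    catch {
        Write-Host ("**{0}** {1}" -f $FailureMessage, $_.Exception.Message)
        exit 1
    }
}

#######################################
# Apply one CA registry setting: certutil -setreg <Key> <Value>.
# Arguments: $Key            - registry key relative to the CA configuration, e.g. CA\CRLPeriodUnits
#            $Value          - value text exactly as certutil expects it (include quotes if needed)
#            $FailureMessage - text written to the console if certutil fails
#######################################
function Set-CaRegistryValue {
    param(
        [string]$Key,
        [string]$Value,
        [string]$FailureMessage
    )
    # The "-setreg" switch is always an ASCII hyphen here; the original CAPathLength step used an
    # en-dash (U+2013), which certutil does not recognise as a switch.
    Invoke-Tool -FilePath $certutil -Arguments "-setreg $Key $Value" -FailureMessage $FailureMessage
}

# Since this is DEV, Disable checking for SubCA's certificate status on offline root's CRL:
# Never do this in production!!
Set-CaRegistryValue 'ca\CRLFlags' '+CRLF_REVCHECK_IGNORE_OFFLINE' 'Failed to set CRLF_REVCHECK_IGNORE_OFFLINE.'

# Base CRL publication interval: 1 week.
Set-CaRegistryValue 'CA\CRLPeriodUnits' '1'       'Failed to set CRLPeriodUnits.'
Set-CaRegistryValue 'CA\CRLPeriod'      '"Weeks"' 'Failed to set CRLPeriod.'

# Base CRL overlap period: 2 days.
Set-CaRegistryValue 'CA\CRLOverlapUnits'  '2'    'Failed to set CRLOverlapUnits.'
Set-CaRegistryValue 'CA\CRLOverlapPeriod' 'Days' 'Failed to set CRLOverlapPeriod.'

# Delta CRLs: published every 12 hours with a 2 hour overlap.
Set-CaRegistryValue 'CA\CRLDeltaPeriod'        '"Hours"' 'Failed to set CRLDeltaPeriod.'
Set-CaRegistryValue 'CA\CRLDeltaPeriodUnits'   '12'      'Failed to set CRLDeltaPeriodUnits.'
Set-CaRegistryValue 'CA\CRLDeltaOverlapPeriod' '"Hours"' 'Failed to set CRLDeltaOverlapPeriod.'
Set-CaRegistryValue 'CA\CRLDeltaOverlapUnits'  '2'       'Failed to set CRLDeltaOverlapUnits.'

# CDP extension: write the CRL to disk (entry 1) and embed the HTTP CDP URL in issued
# certificates (entry 2). "\n" is certutil's separator between entries and is passed literally.
$cdpUrls = "1:$env:SystemRoot\system32\CertSrv\%3%8%9.crl\n2:http://$PublicationHost/%3%8%9.crl"
Set-CaRegistryValue 'CA\CRLPublicationURLs' "`"$cdpUrls`"" 'Failed to set CRLPublicationURLs.'

# AIA extension: CA issuer certificate URL (entry 3) and OCSP responder URL (entry 32).
$aiaUrls = "3:http://$PublicationHost/%1_%3%4.crt\n32:http://$PublicationHost/ocsp"
Set-CaRegistryValue 'CA\CACertPublicationURLs' "`"$aiaUrls`"" 'Failed to set CACertPublicationURLs.'

# Enable all auditable events on the CA.
Set-CaRegistryValue 'CA\AuditFilter' '127' 'Failed to set AuditFilter.'

# Maximum validity period for issued certificates.
# NOTE(review): the original comment said "3 years" but the value applied is 5 — confirm which is intended.
Set-CaRegistryValue 'CA\ValidityPeriodUnits' '5'       'Failed to set ValidityPeriodUnits.'
Set-CaRegistryValue 'CA\ValidityPeriod'      '"Years"' 'Failed to set ValidityPeriod.'

# Maximum debug level in the application log.
Set-CaRegistryValue 'CA\loglevel' '4' 'Failed to set loglevel.'

# Allow the KeyUsage extension to be set to 0x06 Critical=True for issued SubCA certs.
Set-CaRegistryValue 'policy\EditFlags' '-EDITF_ADDOLDKEYUSAGE' 'Failed to set KeyUsage.'

# Configure PathLength for SubCA certs and enforce it on RootCA (sets PathLength=0 in subCA certificates).
Set-CaRegistryValue 'Policy\CAPathLength' '0' 'Failed to set CAPathLength.'

# Stop the CA service so the new settings are consumed on restart.
Invoke-Tool -FilePath $net -Arguments 'stop certsvc' -FailureMessage 'Failed to stop certsvc.'

###
# Local audit policy: write a SecEdit template next to the script and apply it.
$auditInf = Join-Path $pwd 'audit.inf'
$auditDb  = Join-Path $pwd 'secedit.sdb'
# Set-Content (not Add-Content) so a leftover audit.inf from an earlier run is overwritten, not appended to.
# Single-quoted here-string: "$CHICAGO$" is written literally, no expansion.
$auditTemplate = @'
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
[Profile Description]
Description=Set local audit policies
'@
Set-Content -Path $auditInf -Value $auditTemplate

# Both paths are quoted so a working directory containing spaces does not break the argument string.
Invoke-Tool -FilePath $secedit -Arguments "/configure /db `"$auditDb`" /cfg `"$auditInf`"" -FailureMessage 'Failed to set local audit policy.'

###
# Remove the template and the SecEdit database; neither is needed once the policy has been applied.
Remove-Item -Path $auditInf, $auditDb

# C2 trusted role separation is DISABLED here (value 0) because this is DEV.
# Never do this in production!! — a production CA should enable it.
Set-CaRegistryValue 'ca\RoleSeparationEnabled' '0' 'Failed to set RoleSeparationEnabled.'

# Enable the OCSPNoCheck OID (1.3.6.1.5.5.7.48.1.5) in the request extension list.
Set-CaRegistryValue 'policy\EnableRequestExtensionList' '+1.3.6.1.5.5.7.48.1.5' 'Failed to enable OCSPnoCheckOid 1.3.6.1.5.5.7.48.1.5.'

# Start the CA service again with the new settings.
Invoke-Tool -FilePath $net -Arguments 'start certsvc' -FailureMessage 'Failed to start certsvc.'

# Publish a CRL so the new validity period takes effect immediately.
Invoke-Tool -FilePath $certutil -Arguments '-CRL' -FailureMessage 'Failed to write CRL.'

write-host "`nif there are no exceptions in the script output then the script is now complete!"
#EOF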