dsccommunity / certificatedsc
DSC resources to simplify administration of certificates on a Windows Server.
Home Page: https://dsccommunity.org
License: MIT License
A recent change in DSCResource.Tests (PowerShell/DscResource.Tests#186) caused the unit tests for the DSCResource.Tests module itself to be executed during the test run in this module.
For non-harness type modules this is being fixed in DSCResource.Tests itself, but for harness type, this must be fixed using this suggested change:
dsccommunity/NetworkingDsc#263 (comment)
If you replace these rows
With these rows, it will not run the test that is failing
if ($PSBoundParameters.ContainsKey('DscTestsPath') -eq $true)
{
    $getChildItemParameters = @{
        Path    = $DscTestsPath
        Recurse = $true
        Filter  = '*.Tests.ps1'
    }

    # Get all tests '*.Tests.ps1'.
    $commonTestFiles = Get-ChildItem @getChildItemParameters

    # Remove DscResource.Tests unit and integration tests.
    $commonTestFiles = $commonTestFiles | Where-Object -FilterScript {
        $_.FullName -notmatch 'DSCResource.Tests\\Tests'
    }

    $testsToRun += @( $commonTestFiles.FullName )
}
It seems there was a PR rolled back on that subject, but I have a similar issue: my root cert contains a space, and the certreq -submit fails because of it. Is there a quickfix on that matter?
Edit: I'm on 2.6.0.0, and it doesn't look like it's related to the 2.5.0.0 fix.
Details of the scenario you tried and the problem that is occurring:
As of Pester v4 the syntax of the Should cmdlet has changed from Should Be to Should -Be.
There is a helpful script that can be used to easily perform the conversion:
https://gist.github.com/indented-automation/aeb14825e39dd8849beee44f681fbab3
This script should be used to correct the Pester syntax.
This module needs to be modified to meet HQRM guidelines:
https://github.com/PowerShell/DscResources/blob/master/HighQualityModuleGuidelines.md
The tasks that need to be performed are:
When running xCertReq, it throws an error after trying to create the .req file from the .inf file when it tries to use the .req file:
PowerShell DSC resource MSFT_xCertReq failed to execute Set-TargetResource functionality with error message: Certificate Request file 'C:\windows\TEMP\xCertReq-3a43205a-a1b6-40e6-a1c3-40a56fc7c375.req' not found.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : TB-Test1
I've tried to run certreq.exe manually on the server with the "-q" option, with the same result. When running it without "-q" it gives a popup about not finding the template and a "continue anyway" option, which in turn generates the required .req file.
Is this a known problem, or might there be some PEBCAK in the picture?
These are the parameters specified:
xCertReq RequestCertificate
{
    Subject      = "$($Node.NodeName)"
    CAServerFQDN = 'TB-CA.thebachelorettes.local'
    CARootName   = 'thebachelorettes-TB-CA-ca'
    KeyLength    = '2048'
    AutoRenew    = $true
}
User Story: Need to be able to use certificates that are either already in the Windows Certificate Machine Store (or have been requested via xCertReq) in software that does not use the Windows Certificate Store to store certificates. An example is Java Key Store (JKS) files.
This would require a certificate to be found in the machine store (via Thumbprint, Subject, Serial Number, KU, Issuer etc) and then exported to a file (if the file does not exist), encrypting with a password or user/group combination (for Windows Server 2012+).
Export of the Private key would only be able to occur if it was available and exportable for the certificate identified for export.
If no one else is working on this I'll look at getting this one implemented (if there are no objections).
After importing pfx file how to set permissions on private key with DSC?
e.g., After loading cert into localcomputer \ my store how would one set IIS_IUSRS access to private key for use with IIS site using DSC process?
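One way to do the step asked about above, as an added example that is not CertificateDsc code: grant a Windows identity (IIS_IUSRS or an app pool identity) Read access to the private key file of a certificate already imported into the machine store. It assumes the key is an RSA CAPI key under the MachineKeys directory; CNG keys are stored elsewhere, so the function stops with an error rather than guessing.

```powershell
# Added example, not CertificateDsc code. Assumption: CAPI (CryptoAPI) RSA key
# stored under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys.
function Grant-PrivateKeyReadAccess
{
    [CmdletBinding(SupportsShouldProcess = $true)]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Thumbprint,

        [Parameter(Mandatory = $true)]
        [System.String]
        $Identity,

        [Parameter()]
        [System.String]
        $StorePath = 'Cert:\LocalMachine\My'
    )

    $cert = Get-ChildItem -Path $StorePath |
        Where-Object -FilterScript { $_.Thumbprint -eq $Thumbprint }

    if ($null -eq $cert)
    {
        throw "Certificate '$Thumbprint' not found in '$StorePath'."
    }

    if (-not $cert.HasPrivateKey)
    {
        throw "Certificate '$Thumbprint' has no private key."
    }

    # .PrivateKey throws for CNG keys on older .NET and is $null on newer .NET;
    # both cases mean "not a CAPI key" and are refused rather than guessed.
    try
    {
        $keyInfo = $cert.PrivateKey.CspKeyContainerInfo
    }
    catch
    {
        $keyInfo = $null
    }

    if ($null -eq $keyInfo)
    {
        throw "Private key of '$Thumbprint' is not a CAPI key; cannot resolve its file."
    }

    $keyDir = Join-Path -Path $env:ProgramData -ChildPath 'Microsoft\Crypto\RSA\MachineKeys'
    $keyPath = Join-Path -Path $keyDir -ChildPath $keyInfo.UniqueKeyContainerName

    if (-not (Test-Path -Path $keyPath -PathType Leaf))
    {
        throw "Private key file '$keyPath' not found."
    }

    # Read is enough for TLS use; never grant Modify or FullControl on key material.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, 'Read', 'Allow'

    $acl = Get-Acl -Path $keyPath
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($keyPath, "Grant Read to '$Identity'"))
    {
        Set-Acl -Path $keyPath -AclObject $acl
    }

    return $keyPath
}

# Preview first with -WhatIf, then run without it (thumbprint is a placeholder):
# Grant-PrivateKeyReadAccess -Thumbprint '<thumbprint>' -Identity 'IIS_IUSRS' -WhatIf
```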
Details of the scenario you tried and the problem that is occurring:
It is not obvious from the README.MD that there is a Wiki containing the full documentation.
The DSC configuration that is using the resource (as detailed as possible):
N/A
Version of the Operating System and PowerShell the DSC Target Node is running:
N/A
Version of the DSC module you're using, or 'dev' if you're using current dev branch:
N/A
Details of the scenario you tried and the problem that is occurring:
The Wiki is not enabled on the xCertificate repo. I need this to be enabled because this repo is now auto-documentation enabled.
@kwirkykat or @zjalexander - can either of you please turn this on in the repo for me? Thank you
The DSC configuration that is using the resource (as detailed as possible):
N/A
Version of the Operating System and PowerShell the DSC Target Node is running:
N/A
Version of the DSC module you're using, or 'dev' if you're using current dev branch:
N/A
Details of the scenario you tried and the problem that is occurring:
The Wiki documentation for PFXImport is generated incorrectly for the credential parameter. This is because the description contains [PSCredential] which trips up the generation code.
The DSC configuration that is using the resource (as detailed as possible):
PFXImport
Version of the Operating System and PowerShell the DSC Target Node is running:
N/A
Version of the DSC module you're using, or 'dev' if you're using current dev branch:
N/A
I don't think I should have direct edit access to the wiki. I was expecting to create a pull request for the wiki fix, but it let me edit it directly instead. You probably need to fix permissions here.
Would be nice to be able to specify this. I want to create the cert, but later I want to use the name in another task or script. Nothing to key off of otherwise.
Details of the scenario you tried and the problem that is occurring:
By requiring thumbprint you create an additional step that is dependent on the user to identify the thumbprint of the certificate before importing the certificate. This information can be found in the certificate when you supply the path.
I understand that the thumbprint is quite useful when Ensure = Absent, so it should be left and as an optional parameter, and "required by code" in the instance you are attempting to remove the cert, but not required to add the certificate.
The DSC configuration that is using the resource (as detailed as possible):
xCertificateImport SSLCert
{
    Thumbprint = 'c81b94933420221a7ac004a90242d8b1d3e5070d'
    Location   = 'LocalMachine'
    Store      = 'Root'
    Path       = '\Server\Share\Certificates\MyTrustedRoot.cer'
}

xPfxImport CompanyCert
{
    Thumbprint = 'c81b94933420221a7ac004a90242d8b1d3e5070d'
    Path       = '\Server\Share\Certificates\CompanyCert.pfx'
    Location   = 'LocalMachine'
    Store      = 'WebHosting'
    Credential = $Credential
    DependsOn  = '[WindowsFeature]IIS'
}
To generate my configuration I need to resolve the thumbprint of each certificate. So if I am using DSC to automate the standup of several hundred IIS Servers / applications, each with its own certificate, it's a real pain to get the thumbprint off all the certs. It would be much easier if I could just supply the path to the correct certificate and be done.
Version of the Operating System and PowerShell the DSC Target Node is running:
All
Version of the DSC module you're using, or 'dev' if you're using current dev branch:
Latest / NA
If a template name contains a space, the template name is not correctly sent / recognised by the CA due to a lack of quoting in the certificate request.
OS: Windows Server 2012
Module version: 3.0.0.0
At the company I work for we're going to be needing some additional features in this resource:
Would there be any objections to us adding these features and submitting them to this resource over the next few weeks?
As part of the move to HQRM the CA abbreviation should be removed from parameter names.
I have a custom Document Signing Certificate Template that I would like to request from the CA.
There are 2 reasons the current implementation of xCertReq does not work for this:
I would be happy to implement this if the CR is accepted.
As 1024 bits is no longer considered secure, xCertReq should default to issuing certificates with 2048 bits.
The xPfxImport is great for importing certificates with a private key, but it would be nice if we could import public keys into the trusted root store.
I would propose adding a xCertificateImport-resource which mirrors much of the functionality given by the xPfxImport-resource, except that it expects a plain certificate file (any format supported by the Import-Certificate command) instead of a PFX/P12.
One common way we use xCertReq is to request certificates for web servers that have both a CNAME and a computer name + FQDN. E.g.
dns=www.contoso.com&dns=webserver99232&dns=webserver99232.contoso.local
It would be awesome if the SubjectAltName could be specified in such a way that the computername and FQDN were filled in automatically by the xCertReq resource at apply time (not at compile time). E.g.
SubjectAltName = 'dns=www.contoso.com&dns={ComputerName}&dns={FQDN}'
At apply time the SubjectAltName could be adjusted by the xCertReq to be:
SubjectAltName = 'dns=www.contoso.com&dns=webserver99232&dns=webserver99232.contoso.local'
based on the computer applying the DSC config. This enables a single DSC config work on any number of machines (e.g. a web farm). I know that certificate wildcards could also solve this problem, but our security team would prefer to not use this.
I could submit the change for this feature if acceptable.
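The apply-time placeholder expansion proposed above, as an added example that is not part of the xCertReq resource: it replaces {ComputerName} and {FQDN} on the node running the configuration and validates the resulting certreq SAN string. It assumes the placeholder names from the issue and builds the FQDN from Win32_ComputerSystem (DNSHostName plus Domain) so no DNS lookup is needed.

```powershell
# Added example, not xCertReq code. Placeholder names are those proposed in
# the issue; FQDN derivation via Win32_ComputerSystem is an assumption.
function Expand-SubjectAltName
{
    [CmdletBinding()]
    [OutputType([System.String])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $SubjectAltName,

        [Parameter()]
        [System.String]
        $ComputerName,

        [Parameter()]
        [System.String]
        $Fqdn
    )

    if ([System.String]::IsNullOrEmpty($ComputerName) -or [System.String]::IsNullOrEmpty($Fqdn))
    {
        $system = Get-CimInstance -ClassName Win32_ComputerSystem
        if ([System.String]::IsNullOrEmpty($ComputerName))
        {
            $ComputerName = $system.DNSHostName
        }
        if ([System.String]::IsNullOrEmpty($Fqdn))
        {
            $Fqdn = '{0}.{1}' -f $system.DNSHostName, $system.Domain
        }
    }

    # -replace is case-insensitive; the braces are escaped so they are literals.
    $expanded = $SubjectAltName -replace '\{ComputerName\}', $ComputerName
    $expanded = $expanded -replace '\{FQDN\}', $Fqdn

    # Any placeholder left over is a typo in the configuration and must not
    # reach certreq as part of the request.
    if ($expanded -match '\{[^}]*\}')
    {
        throw "Unsupported placeholder '$($Matches[0])' in SubjectAltName '$SubjectAltName'."
    }

    # Validate the certreq SAN syntax: 'type=value' pairs joined by '&'.
    foreach ($pair in ($expanded -split '&'))
    {
        $type, $value = $pair -split '=', 2
        if ([System.String]::IsNullOrWhiteSpace($value))
        {
            throw "SubjectAltName entry '$pair' is not in 'type=value' form."
        }
        if ($type -eq 'dns' -and $value -notmatch '^[A-Za-z0-9.*-]+$')
        {
            throw "SubjectAltName DNS entry '$value' contains invalid characters."
        }
    }

    return $expanded
}

# The issue's example, with explicit values instead of the local machine's:
# Expand-SubjectAltName -SubjectAltName 'dns=www.contoso.com&dns={ComputerName}&dns={FQDN}' `
#     -ComputerName 'webserver99232' -Fqdn 'webserver99232.contoso.local'
```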
Import fails on 2008 R2 because Import-PfxCertificate PS utility / command does not exist on Win 2008 R2
All modules in this resource don't meet style guidelines and are missing Integration tests (and some unit tests).
I'm currently working on bringing this resource up to HQRM before I work on the other fixes and features.
I was unable to use the xPfxImport to import a certificate. It was giving me an error message that my hash was invalid. I used the same hash and certificate with the import-pfxcertificate cmdlet and it worked fine. If there is any more information that I can supply, let me know, I'd like to avoid using the script resources for this if I can.
Please see error below:
PowerShell DSC resource MSFT_xCertReq failed to execute Set-TargetResource functionality with error message: The process 'C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe' with arguments '-Command "& C:\Windows\system32\certreq.exe @('-submit','-q','-config','CA01.xxxx.xxx\xxxxxx-CA01-CA','C:\Windows\TEMP\xCertReq-b6e74f80-5f35-46b2-a477-24098ca9b417.req','C:\Windows\TEMP\xCertReq-b6e74f80-5f35-46b2-a477-24098ca9b417.cer') | Set-Content -Path 'C:\Windows\TEMP\xCertReq-b6e74f80-5f35-46b2-a477-24098ca9b417.out'"' failed to start within the specified timeout.
Certificate is successfully created but not put into the right cert store; the certificate stays in the C:\Windows\Temp directory.
I suggest we add a VS Code workspace setting file with the following settings:
// Place your settings in this file to overwrite default and user settings.
{
    "powershell.codeFormatting.openBraceOnSameLine": false,
    "powershell.codeFormatting.newLineAfterOpenBrace": false,
    "powershell.codeFormatting.newLineAfterCloseBrace": true,
    "powershell.codeFormatting.whitespaceBeforeOpenBrace": true,
    "powershell.codeFormatting.whitespaceBeforeOpenParen": true,
    "powershell.codeFormatting.whitespaceAroundOperator": true,
    "powershell.codeFormatting.whitespaceAfterSeparator": true,
    "powershell.codeFormatting.ignoreOneLineBlock": false,
    "powershell.codeFormatting.alignPropertyValuePairs": true,
    "files.trimTrailingWhitespace": true,
    "files.insertFinalNewline": true
}
This is discussed here PowerShell/DscResources#284.
That will make it possible inside VS Code to press SHIFT+ALT+F or press F1 and choose 'Format document' in the list. The PowerShell code will then be formatted according to the Style Guideline (although maybe not complete, but would help a lot).
One common scenario we find ourselves using xScript for is taking a certificate that is issued by xCertReq and exporting it to a PFX. The PFX then gets inserted into a new or existing Java Key Store (JKS) file.
This would allow more easily deploying Java based workloads on Windows nodes.
This would require the use of Java KeyTool.exe to perform the JKS conversion.
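The PFX-to-JKS step described above, as an added example that is not CertificateDsc code: export an issued machine certificate (with private key and chain) to a temporary PFX and import it into a Java keystore with keytool. It assumes keytool.exe under $env:JAVA_HOME and keytool's ':env' password modifier, so the password stays off the command line; the temporary PFX is removed afterwards.

```powershell
# Added example, not CertificateDsc code. Assumptions: keytool.exe lives under
# $env:JAVA_HOME\bin and supports the '-srcstorepass:env VAR' password form.
function Export-CertificateToJks
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Thumbprint,

        [Parameter(Mandatory = $true)]
        [System.String]
        $JksPath,

        [Parameter(Mandatory = $true)]
        [System.Security.SecureString]
        $Password,

        [Parameter()]
        [System.String]
        $KeyToolPath = (Join-Path -Path $env:JAVA_HOME -ChildPath 'bin\keytool.exe')
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey)
    {
        throw "Certificate '$Thumbprint' has no private key; nothing to export for a JKS."
    }

    $pfxPath = Join-Path -Path $env:TEMP -ChildPath ('{0}.pfx' -f [System.Guid]::NewGuid())

    try
    {
        # BuildChain includes the issuing CA chain so Java can validate the cert.
        $null = Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $Password -ChainOption BuildChain

        # keytool reads the password from the JKS_PASS environment variable.
        $env:JKS_PASS = [System.Net.NetworkCredential]::new('', $Password).Password

        & $KeyToolPath -importkeystore -noprompt `
            -srckeystore $pfxPath -srcstoretype PKCS12 '-srcstorepass:env' 'JKS_PASS' `
            -destkeystore $JksPath -deststoretype JKS '-deststorepass:env' 'JKS_PASS'

        if ($LASTEXITCODE -ne 0)
        {
            throw "keytool failed with exit code $LASTEXITCODE."
        }
    }
    finally
    {
        # Never leave key material or its password behind.
        Remove-Item -Path Env:\JKS_PASS -ErrorAction SilentlyContinue
        if (Test-Path -Path $pfxPath)
        {
            Remove-Item -Path $pfxPath -Force
        }
    }

    return $JksPath
}
```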
Is it possible to use xCertificateImport on .crl's? If so how do you get the thumbprint of a CRL?
PS C:\Users\GlennMate> Install-Module xNetworking -Force
PackageManagement\Install-Package : A command with name 'Get-LocalizedData' is already available on this system. This
module 'xNetworking' may override the existing commands. If you still want to install this module 'xNetworking', use
-AllowClobber parameter.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1772 char:21
+ ... $null = PackageManagement\Install-Package @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package],
Exception
+ FullyQualifiedErrorId : CommandAlreadyAvailable,Validate-ModuleCommandAlreadyAvailable,Microsoft.PowerShell.Pack
ageManagement.Cmdlets.InstallPackage
As of the 4.0.0.0 release today, this module now conflicts with the newly released 3.0.0.0 version of xStorage. The only way to install this module is to use Install-Module xNetworking -Force -AllowClobber. This should break aliases between DSC resources.
Please address ASAP, this is a big breaking change.
This issue was raised by @glennmate in xNetworking here: dsccommunity/NetworkingDsc#213
Is there a way to generate a self-signed SSL / signing certificate via DSC?
Hello,
I have set the Store to WebHosting and it's still importing into the Personal store; the debug info confirms it's going into Cert:\LocalMachine\My.
Paul
xCertificateImport currently fails on Test-Thumbprint because [System.AppDomain] does not exist in Nano server.
Since GPOs are not supported on Nano server, xCertificateImport would be the perfect mechanism to import Enterprise Root certs into the Nano server.
Add the files:
We should use the ones from xFailOverCluster.
Hello,
I have reliability issues with xCertReq on Windows Server 2016: randomly (about 1 every 10 times), it fails with error "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)".
I use it in a DC hosted in Azure that gets deployed from scratch, below is the relevant portion:
WindowsFeature AddCertAuthority { Name = "ADCS-Cert-Authority"; Ensure = "Present"; DependsOn = "[xPendingReboot]Reboot1" }
WindowsFeature AddADCSManagementTools { Name = "RSAT-ADCS-Mgmt"; Ensure = "Present"; DependsOn = "[xPendingReboot]Reboot1" }
xADCSCertificationAuthority ADCS
{
    Ensure     = "Present"
    Credential = $DomainCredsNetbios
    CAType     = "EnterpriseRootCA"
    DependsOn  = "[WindowsFeature]AddCertAuthority"
}
xCertReq ADFSSiteCert
{
    CARootName          = "$DomainNetbiosName-$ComputerName-CA"
    CAServerFQDN        = "$ComputerName.$DomainFQDN"
    Subject             = "$ADFSSiteName.$DomainFQDN"
    KeyLength           = '2048'
    Exportable          = $true
    ProviderName        = '"Microsoft RSA SChannel Cryptographic Provider"'
    OID                 = '1.3.6.1.5.5.7.3.1'
    KeyUsage            = '0xa0'
    CertificateTemplate = 'WebServer'
    AutoRenew           = $true
    #SubjectAltName     = "certauth.$ADFSSiteName.$DomainFQDN"
    Credential          = $DomainCredsNetbios
    DependsOn           = '[xADCSCertificationAuthority]ADCS'
}
Here is the full execution of the resource, with the error:
[[xCertReq]ADFSSiteCert]
VERBOSE: [2017-06-20 12:21:08Z] [VERBOSE] [DC]: LCM: [ Start Test ]
[[xCertReq]ADFSSiteCert]
VERBOSE: [2017-06-20 12:21:08Z] [VERBOSE] [DC]:
[[xCertReq]ADFSSiteCert] Test-TargetResource: Testing Certificate with Subject
'CN=ADFS.contoso.local' issued by DC.contoso.local\contoso-DC-CA.
VERBOSE: [2017-06-20 12:21:08Z] [VERBOSE] [DC]:
[[xCertReq]ADFSSiteCert] Test-TargetResource: No valid certificate found with
subject 'CN=ADFS.contoso.local' issued by DC.contoso.local\contoso-DC-CA.
VERBOSE: [2017-06-20 12:21:08Z] [VERBOSE] [DC]: LCM: [ End Test ]
[[xCertReq]ADFSSiteCert] in 0.0630 seconds.
VERBOSE: [2017-06-20 12:21:08Z] [VERBOSE] [DC]: LCM: [ Start Set ]
[[xCertReq]ADFSSiteCert]
VERBOSE: [2017-06-20 12:21:08Z] [VERBOSE] [DC]:
[[xCertReq]ADFSSiteCert] Set-TargetResource: Starting Certificate request with
Subject 'ADFS.contoso.local' issued by DC.contoso.local\contoso-DC-CA.
VERBOSE: [2017-06-20 12:21:08Z] [VERBOSE] [DC]:
[[xCertReq]ADFSSiteCert] Set-TargetResource: Creating certificate request
'C:\Windows\TEMP\xCertReq-479eb889-ebef-46bc-a56c-3fc0e1449657.req' from
'C:\Windows\TEMP\xCertReq-479eb889-ebef-46bc-a56c-3fc0e1449657.inf'.
VERBOSE: [2017-06-20 12:21:09Z] [VERBOSE] [DC]:
[[xCertReq]ADFSSiteCert] Set-TargetResource: Create certificate request result:
Active Directory Enrollment Policy
VERBOSE: [2017-06-20 12:21:09Z] [VERBOSE] [DC]:
[[xCertReq]ADFSSiteCert] Set-TargetResource: Submitting certificate request
'C:\Windows\TEMP\xCertReq-479eb889-ebef-46bc-a56c-3fc0e1449657.req' returning
'C:\Windows\TEMP\xCertReq-479eb889-ebef-46bc-a56c-3fc0e1449657.cer' issued by
DC.contoso.local\contoso-DC-CA.
VERBOSE: [2017-06-20 12:21:09Z] [VERBOSE] [DC]:
[[xCertReq]ADFSSiteCert] Set-TargetResource: Submitting certificate request
using separate process.
VERBOSE: [2017-06-20 12:21:10Z] [VERBOSE] [DC]:
[[xCertReq]ADFSSiteCert] Set-TargetResource: Submitting certificate request
result: Certificate Request Processor: The RPC server is unavailable.
0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
VERBOSE: [2017-06-20 12:21:10Z] [VERBOSE] [DC]: LCM: [ End Set ]
[[xCertReq]ADFSSiteCert] in 2.3780 seconds.
VERBOSE: [2017-06-20 12:21:10Z] [ERROR] PowerShell DSC resource MSFT_xCertReq
failed to execute Set-TargetResource functionality with error message:
Certificate file
'C:\Windows\TEMP\xCertReq-479eb889-ebef-46bc-a56c-3fc0e1449657.cer' not found.
Additional information:
Could it occur because I run xCertReq just after xADCSCertificationAuthority?
Do you have any idea of a possible workaround? I'm thinking about testing a timer between xADCSCertificationAuthority and xCertReq but I don't know if it's relevant.
User Story: Need to be able to export certificates that are either already in the Windows Certificate Machine Store or have been requested via xCertReq.
This would require a certificate to be found in the machine store (via Thumbprint, Subject, Serial Number, KU, Issuer etc) and then exported to a file (if the file does not exist) as an x509 CER file.
This will be combined with the xPFXExport resource requested in #26
This will export x509 certificates or PKCS#12 certificates (with Private Key and optional trust chain).
Convert this resource module over to use the auto-documentation format from SharePointDsc/xNetworking/xStorage/xDFS.
I thought I had already enabled this in this module, but it turns out I had forgotten.
Opt in to these tests once BOM is fixed:
Common Tests - Validate Module Files
Common Tests - Validate Script Files
It would be cool if xPfxImport could import a PFX from Azure Key Vault
(https://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/#add)
I might be converting a DSC configuration to use the Azure VM DSC Extension, and would like to use Key Vault to store the certificates, so might work on this soon.
Details of the scenario you tried and the problem that is occurring:
With FIPS mode enabled, all xPfxImport and xCertificateImport in my configuration fail. I think it may be a resource issue and not DSC itself, as these are the only resources that are failing. Below is the error:
PowerShell DSC resource MSFT_xPfxImport failed to execute Test-TargetResource functionality with error message: Cannot validate argument on
parameter 'Thumbprint'. Exception calling ".ctor" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS validated
cryptographic algorithms."
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : localhost
Version of the Operating System and PowerShell the DSC Target Node is running:
Server 2016, WMF 5.1
Version of the DSC module you're using, or 'dev' if you're using current dev branch:
3.0.0.0
When using the interactive Windows Certificates snap-in, a 3rd very important cert target store type can be selected:
One can select "my user account", "computer account" and "service account" as target for certificates.
xCertificateImport currently seems to only support 2 target store types:
Location: 'LocalMachine' or 'CurrentUser'
As an admin it would be very cool to be able to also use xCertificateImport to manage service-related certificates, as there are otherwise no PowerShell means to do so and the GUI cert tool is a PITA, as it's not scriptable. And there are Microsoft's own services out there that need such certificates. For example Microsoft AD LDS uses certificates stored in the service accounts section for SSL/TLS certificates, e.g. in:
[HKLM\SOFTWARE\Microsoft\Cryptography\Services\ADAM_inst1\SystemCertificates\My\Certificates]
There seems to be no means to use xCertificateImport to manage that path
(Referring to https://msdn.microsoft.com/en-us/library/windows/desktop/aa388136(v=vs.85).aspx#CERT_SYSTEM_STORE_SERVICES)
(the old fashioned state based PowerShell Cert commands seem to have the same deficits, but why not do it right in this command - that would probably need a 3rd parameter Location="service" and a further Servicename="...." parameter)
I'm trying to use xCertReq to request an SSL certificate from my CA. I'm actually getting a strange timeout value in the end but I'm not sure why, and if I look in C:\Windows\Temp I can actually find the requested certificate there and it appears to be correctly issued and OK. See attached error. Why is it attempting to request a certificate using a new process when one was already requested just previously?
This will override a user defined value. See PowerShell/DscResources#284 (comment)
xCertReq's Test-TargetResource returns true if the certificate is found but SubjectAltName is incorrect. It should return false if SubjectAltName is incorrect.
The verbose preference does not appear to get passed from a *-TargetResource function into any "common" functions that are being called. An example of this is the calls to Find-CertificateAuthority in the xCertReq. The Verbose messages will not be displayed even when *-TargetResource is called with -Verbose.
@johlju reported this on xSQLServer in this issue: dsccommunity/SqlServerDsc#641
Other xCertificate resources have "accidentally" worked around this by building splats from the PSBoundParameters, which will cause the VerbosePreference to be passed through, but a better approach is required.
User story: we have different CA's for different AD forests. Each CA in each AD domain has a different name. We want to use the same DSC configuration scripts across all domains.
To do this means that the CA details should be able to be automatically detected if not provided. This can be done by using certutil.exe -dump:
Are there any objections to this being implemented?
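The certutil.exe -dump detection proposed above, as an added example that is not the resource's own Find-CertificateAuthority: parse the text certutil prints and derive CAServerFQDN and CARootName from the first CA entry. The sample output is constructed to mirror certutil's layout (values wrapped in a backtick and an apostrophe) and was not captured from a real CA.

```powershell
# Added example, not CertificateDsc code. The sample dump below is constructed.
$sampleCertUtilDump = @'
Entry 0:
  Name:                 `contoso-DC-CA'
  Organizational Unit:  `'
  Organization:         `'
  Config:               `DC.contoso.local\contoso-DC-CA'
  Server:               `DC.contoso.local'
  Authority:            `contoso-DC-CA'
CertUtil: -dump command completed successfully.
'@

function ConvertFrom-CertUtilDump
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String[]]
        $DumpText
    )
    $entries = New-Object -TypeName System.Collections.Generic.List[System.Object]
    $current = $null
    foreach ($line in $DumpText)
    {
        if ($line -match '^Entry (\d+):')
        {
            if ($null -ne $current) { $entries.Add([PSCustomObject] $current) }
            $current = [ordered] @{ Entry = [int] $Matches[1] }
        }
        elseif ($null -ne $current -and $line -match '^\s+([^:]+):\s*`(.*)''\s*$')
        {
            # Key names such as 'Organizational Unit' become property names.
            $current[$Matches[1].Trim()] = $Matches[2]
        }
    }
    if ($null -ne $current) { $entries.Add([PSCustomObject] $current) }
    return $entries.ToArray()
}

function Find-CertificateAuthorityFromDump
{
    [CmdletBinding()]
    param
    (
        [Parameter()]
        [System.String[]]
        $DumpText = (& certutil.exe -dump 2>&1 | ForEach-Object { $_.ToString() })
    )
    $cas = @(ConvertFrom-CertUtilDump -DumpText $DumpText | Where-Object { $_.Config })
    if ($cas.Count -eq 0)
    {
        throw 'certutil -dump listed no certification authority.'
    }
    if ($cas.Count -gt 1)
    {
        # Several CAs: auto-detection is a guess, so the caller should set the CA explicitly.
        Write-Warning -Message ('Multiple CAs found ({0}); using the first.' -f ($cas.Config -join ', '))
    }
    # Config is 'server\ca-name', the same split xCertReq takes as CAServerFQDN / CARootName.
    $server, $rootName = $cas[0].Config -split '\\', 2
    return [PSCustomObject] @{ CAServerFQDN = $server; CARootName = $rootName }
}

# With the constructed sample instead of a live certutil call:
# Find-CertificateAuthorityFromDump -DumpText ($sampleCertUtilDump -split "`r?`n")
```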
Some of the modules are using New-InvalidArgumentError in CertificateDSc.Common.psm1 instead of the standard New-InvalidOperationException and New-InvalidArgumentException cmdlets in CertificateDsc.ResourceHelper.psm1 that were copied from PSDscResources.
Hello, I generate a certificate using xCertReq, then I want to use xCertificateImport to save its public key to disk.
How can I get the thumbprint of my new certificate and pass it to xCertificateImport?
Could xCertReq be updated to add possibility to export public key to disk?
Or could xCertificateImport be updated to find certificate based on its subject as an alternative to its thumbprint?
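The subject-based lookup asked about above, as an added example that is not CertificateDsc code: find the newest valid certificate in the machine store by Subject (and optionally Issuer) instead of by thumbprint, then write its public part to a .cer file. It assumes the subject is given as the full distinguished name, for example 'CN=server01.contoso.local'.

```powershell
# Added example, not CertificateDsc code. Subject/Issuer are compared as full
# distinguished names; only the public certificate (DER) is written out.
function Export-PublicCertificateBySubject
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Subject,

        [Parameter()]
        [System.String]
        $Issuer,

        [Parameter(Mandatory = $true)]
        [System.String]
        $FilePath,

        [Parameter()]
        [System.String]
        $StorePath = 'Cert:\LocalMachine\My'
    )

    $now = Get-Date
    $candidates = Get-ChildItem -Path $StorePath | Where-Object -FilterScript {
        $_.Subject -eq $Subject -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ([System.String]::IsNullOrEmpty($Issuer) -or $_.Issuer -eq $Issuer)
    }

    # Prefer the certificate that expires last (normally the most recently issued).
    $cert = $candidates | Sort-Object -Property NotAfter -Descending | Select-Object -First 1
    if ($null -eq $cert)
    {
        throw "No valid certificate with subject '$Subject' found in '$StorePath'."
    }

    if (Test-Path -Path $FilePath)
    {
        Write-Verbose -Message "'$FilePath' already exists; leaving it unchanged."
    }
    else
    {
        # -Type CERT writes only the public certificate; no private key leaves the store.
        $null = Export-Certificate -Cert $cert -FilePath $FilePath -Type CERT
    }

    # The thumbprint can then be handed to xCertificateImport or other resources.
    return $cert.Thumbprint
}
```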