Self-signed certificates? about certificatedsc HOT 7 OPEN

Actually this wouldn't be too bad. CertReq.exe handles this if requesttype is 'Cert'. We would need to add a parameter, either a boolean for self-signed or just expose RequestType and validate against a list. Thoughts?
https://technet.microsoft.com/en-us/library/dn296456(v=ws.11).aspx

from certificatedsc.

Since the resource already using the CertReq.exe to do work, I don't see a problem extending it to do this as well. I would expect the resource to be able to do anything CertReq.exe is capable of (eventually). It that sense I think exposing RequestType is the right move (using a ValidateSet).

When parameter RequestType is 'Cert' I guess there need to be a new code path. When running certreq.exe -new -machine SelfSignedCert.inf sqltest.company.local.cer it automatically installs the certificate to both the stores Cert:\LocalMachine\My and Cert:\LocalMachine\CA, as well writing the certificate to disk. But for the certificate to be trusted we also need to add it to the Cert:\LocalMachine\root store, it does not do this automatically.

from certificatedsc.

Hi @shurick81 - unfortunately not using xCertificate at this time. Although this could potentially be added as a new resource.

Alternately, for now you could use the Script or xScript resource to do this fairly easily.

The problem though is that we'd want to use the New-SelfSignedCertificate cmdlet to do the work in this resource, but unfortunately, this cmdlet was only introduced in Windows 10/Windows Server 2016 with full functionality. It did exist in Windows Server 2012/R2, but it was very limited in functionality. So whether or not such a resource would work would depend on the Windows OS version. However, there is a script in MS Script center that could be used to issue certs on older OS's, but I'm not sure how easy it would be to bring in.

All worth considering though. I'm not sure I'd have the time to look into this for a while though - bit of a back log! Although someone else might wish to contribute something.

from certificatedsc.

I didn't actually realize certreq.exe could be used to generate self-signed certs. So if it can do this then we should definitely make use of it. I reckon it wouldn't be too difficult to stitch this into xCertReq.

@johlju - good thinking on needing to add this to the trusted store - but we'd probably want to make this optional (by adding a switch). Because sometimes you might want to create the cert and then export it as a PFX/CER and for use in something other than the certificate store.

I'm going to try and get some time this weekend on DSC, but I'll probably be putting any DSC time into getting some of the xScheduledTask features added 😉

from certificatedsc.

Hi, do you know if this is still on the table? I tried to find any other DSC resources for generating self-signed certs, but no luck so far.

from certificatedsc.

Hi @shurick81 - yes, this is definitely on the table. Ideally someone in the community will have one already that they want to contribute, but if not it'll be something I get to when I have the time. Sorry it does take so long though.

from certificatedsc.

Relabeled to Help wanted so that someone in the community can run with this.

from certificatedsc.