Thursday, February 25, 2016

Generating Certificates for Desired State Configuration lab/test environments

A colleague pointed out to me today that it has been a long time since I blogged, and he is right: I have mostly been posting tweets about interesting news. Since I was taking some colleagues through setting up a Desired State Configuration lab environment and ran into an issue with the certificates we were trying to use, and to make it worse the issue is one I have faced in the past but had forgotten about in the meantime, this seems like a great topic to blog about.

A search in your favourite search engine shows that this is not an uncommon problem, but not many people answer it plainly and simply.

Do not use New-SelfSignedCertificate to generate a certificate for testing DSC deployments (encrypting credentials) on Windows 2012 R2, or you will most likely receive the error:

    The private key could not be acquired.
        + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : MI RESULT 1
        + PSComputerName        : localhost


Solution #1: Download and use the script/function from Script Center - https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6
 

Solution #2: Generate the certificate with MakeCert.exe from the Visual Studio Command Prompt.

For example, to make a certificate called DSCDemo:

    makecert.exe -r -pe -n "CN=DSCDemo" -sky exchange -ss my -sr localMachine

Here -r makes the certificate self-signed, -pe marks the private key as exportable, -sky exchange gives it a key-exchange key (which is what DSC needs to decrypt credentials), and -ss my -sr localMachine places it in the LocalMachine\My store. Further info on makecert can be found at https://msdn.microsoft.com/library/bfsktky3%28v=vs.100%29.aspx

The background: I was trying to set up a DSC Pull server with a configuration for installing a SQL Server instance using xSqlPs. This required a credential for the 'sa' account to be stored in the configuration, which clearly needed to be encrypted as I didn't want plain-text passwords in the DSC configuration. We tried all sorts of methods for exporting the certificate from the DSC Pull server, but eventually the clue was that even on the DSC Pull server itself the certificate reported no private key data in its properties.


    PS C:\Users\mattl> get-item Cert:\LocalMachine\my\{thumbprint} | fl *
    ...

    Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                               System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
    FriendlyName             : DSCDemo
    IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter                 : 2/25/2017 4:02:31 AM
    NotBefore                : 2/25/2016 3:42:31 AM
    HasPrivateKey            : True
    PrivateKey               :
    PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
    ...

    Issuer                   : CN=DSCDemo
    Subject                  : CN=DSCDemo

Again, the clue here is that the private key isn't displayed even on the server where the certificate was generated, so we know there is nothing wrong with the export/import; the problem is with the way the certificate was generated.

A couple of searches later I found the blog post I used the last time I faced this issue (yep, isn't that annoying). It turns out this is a problem with the New-SelfSignedCertificate cmdlet: when you generate the certificate with MakeCert.exe as above, the private key data is visible on the server it is generated on and also on the server it is imported to (as long as you export the private key data too).
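To turn the `fl *` inspection above into a repeatable check before you hand a certificate to the LCM, here is a small PowerShell function I would add (my own example, not from the original post or from the DSC team). It reads the certificate from LocalMachine\My, tests whether .PrivateKey actually resolves (the symptom in the listing above is HasPrivateKey = True with an empty PrivateKey) and, when it does, reports the provider and confirms the key spec is Exchange, matching the makecert -sky exchange switch. The thumbprint is a placeholder you supply; the function name is my own.

```powershell
# Added example: sanity-check a certificate for DSC credential encryption.
# Not part of the original post. $Thumbprint is a placeholder the caller supplies.
function Test-DscEncryptionCertificate {
    param(
        [Parameter(Mandatory)]
        [string] $Thumbprint
    )

    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    $result = [ordered]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        HasPrivateKey      = $cert.HasPrivateKey
        PrivateKeyReadable = $false
        ProviderName       = $null
        KeySpec            = $null
        Verdict            = $null
    }

    # The symptom from the post: HasPrivateKey is True but .PrivateKey renders empty.
    # .PrivateKey only resolves for keys held by a legacy CAPI CSP; a key held by a
    # CNG key storage provider comes back as $null (or throws on newer runtimes).
    try   { $key = $cert.PrivateKey } catch { $key = $null }

    if ($null -ne $key) {
        $result.PrivateKeyReadable = $true
        $info = $key.CspKeyContainerInfo
        $result.ProviderName = $info.ProviderName
        $result.KeySpec      = $info.KeyNumber   # 'Exchange' corresponds to makecert -sky exchange
    }

    if (-not $cert.HasPrivateKey) {
        $result.Verdict = 'No private key in the store: the export/import dropped it.'
    }
    elseif (-not $result.PrivateKeyReadable) {
        $result.Verdict = 'Private key present but not readable via .PrivateKey: regenerate with makecert as shown in the post.'
    }
    elseif ("$($result.KeySpec)" -ne 'Exchange') {
        $result.Verdict = "Key spec is $($result.KeySpec); DSC credential encryption needs an Exchange key."
    }
    else {
        $result.Verdict = 'Looks usable for DSC credential encryption.'
    }

    [pscustomobject] $result
}

# Example call (replace with a real thumbprint from Cert:\LocalMachine\My):
# Test-DscEncryptionCertificate -Thumbprint 'THUMBPRINT-PLACEHOLDER'
```

Run it on the pull server right after generating the certificate, and again on the target node after importing the PFX, so a missing or unreadable private key is caught before the LCM reports "The private key could not be acquired".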

Hope this helps a few others, or at least helps me remember next time I face this problem before I waste a few hours trying to figure it out again ;)
 

BTW, in other news, did you see the post that WMF 5.0 (aka PowerShell v5) RTM has been re-released? Happy days.

Legal Stuff: As always the contents of this blog is provided “as-is”. The information, opinions and views expressed are those of the author and do not necessarily state or reflect those of any other company with affiliation to the products discussed. This includes any URLs or Tools. The author does not accept any responsibility from the use of the information or tools mentioned within this blog, and recommends adequate evaluation against your own requirements to measure suitability.
