Create Cert Auth by script Resource

This topic contains 2 replies, has 2 voices, and was last updated by Profile photo of Станислав Шумейко Станислав Шумейко 1 year, 11 months ago.

  • Author
  • #21314

    Hi Scripting guys, Help me pls in my task:
    I have Pull Server and clients in my Workgroup env. On client site allow only Certificate Authenticate by WinRM. All works fine but in the case, when the build administrator credential need to change I should recreate WinRM settings with help command below:

    New-Item -Path "WSMan:\localhost\ClientCertificate" -Credential $(Get-Credential) -Subject '' -URI * -Issuer '18B10C2E8F7E8FC0F2F04BE230CABFDAB63CFB04' -Force  

    This command works but I should perform it on each of node manually.
    I tried to automate this process but I can write script only include plain-text password, like :

    Script CreateCertAuth
                    SetScript = { 
                     $temp = @"
                    `$securePass =`$null
                    `$myCreds = `$null
                    `$userName = "Administrator"
                    `$pass = "Passw0rd"
                    `$securePass = ConvertTo-SecureString –String `$pass –AsPlainText -Force
                    `$myCreds = New-Object System.Management.Automation.PSCredential (`$userName, `$securePass)
                    Get-ChildItem WSMan:\localhost\ClientCertificate | ?{`$_.keys -eq "Subject=' "} | Remove-Item  -Recurse
                    New-Item -Path WSMan:\localhost\ClientCertificate -Credential `$myCreds -Subject ' ' -URI * -Issuer '18B10C2E8F7E8FC0F2F04BE230CABFDAB63CFB04' -Force 
                    & Invoke-Expression -Command $temp

    How I can change my script without any playn-text information ($userName, $pass), is it possible?
    I would like to give something like:

    $cred = Get-credential
    New-Item -Path WSMan:\localhost\ClientCertificate -Credential $cred -Subject ' ' -URI * -Issuer '18B10C2E8F7E8FC0F2F04BE230CABFDAB63CFB04' -Force 
  • #21315
    Profile photo of Dave Wyatt
    Dave Wyatt

    You would need to write a custom resource for this, instead of using the built-in Script resource. When you've done that, and you declare one of your resource's parameters to be of type [pscredential], then DSC can encrypt the password for you when it creates the MOF document. (This does require some setup, though; the managed hosts need to have a certificate to decrypt the password, and the computer that compiles the MOF file has to know what certificate to use when encrypting each node's credentials.)

  • #21316

You must be logged in to reply to this topic.