Create Cert Auth by script Resource


This topic contains 2 replies, has 2 voices, and was last updated by Participant 3 years, 10 months ago.

  • #21314

    Participant
    Points: 0
    Rank: Member

    Hi Scripting Guys, please help me with my task:
    I have a pull server and clients in my workgroup environment. On the client side, only certificate authentication is allowed by WinRM. Everything works fine, but when the build administrator credential needs to change, I should recreate the WinRM settings with the help of the command below:

    New-Item -Path "WSMan:\localhost\ClientCertificate" -Credential $(Get-Credential) -Subject 'pullserver.mydom.com' -URI * -Issuer '18B10C2E8F7E8FC0F2F04BE230CABFDAB63CFB04' -Force  

    This command works, but I should perform it on each node manually.
    I tried to automate this process, but I can only write a script that includes a plain-text password, like:

    Script CreateCertAuth
    {
        SetScript = {
            # Build the commands as text; the account name and password are embedded in clear text
            $temp = @"
            `$securePass = `$null
            `$myCreds = `$null

            `$userName = "Administrator"
            `$pass = "Passw0rd"
            `$securePass = ConvertTo-SecureString -String `$pass -AsPlainText -Force
            `$myCreds = New-Object System.Management.Automation.PSCredential (`$userName, `$securePass)
            # Remove the existing mapping for the pull server, then recreate it with the new credential
            Get-ChildItem WSMan:\localhost\ClientCertificate | Where-Object {`$_.keys -eq "Subject='pullserver.mydom.com "} | Remove-Item -Recurse
            New-Item -Path WSMan:\localhost\ClientCertificate -Credential `$myCreds -Subject 'pullserver.mydom.com ' -URI * -Issuer '18B10C2E8F7E8FC0F2F04BE230CABFDAB63CFB04' -Force
    "@

            # Run the generated commands
            Invoke-Expression -Command $temp
        }
    }


    How can I change my script so that it contains no plain-text information ($userName, $pass)? Is it possible?
    I would like to use something like:

    $cred = Get-credential
    New-Item -Path WSMan:\localhost\ClientCertificate -Credential $cred -Subject 'pullserver.mydom.com ' -URI * -Issuer '18B10C2E8F7E8FC0F2F04BE230CABFDAB63CFB04' -Force 
     
  • #21315

    Member
    Points: 0
    Rank: Member

    You would need to write a custom resource for this, instead of using the built-in Script resource. When you've done that, and you declare one of your resource's parameters to be of type [pscredential], then DSC can encrypt the password for you when it creates the MOF document. (This does require some setup, though; the managed hosts need to have a certificate to decrypt the password, and the computer that compiles the MOF file has to know what certificate to use when encrypting each node's credentials.)
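
The approach described in the reply above, as an added example that is not part of the original thread: a class-based resource with a `[pscredential]` property, and configuration data that tells the compiling machine which certificate to encrypt with. The module and resource names (`CertAuthDemo`, `WSManClientCert`), the node name, the `.cer` path and the thumbprint placeholder are assumptions; the two parts live in separate files.

```powershell
# Added example; CertAuthDemo, WSManClientCert, node01, the .cer path and the
# <NODE-CERT-THUMBPRINT> placeholder are assumptions, not names from the thread.

# ---- File 1: CertAuthDemo.psm1, class-based resource (WMF 5 or later) ----
[DscResource()]
class WSManClientCert {
    [DscProperty(Key)]       [string]       $Subject
    [DscProperty(Mandatory)] [string]       $Issuer
    [DscProperty(Mandatory)] [pscredential] $Credential  # DSC encrypts this in the MOF

    [WSManClientCert] Get() { return $this }

    [bool] Test() {
        # Sketch: only checks that a mapping for this subject exists (assumes provider
        # keys of the form Subject=<name>); it cannot tell if the stored password is current.
        $wanted = "Subject=*$($this.Subject)*"
        $found = Get-ChildItem WSMan:\localhost\ClientCertificate |
            Where-Object { $_.Keys -like $wanted }
        return [bool]$found
    }

    [void] Set() {
        New-Item -Path WSMan:\localhost\ClientCertificate -Credential $this.Credential `
            -Subject $this.Subject -URI * -Issuer $this.Issuer -Force
    }
}

# ---- File 2: compile script on the authoring machine ----
$configData = @{
    AllNodes = @(@{
        NodeName                    = 'node01'
        CertificateFile             = 'C:\dsc\certs\node01.cer'  # node's public key
        Thumbprint                  = '<NODE-CERT-THUMBPRINT>'
        PSDscAllowPlainTextPassword = $false   # fail instead of writing clear text
    })
}

Configuration CreateCertAuth {
    param([Parameter(Mandatory)][pscredential] $AdminCred)
    Import-DscResource -ModuleName CertAuthDemo
    Node $AllNodes.NodeName {
        WSManClientCert PullServer {
            Subject    = 'pullserver.mydom.com'
            Issuer     = '18B10C2E8F7E8FC0F2F04BE230CABFDAB63CFB04'
            Credential = $AdminCred
        }
    }
}
CreateCertAuth -ConfigurationData $configData -AdminCred (Get-Credential)
```

Each node's Local Configuration Manager also needs its `CertificateID` set to the same thumbprint so it can decrypt the credential with the matching private key. A class-based resource must be listed under `DscResourcesToExport` in the module manifest before `Import-DscResource` can find it.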

  • #21316

    Participant
    Points: 0
    Rank: Member
