DSC Push Model - Certificate ID is not valid

This topic contains 12 replies, has 2 voices, and was last updated by Profile photo of Matt Keller Matt Keller 2 months, 2 weeks ago.

  • Author
    Posts
  • #61564
    Profile photo of Matt Keller
    Matt Keller
    Participant

    All – trying to make my first foray into DSC so pardon my noobness. I've been cooking this up for a few months and I'm trying to encrypt my MOF file so I can use credentials and so on to configure a web server.

    Firstly, here's the error. It kicks this out when I try to actually run start-dscconfiguration. Set-DSCLocalConfigurationManager seems to work – I can provide that output if someone wants it.

    The Certificate ID is not valid: 'cb1de4107a9d731a272671644f6b8bf18ec3bd7b'
    At line:1 char:1
    + Start-dscconfiguration -Path "C:\DSC" -wait -debug -erroraction stop ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 4

    Now here's the configuration & how I'm trying to run/invoke it.

    configuration CertTest
    {
      param
      (
        [Parameter(Mandatory=$true)]
        [ValidateNotNullorEmpty()]
        [PsCredential] $CertPassword = (Get-Credential -Message "Enter Cert PFX extraction password." -Username "Ignore"),
        [PsCredential] $DFSCredentials = (Get-Credential -Message "Enter domain credentials with access to the area of DFS you're using.")
      )
         Import-DscResource -ModuleName xWebAdministration
         Import-DscResource –ModuleName PSDesiredStateConfiguration
         Import-DscResource -ModuleName xCertificate
    
    node $AllNodes.NodeName
      {
            #Set a path for where you want logging and the app pool recycle hour
            #make sure the $logFilePath exists on the Target server.
              $logFilePath = 'C:\IISLogs'
              $appPoolRecycleHour = '02'
    
            #Give the LCM a cert to encrypt with
            LocalConfigurationManager
            {
                CertificateID = $node.Thumbprint
            }
            
            #Ensure the Cert & CertStore Directories are Present on the machine
                File DirectoryCertStore
                {
                    Ensure = "Present"
                    Type = "Directory"
                    DestinationPath = "C:\CertStore"
                }
              #Copy the Website Cert to the proper location from DFS
              File CopyPersonalCert
              {
                Credential = $DFSCredentials
                Ensure = "Present"
                Type = "File"
                SourcePath = "my source path"
                DestinationPath = "C:\CertStore\cert.pfx"
                DependsOn = "[File]DirectoryCertStore"
              }
                #PersonalWildCardCert           
                xPfxImport InstallPersonalCert
                {
                    Location = "LocalMachine"
                    Store = "Personal"
                    Thumbprint = "‎‎74aacd8f3a5d5704b4db5855f0481075c0537488"
                    Credential = $CertPassword
                    Path = "C:\CertStore\cert.pfx"
                    DependsOn = "[File]CopyPersonalCert"
                }
    
        }
    }
    ######################################################
    #End Config
    ######################################################
    
    #Set the exported certificate file in a variable for use in ConfigData
    $certfile = 'C:\certs\DSCPublicKey.cer'
    
    $ConfigData= 
            @{
                AllNodes = @(
                                @{
                                    #the name of the node we are describing
                                    NodeName = "MyServer"
                                    Role = "Web"
    
                                    #The path to the .cer file containing the public key of the encryption cert
                                    CertificateFile = $certfile
    
                                    #The thumbprint of the encryption cert used to decrypt the credentials on target node
                                    Thumbprint = '‎‎‎‎cb1de4107a9d731a272671644f6b8bf18ec3bd7b'
                                };
                            );
             }
    
    #Run the configuration to generate MOF's
    CertTest -outputpath "C:\DSC" -ConfigurationData $ConfigData -Verbose
    
    #helper function to configure the LCM and try and push the config
    function Start-MyDSCPush
    {
    
    #Setup LCM to decrypt credentials
    Set-DscLocalConfigurationManager -ComputerName "MyServer" -path "C:\DSC" -Verbose
    
    #Start DSC Configuration
    Start-dscconfiguration -Path "C:\DSC" -wait -debug -erroraction stop -force -Verbose
    
    }
    

    If you have questions on how I generated the cert and what not I can try and provide that as well.

    I'm using certreq.exe since this is on Server 2008 R2 and I can't easily use the seemingly preferred New-SelfSignedCertificeEx.ps1 & Import-Certificate & Export-Certificate cmdlets that everyone seems to be using on Server 2012. I definitely had to work through some cert generation issues and tackled those errors one by one so I'm confident now that my cert is good. Or at least I'm pretty confident. Basically I use the script & ini below to generate it on the target node. I export the public key using MMC without the private key then import it on my author node.

    makecert.ps1

    cd "C:\Windows\SysWOW64"
    .\certreq.exe -new "C:\certs1\CertGeneration.ini" "c:\certs1\DSCPublicKey.cer"
    

    certgeneration.ini

    [Version]
    Signature = "$Windows NT$"
    
    [Strings]
    szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
    szOID_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"
    
    [NewRequest]
    Subject = "CN=DSC Certificate"
    MachineKeySet = true
    KeyLength = 2048
    KeySpec = AT_KEYEXCHANGE
    HashAlgorithm = Sha1
    Exportable = true
    RequestType = Cert
    
    KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE"
    ValidityPeriod = "Years"
    ValidityPeriodUnits = "1000"
    
    [Extensions]
    %szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_DOCUMENT_ENCRYPTION%"
    
  • #61567
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Make sure the certificate is installed in the MACHINE store, not in the USER store. That's where the LCM looks, and I'm guessing it's not finding it.

    • #61572
      Profile photo of Matt Keller
      Matt Keller
      Participant

      Yeah I went down that road some time ago and THOUGHT I got it in the right place. Certificates (Local Computer) >> Personal >> Certificates is where I have it currently.

  • #61573
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Can you verify that the certificate ID shows up in the CERT: drive in that location? Cuz that's what the error generally means – either the cert isn't there, or it's there but not trusted.

    • #61575
      Profile photo of Matt Keller
      Matt Keller
      Participant

      Hmmm I'm not sure what you're asking, sorry. Is there some sort of trust relationship I need to setup beyond just exporting public key from the target and importing it to the author node? Again I did not export the private key when I generated it on the target node.

      If you're asking if the Cert ID shows up in the thumbprint correctly on both my author node and target node, it does. This is a different/newer cert than whats in the code I posted above but just for demonstration to show you what I think you're asking me to check. Or do you mean something different – and if so how do I check it?

      Target

      Author

  • #61576
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Let's focus on the encryption certificate first, not the publisher's certificate.

    First, can you use the CERT: drive on the node to verify that the certificate exists, with the thumbprint you've used, in the MACHINE store of both the authoring machine and the target node?

    Also, the authoring node does need the certificate's public key to be local; the target node that needs to decrypt this needs its private key, of course.

    Your CA – whatever one issued the certificate – should appear in everyone's (authoring node and target node) Trusted Root Publishers (easiest way to get to this is from Internet Options in Control Panel or IE). This is how the nodes "trust" the certificates issued by the CA. You can't determine this easily in the GUI by just look at the certificate, because all it will include is the Certificate Path, not whether or not the node trusts that path to begin with.

    • #61579
      Profile photo of Matt Keller
      Matt Keller
      Participant

      Hmmm a little more background perhaps then – from your post it sounds like the cert isn't trusted. This is almost certainly the problem but I don't know how to resolve.

      I've scoured various posts and tutorials on setting up simple DSC push models but never did I read anything about having Trust Root Publishers or worrying about trusts etc (clearly, I'm far too novice with certificates in general.)

      To be clear – I haven't done anything else with the encryption/dsc certificate other than what I listed in the original post. I generated the cert on the target using the method above. I made sure it was in local machine >> personal >> certificates and I verified the thumbprint there. I then exported it without the private key and copied it to my author node. I imported it on my author node in local machine >> personal >> certificates. I haven't done any other sort of trusts or importing.

      I didn't issue the certificate from a Certificate Authority – is that required? This is in a domain environment between two development servers that can reach one another.

      Here is the target node Trusted Publishers from IE.... author node looks the same. Is this what you mean? This has to be where I've gone wrong!!!

  • #61581
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Normally, we'd use GPO to deploy the Root Certificate from the Root CA (including only its public key, obviously) to all the nodes in the domain. If you're not in a domain, you have to do this using the little "Import" button.

    This is not, unfortunately, a set of tasks for the certificate novice. It's really easy to muck things up (and create enormous security holes) in a way that is hard to correct, and knowing zero about your PKI, it's a little hard for me to offer specific advice. Certificates are a pre-req to DSC, more or less; you may want to fall back and get that foundation under you before you go any further.

    • #61584
      Profile photo of Matt Keller
      Matt Keller
      Participant

      Definitely a fair assessment and I appreciate that advice which is spot on. For me though, this is just a proof of concept in a development environment. I was fine proceeding with sort of minimal security outside of demonstrating that I can in fact encrypt the MOF file. I'm merely trying to demonstrate that it can be done and this is sort of what it would look like as opposed to this is our final production solution. If you can offer advice sort of near-term/small solution that would be great as I really don't think I'm that far off from being able to show SOMETHING that actually works in our dev environment.

      Thankfully I will eventually have the support of our security and server folks to lean on for our PKI – though I would still need to be able to articulate what it is exactly that I need and I'm not sure I'm even clear on that currently? I'm confused as to how a Root CA & Root Certificate would work in a push model scenario (again, pardon my lack of certificate knowledge)??

      I thought I remember reading that, for push model, you would generate separate certs on each target node them import them on the author node... is that not correct? How would this work/interact with the root certificate?

  • #61588
    Profile photo of Don Jones
    Don Jones
    Keymaster

    What you have done is created a driver's license. A digital one, but that's what a certificate is. It's a digital ID.

    The problem is, your driver's license came out of a Cracker Jack box, not from the DMV. We all trust the DMV's certificates, but we don't know anything about this ID you created.

    The DMV, in this case, is a root CA that we're all pre-configured to trust. Your certificate did not come from a root CA we are configured to trust. And so you will need to configure us nodes to trust wherever the hell your certificate did come from.

    So whatever created your ID – that is, the _root certificate authority_ at the top of the chain – needs to be _trusted_ by everyone, or we're not going to let you use your ID to buy booze. This has nothing to do with push scenarios or DSC at all. Forget about DSC. This is certificate 101. Tell your PKI people, "I made this, um, certificate, and, um, I like, um [the um's show that you have proper respect for their godlike powers, and are necessary] need to make sure my, um, computers, um, like, trust the root CA that the certificate came from um wouldthatbeokay?"

    A certificate isn't just a big encryption thing. It is literally an ID. And the ID is utterly useless if you don't trust the people who made the ID in the first place. Go ahead – print up a fake driver's license on your printer, and go speeding down the highway. Show your fake ID to the cop and see what happens. This is part of what your nodes are experiencing. They are expecting a legit ID and you have given them cardboard. They can be configured to believe that the cardboard is a legit ID, and that's what the Trusted Root CAs tab is all about.

    Certificates are markedly more complex than you were perhaps prepared for ;). This is also probably a poor venue for the basic education in them, but hopefully the above illustrated a bit of it.

    • #61593
      Profile photo of Matt Keller
      Matt Keller
      Participant

      I think I know enough about certs to catch on to what you're saying there so here's how I'm going to proceed (and cross my fingers that it doesn't take the supporting teams too long to actually deliver a cert I can actually use to test this in my dev envioronment....)

      I'm going to ask them to generate/issue a new cert from the Root CA and ask that it is trusted between both my target and author nodes? Thats it right? It's still not 100% clear to me because every post I've seen talks about importing/exporting with public and private keys.... but.... once they issue the cert if I don't see it in the local machine area I can handle importing and exporting the public key and so on I believe.

      I hope its that simple.

  • #61594
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Well, no. Trust isn't "between" two nodes, no. Again – I'm not really sure this is the right venue for this. What you need is for your nodes to trust whatever is issuing the certificates, completely regardless of DSC. So no, it's not quite that simple. I think it's worth just maybe having a discussion with your PKI team about what you're trying to do, and show them this thread, perhaps.

    • #61597
      Profile photo of Matt Keller
      Matt Keller
      Participant

      Yup totally agree – I'm already heading down that path – I just wanted to frame the question(s) properly is all. Hopefully this thread can provide some help to some other certificate novice in the future who is trying to learn DSC.

      I'm just stunned that I spent so much time looking at this stuff and I had the certificate generation/import/export wrong from the get-go. I'll be honest – its just not very clear in most of the push-model posts/examples/how-to's I've seen.

      Thanks so much for your help regardless. I'm on the right track now.

You must be logged in to reply to this topic.