Encrypt password with certificate in partial configuration pull server

This topic contains 4 replies, has 3 voices, and was last updated by  sirirako 2 years, 5 months ago.

  • Author
  • #22936


    According to this instruction : http://blogs.msdn.com/b/powershell/archive/2014/01/31/want-to-secure-credentials-in-windows-powershell-desired-state-configuration.aspx, essentially each nodes are requesting a cert from a cert server and the pull server is using the public key of that cert to encryt the password in the MOF file. Which means, 1 configuration MOF for 1 node?

    In the case of partial configuration with GUID configId, multiple nodes are requesting and configuring using the same MOF (configuration). Is there a way that each node are requesting the same certificate for the cert server so that I can use the same public key to encrypt the password and only have 1 configuration for multiple nodes?

    Is there a better way to do this?

    Thank you very much!

  • #22937

    Dave Wyatt

    Well, if you want to use the same certificate, you'd just need to export it from the first server and distribute the PFX file to the others. That's annoying, though; it's a much better practice to have each server use its own certificate. I'm not sure how that fits in with partial configurations; will pass this question on to the MVP list and see what turns up.

  • #22940

    Steven Murawski

    At configuration generation time (may or may not be on the pull server), you'll need a public key to encrypt the password portion of any credentials. This can be a one-to-one mapping with one cert per server, a one to many with one cert for all servers, or a many to many with one cert for a group of servers but several groups. At configuration time, the thumbprint identified will be used to select the proper public key.

    Given that the public key cannot be used to decrypt anything already encrypted, it should not be a security consideration to distribute that amongst all the configuration generation points for the various partial configurations (just make sure the private key is only available on the node where the creds need to be decrypted).

    At most you should have one key pair per node, but you could have fewer – depending on your security requirements and practical limitations (since the configuration generation node has to have the public key at configuration generation time).

  • #22941

    Dave Wyatt

    I just re-read this article: http://www.powershellmagazine.com/2014/10/02/partial-dsc-configurations-in-windows-management-framework-wmf-5-0/ . It looks like you wind up compiling a copy of the partial configuration for every node (rather than having a single, shared MOF document.) With this in mind, it's no different than how encrypting credentials works with a single MOF file. You should ideally have a certificate for every node, and use that certificate's public key when encrypting credentials for that node's MOF files.

  • #22952


    Thank you very much! If each node request its own cert (which it should) , there is no point of using GUID for configurationId which allow to have only 1 shared MOF. Then the configuration need to be recompiled when the cert expired and got updated.

You must be logged in to reply to this topic.