I have a third-party issued certificate that I need to ensure is running on all targets in a given domain. Is there a way to ensure this certificate is installed by way of DSC?
2 Answers
There is currently no built-in way to do this in DSC. I wrote a custom resource for my organization that installs a certificate from a PFX. I used the Cert: PSDrive, Import-PfxCertificate cmdlet and secured credentials in DSC (for the PFX password).
Update
This is now live in Microsoft's resources! The xPfxImport resource is in the xCertificate module v1.1 (and later presumably).
Also wrote about it on my own blog.
Thanks again for the encouragement (especially jscott).
- 1You tease! Please do update your answer should you clean up your code enough to share it publicly. :) +1jscott– jscott2014-10-23 14:26:47 +00:00Commented Oct 23, 2014 at 14:26
- @jscott almost a year later, but I'm attempting to get the code added to the
xCertificatemodule in Microsoft's DSC resources, so hopefully it will soon be available as part of what was once the DSC Resource Kit (and would now be available through the PowerShell Gallery). My pull request is waiting here but you can take a look at the code now if you like.briantist– briantist2015-09-24 22:00:26 +00:00Commented Sep 24, 2015 at 22:00 - @jscott finally merged into
dev, no idea how long it will take to get into master. Thanks for the bounty and your support.briantist– briantist2015-11-07 01:10:53 +00:00Commented Nov 7, 2015 at 1:10
How about using group policy to deploy the certificate to the domain? http://technet.microsoft.com/en-us/library/cc770315%28v=ws.10%29.aspx
To deploy a certificate by using Group Policy
Open Group Policy Management Console. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy. Right-click the GPO, and then select Edit. Group Policy Management Editor opens, and displays the current contents of the policy object. In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers. Click the Action menu, and then click Import. Follow the instructions in the Certificate Import Wizard to find and import the certificate. If the certificate is self-signed, and cannot be traced back to a certificate that is in the Trusted Root Certification Authorities certificate store, then you must also copy the certificate to that store. In the navigation pane, click Trusted Root Certification Authorities, and then repeat steps 5 and 6 to install a copy of the certificate to that store. 
- 4It doesn't sound like this is a CA certificate that he needs his systems to trust which is what the solution you describe would be for. It sounds more like he has an actual certificate and private key that the target servers will be using to host SSL based services. I don't believe you can use the Public Key Policies GPO settings to deploy something like that.Ryan Bolger– Ryan Bolger2014-10-22 19:22:21 +00:00Commented Oct 22, 2014 at 19:22