Powershell and Certificate Requests

I recently became involved in a project to get SCCM working on all our endpoints in various DMZ’s. These servers are all in workgroups in DMZ’s so can’t use the standard method of using the Certificate MMC Snap-in to enroll in certificates (needed to encrypt the SCCM communication).

In case you aren’t aware, to do a Computer-based certificate request you need to do the following:

  • create an INF file that includes all the information for your certificate template
  • create the .cer request based off of the INF
  • submit it to your PKI server
  • download the completed cert and complete the request
  • export the request to a pfx file

In the case of our scenario where your DMZ box needs a certificate issued by your internal PKI you need to create and submit the request from a domain joined machine by an account with access to enroll in the certificate. Then you have to export the certificate and import it into the DMZ server directly. You also have to import your certificate chain into the DMZ machine, but that’s relatively easy and I’m not going to cover it in this article.

Here’s the script, and I’ll explain it below


# cert.ps1 - called as: .\cert.ps1 <fqdn of the DMZ machine>
param([string]$MyCertName)

$Path = "d:\scripts\certreqs"

# Build the certreq INF one line at a time
$BuildINF = $null
$BuildINF = "[NewRequest]"
$BuildINF += "`r`n"
$BuildINF += "Subject = ""CN=$MyCertName""`r`n"
$BuildINF += "MachineKeySet = TRUE`r`n"
$BuildINF += "Exportable = TRUE`r`n"
$BuildINF += "KeyLength = 2048`r`n"
$BuildINF += "[Extensions]`r`n"
$BuildINF += "2.5.29.17 = ""{text}""`r`n"   # 2.5.29.17 is the subjectAltName extension OID
$BuildINF += "_continue_ = ""dns=$MYCERTNAME""`r`n"
$BuildINF += "[RequestAttributes]`r`n"
$BuildINF += "CertificateTemplate = ConfigMgrClientCertificate`r`n"
$BuildINF += "SAN = ""DNS=$MYCERTNAME""`r`n"

$BuildINF | out-file -filepath $path\$MyCertName.inf

sleep 4
# Generate the key pair and request, submit it to the CA, then install the issued certificate
certreq -new $path\$MYCERTNAME.inf $path\$MYCERTNAME.req
certreq -submit -config "omacsgipkis01.csgicorp.com\PKI Server" $path\$MYCERTNAME.req $path\$MYCERTNAME.cer
certreq -accept $path\$MYCERTNAME.cer
# Export the certificate and private key from the machine MY store to a password-protected PFX
certutil -exportpfx -p "Welcome123" MY $MYCERTNAME $path\clientcerts\$MYCERTNAME.pfx

# Clean up the working files
remove-item -path $path\$MYCERTNAME.req -force
remove-item -path $path\$MYCERTNAME.inf -force
remove-item -path $path\$MYCERTNAME.cer -force

So let’s say our DMZ machine has a fully qualified domain name (FQDN) of testserver1.testdomain.com

We call the script with .\cert.ps1 testserver1.testdomain.com

The first thing the script does is build the INF file that we need:


[NewRequest]
Subject = "CN=testserver1.testdomain.com"
MachineKeySet = TRUE
Exportable = TRUE
KeyLength = 2048
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=testserver1.testdomain.com"
[RequestAttributes]
CertificateTemplate = ConfigMgrClientCertificate
SAN = "DNS=testserver1.testdomain.com"

The rest of the commands are easy enough to read from the code, but essentially the script runs a series of certreq commands to create and submit the certificate request, then exports the result to the pfx we ultimately need to copy to the new DMZ box. Finally it cleans up after itself and deletes the working files.
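As an added example (not the post's own cert.ps1), here is the same request workflow written the way I would hand it to someone else: the name comes in as a mandatory parameter and is validated, every certreq call is checked for a non-zero exit code so a failed submit cannot silently lead to exporting the wrong thing, the issued certificate is located by thumbprint rather than by name, and the PFX password is typed at export time instead of sitting in the script and on the certutil command line. The CA config string and template name are placeholders you would replace. The SAN is carried only in the [Extensions] section, because the SAN= request attribute only takes effect when the CA has been configured to honour caller-supplied SAN attributes, a setting many PKI teams deliberately keep off.

```powershell
# Added example, not the post's cert.ps1: certreq workflow with validation,
# exit-code checks, thumbprint lookup and a runtime-entered PFX password.
# Assumptions: $CAConfig is a placeholder for your CA's "host\CA name" string.
param(
    [Parameter(Mandatory = $true)][string]$MyCertName,
    [string]$Path     = "d:\scripts\certreqs",
    [string]$CAConfig = "<ca-host>\<ca-name>",        # placeholder
    [string]$Template = "ConfigMgrClientCertificate"
)

$ErrorActionPreference = "Stop"

# Only accept a plain hostname/FQDN so nothing unexpected lands in the INF or the SAN.
if ($MyCertName -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') {
    throw "Refusing to request a certificate for '$MyCertName'"
}

$infPath = Join-Path $Path "$MyCertName.inf"
$reqPath = Join-Path $Path "$MyCertName.req"
$cerPath = Join-Path $Path "$MyCertName.cer"
$pfxPath = Join-Path (Join-Path $Path "clientcerts") "$MyCertName.pfx"

# 2.5.29.17 is the subjectAltName OID certreq expects under [Extensions].
$inf = @"
[NewRequest]
Subject = "CN=$MyCertName"
MachineKeySet = TRUE
Exportable = TRUE
KeyLength = 2048
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$MyCertName"
[RequestAttributes]
CertificateTemplate = $Template
"@
$inf | Out-File -FilePath $infPath -Encoding ASCII

# certreq/certutil report failure through the exit code; stop at the first failing step.
function Invoke-Checked([string]$Exe, [string[]]$ArgList) {
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') exited with $LASTEXITCODE" }
}

try {
    Invoke-Checked certreq @("-new", $infPath, $reqPath)
    Invoke-Checked certreq @("-submit", "-config", $CAConfig, $reqPath, $cerPath)
    Invoke-Checked certreq @("-accept", $cerPath)

    # Locate the freshly accepted certificate by thumbprint rather than by name,
    # so an older certificate with the same CN cannot be exported by mistake.
    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
    $cert   = Get-Item "Cert:\LocalMachine\My\$($issued.Thumbprint)"
    if (-not $cert.HasPrivateKey) { throw "Private key for $($cert.Thumbprint) is not in the machine store" }

    # The password is entered at export time; it never appears in the script,
    # on a command line, or in a process listing.
    $pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
    New-Item -ItemType Directory -Force -Path (Split-Path $pfxPath) | Out-Null
    [System.IO.File]::WriteAllBytes($pfxPath, $cert.Export("Pfx", $pfxPassword))
    Write-Host "Exported $($cert.Subject) ($($cert.Thumbprint)) to $pfxPath"
}
finally {
    # Remove the working files even if a step failed
    Remove-Item -Path $infPath, $reqPath, $cerPath -Force -ErrorAction SilentlyContinue
}
```

Run it the same way as the original (`.\cert.ps1 testserver1.testdomain.com`) from a domain-joined box with an account allowed to enroll in the template; the only difference you will notice is the password prompt before the PFX is written. Using the .NET `Export` method with a SecureString rather than `certutil -exportpfx -p` is what keeps the password off the command line, and it works on Windows 2008 R2 without any extra modules.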

To import our trusted root certificates into the DMZ box, run the following commands:

Certutil -addstore -f "ROOT" "d:\certs\rootca.cer"

Certutil -addstore -f "ROOT" "d:\certs\subca.cer"

After we import the root certificates into the trusted root store, we need to import the PFX file we created with the powershell script above.

Certutil -p Welcome123 -importpfx "d:\<pfx file name>.pfx"
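The DMZ-side import as an added example, not the original post's commands: it uses the .NET X509Store API that is on Windows 2008 R2 without any extra modules, puts the issuing (sub) CA in the Intermediate Certification Authorities store rather than ROOT (anything placed in ROOT becomes a trust anchor for the whole machine, so only the actual root belongs there), prompts for the PFX password instead of taking it on the command line, and then builds the chain so you know the certificate is actually trusted before SCCM tries to use it. The file paths are placeholders following the post's d:\certs layout.

```powershell
# Added example, not from the original post: import the CA chain and the client
# PFX on the DMZ machine, then verify that the chain builds.
# Assumptions: the paths below are placeholders using the post's d:\certs layout.
param(
    [string]$RootCaPath = "d:\certs\rootca.cer",
    [string]$SubCaPath  = "d:\certs\subca.cer",
    [Parameter(Mandatory = $true)][string]$PfxPath
)

$ErrorActionPreference = "Stop"

# Add one certificate file to a LocalMachine store and return the loaded object.
# For a PFX the private key is persisted into the machine key set so that
# services (the SCCM client runs as SYSTEM) can use it.
function Add-ToMachineStore {
    param(
        [string]$File,
        [string]$StoreName,
        [System.Security.SecureString]$Password
    )
    if ($Password) {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet"
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $File, $Password, $flags
    } else {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $File
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, "LocalMachine"
    $store.Open("ReadWrite")
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert
}

# Build the chain from the machine stores. Revocation is skipped here because a
# DMZ host often cannot reach the CRL distribution point; the client still does
# its own revocation checking at connection time.
function Test-MachineChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    $ok = $chain.Build($Cert)
    if (-not $ok) {
        foreach ($s in $chain.ChainStatus) { Write-Warning "$($s.Status): $($s.StatusInformation.Trim())" }
    }
    return $ok
}

# The root CA is the only thing that belongs in ROOT; the issuing CA goes in CA.
Add-ToMachineStore -File $RootCaPath -StoreName "Root" | Out-Null
Add-ToMachineStore -File $SubCaPath  -StoreName "CA"   | Out-Null

$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$client = Add-ToMachineStore -File $PfxPath -StoreName "My" -Password $pfxPassword

if (-not $client.HasPrivateKey) { throw "PFX imported without a usable private key" }
if (-not (Test-MachineChain -Cert $client)) { throw "Chain for $($client.Subject) does not build to a trusted root" }
Write-Host "Installed $($client.Subject) ($($client.Thumbprint)); chain verified."
```

Run it from an elevated PowerShell on the DMZ box as `.\import-dmz-cert.ps1 -PfxPath d:\testserver1.testdomain.com.pfx` (script name is whatever you save it as). If the chain check fails, the warnings name the exact status (for example an untrusted root or a missing intermediate), which is far quicker to act on than an opaque SCCM client log entry later.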

And that’s it. You’ve now created your pfx certificate and imported it into the DMZ machine.


New Microsoft Certification Tracks

So I, like most of us, got an email from Microsoft in the last week or so telling me that I’d attained a new certification by doing absolutely nothing. I’ve been an MCSE since 1998 on Windows NT, then Windows 2000, then Windows 2003. When they came out with the MCITP certification back in 2009/2010, I was a little annoyed since all of the products and technologies I like to show expertise on now each required their own certification. So I got the MCITP on EA, SQL and Exchange. It was a lot of tests and some extra tests I wouldn’t have normally taken, except I wanted the cert.

But back to my original point: I got an email that I’ve attained the new cert “Microsoft Certified Solutions Associate” on Windows 2008. Being always suspicious of “free” stuff I immediately put 2 and 2 together and saw that my new cert was MCSA, which has always been the lesser of Microsoft certs. I’d seen all the articles lately saying that they were completely changing the program again for Windows 8 (now 2012) so I assumed that when the new software got released that I’d have to change over. Who knew that you needed to re-up before the new one even came out??

Here’s a good article on the changes: http://www.microsoft.com/en-us/news/features/2012/04-11CloudCertifications.aspx

So now to get your MCSE (Microsoft Certified Solutions Expert) you have to decide which track you want (Cloud, SQL, etc.) and take yet another couple of exams. (And then of course take more tests when Windows 2012 comes out). Who’s ready to take more tests? Annoying!

Regardless of my complaints, here I am studying up on Systems Center, which seems like a heck of a lot of bloated software (my test environment has 8 servers, with 7 different pieces of software running) to do some very cool stuff. But who wants to go back to being an MCSA??


Systems Center 2012

So I’m signed up for the 2 beta exams next week. Having fun studying 🙂

Basically running through this very informative guide here: http://technet.microsoft.com/en-us/evalcenter/hh505660

You have to log in and then sign up. Once in there you can download all the main software and the “Microsoft Private Cloud Evaluation Guide”. It gives a very straightforward guide on how to prep and install all the Systems Center 2012 components and configure them to talk to each other. I’m not all the way through it yet, but so far some pretty heady stuff. You have to have around 7 or 8 servers, depending on what all you want to install. I don’t have a server with Hyper-V on it since I’m working in a VM cloud environment, so hopefully that doesn’t kill me too much down the line.

There is a ton of prep work involved with downloading and extracting all the software. You also have to download and prep all the prerequisite software. It won’t let you go any further in the process unless you have it.

You also can’t cheap out like I did and try to install multiple components on the same server. So be prepared and have all your servers up and running with base OS (2008 R2). There’s also a step in there to setup GPO’s to enable some WinRM settings. I again tried to cheap out and hurry up and not do that part and it came back and bit me on the butt. So in other words: Follow the guide!

Here’s where I’m at now. There’s more coming!


If you don’t know what RTFM means, go google that before you get any further. I’m trying to keep my potty mouth off the web.

Okay, done?

Over the past couple of months I’ve been playing with various Windows Patching Solutions. First was SCCM 2012 (bust), CA Patch Manager (mostly bust), and now VMWare Configuration Manager (not sure yet). I’m a big believer in just popping in the CD/DVD and hitting setup and letting the chips fall where they may. I feel like that’s the best way to learn and a good product usually lets you get away with it.

Not one of these 3 products has allowed me to do this. Although I’ve certainly tried. I run into various problems, stupid issues, and just plain old “Huh?” moments that I wouldn’t have or shouldn’t have if I’d just plain RTFM. Annoying, yes, but I guess since these are complex products I can understand it. (The old sage in me thinks you should be able to click Setup, run through the wizard, then just add the machines you want to manage, type in your creds, and go.) But in these cases that did nothing but waste days/weeks of my time.

So the takeaway from this? Yeah, I’m still going to surge forward without reading the manual, but when I run into issues maybe I’ll skate back and start over there 🙂


SCCM 2012 404 error

So I’ve been working on trying to get the SCCM 2012 RC to work in my test lab at work so that I can test patching in various environments with it. It was a bear to install, with very specific pre-req’s that it doesn’t bother to tell you about until after you’ve gone thru the install. It’ll either blow up or just plain not work. More into that in a later post.

But one of the big things I wanted to test was getting the web console to work so that I can see what functionality you have thru it. The first time I went there I got:

404 Server Error on CMApplicationCatalog

Turns out this error is produced because you don’t have the .Net Framework 4.0 either installed or configured. I DID install it as one of the pre-req’s but apparently that wasn’t enough. You still have to enable it, so to do so:

  1. Open an Administrator Command Prompt
  2. Browse to %windir%\Microsoft.NET\Framework64\v4.0.30319
  3. Run the following command:
aspnet_regiis.exe -i -enable

Then just re-open your browser and you are good!