Powershell and Certificate Requests

I recently became involved in a project to get SCCM working on all our endpoints in various DMZs. These servers are workgroup members sitting in DMZs, so they can't use the standard method of enrolling through the Certificates MMC snap-in to get the certificates needed to encrypt the SCCM client communication.

In case you aren't aware, a computer certificate request done this way has the following steps:

  • create an INF file that describes the request (subject, key options, template)
  • create the request file (.req) from the INF with certreq -new
  • submit the request to your CA
  • download the issued certificate (.cer) and accept it into the machine store, which pairs it with the private key generated in step 2
  • export the certificate and its private key to a PFX file

In our scenario, where the DMZ box needs a certificate issued by the internal PKI, you create and submit the request from a domain-joined machine, using an account that has Enroll permission on the template. Then you export the certificate together with its private key and import it on the DMZ server directly. You also have to import your certificate chain into the DMZ machine; that part is quick and is covered at the end of this article.

Here's the script, and I'll explain it below.


param(
    [Parameter(Mandatory = $true)]
    [string]$MyCertName      # FQDN of the DMZ host, e.g. testserver1.testdomain.com
)

$Path = "d:\scripts\certreqs"

# Build the INF that drives certreq -new. MachineKeySet puts the private key
# in the machine store (so run this elevated), and Exportable is what lets
# certutil pull that key out into the PFX later.
$BuildINF = "[NewRequest]`r`n"
$BuildINF += "Subject = ""CN=$MyCertName""`r`n"
$BuildINF += "MachineKeySet = TRUE`r`n"
$BuildINF += "Exportable = TRUE`r`n"
$BuildINF += "KeyLength = 2048`r`n"
# Subject Alternative Name as a request extension (OID 2.5.29.17).
$BuildINF += "[Extensions]`r`n"
$BuildINF += "2.5.29.17 = ""{text}""`r`n"
$BuildINF += "_continue_ = ""dns=$MyCertName""`r`n"
$BuildINF += "[RequestAttributes]`r`n"
$BuildINF += "CertificateTemplate = ConfigMgrClientCertificate`r`n"
# Redundant with the extension above, and only honoured by a CA that has
# EDITF_ATTRIBUTESUBJECTALTNAME2 set; safe to delete (see the note below).
$BuildINF += "SAN = ""DNS=$MyCertName""`r`n"

$BuildINF | Out-File -FilePath "$Path\$MyCertName.inf"

# Create the request, submit it to the CA, and install the issued certificate
# against the private key in the machine store. Each step stops the script
# on a non-zero exit code instead of running on with a missing file.
certreq -new "$Path\$MyCertName.inf" "$Path\$MyCertName.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
certreq -submit -config "omacsgipkis01.csgicorp.com\PKI Server" "$Path\$MyCertName.req" "$Path\$MyCertName.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }
certreq -accept "$Path\$MyCertName.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Export certificate plus private key. The password is hard-coded here for
# brevity; it ends up in this file and on the command line, so prompt for it
# or pass it in on anything that leaves the lab.
certutil -exportpfx -p "Welcome123" MY $MyCertName "$Path\clientcerts\$MyCertName.pfx"
if ($LASTEXITCODE -ne 0) { throw "certutil -exportpfx failed ($LASTEXITCODE)" }

# Remove the working files (the .req and .cer hold only public data).
Remove-Item -Path "$Path\$MyCertName.req" -Force
Remove-Item -Path "$Path\$MyCertName.inf" -Force
Remove-Item -Path "$Path\$MyCertName.cer" -Force

So let’s say our DMZ machine has a fully qualified domain name (FQDN) of testserver1.testdomain.com

We call the script with .\cert.ps1 testserver1.testdomain.com

The first thing the script does is build the INF file that we need:


[NewRequest]
Subject = "CN=testserver1.testdomain.com"
MachineKeySet = TRUE
Exportable = TRUE
KeyLength = 2048
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=testserver1.testdomain.com"
[RequestAttributes]
CertificateTemplate = ConfigMgrClientCertificate
SAN = "DNS=testserver1.testdomain.com"

The rest is a straight run of certreq commands: -new turns the INF into a request file, -submit sends it to the CA (the -config value is the CA's host name followed by the CA's name), -accept installs the issued certificate against the private key it was generated with, and certutil -exportpfx bundles certificate and key into the PFX we ultimately copy to the new DMZ box. Then it cleans up after itself and deletes the working files.

Three things to watch. First, -new, -accept and -exportpfx all have to run on the same machine, elevated, because the private key lives in that machine's store (MachineKeySet = TRUE); move the .req to another box and -accept has nothing to pair the certificate with. Second, the SAN line under [RequestAttributes] is redundant with the [Extensions] entry and only does anything on a CA that has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set. That flag lets any account that can enroll request a certificate for any name, including names that belong to somebody else, so it should be off on the CA, and the attribute line can simply be dropped. Third, the PFX password sits in the script and on the certutil command line; for anything beyond a lab, prompt for it, and treat the exported PFX as what it is, a private key: copy it over a protected channel and delete the copy on the request machine once the DMZ box has it.
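The same request flow written the way I would run it outside a lab, as an added example rather than the script above: the SAN goes in [Extensions] only, every certreq step is checked for a non-zero exit code, a pending or denied request is reported instead of tripping over a missing .cer, the issued certificate's SAN is verified before export, and the PFX password is prompted for rather than embedded. The CA config string, template name and working directory are placeholders, and Export-PfxCertificate assumes the PKI module (Windows 8 / Server 2012 or later); on 2008 R2 substitute certutil -exportpfx without -p, which prompts for the password.

```powershell
# Added example (not the post's script): request a machine certificate for an
# off-domain host from a domain-joined, elevated PowerShell session.
param(
    [Parameter(Mandatory = $true)][string]$Fqdn,                 # e.g. testserver1.testdomain.com
    [string]$CaConfig = 'pki01.example.com\Example Issuing CA',  # assumption: placeholder CA config
    [string]$Template = 'ConfigMgrClientCertificate',            # template name used in the post
    [string]$WorkDir  = 'D:\scripts\certreqs'                    # assumption: placeholder path
)

$base = Join-Path $WorkDir $Fqdn
$inf = "$base.inf"; $req = "$base.req"; $cer = "$base.cer"; $pfx = "$base.pfx"

function Invoke-CertReq {
    # Run certreq and fail fast on a non-zero exit code so a failed step never
    # silently continues to the next one. Returns certreq's output.
    param([string[]]$Arguments)
    $out = & certreq.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certreq $($Arguments[0]) failed ($LASTEXITCODE): $out" }
    return $out
}

try {
    # SAN goes in [Extensions] only. The SAN request attribute is left out on
    # purpose: the CA honours it only with EDITF_ATTRIBUTESUBJECTALTNAME2 set,
    # and that flag lets any enrollee ask for a certificate with any name.
    @"
[NewRequest]
Subject = "CN=$Fqdn"
MachineKeySet = TRUE
Exportable = TRUE
KeyLength = 2048
HashAlgorithm = sha256
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn"
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding Ascii

    Invoke-CertReq @('-new', '-q', $inf, $req) | Out-Null
    $submitOutput = Invoke-CertReq @('-submit', '-q', '-config', $CaConfig, $req, $cer)

    # A template that needs CA manager approval leaves the request pending and
    # writes no .cer; a denied request does the same. Surface that here.
    if (-not (Test-Path $cer)) {
        throw "No certificate returned; the request may be pending or denied:`n$submitOutput"
    }
    Invoke-CertReq @('-accept', '-q', $cer) | Out-Null

    # Find the issued certificate in the machine store and confirm the SAN
    # actually carries the DNS name before the key leaves this machine.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "Issued certificate for $Fqdn not found in LocalMachine\My" }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($Fqdn)) {
        throw "Issued certificate lacks the expected SAN dns=$Fqdn"
    }

    # Prompt for the PFX password instead of embedding it in the script.
    $password = Read-Host -Prompt "PFX password for $Fqdn" -AsSecureString
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password | Out-Null
    Write-Host "Exported $pfx (thumbprint $($cert.Thumbprint))"
}
finally {
    # The working files hold only public data, but clean up regardless.
    Remove-Item -Path $inf, $req, $cer -Force -ErrorAction SilentlyContinue
}
```

Run it as .\Request-DmzCert.ps1 testserver1.testdomain.com from an elevated session under an account with Enroll permission on the template. The Test-Path check after -submit is the part that saves the most time in practice: with a template set to require CA manager approval, certreq exits cleanly with "Taken Under Submission" and the original script would then fail on -accept with a confusing file-not-found.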

To import the chain on the DMZ box, put the root CA certificate in the Trusted Root store and the issuing (sub) CA certificate in the Intermediate Certification Authorities store, which certutil calls CA. Putting the sub CA into ROOT also makes the chain build, but it turns that intermediate into a trust anchor in its own right, which is not what you want:


Certutil -addstore -f "ROOT" "d:\certs\rootca.cer"

Certutil -addstore -f "CA" "d:\certs\subca.cer"

After the chain is in place, import the PFX file we created with the PowerShell script above into the machine's Personal store (certutil defaults to MY, which is the machine store when run elevated). If you leave out -p, certutil prompts for the password instead of taking it on the command line:


Certutil -p Welcome123 -importpfx "d:\<pfx file name>.pfx"

And that's it. The DMZ machine now has the certificate and its private key in the machine store, chained to your internal PKI.
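The DMZ-side import with a check on the result, as an added example that is not part of the original post. It refuses to put an intermediate into Root (or a root into CA), imports the PFX with a prompted password, and then verifies the three things that actually matter for the SCCM client: the certificate has a private key, its SAN carries the host's FQDN, and it chains to a trusted root through the stores just populated. The paths are placeholders; run it elevated on the DMZ host.

```powershell
# Added example (not the post's code): import chain and PFX on the DMZ host,
# then verify the installed certificate is usable.
param(
    [Parameter(Mandatory = $true)][string]$Fqdn,       # e.g. testserver1.testdomain.com
    [Parameter(Mandatory = $true)][string]$PfxPath,    # PFX copied from the request machine
    [string]$RootCer = 'D:\certs\rootca.cer',          # assumption: placeholder path
    [string]$SubCer  = 'D:\certs\subca.cer'            # assumption: placeholder path
)

function Import-CaCert {
    # Add a CA certificate to LocalMachine\Root or LocalMachine\CA, refusing to
    # put an intermediate in Root (that would make it a trust anchor) or a
    # self-signed root in CA (where nothing would trust it).
    param([string]$Path, [ValidateSet('Root', 'CA')][string]$Store)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    if ($Store -eq 'Root' -and -not $selfSigned) { throw "$Path is not self-signed; it belongs in the CA store" }
    if ($Store -eq 'CA' -and $selfSigned)        { throw "$Path is self-signed; it belongs in the Root store" }
    $s = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $Store, 'LocalMachine'
    $s.Open('ReadWrite')
    try { $s.Add($cert) } finally { $s.Close() }
    return $cert.Thumbprint
}

function Test-ServerCert {
    # Find the certificate for $Fqdn in LocalMachine\My and return the list of
    # problems found; an empty list means it is good to go.
    param([string]$Fqdn)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { return @("no certificate with CN=$Fqdn in LocalMachine\My") }

    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'no private key: PFX import failed or went to the wrong store' }

    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($Fqdn)) {
        $problems += "SAN does not contain $Fqdn"
    }

    # Build the chain against the machine's Root/CA stores. Revocation is
    # skipped because a DMZ host often cannot reach the internal CRL; that is
    # a separate problem (publish the CRL somewhere the DMZ can reach).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { 'chain: ' + $_.StatusInformation.Trim() })
    }
    return $problems
}

Import-CaCert -Path $RootCer -Store Root | Out-Null
Import-CaCert -Path $SubCer  -Store CA   | Out-Null

# certutil prompts for the PFX password when -p is omitted, so the password
# never appears on the command line or in this script.
& certutil.exe -importpfx MY $PfxPath
if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }

$problems = @(Test-ServerCert -Fqdn $Fqdn)
if ($problems.Count -gt 0) { throw ("Certificate check failed:`n - " + ($problems -join "`n - ")) }
Write-Host "OK: certificate for $Fqdn has a private key, the right SAN, and chains to a trusted root"
```

The self-signed test in Import-CaCert is a simple subject-equals-issuer check, which is enough to catch the root-and-sub-CA mix-up from the manual commands above; it is not a substitute for checking the thumbprint of the root you are about to trust against the value your PKI team published.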


System Center 2012

So I’m signed up for the 2 beta exams next week. Having fun studying 🙂

Basically running through this very informative guide here: http://technet.microsoft.com/en-us/evalcenter/hh505660

You have to log in and then sign up. Once in there you can download all the main software and the "Microsoft Private Cloud Evaluation Guide". It gives a very straightforward guide on how to prep and install all the System Center 2012 components and configure them to talk to each other. I'm not all the way through it yet, but so far some pretty heady stuff. You have to have around 7 or 8 servers, depending on what all you want to install. I don't have a server with Hyper-V on it since I'm working in a VM cloud environment, so hopefully that doesn't kill me too much down the line.

There is a ton of prep work involved with downloading and extracting all the software. You also have to download and prep all the prerequisite software. It won’t let you go any further in the process unless you have it.

You also can't cheap out like I did and try to install multiple components on the same server. So be prepared and have all your servers up and running with base OS (2008 R2). There's also a step in there to set up GPOs to enable some WinRM settings. I again tried to cheap out and hurry up and not do that part and it came back and bit me on the butt. So in other words: Follow the guide!

Here’s where I’m at now. There’s more coming!

RTFM!

If you don’t know what RTFM means, go google that before you get any further. I’m trying to keep my potty mouth off the web.

Okay, done?

Over the past couple of months I've been playing with various Windows patching solutions. First was SCCM 2012 (bust), CA Patch Manager (mostly bust), and now VMware Configuration Manager (not sure yet). I'm a big believer in just popping in the CD/DVD and hitting setup and letting the chips fall where they may. I feel like that's the best way to learn and a good product usually lets you get away with it.

Not one of these 3 products has allowed me to do this. Although I’ve certainly tried. I run into various problems, stupid issues, and just plain old “Huh?” moments that I wouldn’t have or shouldn’t have if I’d just plain RTFM. Annoying, yes, but I guess since these are complex products I can understand it. (The old sage in me thinks you should be able to click Setup, run through the wizard, then just add the machines you want to manage, type in your creds, and go.) But in these cases that did nothing but waste days/weeks of my time.

So the takeaway from this? Yeah, I’m still going to surge forward without reading the manual, but when I run into issues maybe I’ll skate back and start over there 🙂

Maybe.

SCCM 2012 404 error

So I've been working on trying to get the SCCM 2012 RC to work in my test lab at work so that I can test patching in various environments with it. It was a bear to install, with very specific prereqs that it doesn't bother to tell you about until after you've gone through the install. It'll either blow up or just plain not work. More on that in a later post.

But one of the big things I wanted to test was getting the web console to work so that I can see what functionality you have thru it. The first time I went there I got:

404 Server Error on CMApplicationCatalog

Turns out this error is produced because the .NET Framework 4.0 is not registered with IIS. I DID install it as one of the prereqs, but apparently that wasn't enough. You still have to register it with IIS and enable it, so to do so:

  1. Open an Administrator Command Prompt
  2. Browse to %windir%\Microsoft.NET\Framework64\v4.0.30319
  3. Run the following command:
aspnet_regiis.exe -i -enable

Then just re-open your browser and you are good!

SCCM 2012

Whoo hoo! As you can tell from the image I'm playing with the SCCM 2012 RC next week (System Center 2012 Configuration Manager). Aren't you jealous? Looking to see what kind of advances it gives us for patch management. I'll keep you updated as I find stuff.

An update on the CA post… still no update. I finally got Patch Manager to install, but it’s still not working. I’ve got a call in to CA support and haven’t heard back. So we’ll see.