Monday, 4 September 2017

Learn PowerShell DSC - Part 4

Introduction

Sometimes you can’t find the DSC resource you need built into Windows. For example, let’s say you want to deploy a certificate from your CA - the DSC resource just doesn’t exist but then there’s GitHub. I’ll demo how you can search for and install the xCertificate DSC resource then how to use it in your configuration.

Find DSC Resources

GitHub is a great repository for DSC resources which are not yet included in Windows. You can go to GitHub and download the additional DSC resources you need or you can just search for them using PowerShell:

Find-Module -Tag dsc

You can also filter by name e.g.

Find-Module -Tag dsc -Name *cert*

Our module is called xCertificate. Now, that was quite easy. Let’s move on.

Install DSC Resource

The DSC resource is actually part of a module which we need to install. To do this, we simply run the command below. It will prompt you to install a NuGet module if you don’t already have it - this is used to get modules from GitHub:

Install-Module xCertificate -Force

We can check our module is installed too:

Get-Module xCertificate -ListAvailable

You need to install the module on the server you’re writing your configuration on and also on the target server (the one that will receive the configuration). In upcoming articles, I’ll explain how to pull configurations using SMB or HTTPS. Using a pull server, you not only have a central repository for configurations but also have a central repository for the modules which are pulled as well. How good is that!?

To save time and install the module on a remote computer (contchidsc01), we can use remote PowerShell to install the NuGet Package Provider and xCertificate module:

icm contchidsc01 {
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
    Install-Module xCertificate -Force
}

Deploy a certificate with DSC

Okay, so we now have all the pre-requisites we need. We have the DSC resource on our development machine and our target server. Let’s go ahead and write a DSC configuration. If you’re not familiar with this then go back and review part 1. You’ll see I’m using parameters in my configuration - if you’re not familiar with this, go and review part 3.

The plan is to deploy a new certificate to our target server, contchidsc01. The details are below:

  • Subject: contchidsc01.contoso.com
  • Subject alternative names: contchidsc01.contoso.com, contchidsc01
  • Exportable: true
  • Certificate Template: Server

configuration HTTPSPullServerCertificate
{
    Param (
        [Parameter(Mandatory = $true)]
        [string] $ComputerName
    )

    # Modules must exist on target pull server
    Import-DSCResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xCertificate

    Node $ComputerName
    {
        $ComputerFqdn = $ComputerName + ".contoso.com"

        xCertReq Certificate
        {
            Subject             = $ComputerFqdn
            SubjectAltName      = "dns=$ComputerFqdn&dns=$ComputerName"
            Exportable          = $true
            CertificateTemplate = "Server"
        }
    }
}

You’ll see we’re using our new xCertificate module and calling a new resource called xCertReq. The xCertReq DSC resource is what we need to request a certificate from the CA. There are other DSC resources available in the module and you can find all the documentation on GitHub here.

The line below simply builds the FQDN of the computer and saves it as $ComputerFqdn. We use it for the certificate subject and subject alternative names:

$ComputerFqdn = $ComputerName + ".contoso.com"

Now, let’s create our MOF files:

HTTPSPullServerCertificate -ComputerName contchidsc01 -OutputPath C:\DSC\Certificate

...and push our configuration:

Start-DscConfiguration -Path C:\DSC\Certificate -Verbose -Wait -Force

then test our configuration was deployed successfully:

Test-DscConfiguration -ComputerName contchidsc01 -Path C:\DSC\Certificate

The entire script is below:

configuration HTTPSPullServerCertificate
{
    Param (
        [Parameter(Mandatory = $true)]
        [string] $ComputerName
    )

    # Modules must exist on target pull server
    Import-DSCResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xCertificate

    Node $ComputerName
    {
        $ComputerFqdn = $ComputerName + ".contoso.com"

        xCertReq Certificate
        {
            Subject             = $ComputerFqdn
            SubjectAltName      = "dns=$ComputerFqdn&dns=$ComputerName"
            Exportable          = $true
            CertificateTemplate = "Server"
        }
    }
}

# Create MOF file
HTTPSPullServerCertificate -ComputerName contchidsc01 -OutputPath C:\DSC\Certificate
# Push the configuration
Start-DscConfiguration -Path C:\DSC\Certificate -Verbose -Wait -Force
# Test the configuration
Test-DscConfiguration -ComputerName contchidsc01 -Path C:\DSC\Certificate

Let’s go ahead and run it:

Now, that’s a lot of info because we’re using the -Verbose switch on the Start-DscConfiguration cmdlet. If you look closely at the blue section, you’ll see DSC doing this:

  • Locate the CA
  • Call certutil to ping the CA to check it’s online
  • Check for a certificate which matches the names we’ve requested
  • Create a certificate request
  • Install the certificate

At the end, in white, Test-DscConfiguration runs and states that our target machine is in the desired state so let’s check we have the correct certificate installed on our target machine:

Connect to remote PowerShell on the target computer:

Enter-PSSession contchidsc01

Open up the local computer certificate store:

cd Cert:\LocalMachine\My\

List the certificates:

dir

Now we have our certificate installed!
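Rather than eyeballing the output of dir, it is worth checking that the certificate DSC installed actually carries the properties we asked for before an HTTPS pull server depends on it. The script below is an added example, not code from the original post; it assumes the same contchidsc01 / contoso.com names used in the configuration and reads the SAN extension (OID 2.5.29.17) from the installed certificate.

```powershell
# Added example: verify the DSC-deployed certificate on contchidsc01 matches
# the requested subject and SANs, has a private key and chains to a trusted CA.
$expectedFqdn = 'contchidsc01.contoso.com'                   # assumed, as in the configuration
$expectedSans = @('contchidsc01.contoso.com', 'contchidsc01')  # assumed, as in the configuration

Invoke-Command -ComputerName contchidsc01 -ArgumentList $expectedFqdn, $expectedSans -ScriptBlock {
    param($Fqdn, $Sans)

    # Newest certificate whose subject starts with the expected CN
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Fqdn*" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject CN=$Fqdn found in LocalMachine\My" }

    # Pull the DNS names out of the Subject Alternative Name extension (OID 2.5.29.17).
    # Format($true) returns one entry per line, e.g. "DNS Name=contchidsc01.contoso.com"
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }
    $missingSans = @($Sans | Where-Object { $dnsNames -notcontains $_ })

    # Verify() builds and validates the chain against the machine's trusted roots
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        DnsSans       = ($dnsNames -join ', ')
        MissingSans   = ($missingSans -join ', ')
        ChainValid    = $cert.Verify()
    }
}
```

An empty MissingSans, HasPrivateKey of True and ChainValid of True means the certificate is usable as-is; a False ChainValid usually points at the issuing CA not being trusted on the target.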

Conclusion

We’re learning quite a lot about DSC. We’re now able to find the DSC resources we need to do almost anything we need to do and we know how to find the documentation, download the modules and use the included DSC resources. So far, we’ve been pushing configurations using Start-DscConfiguration but in the upcoming posts, we’ll look at configuring SMB or HTTPS pull servers.
