Q&A: Configuring Active Directory Certificate Services for DSC Credential Encryption

DSC expert Melissa Januszko offers tips and advice for setting these up ahead of her Live! 360 session on the topic.

Melissa Januszko knows her Directory Certificate Services: She's coauthor of The DSC Book with Don Jones and a veteran automation expert and enterprise architect. We got a chance to talk with her about her upcoming session, "Configuring Active Directory Certificate Services for DSC Credential Encryption," that she'll be presenting (along with a PowerShell session) in the TechMentor section of Live! 360 in Orlando this November.

What's the benefit of using DSC for infrastructure builds?
What if the private key from your root gets compromised? What if you have a disaster and have to rebuild your PKI infrastructure, and how long would it take to build manually? Using DSC, the two-tier PKI build takes approximately 10 minutes once the operating systems for the root, subordinate, and domain controller are running.

Why use a PKI for this?
DSC runs under the local system account. If you have the need to configure a setting with DSC that requires elevated privileges, you need to specify the elevated credentials in your DSC configuration -- but you don't want those credentials to be exposed in a file. Using a PKI allows you to issue certificates that will encrypt the credentials inside the file and decrypt them when the DSC configuration is applied.

Can you share a best practice for setting up a PKI for this?
General ADCS best practices define a two-tier infrastructure setup. The root tier is "standalone" -- meaning it's not domain joined, it's not on the network, and its only job is to sign the certificates for the issuing CAs. The subordinate tier does the heavy lifting by issuing the certificates to the end users and computers, and is integrated with Active Directory which makes certificate management easier.

What should people absolutely NOT do when setting this up?
The DSC code for building out this solution has a Catch-22. There are parts in this configuration where elevated credentials are needed. If you have an existing PKI (and you're using this to build a new one), use the existing PKI to issue a certificate to encrypt the credentials. If you're building the first PKI in your infrastructure, you'd have no choice but to have the credentials unencrypted in the MOF on the first run, in which case you really need to protect the MOF and the machine you're authoring from while those credentials are unencrypted. Once the PKI is built, issue certificates for the two nodes and encrypt the credentials.

Are there any legacy concerns to be aware of?
Don't use the Windows 2008 Certificate Template GUI to try to create the template for DSC. I learned this the hard way. The default provider is not the provider that is required. Use the 2012 GUI or higher (or the DSC code from the demo.)

For more about Live! 360, go here.

About the Author

Becky Nagel is vice president of AI for 1105 Media, where she specializes in training internal and external customers on maximizing their business potential via a wide variety of generative AI technologies as well as developing cutting-edge AI content and events. She's the author of "ChatGPT Prompt 101 Guide for Business Uses," regularly leads research studies on generative AI business usage, and serves as the director of AI Boardroom, a new resource for C-level executives looking to excel in the AI era. Prior to her current position she was a technical leader for 1105 Media's Web, advertising and production teams as well as editorial director for a suite of enterprise technology publications, including serving as founding editor of She has 20 years of enterprise technology journalism experience, and regularly speaks and writes about generative AI, AI, edge computing and other cutting-edge technologies. She can be reached at [email protected].


comments powered by Disqus

Subscribe on YouTube