In-Depth
Q&A: Configuring Active Directory Certificate Services for DSC Credential Encryption
DSC expert Melissa Januszko offers tips and advice for setting these up ahead of her Live! 360 session on the topic.
Melissa Januszko knows her Directory Certificate Services: She's coauthor of The DSC Book with Don Jones and a veteran automation expert and enterprise architect. We got a chance to talk with her about her upcoming session, "Configuring Active Directory Certificate Services for DSC Credential Encryption," that she'll be presenting (along with a PowerShell session) in the TechMentor section of Live! 360 in Orlando this November.
What's the benefit of using DSC for infrastructure builds?
What if the private key from your root gets compromised? What if you have a disaster and have to rebuild your PKI infrastructure, and how long would it take to build manually? Using DSC, the two-tier PKI build takes approximately 10 minutes once the operating systems for the root, subordinate, and domain controller are running.
Why use a PKI for this?
DSC runs under the local system account. If you have the need to configure a setting with DSC that requires elevated privileges, you need to specify the elevated credentials in your DSC configuration -- but you don't want those credentials to be exposed in a file. Using a PKI allows you to issue certificates that will encrypt the credentials inside the file and decrypt them when the DSC configuration is applied.
Can you share a best practice for setting up a PKI for this?
General ADCS best practices define a two-tier infrastructure setup. The root tier is "standalone" -- meaning it's not domain joined, it's not on the network, and its only job is to sign the certificates for the issuing CAs. The subordinate tier does the heavy lifting by issuing the certificates to the end users and computers, and is integrated with Active Directory which makes certificate management easier.
What should people absolutely NOT do when setting this up?
The DSC code for building out this solution has a Catch-22. There are parts in this configuration where elevated credentials are needed. If you have an existing PKI (and you're using this to build a new one), use the existing PKI to issue a certificate to encrypt the credentials. If you're building the first PKI in your infrastructure, you'd have no choice but to have the credentials unencrypted in the MOF on the first run, in which case you really need to protect the MOF and the machine you're authoring from while those credentials are unencrypted. Once the PKI is built, issue certificates for the two nodes and encrypt the credentials.
Are there any legacy concerns to be aware of?
Don't use the Windows 2008 Certificate Template GUI to try to create the template for DSC. I learned this the hard way. The default provider is not the provider that is required. Use the 2012 GUI or higher (or the DSC code from the demo.)
For more about Live! 360, go here.
About the Author
Becky Nagel is the former editorial director and director of Web for 1105 Media's Converge 360 group, and she now serves as vice president of AI for company, specializing in developing media, events and training for companies around AI and generative AI technology. She's the author of "ChatGPT Prompt 101 Guide for Business Users" and other popular AI resources with a real-world business perspective. She regularly speaks, writes and develops content around AI, generative AI and other business tech. Find her on X/Twitter @beckynagel.