Q&A: Configuring Active Directory Certificate Services for DSC Credential Encryption
DSC expert Melissa Januszko offers tips and advice for setting these up ahead of her Live! 360 session on the topic.
Melissa Januszko knows her Directory Certificate Services: She's coauthor of The DSC Book with Don Jones and a veteran automation expert and enterprise architect. We got a chance to talk with her about her upcoming session, "Configuring Active Directory Certificate Services for DSC Credential Encryption," that she'll be presenting (along with a PowerShell session) in the TechMentor section of Live! 360 in Orlando this November.
What's the benefit of using DSC for infrastructure builds?
What if the private key from your root gets compromised? What if you have a disaster and have to rebuild your PKI infrastructure, and how long would it take to build manually? Using DSC, the two-tier PKI build takes approximately 10 minutes once the operating systems for the root, subordinate, and domain controller are running.
Why use a PKI for this?
DSC runs under the local system account. If you have the need to configure a setting with DSC that requires elevated privileges, you need to specify the elevated credentials in your DSC configuration -- but you don't want those credentials to be exposed in a file. Using a PKI allows you to issue certificates that will encrypt the credentials inside the file and decrypt them when the DSC configuration is applied.
Can you share a best practice for setting up a PKI for this?
General ADCS best practices define a two-tier infrastructure setup. The root tier is "standalone" -- meaning it's not domain joined, it's not on the network, and its only job is to sign the certificates for the issuing CAs. The subordinate tier does the heavy lifting by issuing the certificates to the end users and computers, and is integrated with Active Directory which makes certificate management easier.
What should people absolutely NOT do when setting this up?
The DSC code for building out this solution has a Catch-22. There are parts in this configuration where elevated credentials are needed. If you have an existing PKI (and you're using this to build a new one), use the existing PKI to issue a certificate to encrypt the credentials. If you're building the first PKI in your infrastructure, you'd have no choice but to have the credentials unencrypted in the MOF on the first run, in which case you really need to protect the MOF and the machine you're authoring from while those credentials are unencrypted. Once the PKI is built, issue certificates for the two nodes and encrypt the credentials.
Are there any legacy concerns to be aware of?
Don't use the Windows 2008 Certificate Template GUI to try to create the template for DSC. I learned this the hard way. The default provider is not the provider that is required. Use the 2012 GUI or higher (or the DSC code from the demo.)
For more about Live! 360, go here.