Implement a resource to Configure NDES #92

Open
paule96 opened this issue Jul 18, 2019 · 6 comments
Labels
help wanted The issue is up for grabs for anyone in the community. resource proposal The issue is proposing a new resource in the resource module.

Comments

paule96 commented Jul 18, 2019

Description

I currently have the problem that I must implement NDES in my CA to let Linux devices request certificates. But I don't find any resources on how to automate doing this.

The UI steps that are to do to configure NDES can be found here.

Proposed properties

These are only the properties for the installation of NDES. For the configuration, see the linked article. The list with the registry keys is maybe the easiest step to implement.

| Name | Type | Description | Sample |
| --- | --- | --- | --- |
| ndesServiceAccount | string | A domain user account that is a member of the local IIS_USERS on the NDES Service server | contoso\ndesService |
| caNameForNdes | string | The CA that creates the certificates that are requested by the NDES service. | - |
| ndesRegistrationAuthorityInformation | object, hashtable | An object that has a Name, Country, E-Mail, Company, Department, City, and State property. That object configures the Registration Authority Information on the CA. | - |
| ndesCryptography | object, hashtable | Configure the cryptography provider for the signature key and the encryption key. | - |

Special considerations or limitations

PlagueHO (Member) commented

Hi @paule96 - this resource would be gratefully accepted.

I'd suggest you align the parameter names to be the same as the PowerShell cmdlet parameter names as this will simplify the code somewhat and also align to what Microsoft use: https://docs.microsoft.com/en-us/powershell/module/adcsdeployment/install-adcsnetworkdeviceenrollmentservice?view=win10-ps

I'd generally recommend keeping the properties as closely aligned to the cmdlet parameters as possible. For example, I'd recommend against using object/hashtable for the RA info. Instead using the same parameters as the cmdlets:
-RAName
-RAEmail
-RACompany
-RADepartment
-RACity
-RAState
-RACountry

The same would go for the ndesCryptography.

I'd also recommend against including things like "NDES" in the property names because it is redundant information because it is part of the NDES resource.

Finally, you'll want to use the IsSingleInstance resource pattern here too (as only a single NDES instance can be installed per node). See the other ActiveDirectoryCSDsc resources for examples there.

Would be very keen to get this in! So thank you for contributing!

@PlagueHO PlagueHO added the resource proposal The issue is proposing a new resource in the resource module. label Jul 18, 2019
paule96 (Author) commented Jul 22, 2019

I have started a little bit of investigating into that issue. The currently working code is this:

```powershell
Script ActiveNetworkDeviceEnrollmentService {
    SetScript = {
        # Note: $Using: values are serialized into the MOF, so encrypt the MOF with a
        # certificate or the service account password lands on the node in plain text.
        $secureStringPassword = ConvertTo-SecureString $Using:UserPassword -AsPlainText -Force
        Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName $Using:UserDomainName -ServiceAccountPassword $secureStringPassword -CAConfig $Using:CaConfigName -RAName $Using:RaName -RACountry "DE" -RACompany $Using:DomainName -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength 4096 -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength 4096
    }
    GetScript = {
        # A Script resource's GetScript must return a hashtable with a Result key
        return @{ Result = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP') }
    }
    TestScript = {
        # stolen from https://github.com/microsoftgraph/powershell-intune-samples/blob/958cb9990fa3ab5a3eafd3f44e2284ef5b7e9774/CertificationAuthority/Validate-NDESConfiguration.ps1#L908
        # NDES creates this key on installation, so its presence is a cheap "installed" check
        return Test-Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    }
}
```

Currently, I don't know how to get a complete Test or Get method implemented because the registry key HKLM:SOFTWARE\Microsoft\Cryptography\MSCEP only returns this:

```
Name                           Property
----                           --------
CAInfo                         Configuration : ca01.side01.local\Side01 Root CA
CAType                         CAType : 1
CertsInMYStore                 CertsInMYStore : 1
EnforcePassword                EnforcePassword : 1
PasswordVDir                   PasswordVDir : CertSrv/mscep_admin
UseSinglePassword              UseSinglePassword : 0
```

But I don't know where I can find the RA* information.

So maybe I'll know more tomorrow. :) Then I can start with a real DSC resource in this project.

paule96 (Author) commented Jul 23, 2019

Okay, the information I was searching for is included in the NDES certificate.

PlagueHO (Member) commented

Cool! Good stuff @paule96

paule96 (Author) commented Jul 23, 2019

Update of my script which I currently use:

```powershell
Script ActiveNetworkDeviceEnrollmentService {
    SetScript = {
        # Note: $Using: values are serialized into the MOF, so encrypt the MOF with a
        # certificate or the service account password lands on the node in plain text.
        $secureStringPassword = ConvertTo-SecureString $Using:UserPassword -AsPlainText -Force
        Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName $Using:UserDomainName -ServiceAccountPassword $secureStringPassword -CAConfig $Using:CaConfigName -RAName $Using:RaName -RACountry "DE" -RACompany $Using:DomainName -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength 4096 -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength 4096
    }
    GetScript = {
        # A Script resource's GetScript must return a hashtable with a Result key
        return @{ Result = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP') }
    }
    TestScript = {
        # Certificate Template Name (v1) and Certificate Template Information (v2) extension OIDs
        $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
        $expectedSubject = ("CN=" + $Using:RaName + ", O=" + $Using:DomainName + ", C=DE")
        # Track which template each matching certificate came from: we need one of each type, not two of one
        $foundTemplates = @{}
        foreach ($cert in Get-ChildItem 'Cert:\LocalMachine\My') {
            $extension = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
            if ($null -eq $extension) { continue }
            # v1 formats as the bare template name, v2 as "Template=<name>(<oid>), Major Version Number=..."
            $templateName = $extension.Format($false)
            foreach ($name in 'CEPEncryption', 'EnrollmentAgentOffline') {
                # Todo: this is maybe wrong because if I set an Email that's wrong
                # that will be fixed if we have a real DSC resource with parameters,
                # then I can check the things by itself
                if ($templateName -like "*$name*" -and $cert.Subject -eq $expectedSubject) {
                    $foundTemplates[$name] = $true
                }
            }
        }
        # stolen from https://github.com/microsoftgraph/powershell-intune-samples/blob/958cb9990fa3ab5a3eafd3f44e2284ef5b7e9774/CertificationAuthority/Validate-NDESConfiguration.ps1#L908
        return ($foundTemplates.Count -eq 2) -and (Test-Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP')
    }
}
```

I think I now have enough know-how to start a real implementation of that DSC resource.
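As an added example (not code from ActiveDirectoryCSDsc or from either participant in this thread), here is how the two threads of discussion above could come together in a resource: the property names follow Install-AdcsNetworkDeviceEnrollmentService and the IsSingleInstance pattern PlagueHO suggests, Get reads the CA configuration from the MSCEP registry key listed above and the RA details from the subject of the RA certificates as paule96 found, and Test requires one certificate from each of the CEPEncryption and EnrollmentAgentOffline templates rather than two of the same one. The registry value layout, the RDN abbreviations NDES uses in the RA subject (CN, E, O, OU, L, S, C) and all function and variable names are assumptions of this example; the key/provider properties and Ensure = 'Absent' are left out and would be added the same way.

```powershell
# Added example, not ActiveDirectoryCSDsc code. Assumptions: NDES stores the CA string under
# MSCEP\CAInfo\Configuration and builds the RA subject with the RDN abbreviations below.
$script:mscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
# Certificate Template Name (v1) and Certificate Template Information (v2) extension OIDs
$script:templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')
$script:rdnMap = @{ CN = 'RAName'; E = 'RAEmail'; O = 'RACompany'; OU = 'RADepartment'; L = 'RACity'; S = 'RAState'; C = 'RACountry' }

function Get-NdesRaCertificate
{
    # Returns the newest RA certificate per template, keyed by template name (one of each, not two of one)
    $found = @{}
    foreach ($cert in Get-ChildItem -Path 'Cert:\LocalMachine\My')
    {
        $ext = $cert.Extensions | Where-Object { $script:templateOids -contains $_.Oid.Value } | Select-Object -First 1
        if ($null -eq $ext) { continue }
        $templateText = $ext.Format($false)   # v1: "CEPEncryption"; v2: "Template=CEPEncryption(<oid>), Major Version Number=..."
        foreach ($name in 'CEPEncryption', 'EnrollmentAgentOffline')
        {
            # Old RA certificates stay in the store after a re-install, so keep the newest one
            if ($templateText -like "*$name*" -and ($null -eq $found[$name] -or $cert.NotBefore -gt $found[$name].NotBefore)) { $found[$name] = $cert }
        }
    }
    return $found
}

function ConvertFrom-RaSubject
{
    # Maps "CN=ndesRA, O=contoso, C=DE" back onto RA* property names; assumes no escaped commas in values
    param ([Parameter(Mandatory = $true)][System.String] $Subject)
    $result = @{}
    foreach ($part in ($Subject -split ',\s*'))
    {
        $type, $value = $part -split '=', 2
        $property = $script:rdnMap[$type.Trim()]
        if ($property -and $value) { $result[$property] = $value.Trim() }
    }
    return $result
}

function Get-TargetResource
{
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)][ValidateSet('Yes')][System.String] $IsSingleInstance,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential] $ServiceAccountCredential,
        [Parameter(Mandatory = $true)][System.String] $CAConfig,
        [Parameter(Mandatory = $true)][System.String] $RAName,
        [Parameter(Mandatory = $true)][System.String] $RACountry
    )
    $current = @{ IsSingleInstance = 'Yes'; Ensure = 'Absent' }
    if (Test-Path -Path $script:mscepKey)
    {
        $current.Ensure = 'Present'
        $current.CAConfig = (Get-ItemProperty -Path "$script:mscepKey\CAInfo" -ErrorAction SilentlyContinue).Configuration
        $raCerts = Get-NdesRaCertificate
        # Both RA certificates carry the same subject, so read whichever one is present
        $raCert = if ($raCerts['EnrollmentAgentOffline']) { $raCerts['EnrollmentAgentOffline'] } else { $raCerts['CEPEncryption'] }
        if ($raCert) { $current += ConvertFrom-RaSubject -Subject $raCert.Subject }
    }
    return $current
}

function Test-TargetResource
{
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)][ValidateSet('Yes')][System.String] $IsSingleInstance,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential] $ServiceAccountCredential,
        [Parameter(Mandatory = $true)][System.String] $CAConfig,
        [Parameter(Mandatory = $true)][System.String] $RAName,
        [Parameter(Mandatory = $true)][System.String] $RACountry
    )
    $current = Get-TargetResource @PSBoundParameters
    if ($current.Ensure -ne 'Present') { return $false }
    foreach ($name in 'CAConfig', 'RAName', 'RACountry')
    {
        if ($current[$name] -ne $PSBoundParameters[$name]) { return $false }
    }
    # Require one certificate from each template, not two from the same one
    return (Get-NdesRaCertificate).Count -eq 2
}

function Set-TargetResource
{
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)][ValidateSet('Yes')][System.String] $IsSingleInstance,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential] $ServiceAccountCredential,
        [Parameter(Mandatory = $true)][System.String] $CAConfig,
        [Parameter(Mandatory = $true)][System.String] $RAName,
        [Parameter(Mandatory = $true)][System.String] $RACountry
    )
    # RA details are fixed in the RA certificates at install time, so this example re-installs
    # to change them instead of editing the MSCEP registry values in place
    if (Test-Path -Path $script:mscepKey) { Uninstall-AdcsNetworkDeviceEnrollmentService -Force }
    $account = @{ ServiceAccountName = $ServiceAccountCredential.UserName; ServiceAccountPassword = $ServiceAccountCredential.Password }
    Install-AdcsNetworkDeviceEnrollmentService @account -CAConfig $CAConfig -RAName $RAName -RACountry $RACountry -Force
}
```

Taking the service account as a PSCredential (rather than a plain-text password through $Using:) lets DSC handle the secret the usual way, with certificate-encrypted MOFs; the schema MOF for the resource would declare the same five properties with IsSingleInstance as the key.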

paule96 (Author) commented Jul 23, 2019

> Cool! Good stuff @paule96

Thanks @PlagueHO 👍

@PlagueHO PlagueHO added the help wanted The issue is up for grabs for anyone in the community. label Jun 20, 2020