-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement a resource to Configure NDES #92
Comments
Hi @paule96 - this resource would be gratefully accepted. I'd suggest you align the parameter names to be the same as the PowerShell cmdlet parameter names as this will simplify the code somewhat and also align to what Microsoft use: https://docs.microsoft.com/en-us/powershell/module/adcsdeployment/install-adcsnetworkdeviceenrollmentservice?view=win10-ps I'd generally recommend keeping the properties as closely aligned to the cmdlet parameters as possible. For example, I'd recommend against using object/hashtable for the RA info. Instead using the same parameters as the cmdlets: The same would go for the ndesCryptogtaphy. I'd also recommend against including things like "NDES" in the property names because it is redundant information because it is part of the NDES resource. Finally, you'll want to use the IsSingleInstance resource pattern here too (as only a single NDES instance can be installed per node). See the other ActiveDirectoryCSDsc resources for examples there. Would be very keen to get this in! So thank you for contributing! |
I have started a little bit of investigating in that issue. The currently working code is this: Script ActiveNetworkDeviceEnrollmentService{
SetScript = {
$secureStringPassword = ConvertTo-SecureString $Using:UserPassword -AsPlainText -Force
Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName $Using:UserDomainName -ServiceAccountPassword $secureStringPassword -CAConfig $Using:CaConfigName -RAName $Using:RaName -RACountry "DE" -RACompany $Using:DomainName -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength 4096 -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength 4096
}
GetScript={
}
TestScript = {
# stolen from https://github.com/microsoftgraph/powershell-intune-samples/blob/958cb9990fa3ab5a3eafd3f44e2284ef5b7e9774/CertificationAuthority/Validate-NDESConfiguration.ps1#L908
return Test-Path HKLM:SOFTWARE\Microsoft\Cryptography\MSCEP
}
} Currently, I don't know how to get a complete Test or Get method implemented because of the registry Name Property
---- --------
CAInfo Configuration : ca01.side01.local\Side01 Root CA
CAType CAType : 1
CertsInMYStore CertsInMYStore : 1
EnforcePassword EnforcePassword : 1
PasswordVDir PasswordVDir : CertSrv/mscep_admin
UseSinglePassword UseSinglePassword : 0
But I don't know where I can find the So maybe I know more tomorrow. :) So I can start with a real DSC resource in this project. |
Okay the information I was searching for are included in the ndes certificate. |
Cool! Good stuff @paule96 |
update of my script wich I currently use:
I think I have now enough know how to start a real implementation of that DSC resource. |
Description
I have currently the problem I must implement NDES in my CA to let Linux devices request certificates. But I don't find any resources on how to automate this doing.
The UI steps what are todo to configure NDES can find here
Proposed properties
That are only the properties for the installation of NDES. For the configuration see the linked article. The list with the registry keys is maybe the easy step to implement.
Special considerations or limitations
The text was updated successfully, but these errors were encountered: