
SDNExpress - Deployment fails when computer certificate auto-enrollment is in place #557

Open
MassimoPascucci opened this issue Feb 9, 2023 · 6 comments

Comments

MassimoPascucci commented Feb 9, 2023

Our Active Directory environment includes an Enterprise Certification Authority.
Certificate auto-enrollment is enabled for all computers: each machine in the domain automatically obtains a computer certificate from the internal CA. Please note that the default Computer certificate template doesn't allow the private key to be exported.

This creates a lot of trouble with the SDN Express deployment.

When a computer is joined to the domain, it automatically receives a Computer certificate with the machine FQDN as its subject. These certificates are detected and deemed usable by the SDN Express deployment scripts; however, they actually are not: when the scripts try to export them and move them around, they crash when the private key export fails.
This applies to all SDN VMs, but also to the host certificates on the physical servers managed by SDN.

The only workaround we found to allow SDN Express deployment to proceed is to disable certificate auto-enrollment and remove all offending certificates from all involved systems.
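An added pre-flight check for the situation described in this issue (written for this page, not part of SDN Express or SdnDiagnostics): it lists the local machine certificates that carry a private key and reports whether each key is exportable, so an auto-enrolled certificate whose key cannot leave the machine is found before the deployment scripts attempt the export. It assumes Windows PowerShell 5.1 or later on a domain-joined host; the function name Test-SdnCertExportable is my own.

```powershell
# Pre-flight check (added example): report machine certificates whose private key
# cannot be exported. Any row with MatchesFqdn = True and Exportable = False is the
# auto-enrolled computer certificate that makes the SDN Express export step fail.
function Test-SdnCertExportable {
    [CmdletBinding()]
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    # Best-effort FQDN of this machine; falls back to the short name if DNS is unavailable.
    $fqdn = try { [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName } catch { $env:COMPUTERNAME }
    # OIDs of the V1 "Certificate Template Name" and V2 "Certificate Template Information" extensions.
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $keyType = 'Unknown'
        $exportable = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the export policy is stored on the key itself.
                $keyType = 'CNG'
                $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                $exportable = (($rsa.Key.ExportPolicy -band $allow) -ne 0)
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: the CSP container info carries the flag.
                $keyType = 'CAPI'
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Access denied or key container missing: the deployment would fail here too.
            $exportable = $false
        }
        $template = ($cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }) -join '; '
        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            Issuer      = $cert.Issuer
            MatchesFqdn = ($cert.Subject -like "*CN=$fqdn*")
            KeyType     = $keyType
            Exportable  = $exportable
            Template    = $template
        }
    }
}

# Usage: run on every SDN VM and physical host before starting the deployment.
Test-SdnCertExportable | Format-Table -AutoSize
```

Running this across the hosts before deployment gives the list of certificates that would have to be removed (or re-enrolled from a template that permits key export) instead of discovering them one crash at a time.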

MassimoPascucci (Author) commented Feb 9, 2023

As a side note, I'm wondering why private keys are being exported all around in the first place.

In the SDN context, certificates are used by systems to authenticate each other; they are exported from one system and imported into the trusted roots store in another. Only public keys should be needed (and used) in this process.

The only certificate that actually requires an export of the private key is the main network controller cluster certificate, which must be installed with its private key on all network controller nodes.

@MassimoPascucci (Author)

Was anybody able to have a look into this issue?

@AnirbanPaul (Contributor)

Acknowledging the issue. SDN Express scripts currently have some issues with CA-signed certificates. We are working to improve the experience.
Note that we have recently published scripts to rotate certificates. So, you can change the self-signed certificates to CA-based certs post deployment: https://github.com/microsoft/SdnDiagnostics/wiki/CertificateRotation

@MassimoPascucci (Author)

Acknowledging the issue. SDN Express scripts currently have some issues with CA signed certificates. We are working to improve the experience. Note that we have recently published scripts to rotate certificates. So, you can change the self-signed certificates to CA based certs post deployment: https://github.com/microsoft/SdnDiagnostics/wiki/CertificateRotation

This is good to know. But the actual problem here is, the scripts as they currently work just crash if any of the involved servers already has a CA computer certificate when you run them.

@AnirbanPaul (Contributor)

We are looking into this.

@MassimoPascucci (Author)

Hello,

Any news on this issue?

Also, it would be useful to be able to use your own certificate at deployment, instead of having to replace them afterwards.
