SDNExpress - Deployment fails when computer certificate auto-enrollment is in place #557
Comments
As a side note, I'm wondering why private keys are being exported all around in the first place. In the SDN context, certificates are used by systems to authenticate each other; they are exported from one system and imported into the trusted roots store in another. Only public keys should be needed (and used) in this process. The only certificate that actually requires an export of the private key is the main network controller cluster certificate, which must be installed with its private key on all network controller nodes.
Was anybody able to have a look into this issue?
Acknowledging the issue. SDN Express scripts currently have some issues with CA signed certificates. We are working to improve the experience.
This is good to know. But the actual problem here is, the scripts as they currently work just crash if any of the involved servers already has a CA computer certificate when you run them.
We are looking into this.
Hello, any news on this issue? Also, it would be useful to be able to use your own certificate at deployment, instead of having to replace them afterwards.
Our Active Directory environment includes an Enterprise Certification Authority.
Certificate auto-enrollment is enabled for all computers: each machine in the domain automatically obtains a computer certificate from the internal CA. Please note that the default Computer certificate template doesn't allow the private key to be exported.
This creates a lot of trouble with the SDN Express deployment.
When a computer is joined to the domain, it automatically receives a Computer certificate with the machine FQDN as its subject. These certificates are detected and deemed usable by the SDN Express deployment scripts; however, they are actually not: when the scripts try to export them and move them around, they crash because the private key export fails.
This applies to all SDN VMs, but also to the host certificates on the physical servers managed by SDN.
The only workaround we found to allow SDN Express deployment to proceed is to disable certificate auto-enrollment and remove all offending certificates from all involved systems.
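The following diagnostic is an added example, not part of SDN Express or this issue. It runs on each host before deployment and lists the LocalMachine\My certificates whose subject is the host FQDN (the ones the scripts pick up), then attempts the same PFX export the deployment performs, so auto-enrolled certificates with a non-exportable private key are found before the scripts crash. It assumes the subject is exactly `CN=<fqdn>`, as the Computer template issues it.

```powershell
# Added diagnostic (not SDN Express code): find machine certificates that the
# deployment scripts would select and check whether their private key can be
# exported, which is the operation that fails with the default Computer template.
function Get-SdnCandidateCertificateStatus {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $fqdn = "$($cs.DNSHostName).$($cs.Domain)"

    # Assumption: auto-enrolled Computer certificates carry the FQDN as the only CN.
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey }

    foreach ($cert in $candidates) {
        $exportable = $false
        try {
            # Same operation the deployment performs; a non-exportable key throws
            # a CryptographicException here instead of mid-deployment.
            $null = $cert.Export(
                [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
                'diagnostic-only-password')
            $exportable = $true
        } catch [System.Security.Cryptography.CryptographicException] {
            $exportable = $false
        }

        # Template information extension (OID 1.3.6.1.4.1.311.21.7) shows which
        # CA template issued the certificate, e.g. the default Computer template.
        $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(none)' }

        [PSCustomObject]@{
            Thumbprint          = $cert.Thumbprint
            Subject             = $cert.Subject
            Issuer              = $cert.Issuer
            Template            = $template
            PrivateKeyExportable = $exportable
        }
    }
}

# Certificates reported with PrivateKeyExportable = False are the ones that make
# the SDN Express scripts crash when they are exported and moved between nodes.
Get-SdnCandidateCertificateStatus | Format-Table -AutoSize
```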