DscResource.Tests

Self signed cert generation for tests

Open ChrisLGardner opened this issue 8 years ago • 6 comments

As part of a change to xWebAdministration (PR 307) I ported some code from xCertificate written by @PlagueHO to find certificates installed on the machine as part of the same DSC config (as detailed in #261). In this code there are some tests which generate a self signed cert using a script from Technet by an MVP. No one in the PR was particularly happy with this method of generating the self signed cert, particularly because the repo didn't have any control over that script and the author didn't want to put it on the Gallery.

I recommend we include that self signed cert generating script (or a version of it) into the common test helper so that it can be maintained in a controlled way and used in any resources that make use of the Find-Certificate command or have other needs to generate self signed certs for testing purposes.

As far as actually including the script, I'd like to think we can just ask the original author if we can include it and attribute him as the author and make use of it that way.

ChrisLGardner avatar Sep 20 '17 14:09 ChrisLGardner

We could rewrite "our" own copy of this but it feels like such a waste of time. The best solution would be for the author to publish it to PSGallery but he has said he doesn't think the PSGallery is the right place for scripts.

I could attempt to email the author directly to ask but as these are Microsoft repos I think this is something they would need to sign off on. @kwirkykat, are you able to find out the Microsoft position on including a script from the Microsoft script gallery in this repo?

PlagueHO avatar Sep 20 '17 19:09 PlagueHO

PR #241 adds a helper function New-DscSelfSignedCertificate that creates a self-signed certificate and the certificate thumbprint is saved in the environment variable $env:DscCertificateThumbprint and the path to the public portion of the certificate is saved in $env:DscPublicCertificatePath.

See problem using the PSPKI module in issue https://github.com/PowerShell/DscResource.Tests/issues/240.

johlju avatar Jun 27 '18 07:06 johlju

This new helper module could be extended to create any type of self-signed certificate.

johlju avatar Jun 27 '18 07:06 johlju

As per previous comment, there is a helper function New-DscSelfSignedCertificate that is now using PSPKI. Currently it takes no parameters, and only generates a certificate used for compiling secure DSC configuration (.mof files). This helper function can be extended so that any certificate can be generated that is supported by the PSPKI module. This helper module DscResource.Tests/TestHelper.psm1 can then be imported in any test to generate a certificate.

https://github.com/PowerShell/DscResource.Tests/blob/b3ddf6ed8c5ff77a1bfc14900d9a8da3bbb36f54/TestHelper.psm1#L1781-L1797

johlju avatar Aug 05 '18 07:08 johlju

@Community This needs to support both New-SelfSignedCertificate and New-SelfSignedCertificateEx - what properties would be required initially to support generating necessary certificates?

New-SelfSignedCertificate

New-SelfSignedCertificate
   [-SecurityDescriptor <FileSecurity>]
   [-TextExtension <String[]>]
   [-Extension <X509Extension[]>]
   [-HardwareKeyUsage <HardwareKeyUsage[]>]
   [-KeyUsageProperty <KeyUsageProperty[]>]
   [-KeyUsage <KeyUsage[]>]
   [-KeyProtection <KeyProtection[]>]
   [-KeyExportPolicy <KeyExportPolicy[]>]
   [-KeyLength <Int32>]
   [-KeyAlgorithm <String>]
   [-SmimeCapabilities]
   [-ExistingKey]
   [-KeyLocation <String>]
   [-SignerReader <String>]
   [-Reader <String>]
   [-SignerPin <SecureString>]
   [-Pin <SecureString>]
   [-KeyDescription <String>]
   [-KeyFriendlyName <String>]
   [-Container <String>]
   [-Provider <String>]
   [-CurveExport <CurveParametersExportType>]
   [-KeySpec <KeySpec>]
   [-Type <CertificateType>]
   [-FriendlyName <String>]
   [-NotAfter <DateTime>]
   [-NotBefore <DateTime>]
   [-SerialNumber <String>]
   [-Subject <String>]
   [-DnsName <String[]>]
   [-SuppressOid <String[]>]
   [-HashAlgorithm <String>]
   [-AlternateSignatureAlgorithm]
   [-TestRoot]
   [-Signer <Certificate>]
   [-CloneCert <Certificate>]
   [-CertStoreLocation <String>]

New-SelfSignedCertificateEx

New-SelfSignedCertificateEx
    [-Subject] <String>
    [[-NotBefore] <DateTime>]
    [[-NotAfter] <DateTime>]
    [-SerialNumber <String>]
    [-ProviderName <String>]
    [-AlgorithmName <String>]
    [-KeyLength <Int32>]
    [-KeySpec <String> {Exchange | Signature} ]
    [-EnhancedKeyUsage <Oid[]>]
    [-KeyUsage <X509KeyUsageFlags>]
    [-SubjectAlternativeName <String[]>]
    [-IsCA <Boolean>]
    [-PathLength <Int32>]
    [-CustomExtension <X509ExtensionCollection>]
    [-SignatureAlgorithm <String> {MD5 | SHA1 | SHA256 | SHA384 | SHA512} ]
    [-FriendlyName <String>]
    [-StoreLocation <StoreLocation>] 
    [-AllowSMIME] 
    [-Exportable] 

New-SelfSignedCertificateEx
    [-Subject] <String>
    [[-NotBefore] <DateTime>] 
    [[-NotAfter] <DateTime>] 
    [-SerialNumber <String>] 
    [-ProviderName <String>] 
    [-AlgorithmName <String>] 
    [-KeyLength <Int32>] 
    [-KeySpec <String> {Exchange | Signature} ] 
    [-EnhancedKeyUsage <Oid[]>] 
    [-KeyUsage <X509KeyUsageFlags>] 
    [-SubjectAlternativeName <String[]>] 
    [-IsCA <Boolean>] 
    [-PathLength <Int32>] 
    [-CustomExtension <X509ExtensionCollection>] 
    [-SignatureAlgorithm <String> {MD5 | SHA1 | SHA256 | SHA384 | SHA512} ] 
    [-FriendlyName <String>] 
    -Path <FileInfo> 
    -Password <SecureString> 
    [-AllowSMIME] 
    [-Exportable] 

johlju avatar Aug 05 '18 11:08 johlju
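The comments above describe what the common helper does (a self-signed certificate for compiling secure .mof files, with the thumbprint in $env:DscCertificateThumbprint and the public .cer path in $env:DscPublicCertificatePath) and ask which parameters it should take. The following PowerShell is an added example of what such a parameterised helper and its use in a test could look like; it is not the DscResource.Tests or SqlServerDsc helper and not code posted by anyone in this thread. It uses the built-in New-SelfSignedCertificate cmdlet rather than PSPKI. The function name New-TestSelfSignedCertificate, its parameter names and defaults, the 'DscEncryptionCert' subject, the output paths, the sample configuration and the test password are all assumptions made for illustration; only the two environment variable names come from the thread.

```powershell
# Added example, not code from DscResource.Tests, SqlServerDsc or this thread.
# Assumptions: function and parameter names, the 'DscEncryptionCert' subject,
# the output paths and the sample configuration are illustrative; the two
# environment variable names are the ones described in the thread.
# Requires the built-in PKI module (Windows PowerShell 5.1 on Windows 10 /
# Server 2016 or later for -Type) in an elevated session, because the
# private key is created in Cert:\LocalMachine\My where the LCM can use it.
function New-TestSelfSignedCertificate
{
    [CmdletBinding()]
    param
    (
        # Subject (CN) and DNS name of the certificate.
        [System.String]
        $DnsName = 'DscEncryptionCert',

        # DocumentEncryptionCertLegacyCsp gives Key Encipherment usage, the
        # Document Encryption EKU and a legacy CSP key, which is what the DSC
        # LCM needs to decrypt credentials in a compiled MOF. Other -Type
        # values (for example SSLServerAuthentication) serve other tests.
        [System.String]
        $Type = 'DocumentEncryptionCertLegacyCsp',

        # Test certificates should be short-lived.
        [System.DateTime]
        $NotAfter = (Get-Date).AddDays(7),

        # Where the public part (.cer) is written for the compiler to read.
        [System.String]
        $OutputPath = (Join-Path -Path $env:TEMP -ChildPath 'DscPublicKey.cer')
    )

    $certificate = New-SelfSignedCertificate -Type $Type -DnsName $DnsName `
        -HashAlgorithm 'SHA256' -NotAfter $NotAfter `
        -CertStoreLocation 'Cert:\LocalMachine\My'

    # Only the public portion is written to disk; the private key stays in
    # the machine store and this helper never exports it.
    $null = Export-Certificate -Cert $certificate -FilePath $OutputPath -Force

    $env:DscCertificateThumbprint = $certificate.Thumbprint
    $env:DscPublicCertificatePath = $OutputPath

    return $certificate
}

# Usage: compile a configuration that carries a credential. With
# CertificateFile in the node data the compiler encrypts the password
# instead of demanding PSDscAllowPlainTextPassword.
$null = New-TestSelfSignedCertificate

$configurationData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            CertificateFile = $env:DscPublicCertificatePath
            Thumbprint      = $env:DscCertificateThumbprint
        }
    )
}

Configuration ExampleWithCredential
{
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node 'localhost'
    {
        # Constructed account that exists only to give the MOF a credential.
        User ExampleUser
        {
            UserName = 'DscExampleUser'
            Password = $Credential
            Ensure   = 'Present'
        }
    }
}

$plainText = 'TestOnlyPassw0rd!'   # constructed test value, never reused
$credential = [System.Management.Automation.PSCredential]::new(
    'DscExampleUser', (ConvertTo-SecureString -String $plainText -AsPlainText -Force))

$mof = ExampleWithCredential -ConfigurationData $configurationData `
    -Credential $credential -OutputPath (Join-Path -Path $env:TEMP -ChildPath 'ExampleMof')

# The check a test should make: the secret must not survive in clear text.
if ((Get-Content -Path $mof.FullName -Raw) -like "*$plainText*")
{
    throw 'Credential was written to the MOF in plain text.'
}
```

Two points a test helper along these lines should also cover: the private key it creates in Cert:\LocalMachine\My persists across test runs, so a cleanup step such as Remove-Item on Cert:\LocalMachine\My\$env:DscCertificateThumbprint belongs in the test's teardown; and if the helper is built on PSPKI's New-SelfSignedCertificateEx instead, the equivalent of -Type DocumentEncryptionCertLegacyCsp is a KeyUsage of KeyEncipherment together with the Document Encryption EKU (1.3.6.1.4.1.311.80.1) and the legacy provider, which is why the parameter list in the previous comment matters.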

There was a helper function added here to generate a certificate. https://github.com/PowerShell/SqlServerDsc/blob/55d950a0c6a0e71bbe75130863257b4a339b5c16/Tests/TestHelpers/CommonTestHelper.psm1#L234-L288

It would be great to have this as a common function in the test framework.

johlju avatar Sep 26 '18 13:09 johlju