CertificateDsc
xCertificateImport / xPfxImport: -- Thumbprint Key is redundant
Details of the scenario you tried and the problem that is occurring: By requiring thumbprint you create an additional step that is dependent on the user to identify the thumbprint of the certificate before importing the certificate. This information can be found in the certificate when you supply the path.
I understand that the thumbprint is quite useful when Ensure = Absent, so it should be left as an optional parameter, and "required by code" in the instance you are attempting to remove the cert, but not required to add the certificate.
The DSC configuration that is using the resource (as detailed as possible):
```powershell
xCertificateImport SSLCert
{
    Thumbprint = 'c81b94933420221a7ac004a90242d8b1d3e5070d'
    Location   = 'LocalMachine'
    Store      = 'Root'
    Path       = '\\Server\Share\Certificates\MyTrustedRoot.cer'
}

xPfxImport CompanyCert
{
    Thumbprint = 'c81b94933420221a7ac004a90242d8b1d3e5070d'
    Path       = '\\Server\Share\Certificates\CompanyCert.pfx'
    Location   = 'LocalMachine'
    Store      = 'WebHosting'
    Credential = $Credential
    DependsOn  = '[WindowsFeature]IIS'
}
```
To generate my configuration I need to resolve the thumbprint of each certificate. So if I am using DSC to automate the standup of several hundred IIS servers / applications, each with its own certificate, it's a real pain to get the thumbprint off all the certs. It would be much easier if I could just supply the path to the correct certificate and be done.
Version of the Operating System and PowerShell the DSC Target Node is running: All
Version of the DSC module you're using, or 'dev' if you're using current dev branch: Latest / NA
Hi @mrpullen - this is definitely a good use case and I can see the benefit in implementing it.
We currently use the `Thumbprint` to determine if the certificate has or has not been imported into the certificate store. However, it is fairly easy (at least for x509 CER files) to pull the thumbprint out of the CER file (I think I've implemented something like that for PKCS12 PFX too). This could potentially allow us to remove the `Key` from the `Thumbprint` parameter. This would prevent a breaking change but support your user story.
But I'll leave this open for more discussion for a bit before making a start, to make sure there are no additional side effects.
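As an added example (not code from CertificateDsc or from either commenter), the following shows how a resource could derive the thumbprint from the CER or PFX file itself and then test the target store with it, which is the approach the reply above describes. It assumes PowerShell 5.0 or later and that the PFX password, where needed, is carried in the `Credential` parameter as the resource already does; the function names are hypothetical.

```powershell
# Added example, not CertificateDsc's own implementation.
function Get-CertificateThumbprintFromFile
{
    [CmdletBinding()]
    [OutputType([System.String])]
    param
    (
        [Parameter(Mandatory = $true)] [System.String] $Path,
        # Only needed for PKCS#12 (PFX) files; DER/Base64 CER files have no password.
        [Parameter()] [System.Management.Automation.PSCredential] $Credential
    )

    if (-not (Test-Path -Path $Path -PathType Leaf))
    {
        throw "Certificate file '$Path' was not found."
    }

    # Load the file into memory only; nothing is written to a certificate store
    # and a PFX private key is not persisted (PersistKeySet is not set).
    $certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $cert = if ($Credential) { $certType::new($Path, $Credential.Password) }
            else              { $certType::new($Path) }
    try
    {
        # Thumbprint is the SHA-1 hash of the DER encoding as uppercase hex.
        return $cert.Thumbprint
    }
    finally
    {
        $cert.Dispose()
    }
}

function Test-CertificateImported
{
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)] [System.String] $Path,
        [Parameter(Mandatory = $true)] [ValidateSet('LocalMachine', 'CurrentUser')] [System.String] $Location,
        [Parameter(Mandatory = $true)] [System.String] $Store,
        [Parameter()] [System.Management.Automation.PSCredential] $Credential
    )

    $thumbprint = Get-CertificateThumbprintFromFile -Path $Path -Credential $Credential
    # The Cert: drive exposes every store entry by thumbprint, so this is the
    # same check a Test-TargetResource could run without the user supplying it.
    return Test-Path -Path ('Cert:\{0}\{1}\{2}' -f $Location, $Store, $thumbprint)
}

# Usage, with the path from the issue above (a UNC share, so it needs a reachable server):
# Test-CertificateImported -Path '\\Server\Share\Certificates\MyTrustedRoot.cer' -Location LocalMachine -Store Root
```

For Ensure = Absent the file may no longer exist on the share, which is why the thumbprint still has to be supplied explicitly in that case, as the issue itself notes.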