This repository was archived by the owner on May 15, 2018. It is now read-only.

Add Password parameter, and change Test-TargetResource to match the Subj... #3

Status: Open. Wants to merge 1 commit into master.
Expand Up @@ -70,21 +70,45 @@ function Set-TargetResource
[parameter()]
[ValidateSet('Present','Absent')]
[string]
$Ensure = 'Present'
$Ensure = 'Present',
[parameter()]
[string]
$Password
Author:
CertUtil (Win2008) requires a clear text password, and Import-PFXCertificate requires a SecureString for password.
So the choice is to pass in a clear text password in $Password, then convert to SecureString. Or pass in a SecureString and decrypt to get the clear text.

Contributor:
Passing in a SecureString and decrypting the plain text if needed would be the better choice. (Though it looks like we'd actually be passing in a PSCredential, since that's what DSC will encrypt for you in the MOF document. It doesn't know what to do with SecureString objects passed by themselves.)

)

$CertificateBaseLocation = "cert:\$Location\$Store"

if ($Ensure -like 'Present')
{
Write-Verbose "Adding $path to $CertificateBaseLocation."
Import-PfxCertificate -CertStoreLocation $CertificateBaseLocation -FilePath $Path
{
write-verbose "Is Password Null: $($password -eq $null)"

if ($password -ne $null){
write-verbose "Import PFX Cert using password"
if ((Get-WmiObject Win32_OperatingSystem | select -ExpandProperty Version) -eq "6.3.9600"){
write-verbose "Windows 2012 detected"
$SPassword = ($Password | ConvertTo-SecureString -AsPlainText -Force)
Import-PfxCertificate -CertStoreLocation $CertificateBaseLocation -FilePath $Path -Password $SPassword
}else{
write-verbose "Windows 2008 detected"
certutil -f -importpfx -p $Password $Path
}
}else
{
write-verbose "Import PFX Cert without using password"
if ((Get-WmiObject Win32_OperatingSystem | select -ExpandProperty Version) -eq "6.3.9600"){
write-verbose "Windows 2012 detected"
Import-PfxCertificate -CertStoreLocation $CertificateBaseLocation -FilePath $Path
}else{
write-verbose "Windows 2008 detected"
certutil -f -importpfx $Path
}
}
}
else
{
$CertificateLocation = Join-path $CertificateBaseLocation $Name
Write-Verbose "Removing $CertificateLocation."
dir $CertificateLocation | Remove-Item -Force -Confirm:$false
Write-Verbose "Removing $name from $CertificateBaseLocation."
gci $CertificateBaseLocation | ?{$_.Subject -match $name.Replace('*','')} | Remove-Item -Force -Confirm:$false
Author:
This is to support matching a wildcard certificate, such as *.mysite.com.
Possibly a better method would be to match on a Thumbprint, instead of a certificate name. Thoughts?

}
}
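Review bot: `if ($password -ne $null)` never reaches its else branch, because an unbound `[string]` parameter is the empty string rather than `$null`; test `[string]::IsNullOrEmpty($Password)` (or `$PSBoundParameters.ContainsKey('Password')`) so the password-less import path is actually reachable. The version check `-eq "6.3.9600"` recognises only that exact build as "Windows 2012", so every other release (Windows 2012 without R2 and anything newer) falls through to the `certutil` path labelled "Windows 2008 detected"; compare with `[version]` semantics, e.g. `[version](Get-WmiObject Win32_OperatingSystem).Version -ge [version]'6.2'`, or branch on `Get-Command Import-PfxCertificate -ErrorAction SilentlyContinue`. `$Password` is a plain `[string]`, and on the certutil branch it is placed on the command line via `-p $Password`, where it is visible to process listings and command-line auditing; taking a `[PSCredential]` as suggested above and calling `$Password.GetNetworkCredential().Password` only at that call site keeps the value encrypted in the MOF, and the verbose output should continue to log only whether a password is present, never the value. In the Absent branch, `$_.Subject -match $name.Replace('*','')` is an unanchored regular expression in which the `.` of `.mysite.com` matches any character, so `Remove-Item -Force` can delete more certificates than intended; use `[regex]::Escape($name.Replace('*',''))` with an anchor, or match on Thumbprint as the author proposes.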

Expand All @@ -110,36 +134,39 @@ function Test-TargetResource
[parameter()]
[ValidateSet('Present','Absent')]
[string]
$Ensure = 'Present'
$Ensure = 'Present',
[parameter()]
[string]
$Password
)

$IsValid = $false

$CertificateLocation = "cert:\$Location\$Store\$Name"
$CertificateBaseLocation = "cert:\$Location\$Store\"

if ($Ensure -like 'Present')
{
Write-Verbose "Checking for $Name to be present in the $location store under $store."
if (Test-Path $CertificateLocation)
Write-Verbose "Checking for $Name to be present in the $CertificateBaseLocation store under $store."
if (gci $CertificateBaseLocation | ?{$_.Subject -match $name.Replace('*','')})
{
Write-Verbose "Found a matching certficate at $CertificateLocation"
Write-Verbose "Found a matching certficate at $CertificateBaseLocation"
$IsValid = $true
}
else
{
Write-Verbose "Unable to find a matching certficate at $CertificateLocation"
Write-Verbose "Unable to find a matching certficate at $CertificateBaseLocation"
}
}
else
{
Write-Verbose "Checking for $Name to be absent in the $location store under $store."
if (Test-Path $CertificateLocation)
Write-Verbose "Checking for $Name to be absent in the $CertificateBaseLocation store under $store."
if (gci $CertificateBaseLocation | ?{$_.Subject -match $name.Replace('*','')})
{
Write-Verbose "Found a matching certficate at $CertificateLocation"
Write-Verbose "Found a matching certficate at $CertificateBaseLocation"
}
else
{
Write-Verbose "Unable to find a matching certficate at $CertificateLocation"
Write-Verbose "Unable to find a matching certficate at $CertificateBaseLocation"
$IsValid = $true
}
}
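Review bot: The new presence test `gci $CertificateBaseLocation | ?{$_.Subject -match $name.Replace('*','')}` treats `$Name` as an unanchored regular expression, so for `*.mysite.com` the pattern `.mysite.com` lets `.` match any character and matches anywhere in the Subject string; a certificate whose subject merely contains a similar substring makes Test-TargetResource report Present, and DSC then never calls Set. Use `[regex]::Escape($name.Replace('*',''))` anchored to the `CN=` component (or compare on Thumbprint, as discussed on the Set hunk) so the presence check and the removal logic agree on what "matching" means. Minor: `$CertificateBaseLocation` now ends in a trailing backslash unlike the value in Set-TargetResource, the verbose messages read "in the $CertificateBaseLocation store under $store", naming the store twice, and the new lines keep the "certficate" misspelling. The added `$Password` parameter is unused here, which is expected since DSC requires Test and Set to share a parameter set, but it should carry the same type as the one Set ends up using so the schema stays consistent.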
Binary file not shown.