Create a Certificate to Encrypt MOF Passwords that’s Compatible with DSC in PowerShell version 5.0

I’ve previously written a blog article titled “Use a certificate with PowerShell DSC to add a server to Active Directory without hard coding a password” where I had created a certificate that was used to encrypt the password in a PowerShell version 4 DSC (Desired State Configuration) MOF file.

The same procedure in PowerShell v5 generates an error stating the certificate cannot be used for encryption:

[screenshot: dsc-cert-error1a]

ConvertTo-MOFInstance : System.ArgumentException error processing property ‘Password’ OF TYPE ‘MSFT_Credential’:
Certificate ‘6EBFB5C88AB4B8C9E3B8E30E88A5D071D6735464’ cannot be used for encryption. Encryption certificates must
contain the Data Encipherment or Key Encipherment key usage, and include the Document Encryption Enhanced Key Usage
(1.3.6.1.4.1.311.80.1).
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:303
char:13
+ ConvertTo-MOFInstance MSFT_Credential $newValue
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Write-Error], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessProperty,ConvertTo-MOFInstance
Write-NodeMOFFile : Invalid MOF definition for node ‘SQL01’: Exception calling “ValidateInstanceText” with “1”
argument(s): “Syntax error:
At line:11, char:1
Buffer:
T_Credential1ref
{
}^;
in

At
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:2275
char:21
+ … Write-NodeMOFFile $Name $mofNode $Script:NodeInstanceAlia …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Write-Error], InvalidOperationException
+ FullyQualifiedErrorId : InvalidMOFDefinition,Write-NodeMOFFile

Errors occurred while processing configuration ‘test’.
At
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3705
char:5
+ throw $ErrorRecord
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (test:String) [], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessConfiguration

The solution to this problem is contained in the error message itself: “Encryption certificates must contain the Data Encipherment or Key Encipherment key usage, and include the Document Encryption Enhanced Key Usage”.

As in the previously referenced blog article, the PowerShell self-signed certificate generator function written by fellow Microsoft MVP Vadims Podans is used to create a certificate on the target node:

[screenshot: dsc-cert-error2a]

Notice in the previous example that the KeyUsage and EnhancedKeyUsage parameters are specified with the values named in the error message above, so the certificate is generated with the key usage and enhanced key usage that DSC in PowerShell version 5.0 requires for encryption.

Determine the thumbprint of the certificate (it’s the only one that’s been created in the past two days):

[screenshot: dsc-cert-error3a]

Export the certificate to a file:

[screenshot: dsc-cert-error4a]

The exported certificate has been copied to the computer used for authoring the configuration.

Both the MOF and meta.MOF files now generate without a problem:

[screenshot: dsc-cert-error5a]

The password is indeed encrypted:

[screenshot: dsc-cert-error6a]
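The whole procedure above, written as an added example rather than code from the original article or from Vadims Podans’ function: it uses the built-in New-SelfSignedCertificate cmdlet (Windows 10 / Server 2016 or later, where -Type DocumentEncryptionCertLegacyCsp is available), checks the certificate for exactly the two requirements the error message names before exporting it, and then compiles a configuration with the certificate on the authoring computer. The DNS name, file paths, the Test-DscEncryptionCert function, the svc-dsc account and the User resource are assumptions for illustration; SQL01 is the node name from the error above.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# --- On the target node: create and check the certificate ---------------
# Placeholder values: adjust the DNS name and the export path.
$cert = New-SelfSignedCertificate -Type DocumentEncryptionCertLegacyCsp `
    -DnsName 'DscEncryptionCert' -HashAlgorithm SHA256

# Check the two requirements the ConvertTo-MOFInstance error spells out:
# Data/Key Encipherment key usage and the Document Encryption EKU
# (1.3.6.1.4.1.311.80.1). Works on any certificate object, not just $cert.
function Test-DscEncryptionCert {
    param([X509Certificate2]$Certificate)
    $ku  = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $encipher = $ku -and (
        $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DataEncipherment) -or
        $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyEncipherment))
    $docEncrypt = $eku -and ($eku.EnhancedKeyUsages |
        Where-Object { $_.Value -eq '1.3.6.1.4.1.311.80.1' })
    return [bool]($encipher -and $docEncrypt)
}
if (-not (Test-DscEncryptionCert $cert)) {
    throw 'Certificate does not meet the DSC v5 encryption requirements.'
}

# Export only the public certificate; the private key stays on the node.
Export-Certificate -Cert $cert -FilePath 'C:\DscPublicKey.cer' | Out-Null
$cert.Thumbprint   # record this value for the configuration data

# --- On the authoring computer (after copying the .cer file over) --------
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'SQL01'
            CertificateFile = 'C:\DscCerts\SQL01.cer'        # the copied public cert
            Thumbprint      = '<thumbprint recorded above>'  # placeholder
        }
    )
}

configuration TestCredential {
    param([Parameter(Mandatory)][pscredential]$Credential)
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    node $AllNodes.NodeName {
        # The password is encrypted with the node's certificate in the MOF.
        User 'ServiceAccount' { UserName = 'svc-dsc'; Password = $Credential; Ensure = 'Present' }
    }
}
TestCredential -ConfigurationData $configData -Credential (Get-Credential -Message 'svc-dsc')
```

The same thumbprint goes into the CertificateID setting of the node’s LCM meta-configuration so the node can decrypt the MOF, and Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-DscEncryptionCert $_ } lists every certificate in the store that already satisfies the requirements.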

If you’ve found an easier way to accomplish this task, I’d love to hear about it via a comment to this blog article.


1 Comment

  1. Joey Piccola

    -StoreName is no longer a part of Podans’ script, also updated on https://github.com/PowerShell/PowerShell-Docs/blob/staging/dsc/secureMOF.md.

    On an entirely different note, in your presentation on “Creating a PowerShell Toolkit to Demystify DSC” at the PowerShell & DevOps Global Summit 2016 you mention “you can actually encrypt the entire MOF document”. Do you have info on that? The only info I can find is where it’s encrypted endpoint side.

    Thanks Mike, really enjoy the blog. Thanks again!
