Creating a Desired State Configuration Resource for Self Signed Certificates

For those of you who follow my blog, you know that I’ve been working on using DSC (Desired State Configuration) to fully automate the build of my test environment that runs as Hyper-V VM’s on my Windows 8.1 computer.

Last week in my blog article titled “Automate the installation of DSC Resource Kit Wave 9 resources with PowerShell Desired State Configuration“, I demonstrated how to do just that, automate the installation of the Microsoft created DSC resources that are part of the most recent DSC resource kit (wave 9). For more details on the current state of my test environment, see that previous blog article.

The first VM in my test environment is named Test01 and it will become the first domain controller in my test environment. That will require passwords to either be stored in clear text or a certificate to be created on Test01 that can be used to encrypt the passwords. I’ve previously written about that process in another blog article titled “Use a certificate with PowerShell DSC to add a server to Active Directory without hard coding a password”, but I needed a more automated solution.

At first, I tried using the Script resource which I used in last weeks blog article, but that ended up being a less than desirable solution so I figured I would write a DSC resource which would move the complexity from the DSC configuration to a DSC resource. That way a person who is less skilled with DSC could write the configuration if needed.

I’m not going to go into quite as much detail about all of the steps to create a DSC resource in this blog article since I’ve previously written a blog article that does that.

First, I create the skeleton of my new DSC resource with a PowerShell one-liner:


The previous step creates the directory structure, a PowerShell script module (psm1 file) and a MOF file.

There are three functions that the PSM1 file of your DSC resource must contain. Get-TargetResource which must return a hash table. Set-TargetResource which performs the action to bring whatever you’re configuring into compliance, and Test-TargetResource which must return a Boolean as shown in the following example:

I will tell you, the code you see in the PSM1 file shown in the previous example isn’t your ordinary DSC resource example because it does something brilliant or insane depending on how you look at it and whether or not your a half full or half empty kind of person.

As noted in one of my blog articles that was previously referenced, fellow PowerShell MVP Vadims Podans has a PowerShell self-signed certificate generator function that I wanted to use to simplify the process of creating the actual certificate. His function is contained in a signed PS1 file which I didn’t want to modify so my DSC resource simply downloads his function as a zip file from the TechNet script repository, extracts it, and creates a module named MrCertificate that does nothing more than dot source his PS1 script file.

I create a module manifest (psd1 file) for my new DSC resource:


Using a simple DSC configuration:


A MOF file is created:


When the configuration is applied, a self signed certificate is created on my Test01 VM which can be used to encrypt the password that is contained in the MOF file of future configurations that I plan to create:


I’ll use a PowerShell one-to-one remoting session to confirm the certificate was created:


Reapplying the configuration shows that the certificate already exists and nothing needs to be done so the set portion of the configuration is skipped:


I’ll test removing the certificate by changing Ensure in the configuration to Absent:


The MOF file has to be recreated since the configuration was changed:


As you can see, applying this new configuration does indeed remove the certificate:




  1. Stéphane E. (@serbrech)

    There is a function in powershell called New-SelfSignedCertificate that would probably simplify this 🙂

    > gcm New-SelfSignedCertificate
    CommandType Name Version Source
    ———– —- ——- ——
    Cmdlet New-SelfSignedCertificate PKI


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: