Create a Certificate to Encrypt MOF Passwords that’s Compatible with DSC in PowerShell version 5.0

I've previously written a blog article titled Use a certificate with PowerShell DSC to add a server to Active Directory without hard coding a password where I had created a certificate that was used to encrypt the password in a PowerShell version 4 DSC (Desired State Configuration) MOF file.

The same procedure in PowerShell v5 generates an error stating the certificate cannot be used for encryption:


ConvertTo-MOFInstance : System.ArgumentException error processing property Password OF TYPE MSFT_Credential:
Certificate '6EBFB5C88AB4B8C9E3B8E30E88A5D071D6735464' cannot be used for encryption. Encryption certificates must
contain the Data Encipherment or Key Encipherment key usage, and include the Document Encryption Enhanced Key Usage
(1.3.6.1.4.1.311.80.1).
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:303
char:13
+ ConvertTo-MOFInstance MSFT_Credential $newValue
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Write-Error], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessProperty,ConvertTo-MOFInstance
Write-NodeMOFFile : Invalid MOF definition for node SQL01: Exception calling ValidateInstanceText with "1"
argument(s): Syntax error:
At line:11, char:1
Buffer:
T_Credential1ref
{
}^;
in

At
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:2275
char:21
+  Write-NodeMOFFile $Name $mofNode $Script:NodeInstanceAlia
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Write-Error], InvalidOperationException
    + FullyQualifiedErrorId : InvalidMOFDefinition,Write-NodeMOFFile

Errors occurred while processing configuration test.
At
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3705
char:5
+ throw $ErrorRecord
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (test:String) [], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessConfiguration

The solution to this problem is contained in the error message. "Encryption certificates must contain the Data Encipherment or Key Encipherment key usage, and include the Document Encryption Enhanced Key Usage".

As in the previously referenced blog article, the New-SelfSignedCertificateEx function, a PowerShell self-signed certificate generator written by fellow Microsoft MVP Vadims Podans, is used to create the certificate on the target node, this time with the key usages the error message asks for:

New-SelfSignedCertificateEx -Subject 'CN=SQL01' -StoreLocation LocalMachine -StoreName My -KeyUsage DataEncipherment, KeyEncipherment -EnhancedKeyUsage 'Document Encryption'


Notice that the KeyUsage and EnhancedKeyUsage parameters are specified with exactly the values named in the error message (Data Encipherment and Key Encipherment, plus the Document Encryption enhanced key usage, OID 1.3.6.1.4.1.311.80.1), so the certificate is generated with the requirements for encryption with DSC in PowerShell version 5.0. The certificate, including its private key, stays in the LocalMachine\My store of the target node, because that is where the Local Configuration Manager needs it to decrypt the password; only the public certificate leaves the node.

Determine the thumbprint of the certificate. Filtering by creation date works here because it's the only certificate created in the past two days; on a machine with more certificates, filter by subject or by the Document Encryption enhanced key usage instead:

Get-ChildItem -Path Cert:\LocalMachine\My\ |
Where-Object NotBefore -gt (Get-Date).AddDays(-2)


Export the public certificate to a file (Export-Certificate writes a .cer without the private key, which is what the authoring computer needs):

Export-Certificate -Cert Cert:\LocalMachine\My\3652E4B2C9C885B4A93E81A07407008780D48356 -FilePath C:\tmp\sql01cert.cer


The exported certificate has been copied to the computer used for authoring the configuration.
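The node-side steps above (create, locate, export), as one added example that is not part of the original post. It checks the certificate's extensions against what the error message demands instead of trusting the creation date, and refuses to export anything that doesn't qualify. It assumes the New-SelfSignedCertificateEx function is already loaded in an elevated session on the target node; the subject CN=SQL01 and the path C:\tmp\sql01cert.cer are the values from the post. (On Windows 10 and Windows Server 2016 the built-in New-SelfSignedCertificate cmdlet can produce an equivalent certificate with -Type DocumentEncryptionCert; the post's function is kept here for consistency with the article.)

```powershell
# Added example, not from the original post. Assumes New-SelfSignedCertificateEx
# (Vadims Podans) is loaded and that this runs elevated on the target node.

function Test-DscEncryptionCertificate {
    # Reports whether a certificate satisfies the PowerShell 5.0 DSC encryption
    # requirement quoted in the error message: Data Encipherment or Key Encipherment
    # key usage, plus the Document Encryption EKU (1.3.6.1.4.1.311.80.1).
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $documentEncryptionOid = '1.3.6.1.4.1.311.80.1'

        $keyUsageExt = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1
        $ekuExt = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1

        $dataEncipherment = $false
        $keyEncipherment  = $false
        if ($keyUsageExt) {
            $dataEncipherment = $keyUsageExt.KeyUsages.HasFlag(
                [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment)
            $keyEncipherment  = $keyUsageExt.KeyUsages.HasFlag(
                [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
        }

        $hasDocumentEncryptionEku = $false
        if ($ekuExt) {
            $hasDocumentEncryptionEku = @($ekuExt.EnhancedKeyUsages | ForEach-Object Value) -contains $documentEncryptionOid
        }

        [PSCustomObject]@{
            Thumbprint            = $Certificate.Thumbprint
            Subject               = $Certificate.Subject
            NotBefore             = $Certificate.NotBefore
            HasPrivateKey         = $Certificate.HasPrivateKey
            DataEncipherment      = $dataEncipherment
            KeyEncipherment       = $keyEncipherment
            DocumentEncryptionEku = $hasDocumentEncryptionEku
            # The LCM decrypts with the private key, so it must be on the node too.
            UsableForDsc          = ($dataEncipherment -or $keyEncipherment) -and
                                    $hasDocumentEncryptionEku -and $Certificate.HasPrivateKey
        }
    }
}

# 1. Create the certificate with the key usages the error message asks for.
New-SelfSignedCertificateEx -Subject 'CN=SQL01' -StoreLocation LocalMachine -StoreName My `
    -KeyUsage DataEncipherment, KeyEncipherment -EnhancedKeyUsage 'Document Encryption'

# 2. Locate it by subject and by its extensions, not by creation date, and stop
#    if nothing in the store actually meets the requirement.
$dscCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object Subject -eq 'CN=SQL01' |
    Test-DscEncryptionCertificate |
    Where-Object UsableForDsc |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

if (-not $dscCert) {
    throw 'No certificate in Cert:\LocalMachine\My meets the DSC encryption requirements.'
}

# 3. Export only the public certificate (.cer, no private key) for the authoring computer.
$null = New-Item -Path C:\tmp -ItemType Directory -Force
Get-Item -Path "Cert:\LocalMachine\My\$($dscCert.Thumbprint)" |
    Export-Certificate -FilePath C:\tmp\sql01cert.cer

# The thumbprint is what the configuration data and the LCM's CertificateID need.
$dscCert
```

Test-DscEncryptionCertificate is also handy on its own: pipe the whole store through it (`Get-ChildItem Cert:\LocalMachine\My | Test-DscEncryptionCertificate`) to see at a glance which existing certificates would trigger the error above and which would not.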

With the exported certificate referenced from the configuration data (its file path and thumbprint), both the MOF and meta.MOF files for the test configuration now generate without a problem:

test -ConfigurationData $ConfigData -Credential (Get-Credential)


The password is indeed encrypted:

Get-Content -Path C:\test\SQL01.mof |
Select-String -Pattern 'Password'
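The authoring-side half of the procedure (configuration data, the LCM setting, compiling, and checking the result), as an added example that is not part of the original post. The configuration data references the .cer copied from SQL01 and the thumbprint shown in the export step above; both are the post's values and must match the certificate actually on the node. The User resource is an assumed stand-in for whatever resource consumes the credential, and the C:\test output path matches the MOF path the post inspects.

```powershell
# Added example, not from the original post. Runs on the authoring computer.

$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'SQL01'
            # Public certificate copied from the target node; used to encrypt the credential.
            CertificateFile = 'C:\tmp\sql01cert.cer'
            # Thumbprint of that same certificate (value from the post); it is written
            # to the meta.MOF so the LCM knows which private key decrypts the MOF.
            Thumbprint      = '3652E4B2C9C885B4A93E81A07407008780D48356'
        }
    )
}

Configuration test {
    param (
        [Parameter(Mandatory)]
        [PSCredential]$Credential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName {
        # Tells the LCM on SQL01 which certificate to decrypt credentials with.
        LocalConfigurationManager {
            CertificateID = $Node.Thumbprint
        }

        # Assumed resource; any resource with a PSCredential property goes through
        # the same MOF encryption path.
        User ServiceAccount {
            UserName = 'svc_sql'
            Password = $Credential
            Ensure   = 'Present'
        }
    }
}

$cred = Get-Credential -Message 'Password to be encrypted into the MOF'
test -ConfigurationData $ConfigData -Credential $cred -OutputPath C:\test

# Check: the plaintext password must not appear anywhere in the generated MOF.
# Grepping for 'Password' only shows that the property exists; this proves the
# value that was typed in is not sitting there in the clear.
$mof   = Get-Content -Path C:\test\SQL01.mof -Raw
$plain = $cred.GetNetworkCredential().Password
if ($mof -cmatch [regex]::Escape($plain)) {
    throw 'Plaintext password found in SQL01.mof; the credential was not encrypted.'
}

# What the post inspects: the Password property now carries the encrypted blob.
Select-String -Path C:\test\SQL01.mof -Pattern 'Password'
```

If the configuration data omits CertificateFile, DSC falls back to refusing plaintext credentials unless PSDscAllowPlainTextPassword is set for the node, so the absence of that setting here is deliberate: the compile either encrypts the password or fails.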


If you've found an easier way to accomplish this task, I'd love to hear about it.

µ