duffney.io


DevOps Engineer | Pluralsight Author | Speaker | Blogger | PowerShell Advocate


Build Active Directory Certificate Services with DSC

Applies to: Windows PowerShell 5.0, Windows Server 2012r2+

Today we will be standing up a Public Key Infrastructure (PKI) with Active Directory Certificate Services, but not the manual click-click way. We’ll be applying a desired state configuration that will set it up for us! The end result will be a standalone PKI server, perfect for lab environments. This post won’t be too helpful if you’re looking to stand up a production-ready PKI environment. Before we begin, let’s talk about some prerequisites for this blog post, listed below. Some of the DSC resources are optional; I chose to include them to configure things such as the IP address, default gateway and time zone. xAdcsDeployment is the only resource required to configure ADCS.

Prerequisites

Active Directory Domain

2 Windows Servers 2012R2+ (1 Domain Controller, 1 PKI)

PowerShell v5

DSC Resources

1. xAdcsDeployment
2. xNetworking
3. xComputerManagement
4. xTimeZone

Downloading Resources & Pushing the ADCS Config

Download the required custom DSC resources from the PowerShell Gallery.

Generate the .mof file by executing the configuration, then push the configuration to the node. Modify the code below to match your environment; things like the domain name, IP address and user name will likely differ.
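The post’s own configuration listing is not reproduced on this page, so here is an added example of my own (not the author’s code) that does what the two steps above describe, using the xAdcsDeployment and xTimeZone resources. It assumes xAdcsDeployment 2.x or later (where IsSingleInstance is the key property of xAdcsCertificationAuthority), a node named PKI01, a LAB domain, and the credential, CA common name and time zone shown, all of which are placeholders.

```powershell
# Step 1 (run first, before compiling): install the DSC resources from the PowerShell Gallery
Install-Module -Name xAdcsDeployment, xTimeZone -Force
# Step 2: the configuration. All names and values are lab placeholders, not the author's.
Configuration LabRootCA {
    param (
        [Parameter(Mandatory)]
        [pscredential]$Credential   # account with local admin rights on the CA node
    )
    Import-DscResource -ModuleName xAdcsDeployment
    Import-DscResource -ModuleName xTimeZone
    Node $AllNodes.NodeName {
        WindowsFeature CertAuthority {
            Name   = 'ADCS-Cert-Authority'
            Ensure = 'Present'
        }
        xTimeZone SystemTimeZone {
            IsSingleInstance = 'Yes'
            TimeZone         = 'Central Standard Time'
        }
        # Pick SHA-256 and a 4096-bit key even in a lab so the build mirrors a sound production CA
        xAdcsCertificationAuthority RootCA {
            IsSingleInstance    = 'Yes'
            Ensure              = 'Present'
            Credential          = $Credential
            CAType              = 'EnterpriseRootCA'
            CACommonName        = 'LAB-ROOT-CA'
            CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
            HashAlgorithmName   = 'SHA256'
            KeyLength           = 4096
            ValidityPeriod      = 'Years'
            ValidityPeriodUnits = 10
            DependsOn           = '[WindowsFeature]CertAuthority'
        }
    }
}
# Lab only: PSDscAllowPlainTextPassword stores the credential in the .mof unencrypted.
# Outside a throwaway lab, encrypt the MOF with a DSC certificate (CertificateFile/Thumbprint).
$configData = @{
    AllNodes = @(
        @{
            NodeName                    = 'PKI01'
            PSDscAllowPlainTextPassword = $true
            PSDscAllowDomainUser        = $true
        }
    )
}
# Step 3: compile the .mof, push it to the node, then ask the node whether it is compliant
LabRootCA -ConfigurationData $configData -Credential (Get-Credential 'LAB\Administrator') -OutputPath .\LabRootCA
Start-DscConfiguration -Path .\LabRootCA -Wait -Verbose -Force
Test-DscConfiguration -ComputerName PKI01
```

The final Test-DscConfiguration call should return True once the CA role is installed and the node matches the configuration.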

After executing the configuration you should see output similar to the one displayed below.

[Screenshot: verbose output of the configuration run]

Verifying the Config

There are a few DSC cmdlets worth mentioning. First is Test-DscConfiguration, which returns True or False, telling us whether the target node is in its desired state. Next is Get-DscConfigurationStatus, which provides more detailed information about the last configuration run.

[Screenshot: Test-DscConfiguration and Get-DscConfigurationStatus output]

We can also verify that ADCS installed properly and is operational by opening the Certification Authority tool included in RSAT and connecting to our new certificate authority.

[Screenshots: Certification Authority console connected to the new CA]