microsoft/SDN

SDNExpress - Deployment fails when computer certificate auto-enrollment is in place

MassimoPascucci opened this issue · 6 comments

Our Active Directory environment includes an Enterprise Certification Authority.
Certificate auto-enrollment is enabled for all computers: each machine in the domain automatically obtains a computer certificate from the internal CA. Please note that the default Computer certificate template doesn't allow the private key to be exported.

This creates a lot of trouble with the SDN Express deployment.

When a computer is joined to the domain, it automatically receives a Computer certificate with the machine FQDN as its subject. These certificates are detected and deemed usable by the SDN Express deployment scripts; however, they are actually not: when the scripts try to export them and move them around, they crash because the private key export fails.
This applies to all SDN VMs, but also to the host certificates on the physical servers managed by SDN.

The only workaround we found to allow SDN Express deployment to proceed is to disable certificate auto-enrollment and remove all offending certificates from all involved systems.

As a side note, I'm wondering why private keys are being exported all around in the first place.

In the SDN context, certificates are used by systems to authenticate each other; they are exported from one system and imported into the trusted roots store in another. Only public keys should be needed (and used) in this process.

The only certificate that actually requires an export of the private key is the main network controller cluster certificate, which must be installed with its private key on all network controller nodes.
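A pre-flight check for the failure described in this issue, added here as an example and not part of SDN Express or the SdnDiagnostics project: it lists the LocalMachine\My certificates that match the host FQDN (the ones the deployment scripts pick up) and reports whether each private key can actually be exported, so auto-enrolled non-exportable certificates are found before the deployment crashes. It assumes it is run elevated on the host or VM being checked; the `Test-PrivateKeyExportable` function name is the author's own.

```powershell
# Added example (not SDN Express code): find machine certificates whose private key
# cannot be exported, which is what makes the SDN Express export step fail.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-PrivateKeyExportable {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        # Exporting to PKCS#12 in memory forces the key to be read. A key marked
        # non-exportable (the default Computer template) throws CryptographicException,
        # exactly what an SDN Express Export-PfxCertificate call would hit.
        $null = $Cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12,
            'probe-password-never-written-to-disk')
        return $true
    } catch {
        # Any failure (non-exportable key, access denied) means the deployment would crash here.
        return $false
    }
}

# Template OIDs: 1.3.6.1.4.1.311.20.2 = V1 template name (e.g. "Computer"),
# 1.3.6.1.4.1.311.21.7 = V2+ template information.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

$report = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -or $_.DnsNameList.Unicode -contains $fqdn } |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            Template      = ($_.Extensions |
                                Where-Object { $_.Oid.Value -in $templateOids } |
                                ForEach-Object { $_.Format($false) }) -join '; '
            KeyExportable = Test-PrivateKeyExportable -Cert $_
        }
    }

$report | Format-Table -AutoSize

$blocking = @($report | Where-Object { -not $_.KeyExportable })
if ($blocking.Count -gt 0) {
    Write-Warning ("{0} certificate(s) for {1} have a non-exportable private key; " +
        "SDN Express will fail when it tries to export them.") -f $blocking.Count, $fqdn
}
```

Run it on every host and VM that SDN Express will touch; a non-empty warning means the auto-enrolled certificate has to be dealt with (or auto-enrollment suspended for that machine) before deployment, which is the workaround described in this issue.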

Was anybody able to have a look into this issue?

Acknowledging the issue. SDN Express scripts currently have some issues with CA signed certificates. We are working to improve the experience.
Note that we have recently published scripts to rotate certificates. So, you can change the self-signed certificates to CA based certs post deployment: https://github.com/microsoft/SdnDiagnostics/wiki/CertificateRotation

This is good to know. But the actual problem here is, the scripts as they currently work just crash if any of the involved servers already has a CA computer certificate when you run them.

We are looking into this.

Hello,

Any news on this issue?

Also, it would be useful to be able to use your own certificate at deployment, instead of having to replace them afterwards.