microsoft/SDN

Certificate

DCoates-InnovateLtd opened this issue · 1 comments

Hi All,

So I have been digging around and I have found an issue with certificates. My issue is that this function fails when installing Network Controller using SCVMM with an AzureHCI VHDX. This function is found in Helper.ps1 (for reference).

The issue I have is that when I pass a cert to the function it does not have a PrivateKey property, and so I get an error that Path cannot be null. What I have also found is that the MachineKeys folder is not always written to on import. When it is, the ACL permissions do not include an ACE for BUILTIN\Administrators, so when it does have a machine key, Administrator doesn't have permissions to it.

Has anyone else had this issue or have a work around?

The Error:
The script command exit code 2148734209 matched the failure policy setting "Match any value other than zero." Standard output log data: "directory. 'C:\NCInstall\certificate-ssl'
[2024-02-09T10:34:27.3107130+00:00]Found certificate at path: C:\NCInstall\certificate-ssl\XC10NCCL02.c9core.com.pfx
[2024-02-09T10:34:27.3107130+00:00]Adding certificate to personal store..
[2024-02-09T10:34:27.4357166+00:00]Saving SSL thumbprint to registry: 53929272AF0029B9F55F92DB366866E77637BEAD.
[2024-02-09T10:34:27.4669669+00:00]Retrieved SSL thumbprint from registry: 53929272AF0029B9F55F92DB366866E77637BEAD.
[2024-02-09T10:34:27.7482169+00:00]Checking if subject name of the provided certificate matches Rest End Point
[2024-02-09T10:34:27.7482169+00:00]Adding read permission to NetworkService account
[2024-02-09T10:34:27.8263407+00:00]Caught an exception:
[2024-02-09T10:34:27.8263407+00:00] Exception Type: System.Management.Automation.ParameterBindingValidationException
[2024-02-09T10:34:27.8263407+00:00] Exception Message: Cannot bind argument to parameter 'Path' because it is null.

The Function
Function GivePermissionToNetworkService($targetCert)
{
    # Only legacy CSP keys expose .PrivateKey; for a CNG key this is $null
    $targetCertPrivKey = $targetCert.PrivateKey
    # Look up the key container file by its unique name inside MachineKeys
    $privKeyCertFile = Get-Item -path "$ENV:ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" | where {$_.Name -eq $targetCertPrivKey.CspKeyContainerInfo.UniqueKeyContainerName}
    $privKeyAcl = (Get-Item -Path $privKeyCertFile.FullName).GetAccessControl("Access")
    # S-1-5-20 is the well-known SID for NT AUTHORITY\NETWORK SERVICE
    $networkServiceAccountName = [string] (New-Object System.Security.Principal.SecurityIdentifier("S-1-5-20")).Translate([System.Security.Principal.NTAccount])
    $permission = $networkServiceAccountName,"Read","Allow"
    $accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission
    $privKeyAcl.AddAccessRule($accessRule)
    Set-Acl $privKeyCertFile.FullName $privKeyAcl
}

Found the issue to be with the certificate template: it needs to be set to support legacy certificates. Once this was done, the exported certificate did include the .PrivateKey property.
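The null-Path error above comes from the helper assuming a legacy CSP key; a CNG key (what a non-legacy template produces) has no .PrivateKey, so the container lookup silently returns nothing. The following is an added example, not code from microsoft/SDN, showing a variant that resolves both key types, fails with a clear message when the key or its ACL is unreadable, and is idempotent. It assumes the standard machine key stores under %ProgramData%\Microsoft\Crypto and an RSA key; the function name Grant-NetworkServiceKeyRead is hypothetical.

```powershell
function Grant-NetworkServiceKeyRead {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$TargetCert)

    # Locate the on-disk key container. A legacy CSP key exposes .PrivateKey and lives
    # under RSA\MachineKeys; a CNG key does not expose .PrivateKey, so the original
    # lookup yields $null and Get-Item then fails with "Path ... is null".
    $keyName = $null
    $keyDirs = @()
    if ($TargetCert.PrivateKey) {
        $keyName = $TargetCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyDirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
    }
    else {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($TargetCert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG machine keys are normally stored under Crypto\Keys (assumed location)
            $keyName = $rsa.Key.UniqueName
            $keyDirs = @("$env:ProgramData\Microsoft\Crypto\Keys",
                         "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
        }
    }
    if (-not $keyName) {
        throw "Certificate $($TargetCert.Thumbprint) has no accessible RSA private key on this machine; verify the PFX was imported with its private key."
    }
    $keyFile = Get-ChildItem -Path $keyDirs -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $keyName } | Select-Object -First 1
    if (-not $keyFile) {
        throw "Key container '$keyName' was not found under: $($keyDirs -join ', ')"
    }

    # Read the ACL explicitly so a missing Administrators ACE surfaces as a clear
    # error instead of a generic Set-Acl failure later on.
    try { $acl = Get-Acl -Path $keyFile.FullName }
    catch { throw "Cannot read ACL of '$($keyFile.FullName)': $($_.Exception.Message). Grant BUILTIN\Administrators access (or take ownership) first." }

    # S-1-5-20 is the well-known SID for NT AUTHORITY\NETWORK SERVICE
    $networkService = (New-Object System.Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([System.Security.Principal.NTAccount]).Value
    $readRight = [System.Security.AccessControl.FileSystemRights]::Read
    $alreadyGranted = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $networkService -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readRight) -eq $readRight)
    }
    if ($alreadyGranted) { return $keyFile.FullName }   # nothing to do, ACE already present

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($networkService, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    return $keyFile.FullName
}
```

Run it from an elevated session; it returns the path of the key file whose ACL was checked or updated, which is also the file to inspect when the BUILTIN\Administrators ACE is missing.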