
I'm currently using the CertificateDSC CertReq resource to generate a certificate request within a DSC configuration. I'm pretty new to DSC, I'm checking it out using a push approach and my workflow consists of generating the mof and either running Start-DscConfiguration or Update-DscConfiguration afterwards.

Whenever I run the DSC configuration or update it a new certificate is being requested from the CA. Obviously that's not really what my intention is. How would you add a PowerShell DSC block that's evaluated on the node and dynamically check whenever a resource block needs to be applied?

The idea is to have block that checks for a suitable certificate and generates some kind of flag that's evaluated before the CertReq block.

In pseudo code it would be similar to the following. Doing that in a DSC doesn't seem to work.

Configuration X {
    Import-DscResource -ModuleName CertificateDSC

    # This check runs when the MOF is compiled, not on the target node
    if ((Get-ChildItem Cert:\LocalMachine\My | Where-Object -FilterScript $condition).Count -gt 0) {
        CertReq psCert {
            # Data
        }
    }
}
Seth

1 Answer

So first, the idea that you want to do a conditional check before executing the resource is counter to the idea of using DSC idempotently. That code executes during compilation time to generate the MOF but it's frozen at that point (as you've found out).

I've looked at the code for this DSC module and from that I can tell that it's already doing this check for whether or not it should be making a new request.

What you should be doing then is just to use CertReq with the parameters needed, and the module should handle all of the conditionals.

If it's still generating duplicate requests at that point then edit your question to include those details, and/or debug the DSC execution yourself.

briantist
    Our internal configuration has a, maybe, somewhat special case. The display name and CN for the template are different. The check in the module happens to compare the CN (which is what it seems to need for certificate creation) and the display name (which is part of the cert) and that doesn't work for us. Thanks for taking your time! – Seth Jan 30 '19 at 06:18
  • @Seth ah that's unfortunate. I'd raise an issue on the github for it and explain your use case. You could also modify it yourself for your own use and if you're feeling adventurous you could even submit a PR. – briantist Jan 30 '19 at 06:33
  • Thanks for the encouragement @briantist I was planning on opening an issue. For now I've modified the module to account for it. Submitting a PR seems kind of daunting as the Microsoft repos do seem to have quite an involved process for it. I'll check it out regardless, coming up with a proper fix shouldn't be that hard ... I hope. Have a good day! – Seth Jan 30 '19 at 08:00
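As an added example (not code from the question, the answer, or the CertificateDsc project), this is the pattern the answer recommends: no compile-time `if`, just CertReq with its parameters, so the resource's own Test runs on the node at every apply. The CA host, CA name, subject and template below are placeholders.

```powershell
# Added example. All names (CA, subject, template) are placeholders, not real infrastructure.
Configuration WebServerCert {
    Import-DscResource -ModuleName CertificateDsc

    Node 'localhost' {
        # No 'if' around the resource: the module's Test-TargetResource decides
        # on the node whether a matching certificate already exists.
        CertReq psCert {
            Subject             = 'CN=web01.example.test'   # placeholder subject
            CAServerFQDN        = 'ca01.example.test'       # placeholder issuing CA host
            CARootName          = 'Example Issuing CA'      # placeholder CA common name
            CertificateTemplate = 'WebServer'               # template name as the CA knows it
            KeyLength           = '2048'
            Exportable          = $false                    # keep the private key non-exportable
            AutoRenew           = $true
        }
    }
}

# Compile the MOF once on the authoring machine. Any PowerShell logic placed
# inside the configuration body runs here and is frozen into the MOF.
WebServerCert -OutputPath .\WebServerCert

# Apply with push. On the node, Test runs first; Set (the actual request to
# the CA) only runs when Test returns $false.
Start-DscConfiguration -Path .\WebServerCert -Wait -Verbose -Force

# Check idempotence: a second run should report the node as compliant, i.e.
# Test returned $true and no new request was sent to the CA.
Test-DscConfiguration -Path .\WebServerCert -Verbose
```

If the template's display name and CN differ, as in the comments above, the comparison inside the resource's Test is what has to change, not the configuration.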