Lost Private Key after sysprep #129

Open
mattbowes opened this issue Apr 19, 2018 · 5 comments · Fixed by #130
Labels
bug The issue is a bug. in progress The issue is being actively worked on by someone.

Comments

@mattbowes

Details of the scenario you tried and the problem that is occurring:

After sysprepping a server, the certificate is left in the cert store but the private key is removed during the sysprep process. xPfxImport only checks to ensure the thumbprint is present. It does not check to see if the certificate has a private key, so it never imports the pfx file and the certificate.

The DSC configuration that is using the resource (as detailed as possible):

xPfxImport Wildcard
{
    Thumbprint = $wildcardthumbprint
    Path       = $certificatepath
    Location   = 'LocalMachine'
    Store      = 'My'
    Exportable = $true
    Credential = $Credential1
    Ensure     = 'Present'
    DependsOn  = "[xDSCDomainjoin]JoinDomain"
}

Version of the Operating System and PowerShell the DSC Target Node is running:

DSC running in Azure
OS version: 2012R2

Version of the DSC module you're using, or 'dev' if you're using current dev branch:

xCertificate 3.2.0.0

@PlagueHO PlagueHO added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels May 1, 2018
@PlagueHO (Member)

PlagueHO commented May 1, 2018

Hi @mattbowes - ah, this is a great catch.

We should be able to fix this by changing the Test-TargetResource to check the Private Key with something like this:

(Get-ChildItem -path Cert:\LocalMachine\My\498F1F592D3E56A7124BBCD65AE70C1FD615BDE5).HasPrivateKey

Might have a look at this tonight.

@PlagueHO PlagueHO added in progress The issue is being actively worked on by someone. and removed help wanted The issue is up for grabs for anyone in the community. labels May 1, 2018
PlagueHO added a commit to PlagueHO/CertificateDsc that referenced this issue May 1, 2018
PlagueHO added a commit that referenced this issue May 3, 2018
PfxImport - Enable Re-import if Private Key not installed - Fixes #129
@joeyaiello joeyaiello removed the in progress The issue is being actively worked on by someone. label May 3, 2018
@mattbowes (Author)

@PlagueHO checking .hasPrivateKey still won't work after a sysprep. It returns true even though the private key is gone.
If you run something like
(gci cert:\localmachine\my | where thumbprint -eq $thumb).HasPrivateKey
(gci cert:\localmachine\my | where thumbprint -eq $thumb).PrivateKey.CspKeyContainerInfo
you will see that .hasPrivateKey returns true but CSPKeyContainerInfo returns nothing. The private key file on the file system does not exist.

Could the check be changed to
if ($certificate.hasprivatekey -and $certificate.PrivateKey.CspKeyContainerInfo)

@PlagueHO PlagueHO reopened this May 24, 2018
@PlagueHO (Member)

Great info @mattbowes - I'll make the change this weekend. Seems that sysprep doesn't do a great job here!

@mattbowes (Author)

mattbowes commented May 24, 2018

I updated MSFT_PfxImport.psm1 and created a pull request. I think that will fix it.

@johlju johlju added the in progress The issue is being actively worked on by someone. label May 25, 2018
@SteveL-MSFT SteveL-MSFT added this to In progress in powershell/dscresources May 14, 2019
@gaelcolas gaelcolas changed the title xPfxImport does not import after sysprep Lost Private Key after sysprep Jul 1, 2019
@gaelcolas (Member)

Simplified from this excellent post: http://paulstovell.com/blog/x509certificate2
The Public key is (usually) written to registry, and the Private key written to file (never stored together, unless exported to PFX), either with system/machine files or User data. The point is that it's only 'linked' by the .Net object, but not really the same thing at all, and stored differently.

When the cert request is still stored with all info, a /repairstore can fix that issue.
But sysprep destroys personal data to generalise the machine, hence probably why I think it's lost.
Even if the file is still there, it can be inaccessible, because of permissions.

Anyhow, up until .Net 4.8 (with GetRSAPrivateKey()) there's no easy way to get the Private key, and I'm yet to find a nice way to find if the Private key is actually available on the system or not (something quick we can run every 15min).
Until then, there's not much we can do on the resource side.
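The two comments above (the `.HasPrivateKey` / `CspKeyContainerInfo` observation and the note about `GetRSAPrivateKey()`) describe the same gap: the certificate object says it has a key, but nothing proves the key material is actually reachable on the machine. The function below is an added example written for this thread, not code from CertificateDsc or from any of the commenters. It assumes a .NET Framework version that provides `RSACertificateExtensions.GetRSAPrivateKey` (4.6 or later) and treats either a `$null` key object or a `CryptographicException` when the key is opened as "private key not available", since both behaviours have been reported for a sysprepped store. The function name and parameter names are this example's own.

```powershell
function Test-CertificatePrivateKeyAvailable
{
    <#
        .SYNOPSIS
            Returns $true only if the certificate with the given thumbprint is
            present AND its private key can actually be opened from this machine.
            (Added example, not part of the CertificateDsc resource.)
    #>
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Thumbprint,

        [Parameter()]
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [System.String]
        $Location = 'LocalMachine',

        [Parameter()]
        [System.String]
        $Store = 'My'
    )

    $certPath    = Join-Path -Path "Cert:\$Location\$Store" -ChildPath $Thumbprint
    $certificate = Get-ChildItem -Path $certPath -ErrorAction SilentlyContinue

    # Step 1: the thumbprint check that the original Test-TargetResource performed.
    if ($null -eq $certificate)
    {
        Write-Verbose -Message "Certificate $Thumbprint not found in $Location\$Store."
        return $false
    }

    # Step 2: HasPrivateKey only reflects the key-container reference stored with the
    # certificate; after sysprep this can still be $true while the key file is gone.
    if (-not $certificate.HasPrivateKey)
    {
        Write-Verbose -Message "Certificate $Thumbprint has no private key reference."
        return $false
    }

    # Step 3: actually open the key. Assumption: a missing or inaccessible key file
    # surfaces either as a $null key object or as a CryptographicException here.
    try
    {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($certificate)
        if ($null -ne $rsa)
        {
            # Reading KeySize forces the underlying CNG/CSP key handle to be acquired.
            $null = $rsa.KeySize
            return $true
        }

        # Legacy CSP path, matching the CspKeyContainerInfo check proposed in the thread.
        $legacyKey = $certificate.PrivateKey
        if ($null -ne $legacyKey -and $null -ne $legacyKey.CspKeyContainerInfo)
        {
            return $true
        }

        Write-Verbose -Message "Certificate $Thumbprint reports a private key but none could be opened."
        return $false
    }
    catch [System.Security.Cryptography.CryptographicException]
    {
        Write-Verbose -Message ("Private key for {0} is unreadable: {1}" -f $Thumbprint, $_.Exception.Message)
        return $false
    }
}

# Usage: feed the result into the resource's desired-state decision, so that a
# certificate whose key was stripped by sysprep is treated as absent and re-imported.
# Test-CertificatePrivateKeyAvailable -Thumbprint '498F1F592D3E56A7124BBCD65AE70C1FD615BDE5' -Verbose
```

Because the function returns `$false` both when the certificate is missing and when only its key is unusable, a `Test-TargetResource` built on it would trigger the `Set-TargetResource` re-import in either case, which is the behaviour the issue asks for. The verbose messages distinguish the two conditions for anyone reading the DSC log, without changing the boolean contract.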

@SteveL-MSFT SteveL-MSFT removed this from In progress in powershell/dscresources Nov 27, 2019
5 participants