Implement a resource to Configure NDES

[paule96]

Description

I have currently the problem I must implement NDES in my CA to let Linux devices request certificates. But I don't find any resources on how to automate this doing.

The UI steps what are todo to configure NDES can find here

Proposed properties

That are only the properties for the installation of NDES. For the configuration see the linked article. The list with the registry keys is maybe the easy step to implement.

Name	Type	Description	Sample
ndesServiceAccount	string	A domain user account that is a member of the local IIS_USERS on the NDES Service server	contoso\ndesService
caNameForNdes	string	the CA that creates the certificates that are requested by the NDES service.	-
ndesRegistrationAuthorityInformation	object, hashtable	An Object that has a Name, Country, E-Mail, Company, Department, City, and State property. That Object configures the Registration Authority Information on the CA	-
ndesCryptography	object, hashtable	Configure the cryptography provider for the signature key and the encryption key.	-

Special considerations or limitations

[PlagueHO]

Hi @paule96 - this resource would be gratefully accepted.

I'd suggest you align the parameter names to be the same as the PowerShell cmdlet parameter names as this will simplify the code somewhat and also align to what Microsoft use: https://docs.microsoft.com/en-us/powershell/module/adcsdeployment/install-adcsnetworkdeviceenrollmentservice?view=win10-ps

I'd generally recommend keeping the properties as closely aligned to the cmdlet parameters as possible. For example, I'd recommend against using object/hashtable for the RA info. Instead using the same parameters as the cmdlets:
-RAName
-RAEmail
-RACompany
-RADepartment
-RACity
-RAState
-RACountry

The same would go for the ndesCryptogtaphy.

I'd also recommend against including things like "NDES" in the property names because it is redundant information because it is part of the NDES resource.

Finally, you'll want to use the IsSingleInstance resource pattern here too (as only a single NDES instance can be installed per node). See the other ActiveDirectoryCSDsc resources for examples there.

Would be very keen to get this in! So thank you for contributing!

[paule96]

I have started a little bit of investigating in that issue. The currently working code is this:

Script ActiveNetworkDeviceEnrollmentService{
            SetScript = {
                $secureStringPassword = ConvertTo-SecureString $Using:UserPassword -AsPlainText -Force
                Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName $Using:UserDomainName -ServiceAccountPassword $secureStringPassword -CAConfig $Using:CaConfigName -RAName $Using:RaName -RACountry "DE" -RACompany $Using:DomainName -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength 4096 -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength 4096
            }
            GetScript={

            }
            TestScript = {
                # stolen from https://github.com/microsoftgraph/powershell-intune-samples/blob/958cb9990fa3ab5a3eafd3f44e2284ef5b7e9774/CertificationAuthority/Validate-NDESConfiguration.ps1#L908
                return Test-Path HKLM:SOFTWARE\Microsoft\Cryptography\MSCEP
            }
        }

Currently, I don't know how to get a complete Test or Get method implemented because of the registry HKLM:SOFTWARE\Microsoft\Cryptography\MSCEP only return this:

Name                           Property
----                           --------
CAInfo                         Configuration : ca01.side01.local\Side01 Root CA
CAType                         CAType : 1
CertsInMYStore                 CertsInMYStore : 1
EnforcePassword                EnforcePassword : 1
PasswordVDir                   PasswordVDir : CertSrv/mscep_admin
UseSinglePassword              UseSinglePassword : 0

But I don't know where I can find the Ra* information.

So maybe I know more tomorrow. :) So I can start with a real DSC resource in this project.

[paule96]

Okay the information I was searching for are included in the ndes certificate.

[PlagueHO]

Cool! Good stuff @paule96

[paule96]

update of my script wich I currently use:

        Script ActiveNetworkDeviceEnrollmentService{
            SetScript = {
                $secureStringPassword = ConvertTo-SecureString $Using:UserPassword -AsPlainText -Force
                Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName $Using:UserDomainName -ServiceAccountPassword $secureStringPassword -CAConfig $Using:CaConfigName -RAName $Using:RaName -RACountry "DE" -RACompany $Using:DomainName -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength 4096 -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength 4096
            }
            GetScript={

            }
            TestScript = {
                $validNdesCertificates = 0;
                $allCerts = Get-ChildItem "Cert:\LocalMachine\My" | select Thumbprint, Subject,Extensions -ExpandProperty Extensions | ?{$_.Oid.Value -eq "1.3.6.1.4.1.311.20.2" -or $_.Oid.Value -eq "1.3.6.1.4.1.311.21.7"} | Sort-Object Thumbprint -Unique;
                
                foreach($cert in $allCerts) {
                    $extension = $cert.Extension | ?{$_.Oid.Value -eq "1.3.6.1.4.1.311.20.2" -or $_.Oid.Value -eq "1.3.6.1.4.1.311.21.7"} | Select -First 1;
                    $templateName = $extension.Format(0);
                    # Todo: That is also not very stable because we need both certificates types. Not 2 of one.
                    if($templateName -eq "CEPEncryption" -or $templateName -eq "EnrollmentAgentOffline"){
                        # Todo: this is maybe wrong because if I set an Email thats wrong
                        # that will be fix if we have a real DSC resource with parameters
                        # then I can check the things by it self
                        if($cert.Subject -eq ("CN=" + $Using:RaName + ", O=" + $Using:DomainName  + ", C=DE") ){
                            $validNdesCertificates += 1;
                        }
                    }
                }
                # stolen from https://github.com/microsoftgraph/powershell-intune-samples/blob/958cb9990fa3ab5a3eafd3f44e2284ef5b7e9774/CertificationAuthority/Validate-NDESConfiguration.ps1#L908
                return ($validNdesCertificates -eq 2) -and (Test-Path HKLM:SOFTWARE\Microsoft\Cryptography\MSCEP);
            }
        }

I think I have now enough know how to start a real implementation of that DSC resource.

[paule96]

Cool! Good stuff @paule96

Thanks @PlagueHO 👍