Finally! Create, Permission, and Publish an AD CS Certificate Template with PowerShell
Formal Metadata
Number of Parts | 60
License | CC Attribution - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.
Identifiers | 10.5446/37381 (DOI)
Production Year | 2018
Transcript: English (auto-generated)
00:10
Good morning, welcome to the certificate stuff session. As we get started, I'm going to go ahead and dive straight in and show you that I have nothing up my sleeve.
00:21
This is a 2012 R2, yes, 2012 R2 VM. It has WMF 5, and I want you to notice that there are no administrative tools installed here, and there are no services running on this server. No Active Directory, no Certificate Services, none of that. This is basically a vanilla out-of-the-box 2012 R2.
00:44
I've just added WMF 5 to it, and what I did was I went ahead and pre-staged some modules under the Windows PowerShell modules folder. So we've got the ADCSTemplate module, which is what you're going to learn about today, xActiveDirectory, and xAdcsDeployment.
01:03
We want to build a full domain controller with OUs, users and groups, and Certificate Services on that domain controller, so that we can then populate custom templates. That's the whole thing of this session: custom templates from code. So what I'm going to do is, I've downloaded this from the gallery,
01:24
Install-Module ADCSTemplate. I'm going into the examples folder, and there's a build ADCS .ps1, and this is the code. I'm going to hide the terminal and I'm gonna drop down at the bottom of the DSC configuration.
01:44
We're gonna come back and look at this in just a second, but I want to kick this off now so we have a lab to play with. So I'm just gonna change the name to go t2 dot lab. Got my super secret admin password right there so everybody can see it in plain text, and then I'm just gonna hit F5 to run this bad boy.
02:02
And so now we are building a domain controller with OUs and users and groups and all that good stuff. So while that's rolling, I'm going to explain to you the backstory here. You guys know I used to work for Microsoft for about eight years, and when DSC came out about three years ago,
02:21
I was traveling all over the country and basically helping customers get DSC proof-of-concept labs set up, and one of the challenges was with DSC... I guess I should introduce myself first. My name is Bubba. I'm from Ohio. My name is Ashley McGlone. I used to work for Microsoft; now I work for Tanium. Anyway, my contact information is in the deck at the end, and it's in your little app thing.
02:46
So I used to travel for Microsoft doing DSC implementations, and the sticky part was when I had to teach people how to do credential management in DSC. I'd rather jab like a hot poker in my eye, right? It's just really
03:01
awkward and difficult to do all this certificate dance with encrypting credentials for DSC, and that used a custom template for document encryption. And that custom template means it's not there by default in Active Directory Certificate Services when you go look at your templates. How many have used AD Certificate Services? All right, how many have done the little dance: right-click, Duplicate Template, right?
03:25
Then you check all the boxes, you go through a five-page document with all kinds of screenshots from the vendor: here's how you make our custom template. I hate that. It's not PowerShell. You're clicking stuff, right? We don't click stuff in PowerShell. And so here's the adventure then.
03:42
I worked for Microsoft and I was actually in Oakland, California, for a customer, a little internet music company you've probably heard of, and it was late at night in the hotel, and I think, I'm just gonna do this. And so, you may or may not be aware, there are the Microsoft
04:02
protocol specifications out there for free on the internet. Everybody can read them because of some EU lawsuit years ago. It's gonna reboot here. That's cool. It means it's working. It's not a blue screen, I promise. So what happened? We'll see what my VM... Yeah, okay, we're good. So I'm on a Mac using VMware Fusion. I'm totally outside the Microsoft bubble now. Sorry.
04:26
So what happens, I sit there and I'm reading the doc, just like two in the morning on bloodshot eyes, I should be sleeping, like, I got to do this. And I got this code working for a one-off module I published in the gallery before I left Microsoft.
04:42
So the code was public, and I couldn't, so I couldn't take code with me. So I just dumped everything before I left Microsoft, dumped it to the web. So now the code's all public, so out there I went ahead and published a module in the gallery that all it did was, a one-off script module that would create that encryption certificate for ADCS, or in the
05:00
document encryption, to do the certificate encryption stuff for credentials in DSC. And I always knew I'd come back to that and make it where I could run any certificate template through that, but I knew it was gonna take some clever coding and I didn't have time for it. So, ain't nobody got time for that. So I put it off, and then I came to Tanium.
05:21
It's like, wait a minute. Okay, Tanium's another one of those vendors that has a custom template that's not there by default, and they've got the five-page paper, screenshots, click click click. It's like, oh, you gotta be kidding me. So I got to automate this, right? So what I did was I went back and I said, okay, I want to retool this now and refactor this code. I'm gonna make it so I could take any template.
05:41
So here's the process. What you're going to do is you're going to go into AD Certificate Services and you're going to do the right-click Duplicate dance once for the template, because I'm not about to try to code by hand all those little checkboxes and all those little tabs and the certificate stuff. That's just, you know, orders of magnitude of difficulty that I'm not going there.
06:04
But what I am gonna do though, I'm gonna give you a way: once you do it once, you're done. I'm gonna show you, we're gonna export that template then to JSON, which is a handy interchangeable file format, and then we're gonna import that anytime we... I did this for lab builds,
06:22
right, because I'd get all the way through an automated lab build and then get stuck at this certificate template problem: how do I make a custom template? So I kept getting stuck there, so I'm gonna fix this. And now I can do a fully automated DC with AD Certificate Services and it's all ready to go. I can even publish that to the CA, the issuer, and then I can even permission it, set it for enroll or auto-enroll.
06:45
All that, and you just specify a couple parameters and you're good to go. So let's log in now and take a look. Remember there was nothing in here, nothing up my little Tron t-shirt sleeve. All right, so let's go take a look, and now if I fire up
07:05
Server Manager and give it a chance to refresh here, what you'll notice over here on the left is there's AD Certificate Services, Active Directory Domain Services, and DNS and IIS, because we have the cert enrollment. I'm going there, and
07:24
then if I go over here, you'll see that I'm lazy and I installed all the GUI RSAT tools for AD and DNS and everything else. All right, so let's go take a look at how this works. We're just gonna drive right down to the modules folder,
07:41
ADCSTemplate, and I'm gonna zoom this all up here in a second. And here's the module, and what I've got... There we are, all right. Tell you what, let's go on a little tour.
08:00
Let's fire up ADSI Edit. I'm gonna do this with the GUI first and then I'm going to show you from the command line. So in ADSI Edit, right-click, Connect To, the current domain, and then in the middle you pick Configuration. This is the forest-wide partition, the forest configuration, and inside there is a
08:25
little spot called Services, and under Services is Public Key Services. I'm going to zoom in so you can see this. All right, so what we've got is... I've got a laser pointer in here. Never mind. So Public Key Services, this is where your templates live in Active Directory.
08:45
So if I go into the Active Directory or the Certificate Services console and I create a new template, it shows up down under here. We got Public Key Services and then we have the OID. OID reminds me of that Domino's Pizza commercial, avoid the Noid. You remember that one?
09:03
Anyway, Noid. Yeah, so then we got Enrollment Services, which is where the CAs live, and then we got Certificate Templates. So I'm at Mike. I know a little bit about AD, I know a little bit about PowerShell, and
09:21
really, I don't know anything about certificates. You guys should not trust anything I say about certificates. All right, I'm not a certificate expert, but I'm a hacker and I know I can figure this out in reverse engineering. And what I'm about to show you is completely not endorsed by Microsoft, because the story, where I forgot to say the rest of the story. So I wrote this code to do this, and
09:41
there's this PM at Microsoft, or I think he actually just left after like 30 years at Microsoft, and I email him. I say, look, you're the Certificate Services guy, you know, I kind of went through the chain and found the guy, and I said, here's this module I wrote to do what people are struggling with in the GUI. They can't do that in PowerShell.
10:05
He's like, use the API. I think, well, I tried that. I'm not a developer. I work for Microsoft; I'm not a developer. All right, so I looked at the API, I gave it my best, and this was, I think this would be incomprehensible even for a .NET veteran developer.
10:23
I mean, just the API was impossible. So I waited a month. I went back to the same guy, I said, hey, I got this module. Would you look at it? At least, you know, see, is this doing what it's supposed to do? And he's like, use the API. I did that like three times and I gave up. But then, as I was going out the door at Microsoft,
10:42
I published the code for everybody. So anyway, these objects are what we're gonna be working with, reverse engineering in PowerShell. So what happens when I create these certificates? First off, under the OIDs... Well, let's go look at the easy stuff. So here's Certificate Templates. This list should look kind of familiar.
11:06
All right, there's the EFS Recovery, there's the Machine certificate template, there's User, Workstation, Web Server, all those things that they tell you to go click in the GUI. All right, so I look there, and then I look under Enrollment Services, and all this is right here is
11:22
just the publishing, the issuer CA is listed here. And then under OID, right here if I look at the... there's an OID list, OID, object identifier, and this was the thorny part. It's like, okay,
11:43
where do those numbers come from? Do we just pick up the Scrabble bag and dump all the little characters out, just make up a number here? What do we do? Well, turns out, because I did this in multiple forests specifically, because if you look under the properties of this OID item here, this container, what you'll find
12:04
right here is a forest-specific PKI cert template OID, a big long number with lots of dots in it. Okay, and there are RFCs that explain what every one of those little numbers means, and I'm not going there today.
12:20
But this is unique to every forest. So I figured that out when I was reverse engineering it, and so I knew that when I created a template, then I have to begin the OID with that forest-specific one and then add some other stuff after it. Well, getting that other stuff after it got really weird. I went through all the public protocol documentation, couldn't find anything.
12:42
So what I ended up doing was I wrote a function called Get-RandomHex. I just made it up. All right, so I just made up, then I got this hex string. It just returns however many characters of random hex you want; pass it a length. And then I got a little function, once it generates the OID, it checks just to make sure it's unique.
13:02
It's highly random that it would ever create a duplicate. But then I've got this new template OID, and this is where it gets kind of really sci-fi. So what I discovered was that there are two components. You can't just go create a template. You have to create the OID, and then the template references that OID.
13:25
So there's two steps there, and then you publish the template to the CA. So there's three different touches in AD to make one of these templates in the GUI show up. So what I did then was I took this OID, msPKI-Cert-Template-OID property, and that's composed of that forest base OID
13:47
plus some long number, followed by some other long number. And so that's the OID object in the directory, and then on top of that, you take the same last little number and then you put these 32 hex characters after it, and
14:07
that's what I was able to discern just with my powers of observation from looking at ADSI Edit. Well, a couple weeks ago, I knew this session was coming up, and so I kicked it out to GitHub.
14:21
I put the module out there and I said, hey, anybody want to help check this out before my session, make sure nobody else sees something I'm doing wrong? And there's this MVP out of Latvia, I can't pronounce his name, Vadim, yeah, but he is amazing. This dude is a really sharp shooter, and he's all about PKI.
14:43
So Vadim says, hey, you know that PM at Microsoft? Yeah, I had this conversation with him back in like... and he actually posted a screenshot of the email from this, and I'm just not gonna... I'm gonna leave his name out, out of respect for this guy. And so he posted and says, yeah, those numbers, those aren't random numbers. That's actually an MD5 hash,
15:07
32, and I was like, oh yeah, that makes sense. 32 characters hex, it's a hash. Okay, so it's a hash over, like, this OID string, everything that comes before it. I haven't fixed that yet.
15:21
Figured that out because that was just two weeks ago. I haven't had a chance to update the code, wink wink. It still works just fine, but it's not to the spec that the API would generate, so I'm telling you this up front. So, you know, this guy is half-baked and you shouldn't trust this in production, but it works great in my lab.
15:40
You can use it in production if you want, but my use case is rapidly building labs over and over, right? I just want to build up my lab, get my template out there so I can register it and everything works. And really, people could care less what those little numbers are. They're stuck way back in the directory somewhere. So what I did then was I created this little algorithm.
16:01
It says, all right, cut OID part number one, OID part number two, OID part number three, and then we just jam those together, and we say we've read out of Active Directory that forest OID. So we take the forest OID plus OID part one and OID part two, and then the name is going to be OID part two and OID part three.
16:22
So that's it. It's just some string stuff, right? And so that then generates the stuff that goes into the template. Get-ADCSTemplate, all it does is... Oh, I should mention there's a little trick. So in Active Directory,
16:42
let me just pull this up. I didn't change my font size there. Let's do it down here in the terminal. So Get-ADForest. All right, there's my forest info. But Get-ADRootDSE has some really cool attributes on it, which includes the naming context for the
17:05
configuration partition. So the configuration, because no matter what, the path is the same except for the little domain part at the end. So what you do programmatically is you just say, give me the Get-ADRootDSE configurationNamingContext, and
17:23
then you append on that this path here: Certificate Templates, Public Key Services, Services, plus the config naming context. And so that's how I generate the Active Directory path where these objects are going to live. So Get-ADCSTemplate, what it does is just a function I call over and over throughout the module
17:46
that's going to go look in that path and give me a list of templates. And then if I want the specific one, that'll do the display name. Otherwise, it's going to give me all of them where the object class is pKICertificateTemplate. This is really pretty basic Active Directory
18:02
cmdlet stuff. It's just doing it with really weird objects that aren't users and groups. Okay, but it's really just basic AD cmdlet stuff. Does anybody watch my AD MVA, AD PowerShell MVA video? Okay, if you're not aware, go out to Microsoft Virtual Academy. I have six hours of free training on
18:23
Active Directory PowerShell. So it's me and Jason Helmick, the loud guy up front, really funny speaker running around this week. Me and Jason did six hours on Active Directory PowerShell. And so if you're not familiar with some of this stuff, go watch that video. It'll really help. So,
18:41
so where does the magic happen then? How do we get this stuff in and out of the directory? Let's go scroll down here. Actually, let's go watch this stuff work. Let's play for a little bit. So down here, what I want to show you is that I can do things like this. So,
19:03
Get-ADCSTemplate. So this is one of the cmdlets in the module, and so it's basically dumping all the AD attributes of all the templates that are in the directory. So that gets to be kind of long. So then let's pipe that to Format-Table Name. Actually, let's sort by Name, pipe to ft Name.
19:22
So here's a list of the certificate templates that are in the Certificate Services instance. That doesn't mean they're published. Those are just the certificate templates. All right, so then I can say, watch this: New-ADCSDrive. Oh, cd ADCS:,
19:43
dir, and now I'm in what we were looking at in ADSI Edit, from the command line. All right, so you can map, like the AD: drive letter you get, all we did was just instead map it down to the configuration partition. And because I'm running as a forest admin with like every permission in the world, nobody cares about permissions here.
20:03
So now I'm in there and I can do cd space... You always use tab complete here because you don't want to type all this mess. Certificate Templates, dir. There's the certificate templates. cd .., dir. I can go to cd, tab, to Enrollment Services, dir. There's my
20:27
server. Now what I want to show you is, let's do this. Say Get-Item. I'll grab this item here and
20:40
put parentheses around it, and I always, as long as I've typed DistinguishedName... it's painful after all these years to still type that much. There's the distinguished name, and then what I'm going to do is, because the drive doesn't expose all the properties on the object, I want you to see a specific property here. So let's do Get-ADObject -
21:03
Identity, oops, -Identity, there we go, and then we're gonna say -Property *. Friends don't let friends use -Filter *, -Property *, and then fl *. All right, what I want you to see is right here,
21:21
so on the certificate server, the publishing server, there's a property for the CA that says here's a list of the CN properties, the names of all the templates that this issuer is allowed to give out. So there's two different Certificate Services views.
21:43
There's the template view, but then you actually browse to the CA itself and you go to that one where it's like, here's all the published certificates. This is the list. So it's a multi-value attribute in AD, and all I have to do to publish a template is to add one entry on the multi-value entry here for that CA. I
22:07
see some wheels turning, people going, oh, this is cool. All right, I'm glad you think this is cool, because my life could care less. So now what we can do then is
22:21
let's say, let's go back to the C: drive. It doesn't really matter where I am. I'm gonna go to the root of C: here. All right, so now let's do Get-Command -Module ADCSTemplate. So I've got Export, Get, New-Drive, New-Template, Remove, and then Set the ACL. So now let's do
22:46
Export-ADCSTemplate -DisplayName 'Web Server'. Template... wait a minute, did I... what
23:00
what's going on here? All right, that was weird. Let's do this. Let's do Get-ADCSTemplate and pipe that to Name. For sure, there's a Web Server in there. Yeah, is it
23:21
Web Server, yeah. Did I not spell that right? Export-ADCSTemplate -DisplayName 'Web Server', try it again and get the same result. All right, let's do PC CMS PS. There we go, all right, that's what I was after. So
23:41
this basically just takes the attributes that we looked at in Active Directory a second ago and dumps them out to JSON. But here's the trick: JSON thinks everything's a string, and I know good and well that if I pipe those squirrelly certificate template objects to Get-Member, there's only going to be about half those things that are actually strings.
24:02
There's gonna be some weird Active Directory property data type, right, and there's like byte arrays. Oh, that's scary, right. So how do I do this? So what I had to do was, when I import that JSON to make a new template, what I do
24:22
is, first off, I create the new template OID. I create that object. I'm using splatting here. So in Active Directory, when you're working with the AD object cmdlets, there's an -OtherAttributes parameter which basically takes a hash table of property values. So what I did was I built a hash table that says DisplayName,
24:43
this flags, one that looked like it was important, and then some certificate template word that I generated. And so I create the OID first, and then I go in and I import that little JSON bit and I create a new object, or -OtherAttributes hash table, that starts out with the OID
25:01
that I've generated, because it needs to be unique in this forest. But then I do this little switch dance on the names of the property values I'm reading in from the JSON, and it says basically, hey, if you've got a property name that matches any one of these things, then dump that into the hash table of properties as an Int32 value.
25:24
All right, if it's one of these property values that's one of those funky AD types right here, so what we're doing is we're bringing it into a hash table with the property name, casting that string into that fancy data type on the value side of the hash table.
25:44
So we're building this hash table of all the properties, then we're gonna go BAM and pass it into the object, and it creates the object. So, and then the expiration period is a byte array. So what happens then down here, all this fancy-looking square bracket JSON thing, that all becomes a byte array now.
26:05
The other thing, like I said, there was no way I was going to try to reverse engineer every checkbox and whatever and everything. So what you need to understand in this is, this is probably one of the least touched interfaces in all of Microsoft Server, I think, by any product team.
26:24
It looks like it's still from, you know, NT4 or something when you pull up the MMC, the Certificate Services. Let's go look there real quick. I'm gonna... actually, let me just fire up MMC, because that's the other joy of certificate management, is building the MMC, right? So let's add a snap-in here for
26:45
Certificate Templates and Certification Authority. Yes, it's this box. Okay, and I know that's really tiny. I promise I'll zoom it. But what I want you to see here is that in my... I'll show you the DSC config. Let's go look at the DSC config real quick.
27:03
So in that Examples folder there's a DSC config. Now, here's the challenge with DSC: you know, you're limited to which data types you can pass through the MOF, and I knew there was no way I could pass those fancy AD data types through the MOF.
27:25
That's why I did it as one massive JSON string, so I dodged a bullet, I cheated the system. And so what my DSC does is it brings in the ADCS deployment and then my ADCS template.
27:41
So this module does not have DSC in the name, but there's a resource for creating these templates in there when you import it. So here's the stuff that I've demoed in previous PowerShell events, on my standard routine for building a DC, building a domain, building OUs, recycle bin, populating users and groups in those OUs, and then we get down here to building the certificate server.
28:04
So I've got my ADCS cert authority. I think I just took this straight out of the sample for the ADCS deployment resource: web enrollment, RSAT for ADCS, because I'm lazy. And then down here,
28:21
web enrollment, and then right here is my resource. And so I dropped two templates in here that I wanted to create in my lab. One says PowerShell CMS. Anybody played with the Cryptographic Message Syntax cmdlets in v5? It is so cool. It's like your Orphan Annie decoder ring.
28:43
I mean, you can take any text that you get anywhere in PowerShell and pipe it through an encryption-type certificate and it just turns it into, you know, gobbledygook. So I'll do a demo of that in just a second. So here I've created this PowerShell Cryptographic Message Syntax template, that's the display name. I'm going to grant Domain Computers and Domain Controllers
29:06
the ability to enroll by default and then also auto-enroll, which is completely non-production, right? You would have dedicated groups for which servers you want to get those templates. And then I've got my Tanium template as well.
29:21
But notice the configuration data has the JSON in it. So if I scroll down to the config data section of my DSC, oh, look at that. Isn't that a beautiful thing? I just got a big here-string, and so I'm literally just feeding it a JSON template to build out that whole certificate, with all the checkboxes and all the tabs in AD Certificate Services, right?
29:45
I've completely obviated, or abstracted, all the complexity of the certificate details, the template details, just by... you check the boxes one time, export it to JSON, and you're done forever. And then you just put this big here-string in there, which you could read from a database, you could read it out of a text file.
30:02
Any way you want to automate this is fine. So I've got two big JSON strings in there and I just bring those into the DSC, and the MOF file loves string data. It's perfect. It goes right through lickety-split, just like a fast pass at TSA.
30:23
So then once I get down here in my demo file, I want you to see how fun this is, what you can do then. And this is all in the module you can go download today. So what you can do then is, let's say, okay, let's look in my local certificate store, and
30:44
it looks like the auto-enrollment already kicked in, because I have a Key Encipherment key usage there, see that? It's already registered because I have Group Policy set to auto-enroll or whatever. But what I could do, if necessary, is I could just do this little Get-Certificate thing, and
31:05
then, oh, by the way, rabbit trail, squirrel: there's a cmdlet, Add-CATemplate. I thought my job's done. There's an Add-CATemplate cmdlet. All it does is take an existing template and publish it to the CA. It just tweaks that little multi-value attribute.
31:22
That's it. It doesn't create templates. All right, I couldn't find anywhere else to do this. All right, so here we go. We've got our template now and I can go grab my document encryption certificate. Well, all right, let's just make sure here. Let's go grab another one.
31:42
Think... all right. We've got a search, go grab my document encryption certificate, and so I'm just reading my local cert directory. I've got this special certificate, and now you've got this cmdlet, Protect-CmsMessage, using this newly generated thing, and it gives you an encrypted message.
32:02
So Lee Holmes wrote these. It was based on some RFC that he dug up, and it's a really friendly way to do encryption and decryption using certificates. You just have to have this special template, which now you can do for easy and for grins, and in the sample Examples directory there's a JSON export of that template already.
32:22
You just import it and then you're good to go with your DSC credential encryption or your cmdlets for this. So you take any... Protect-CmsMessage is really cool. You can pipe stuff to it and give it a certificate and it just sends it through the scrambler. So then you can decrypt it as well with Unprotect-CmsMessage.
32:41
That technique is what we use to encrypt credentials in DSC. So when you see the encrypted credential in the MOF file and it's got BEGIN CMS and END CMS, that's what it is. It's using this behind the scenes. Let's see if I've hit enough rabbit trails yet.
33:04
Let's go now to Get-Command. Oh, you know what? I didn't show you the actual stuff. Let's go look in the GUI and see what we made. Again, I'm gonna cheat and use the GUI here for AD Users and Computers. Here's my Tanium OU, my users and groups, and I'll show you real quick. I know this is really tiny,
33:25
so my DSC for the DC created the Tanium OU, the groups, the users underneath of it. It created the group called g tanium, and then there, see the users over here, and then inside that group, g tanium, there are the members.
33:42
So that's all done through DSC. Has nothing to do with today's session, I've done this for previous sessions. But what I want you to see then, on top of that, is when I go to Certificate Services over here, my templates: it created from scratch,
34:01
using that JSON template here, the PowerShell Cryptographic Message Syntax, and when you look at the security, on the Security tab, you see that we chose Domain Computers, Domain Controllers for Enroll and Autoenroll. And there they are: Domain Computers, Domain Controllers, checkbox Enroll, Autoenroll.
34:23
Because it's just tweaking the ACL on those AD objects. There's nothing fancy, really. You're just setting the ACL, and I need to update that code to make it a little cleaner, but it works pretty well. It's using Set-Acl. There's actually... every AD object has an nTSecurityDescriptor property, which has the ACL in it,
34:43
and you can work with that, and you use that squirrelly .NET method of getting the ACE object and you add ACEs, which are kind of really scary-looking until you figure them out. But then once you get it figured out, it's like, okay, you just got some template code, drop that in, add some... you just have to look at, you just reverse engineer all this.
35:00
Okay, you just go look at an existing certificate template, set the permissions the way you want, and then you go dump the object from that attribute and you go see what the permissions look like, and then you just recreate those in code. That's kind of how that works. I know I went through that really fast, but anyway, it's all in the code. You can look at it. So we did get two templates in there, PSCMS and
35:22
Tanium, and then over here on cert templates, that are the actual published templates on the CA, you'll see there's the Tanium and the PSCMS templates right at the top of the list. So we completely built an Active Directory domain, OUs, users and groups, Certificate Services, enrollment services,
35:42
templates, with no touch, no right-click, no screenshots, no clicky-clicky. All right, now let's have some fun. That was fun, I thought, in a nerdy kind of way, but
36:03
was it Linda? Yes, they called this week nerd camp. I mean, this is really what it's all about. This is fun stuff. So let's play with this a little bit. So now let's do Get-ADCSTemplate -DisplayName PSCMS. So here's the template that we just created.
36:23
Now, you know that little right-click dance that you do. What if we wanted to build another one of these? Let's say export... export that, and we get a JSON string. All right, we can dump that JSON string to a file, whatever.
36:40
But now what I'm gonna do is I'm gonna put that in parentheses, because this is PowerShell and I can do that, and I'm gonna say New-ADCSTemplate. Jason's next door. Jason, keep it down over there. Let's see if they can hear me. All right, New-ADCS... sorry, I shouldn't have yelled in the mic. I'll just New-ADCSTemplate.
37:04
Now we're gonna say -DisplayName PSCMS2. We're gonna make a copy of it, -JSON. We're reading, right now, live, a JSON export of another existing template in the templates list,
37:22
and we're gonna pass that JSON to a new one. This is the same thing you would do with a little right-click Duplicate in the GUI. All right, but then at the end of this what we're gonna do is we're going to say -... we could pass a server, -Identity, let's do... because we're living large here in the lab, let's do Domain Guests.
37:43
It's a quick, easy demo group. And then we'll say -AutoEnroll. So by default you have to have Read and Enroll permissions, so it'll give you that automatically, and then if you want this template to be auto-enrolled, you just say -AutoEnroll and it adds that to the ACL as well. So one command line
38:04
to duplicate and create and publish. Actually, I got to put -Publish on there too. What? That is... I missed the space. Oh.
38:20
Thank you, Jason, good catch. go t2 is my domain. Yeah, and now, actually, that one already exists. So let's call this one... I've done this a lot of times in the lab now. We're gonna call this, this is good, because we're gonna get a bunch of junk in there to clean up. We'll call this PSCMS3.
38:42
All right, that worked. And that's an artifact, and the ish is an artifact in VS Code. We've seen plenty of those, right? So now I go back over here to refresh the view of certificate templates, and here we are: there's PSCMS2, 3. One line of code just duplicated the template, and
39:03
then I drill into that one and go to Security. Oh, there's... okay, there's all these little checkboxes, and the crazy thing about every one of these little checkboxes and all this stuff that looks really smart and super-duper is, it's all, like, bit flags in those numeric values in the properties of the object.
39:22
That's why I said there's no way I'm gonna ever try to reverse engineer all that. I just wanted one big dump. And by the way, the DSC resource for this, it doesn't attempt to validate any of that. It just says, do I have a template with this name or not? So I want to make sure you know that. We're not doing any super magic to make sure you didn't miss a checkbox somewhere on your DSC stuff.
39:42
We're not doing that. We're just making sure the template name exists. I go to Security here, and there's Domain Guests, completely a violation of any production environment, giving them Enroll and Autoenroll to this template. All right, so we did that all from the command line with no
40:02
clicky-clicky. Yay. All right, so now let's do this: Get-ADCSTemplate, pipe that to Where DisplayName -like, and let's say
40:21
PSCMS*. All right, so, and then pipe that to ft Name. So here's my three CMS templates, right? And now what we want to do is take that and... we'll grab... actually, we'll say, let's do a ForEach,
40:43
Remove-ADCSTemplate -DisplayName $_. Oh, look at that, advanced functions confirmation: are you sure you really want to do this, perform the action Remove certificate template on this
41:03
thing way out there in AD land somewhere? I'm gonna hit Yes. Didn't like that. "Cannot validate... Identity"? Oh, so maybe this is something to do with the changes I made last night and published.
41:20
Okay, it's supposed to remove the objects. Okay, so, yeah, go download the code, but don't delete anything until I fix that. Yeah, you'll be good. So let's go review these certificates here. They should not... if it had worked correctly... No, it didn't. Doesn't look like it. No, okay. I got some code to fix, but that's what I get for changing code at midnight. So
41:45
anyway, so this is out there on the Gallery at Install-Module ADCSTemplate, and it's some really interesting code for you to study as you're learning PowerShell, some of the techniques that I use.
42:00
There's also tons of, like, extra comments and links, and kind of... this hasn't gone through the Script Analyzer. This is not high-quality module guidelines here. I'm about half of that high-quality module stuff, right? There's no Pester test, but it works, right? And that's what we're all after at the end of the day. I want some code that works. So, and I'm not trying to disparage my code,
42:22
but just say, hey, I want to set the bar appropriately here, and this is not coming out of the PowerShell team. All right, so there it is out on GitHub and there's documentation out there, and in that I tried to put a lot of cmdlet help in, so there's help for every one of these cmdlets with really good examples to show you how these work, and
42:44
maybe during Iron Scripter I'll get this code updated on the Remove. I really do need some Pester tests in the module, if anybody wants to write them. So anyway, so that's fully automating the creation, publishing and permissioning of AD certificate templates with no clicky-clicky.
43:05
Thank you very much. All right, we got time for a couple questions. Yeah, you said you were generating that...
43:24
Oh, I've no idea. I didn't know there were such scripts. Yeah, there's a VB script out there that actually generates a base... Okay, send me a link to that, or just drop it, like, you're out on the GitHub in the issues list,
43:43
just drop that in there and say... because there's an ongoing issue thing between me and Vadims about the OID. Just drop it as a comment in there, because I'd love to... because actually I looked, he said, he said, yeah, the PM told me this is a hash and all this, and I said, well, that's great, it's not publicly documented anywhere. But then I thought, wait a minute, this is X.509 RFC certificates,
44:05
so I went out to the RFC documentation for this certificate, you would think, and there was no mention of MD5 hashes or how to generate that. I don't know if that's a Microsoft implementation or, like, standard stuff or what, but good question. And those templates that you're generating,
44:21
they're, like, SHA-2 and things like that, right? Whatever your server's set to. Well, when you... your templates have to be set to sign, but by default they're set to SHA-1 until you actually modify it, right? Right, yeah, so however you generated it in your lab setup, before you did the export that you start to import everywhere,
44:43
that's what it's going to look like. That's another issue on my GitHub, of setting the schema version correctly. So you're not supposed to publish, like, a version 3 schema on a 2003 certificate server. They don't work, right? So Vadims pointed that out to me as well, and I'm like, no, that's not in there either, but I'm not ever going to...
45:07
I'm not ever going back that far, right? So I'm not sweating that one, because I know it's only going to get newer, so it shouldn't be a problem. Supposedly, yeah. Like I said, it works, wink wink.
45:29
You know, I think that's something I see you're working on, that's great, but it looks like your publish just goes to all enterprise... You know, I think that should be... anything be safer to say, do all your code, but then still use, you know,
45:41
be able to pass a parameter. Yeah, I got an offline root, I got... right, he's doing this. Two CAs are for that, right? I'm really glad you mentioned that, because in the code, if you read the comments, it says, hey, look, guy, this is going everywhere.
46:00
So when I do the publish, I just go enumerate that Enrollment container out there in AD, and for every CA I go down and publish the cert on every one of them, which is really not what you want to do in production. Like I said, this is not production code. It's for building a lab where I've got a single-instance standalone certificate server and I just need a template, right?
46:22
But yes, that's definitely on a list of things that you should take this code and change, so there's a parameter that says which CAs do you want, and maybe you could query that out of the directory and say, pick which CAs you want to actually publish to. Sure, yeah, I would love that.
46:43
No. Right, right, you wouldn't do that either. Like I said, this is all wink wink, nod nod. I'm building a lab quickly with DSC and I couldn't get past this one roadblock, so now we can. Yeah. All right, so thanks, everybody. This has been a lot of fun.
47:01
Hope you've had fun, and I'll start the trauma music back up. All right.