Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SqlSecureConnection: Unable to specify certificate by using friendly name #1941

Open
claudiospizzi opened this issue May 8, 2023 · 5 comments
Open

SqlSecureConnection: Unable to specify certificate by using friendly name #1941

claudiospizzi opened this issue May 8, 2023 · 5 comments
Labels
enhancement The issue is an enhancement request. good first issue The issue should be easier to fix and can be taken up by a beginner to learn to contribute on GitHub help wanted The issue is up for grabs for anyone in the community.

Comments

@claudiospizzi
Copy link
Contributor

Problem description

When using the CertificateDsc module with the CertReq resource, an internal signed certificate can be issued on the fly. This certificate is not usable for the SqlSecureConnection, as the resource currently does not accept anything else than the thumbprint to specify the certificate. But the thumbprint is not available during compile time.

Suggestion: Add the option to use the friendly name to specify the certificate.

I can provide a PR.

Verbose logs

Not available, as this is a new feature.

DSC configuration

SqlSecureConnection "Solution Option 1"
{
    InstanceName    = 'MSSQLSERVER
    Thumbprint      = 'Certificate for MSSQLSERVER'   # Thumbprint accept a friendly name
    ForceEncryption = $false
    Ensure          = 'Present'
    ServiceAccount  = 'sa-sql'
}

SqlSecureConnection "Solution Option 2"
{
    InstanceName    = 'MSSQLSERVER
    Thumbprint      = ''
    FriendlyName    = 'Certificate for MSSQLSERVER'
    ForceEncryption = $false
    Ensure          = 'Present'
    ServiceAccount  = 'sa-sql'
}

Suggested solution

Option 1:
The thumbprint parameter should accept the friendly name of a certificate. In the code, the thumbprint will be dynamically detected.

Option 2:
Leave the thumbprint empty and add a new DSC property called FriendlyName to specify the friendly name. If specified, the thumbprint will be overwritten.

SQL Server edition and version

SQL Server 2022

SQL Server PowerShell modules

Name      Version    Path
----      -------    ----
SqlServer 22.0.59    C:\Program Files\WindowsPowerShell\Modules\SqlServer\22.0.59\SqlServer.psd1

Operating system

OsName               : Microsoft Windows Server 2022 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PowerShell version

Name                           Value
----                           -----
PSVersion                      5.1.20348.1366
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.1366
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

SqlServerDsc version

Name         Version  Path
----         -------  ----
SqlServerDsc 16.3.1   C:\Program Files\WindowsPowerShell\Modules\SqlServerDsc\16.3.1\SqlServerDsc.psd1
@johlju
Copy link
Member

johlju commented May 9, 2023
edited
Loading

Suggest adding a new parameter FriendlyName and use the command Assert-BoundParameter so the resource throws and exception if both parameters are provided in the configuration. Thumbprint should no longer be required. But one of Thumbprint or FriendlyName should be passed otherwise the resource should also throw an exception. Assert-BoundParameter can be used for that verification too. Though, saw that there were a bug in the docs, says the wrong command name for that parameter set. Fixed.

@johlju johlju added enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community. good first issue The issue should be easier to fix and can be taken up by a beginner to learn to contribute on GitHub labels May 9, 2023
@bozho
Copy link
Contributor

bozho commented Jun 1, 2023

I'd suggest adding CommonName parameter instead of FriendlyName. In some cases (e.g. Let's Encrypt), we may not control/know exact certificate's friendly name.

Alternatively, have the resource allow matching the friendly name against a pattern.

In case of multiple certificate matches (with either solution), use the certificate with the latest expiration date.

@claudiospizzi
Copy link
Contributor Author

What about adding the FriendlyName as @johlju suggested but also the CommonName as @bozho mentioned. But for this the Assert-BoundParameter can't validate mutual exclusion of 3 parameters, right?

@johlju
Copy link
Member

johlju commented Jul 8, 2023

We should use only common name as @bozho suggests.

@russellhart
Copy link

This will also solve the issue of certificate auto-rotation. Instead of hard pinning the thumbprint the next installed certificate can be used as soon as it's available.
As mentioned choose the latest ValidTo, if ValidFrom and ValidTo are current.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement The issue is an enhancement request. good first issue The issue should be easier to fix and can be taken up by a beginner to learn to contribute on GitHub help wanted The issue is up for grabs for anyone in the community.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@bozho @claudiospizzi @johlju @russellhart