microsoft / SDN

This repo includes PowerShell scripts and VMM service templates for setting up the Microsoft Software Defined Networking (SDN) Stack using Windows Server 2016.

SDNExpress - Deployment fails when computer certificate auto-enrollment is in place #557

Open MassimoPascucci opened 1 year ago

MassimoPascucci commented 1 year ago

Our Active Directory environment includes an Enterprise Certification Authority. Certificate auto-enrollment is enabled for all computers: each machine in the domain automatically obtains a computer certificate from the internal CA. Please note that the default Computer certificate template doesn't allow the private key to be exported.

This creates a lot of trouble with the SDN Express deployment.

When a computer is joined to the domain, it automatically receives a Computer certificate with the machine FQDN as its subject; these certificates are detected and deemed usable by the SDN Express deployment scripts. However, they actually are not: when the scripts try to export them and move them around, they crash because the private key export fails. This applies to all SDN VMs, but also to the host certificates on the physical servers managed by SDN.

The only workaround we found to allow SDN Express deployment to proceed is to disable certificate auto-enrollment and remove all offending certificates from all involved systems.
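The pre-flight check the report above implies, as an added example (not code from the SDN repo or from the reporter): it lists the certificates in `LocalMachine\My` whose subject is the host FQDN, the ones SDN Express picks up, and reports whether each private key is marked exportable, which is the property the scripts' export step depends on. The FQDN lookup and the CSP/CNG branches are my own assumptions about how the key was provisioned; run it on each host and VM before deployment to find the auto-enrolled certificates that would make the export fail.

```powershell
# Added example, not part of the SDN repo. Reports whether the machine certificates
# SDN Express would select carry an exportable private key.
function Test-PrivateKeyExportable {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    if (-not $Cert.HasPrivateKey) { return $false }

    try {
        # Works for both legacy CSP keys (the default "Computer" template uses one)
        # and CNG keys; returns $null for non-RSA keys.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)

        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return [bool]$rsa.CspKeyContainerInfo.Exportable
        }
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
            return (([int]$rsa.Key.ExportPolicy) -band ([int]$allow)) -ne 0
        }
    }
    catch {
        Write-Warning "Could not open private key of $($Cert.Thumbprint): $($_.Exception.Message)"
    }

    # Unknown key type or access failure: treat as not exportable, which is the
    # conservative answer for a deployment that is about to attempt an export.
    return $false
}

# Assumption: the subject SDN Express looks for is "CN=<host FQDN>".
$fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$subjectPattern = "^CN=$([regex]::Escape($fqdn))(,|$)"

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $subjectPattern } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            SelfSigned = ($_.Subject -eq $_.Issuer)
            Exportable = Test-PrivateKeyExportable -Cert $_
        }
    } | Format-Table -AutoSize
```

A row with `SelfSigned = False` and `Exportable = False` is an auto-enrolled CA certificate of the kind described in this issue; the script only reports, it does not remove anything, so the decision to exclude or replace such a certificate stays with the operator.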

MassimoPascucci commented 1 year ago

As a side note, I'm wondering why private keys are being exported all around in the first place.

In the SDN context, certificates are used by systems to authenticate each other; they are exported from one system and imported into the trusted roots store in another. Only public keys should be needed (and used) in this process.

The only certificate that actually requires an export of the private key is the main network controller cluster certificate, which must be installed with its private key on all network controller nodes.
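The distinction drawn in this comment, as an added example (not code from the SDN repo or from the commenter): trust between peers is established by exporting only the public certificate and importing it into the peer's store, which never touches the private key and therefore cannot fail on a non-exportable auto-enrolled certificate; a PFX export with the private key is reserved for the one certificate that genuinely needs it, with an explicit exportability guard. The thumbprints, file paths and the password variable are placeholders I introduced for the example.

```powershell
# Added example, not part of the SDN repo. Placeholder values are marked as such.

function Export-PublicCertificate {
    # Writes the DER-encoded certificate only (no private key), which is all a
    # peer needs in order to validate this machine.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Path
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    Export-Certificate -Cert $cert -FilePath $Path -Type CERT | Out-Null
    return $Path
}

function Import-TrustAnchor {
    # Imports a public certificate into a trust store. For a self-signed peer
    # certificate that is Root; for a CA-issued certificate the CA's own
    # certificate is the correct anchor, so choose the store accordingly.
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Root', 'CA')][string]$Store = 'Root'
    )
    Import-Certificate -FilePath $Path -CertStoreLocation "Cert:\LocalMachine\$Store" | Out-Null
}

function Export-ClusterCertificateWithKey {
    # Only the network controller cluster certificate needs its private key on
    # every node. Refuse up front when the key is not exportable instead of
    # letting the deployment crash half-way through.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in this store."
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider] -and
        -not $rsa.CspKeyContainerInfo.Exportable) {
        throw "Private key of $Thumbprint is not exportable; re-issue it from an exportable template."
    }
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password | Out-Null
    return $Path
}

# --- usage with placeholder values ---------------------------------------
$peerThumbprint      = '<THUMBPRINT-OF-THIS-HOST-CERT>'      # placeholder
$ncClusterThumbprint = '<THUMBPRINT-OF-NC-CLUSTER-CERT>'     # placeholder
$pfxPassword         = Read-Host -AsSecureString 'PFX password'

# Peer trust: public part only.
$cer = Export-PublicCertificate -Thumbprint $peerThumbprint -Path 'C:\Temp\host.cer'
Import-TrustAnchor -Path $cer -Store Root

# Cluster certificate: the one case where the private key legitimately travels.
Export-ClusterCertificateWithKey -Thumbprint $ncClusterThumbprint `
    -Path 'C:\Temp\nc-cluster.pfx' -Password $pfxPassword
```

Keeping the PFX path to a single, named certificate also narrows what has to be protected in transit and at rest to one file rather than one per machine.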

MassimoPascucci commented 1 year ago

Was anybody able to have a look into this issue?

AnirbanPaul commented 1 year ago

Acknowledging the issue. SDN Express scripts currently have some issues with CA signed certificates. We are working to improve the experience. Note that we have recently published scripts to rotate certificates. So, you can change the self-signed certificates to CA based certs post deployment: https://github.com/microsoft/SdnDiagnostics/wiki/CertificateRotation

MassimoPascucci commented 1 year ago

> Acknowledging the issue. SDN Express scripts currently have some issues with CA signed certificates. We are working to improve the experience. Note that we have recently published scripts to rotate certificates. So, you can change the self-signed certificates to CA based certs post deployment: https://github.com/microsoft/SdnDiagnostics/wiki/CertificateRotation

This is good to know. But the actual problem here is, the scripts as they currently work just crash if any of the involved servers already has a CA computer certificate when you run them.

AnirbanPaul commented 1 year ago

We are looking into this.

MassimoPascucci commented 1 year ago

Hello,

any news on this issue?

Also, it would be useful to be able to use your own certificate at deployment, instead of having to replace them afterwards.