Jake Bruun

Reputation: 1323

Encryption certificates must contain Data Encipherment or Key Encipherment

After upgrading to Windows Management Framework 5.0, I have started to receive the following exception when sourcing a DSC configuration.

ConvertTo-MOFInstance : System.ArgumentException error processing property 'Password' OF TYPE 'MSFT_Credential': Certificate
'---HIDDEN-CERTIFICATE-THUMPRINT-VALUE---' cannot be used for encryption. Encryption certificates must contain the Data Encipherment or Key
Encipherment key usage, and include the Document Encryption Enhanced Key Usage (1.3.6.1.4.1.311.80.1).
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:303 char:13
+             ConvertTo-MOFInstance MSFT_Credential $newValue
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (:) [Write-Error], InvalidOperationException

The certificate being used on each node is a self-signed certificate that is generated using the following certificate request.

[NewRequest]
Subject = CN=[computer-name-here].dsc
KeyLength = 2048
MachineKeySet = true
RequestType = Cert
KeySpec = AT_KEYEXCHANGE

This request file is then fed to the certreq command line utility to generate the cert and load it into cert:\LocalMachine\My certificate store.

I have tried adding the following to my certificate request file, based on the documentation for the certreq tool, but I am still getting the same failure.

KeyUsage = 0x30
[Strings]
szOID_ENHANCED_KEY_USAGE = "1.3.6.1.4.1.311.80.1"

Setting KeyUsage to 0x30 enables both key encipherment and data encipherment. However, I cannot seem to find details about the enhanced key usage in the generated certificate. Perhaps I'm setting this value incorrectly in the request.

Please help.

Upvotes: 3

Views: 5506

Answers (2)

Nana Lakshmanan

Reputation: 739

You can use the New-SelfSignedCertificate cmdlet to generate the self signed certificate as well. I wrote this module which will help generate a certificate as required by DSC https://github.com/nanalakshmanan/xDSCUtils

Upvotes: 5

Jake Bruun

Reputation: 1323

I found the blog post PowerShell V5 New Feature: Protect/Unprotect-CmsMessage by Keith Hill, which doesn't directly relate to this issue but it does show how to define a certificate request file that contains the Document Encryption key usage.

I now generate a self signed certificate using the following request inf:

[Version]
Signature = "$Windows NT$"

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"

[NewRequest]
Subject = "CN=test.dsc"
KeyLength = 2048
MachineKeySet = true
RequestType = Cert
KeySpec = AT_KEYEXCHANGE
KeyUsage = CERT_KEY_ENCIPHERMENT_KEY_USAGE

[Extensions]
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_DOCUMENT_ENCRYPTION%"

Upvotes: 3
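The first answer suggests New-SelfSignedCertificate and the second shows the certreq INF that finally worked. As an added example (not code from the question, either answer or the xDSCUtils module), this PowerShell script creates the equivalent certificate with New-SelfSignedCertificate and then checks the resulting certificate for exactly what the error message demands: Key Encipherment or Data Encipherment plus the Document Encryption EKU. The subject name and store location are assumptions.

```powershell
# Added example: create a DSC credential-encryption certificate and verify it.
# Subject naming mirrors the question's request file; it is an assumption, as is the store.
$subject = "CN=$env:COMPUTERNAME.dsc"

# Key usage covers both encipherment bits; the text extension writes EKU 2.5.29.37 with
# the Document Encryption OID 1.3.6.1.4.1.311.80.1, the same pair the INF in the answer sets.
# On Windows 10 / Server 2016 and later, -Type DocumentEncryptionCert is an equivalent shortcut.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -KeyLength 2048 `
    -KeySpec KeyExchange `
    -KeyUsage KeyEncipherment, DataEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.4.1.311.80.1') `
    -CertStoreLocation 'Cert:\LocalMachine\My'

function Test-DscEncryptionCertificate {
    # Returns $true only when the certificate meets the requirement quoted in the
    # ConvertTo-MOFInstance error: an encipherment key usage, the Document Encryption EKU,
    # and a private key the node can decrypt the MOF credentials with.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $ku  = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    $encipher = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment -bor
                [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment

    $hasKeyUsage  = $ku  -and (($ku.KeyUsages -band $encipher) -ne 0)
    $hasDocEncEku = $eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.4.1.311.80.1')

    [bool]($hasKeyUsage -and $hasDocEncEku -and $Certificate.HasPrivateKey)
}

if (Test-DscEncryptionCertificate -Certificate $cert) {
    "Certificate $($cert.Thumbprint) is usable for DSC credential encryption"
} else {
    Write-Error "Certificate $($cert.Thumbprint) lacks an encipherment key usage or the Document Encryption EKU"
}
```

The same Test-DscEncryptionCertificate check can be run against a certreq-generated certificate fetched from Cert:\LocalMachine\My, which is a quicker way to diagnose the question's failing INF than re-running the DSC configuration.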
