The Great Change

Here, at work, I am currently going through a change in my Virtualization platform.  I began with Hyper-V (see older posts) and after doing research I found that the cost of VMM was quite high.  So, I convinced the folks with the money to go with VMware.  We are starting out our deployment with VMware ESXi 5.0 Essentials.  We are doing it without vMotion and that stuff for now. Down the road (2013) we plan on updating our storage solution, and will move up to vSphere 5.0 Essentials Plus, and keep moving up as we get more mission critical applications.

I’m currently blown away with the capabilities and ease of vSphere 5.0, compared to Hyper-V.  So, since I’m right in the middle of my deployment, I will be updating my blog regularly with problems, troubles, and solutions I find.

Hopefully everyone is finding some of this information helpful.  I’m excited to learn new technologies, and pursue my VCP in 2012.

Deploying Certificate with Group Policy

This post is still regarding my old post, I just felt that it was getting a little long, and was being taken in a different direction.

Now that I have put my certificate on the CA, I am going to push it out via Group Policy.  So, here at the steps.

  1. Open ‘Group Policy Management’
  2. Create a new GPO, mine is named ‘PowerShellCertificate’
  3. Right click on new GPO and select ‘Edit’
  4. Naviate to: Computer Configuration\Windows Settings\Security Settings\Public Key Policies
  5. Select ‘Trusted Root Certification Authorities’ and then import the certificate by using the wizard.
  6. Select ‘Trusted Publishers’ and then import the certificate by using the wizard.
  7. Deploy the policy.

Certificate to Sign PowerShell Scripts

I recently decided that I needed to create a script to run automatically one morning a week.  Once I got the script written of:

Restart-Computer -ComputerName XXX -Force

Simple huh?

Well, when I tried to run it I got: “The file cannot be loaded…. *.ps1 is not digitally signed.”  After changing my execution polity to all signed by:

Set-ExecuttionPolicy AllSigned I went to find how to make a certificate for PowerShell.  After finding this article I thought I had it in the bag.  Well, I didn’t.

Given that it is almost 2012, I’m using Windows 7 and tried this command:

makecert -n “CN=PowerShell Local Certificate Root” -a sha1 -eku -r -sv root.pvk root.cer -ss Root -sr localMachine

Then found out apparently ‘makecert’ isn’t included in Windows 7.  So, fear not, I went back to Google, and found out that I needed to download the “Microsoft Windows Software Development Kit” – Okay

After downloading that, being the tester that I am, I installed it on a virtual machine.  When I went to run it, I got an error that I needed .NET 4.0, so I went out and downloaded that and installed it.  Once that was installed I figured I would give the ‘makecert’ command another shot.  Wrong again.

Since I was worried I would forget where the Software Development Kit would save, I copied the location during the installation.  Which is: “C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin” and there it was!

Once you have gone to that folder you can now run (in CMD):

makecert -n “CN=PowerShell Local Certificate Root” -a sha1 -eku -r -sv root.pvk root.cer -ss Root -sr localMachine

Enter the password a couple of times.  Then run this command:

makecert -pe -n “CN=PowerShell User” -ss MY -a sha1 -eku -iv root.pvk -ic root.cer

After that verify that the above steps have worked correctly by going back to PowerShell and running:

PS C:\>Get-ChildItem cert:\CurrentUser\My -codesign


Once this has been verified, you are now ready to run:

PS C:\>Set-AuthenticodeSignature C:\RestartComputer.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]

Execute the script once you have done this and you will get the options to: ‘Never Run’ ‘Do not run’ ‘Run once’ ‘Always run’ ‘Help’.  By selecting A (Always Run) the script will run from then on.

Once the script is tested I exported the Certificate.

I did this by going to ‘Control Panel’ then ‘Internet Options’.  Once that was opened you need to select the ‘Content’ tab and select ‘Certificates’


Select ‘Export’ and ‘Next’.  On the following menu I selected ‘Yes, export the private key’ and then ‘Next’.

After that I selected the ‘Personal Information Exchange – PKCS #12(.PFX)’ and the sub options of ‘Include all certificates in the certification path if possible’ and ‘Export all extended properties’ and selected ‘Next’  Then inserted the password that I created earlier.  Once that was done, I selected the path, and saved the certificate.

The certificate was then copied to the computer that I was testing the script on, and imported it per the instructions above.  Once that worked I signed the script with:

PS C:\>Set-AuthenticodeSignature C:\RestartComputer.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]

and ran the script.  Everything worked as planned.  Once the server turned back on (since the script is to restart the server) I simply clicked on the script and the machine restarted again.

Now I have added the script to my CA, and I did this by opening mmc.exe and adding the certificate option.  Make sure that all of the subfolders read “CertSvc\…” so that you know you are on the certificate portion.  The certificate was then imported into the ‘CertSvc\Personal’, ‘CertSvc\Trusted Root Certification Authorities’ and ‘CertSvc\Trusted Publishers’.