TechQA.

Desired State Configuration credential private key not acquired

1.2k views Asked by At

I'm trying to use powershell DSC for a few things. I wanted to have the passed credentials encrypted per the instructions at http://technet.microsoft.com/en-us/library/dn781430.aspx it all seems to work fine until I run start-DscConfiguration on the target node and i get the error:

The private key could not be acquired. + CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException + FullyQualifiedErrorId : MI RESULT 1 + PSComputerName : DmitriyDev

Going back I checked to see that the mof contains the credentials encrypted and the meta.mof contains the matching thumbprint, etc.

going back to the original article i see the example code:

# Get the certificate that works for encryption 
function Get-LocalEncryptionCertificateThumbprint 
{ 
    (dir Cert:\LocalMachine\my) | %{ 
                    # Verify the certificate is for Encryption and valid 
                    if ($_.PrivateKey.KeyExchangeAlgorithm -and $_.Verify()) 
                    { 
                        return $_.Thumbprint 
                    } 
                } 
}

When I test my certificate using this code (on the target node) I see that the PrivateKey of the certificate is null. I'm not sure how the certificate is null. Trying a few things with certutil and the technique mentioned http://blogs.technet.com/b/vishalagarwal/archive/2010/03/30/verifying-the-private-key-property-for-a-certificate-in-the-store.aspx it seems that I do indeed have a private key, however Powershell see it only as null.

On the target node, I even exported the public private key manually and reimported them, with no luck as outlined in another dsc tutorial.

I also tried using procmon to see what the problem was on the target node. I see the wmiprvse process and see that it runs as System (as expected), and I checked to make sure that the permissions on the private key allowed for system (all on the target node)

So my question is how do I get my private key to be used by DSC specifically the LCM on the target node? Or how do I diagnose the problem more?

powershell certificate public-key dsc
Original Q&A
2

There are 2 answers

2
user5221891 On BEST ANSWER

I had a similar error when using New-SelfSignedCertificate to create my certificates. For anyone with similar issues, I suspect the problem is related to the storage provider used by New-SelfSignedCertificate (see http://blogs.technet.com/b/vishalagarwal/archive/2010/03/30/verifying-the-private-key-property-for-a-certificate-in-the-store.aspx, which talks about a problem with the Microsoft Software Key Storage Provider and .NET classes). There's a powershell script available on technet that creates self-signed certificates, and defaults to using a different storage provider, which solved the problem for me.

0
Karl On

Okay, i'm not sure exactly why this works, but it does. Using the Computer template seems to work. In terms of work, powershell on the target node can see it's private key from

dir cert:\LocalMachine\My | ? PrivateKey -ne $null

Once that happens it all works as expected. So long story short is don't use the workstation Auth template but the Computer template.

Related Questions in POWERSHELL

Related Questions in CERTIFICATE

Related Questions in PUBLIC-KEY

Related Questions in DSC

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions