Justin, I did some extensive digging into your blog and repos when I was learning DSC, so thanks for all that info; I would love an update for WMF 5 and even WMF 5.1.
Bjørn, I’ve experimented with 2 different methods. One method is having a unique cert on each node (generated by a GPO auto-enrollment policy). Another method is having one single DSC cert, which is then distributed to any node needing to use encryption.
For the most part, I’ve decided on the latter, because the former (unique certs) requires you to import and keep track of every thumbprint for every node. This is not ideal if you plan on having hundreds of nodes, or even machines that you plan on killing and rebuilding often.
I currently handle encryption certs in one of 2 ways, depending on the circumstance.
If the node already exists, I can invoke the ‘Import-PfxCertificate’ cmdlet on a node or list of nodes, passing the .pfx password in as a SecureString:
$pfxPassword = Read-Host -AsSecureString -Prompt "Enter cert password to import"
$nodes = "NODE1","NODE2","NODE3"
# $using: carries the local SecureString into the remote session; a bare $pwd there is the remote working directory, not the password. The .pfx path is local to each node.
Invoke-Command -ComputerName $nodes -ScriptBlock {Import-PfxCertificate -FilePath "PATHTOPFX.pfx" -CertStoreLocation "Cert:\LocalMachine\My" -Password $using:pfxPassword}
But if I am creating a new virtual machine, or a VM template, and I want it to automatically have the cert for encryption without having to touch it outside of creating it, I have set up an unattend.xml answer file. This answer file has 2 RunSynchronous commands which will each run a file (preloaded in a tmp directory) at the time of VM creation. The first RunSynchronous command calls a file called importcert.cmd which contains one line:
certutil -f -p "PFXPASSWORD" -importpfx "LOCAL\TMP\PATH\TO\PFX"
The second RunSynchronous command calls a file called metaInject.cmd which deletes both the importcert.cmd and the .pfx file, and then copies a .meta.mof file (also preloaded in the same tmp directory) to C:\Windows\System32\Configuration\MetaConfig.mof, which sets the LCM to pull a config from my pull server. The answer file will restart the node after the second command runs, ensuring the LCM gets enacted and the configuration is pulled. The configuration also includes the File resource to delete the tmp folder, so it sort of cleans itself up.
There may be a better way to do this, but this is the method I’ve come up with as I’ve been learning DSC…
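An added end-to-end example of the shared-cert method described above, written for WMF 5 (this is example code, not the commenter's own scripts). It imports one .pfx on every node, checks that the private key actually landed and that every node reports the same thumbprint, exports the public .cer for the authoring machine, builds ConfigurationData that encrypts credentials with it (no PSDscAllowPlainTextPassword), and generates a pull-mode meta.mof whose CertificateID points at that thumbprint, replacing the hand-copied MetaConfig.mof step. The node names, the .pfx path and password, the output folders, the pull server URL, the registration key and the configuration name are all assumptions; replace them with your own. One caveat worth keeping in mind: with a single shared cert, the private key on any one node decrypts the credentials in every MOF, so the per-node cert option trades thumbprint bookkeeping for a smaller blast radius.

```powershell
# Example code added to illustrate the shared-cert approach; not from the original comment.
# Assumed values (replace): node names, .pfx location already copied to each node, pull server URL,
# registration key, output paths and the published configuration name.
$nodes           = 'NODE1', 'NODE2', 'NODE3'
$pfxPath         = 'C:\Temp\DscEncryption.pfx'                           # assumption: present on every node
$pullServerUrl   = 'https://pull.example.local:8080/PSDSCPullServer.svc' # assumption
$registrationKey = '00000000-0000-0000-0000-000000000000'                # assumption: placeholder key
$cerPath         = 'C:\DSC\Certs\DscEncryption.cer'                      # assumption: authoring machine
$metaMofDir      = 'C:\DSC\Meta'                                         # assumption: authoring machine
$pfxPassword     = Read-Host -AsSecureString -Prompt 'Enter cert password to import'

# 1. Import the .pfx on each node and return what actually landed. $using: carries the SecureString
#    into the remote session; a bare $pwd there would be the remote working directory, not the password.
$results = Invoke-Command -ComputerName $nodes -ScriptBlock {
    $cert = Import-PfxCertificate -FilePath $using:pfxPath `
                                  -CertStoreLocation 'Cert:\LocalMachine\My' `
                                  -Password $using:pfxPassword
    # The LCM decrypts with the private key, so a public-only import is useless: check it explicitly.
    $installed = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    [pscustomobject]@{
        Node          = $env:COMPUTERNAME
        Thumbprint    = $installed.Thumbprint
        HasPrivateKey = $installed.HasPrivateKey
        NotAfter      = $installed.NotAfter
    }
}
$results | Format-Table Node, Thumbprint, HasPrivateKey, NotAfter

# With one shared cert every node must report the same thumbprint; bail out if any node disagrees
# or is missing the private key, rather than compiling MOFs nobody can decrypt.
$thumbprints = @($results.Thumbprint | Sort-Object -Unique)
if ($thumbprints.Count -ne 1 -or ($results | Where-Object { -not $_.HasPrivateKey })) {
    throw 'Encryption cert is not consistently installed with its private key on all nodes.'
}
$thumbprint = $thumbprints[0]

# 2. Export the public half from one node for the authoring machine. Only the .cer leaves the node;
#    the .pfx (private key) never travels back. Copy-Item -FromSession needs PowerShell 5.0 or later.
$session = New-PSSession -ComputerName $nodes[0]
Invoke-Command -Session $session -ScriptBlock {
    Export-Certificate -Cert "Cert:\LocalMachine\My\$using:thumbprint" `
                       -FilePath 'C:\Temp\DscEncryption.cer' | Out-Null
}
New-Item -ItemType Directory -Path (Split-Path $cerPath) -Force | Out-Null
Copy-Item -FromSession $session -Path 'C:\Temp\DscEncryption.cer' -Destination $cerPath
Remove-PSSession $session

# 3. ConfigurationData for node configs: CertificateFile encrypts credentials at compile time,
#    Thumbprint is written into the MOF so the LCM knows which private key to use. The '*' entry
#    applies to every node, so one line covers the whole fleet without per-node bookkeeping.
$configData = @{
    AllNodes = @(
        @{ NodeName = '*'; CertificateFile = $cerPath; Thumbprint = $thumbprint }
    ) + @($nodes | ForEach-Object { @{ NodeName = $_ } })
}

# 4. LCM meta-configuration: pull mode, and CertificateID pointing at the same shared thumbprint.
#    This replaces hand-copying a pre-built .meta.mof to System32\Configuration\MetaConfig.mof.
[DSCLocalConfigurationManager()]
configuration PullClientMeta {
    Node $AllNodes.NodeName {
        Settings {
            RefreshMode        = 'Pull'
            ConfigurationMode  = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded = $true
            CertificateID      = $Node.Thumbprint
        }
        ConfigurationRepositoryWeb PullServer {
            ServerURL          = $pullServerUrl
            RegistrationKey    = $registrationKey
            ConfigurationNames = @('BaseServer')   # assumption: name of the config published on the pull server
        }
    }
}

PullClientMeta -ConfigurationData $configData -OutputPath $metaMofDir | Out-Null
# Apply the meta.mof to every node over WinRM, then trigger a pull instead of waiting for the refresh interval.
Set-DscLocalConfigurationManager -Path $metaMofDir -ComputerName $nodes -Verbose
Update-DscConfiguration -ComputerName $nodes -Wait -Verbose
```

Run it from the authoring machine as an account that is a local administrator on the nodes. The consistency check in step 1 is the part worth keeping even if you do everything else by unattend.xml: a node whose import silently produced a public-only entry will reject every MOF with a decryption error, and that is much easier to catch before the meta.mof goes out than after.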