DSC LCM https pull Certificate ID

Hi All,

Looking at the DSC book and getting re-acquainted with DSC again. I just want to double check what looks to me to be slightly confusing information. The DSC book says that for the LCM when setting it up to connect to a Secure Pull Server

CertificateID. This is the GUID (thumbprint) of a local certificate, which the node will send to the pull server to authenticate the node to the server.

Elsewhere i am finding alternative information saying:

CertificateID. This is the GUID (thumbprint) of the Secure Pull Server certificate, which the node will use to encrypt the traffic to and from the pull server. (BTW this is the same thumb print that is used by the Pull Server in that configuration)

See https://msdn.microsoft.com/en-us/powershell/dsc/securemof - it describes what CertificateId is used for, and even goes into specifics on the kind of certificate that must be used - and what purposes that certificate cannot be enabled for.

There is no lower-level encryption for the pull server. It’s entirely plain-text unless it’s HTTPS, in which case it’s the server’s SSL certificate doing the encrypting. And very specifically, as noted in the above, the certificate referenced in CertificateId must not be usable for client authentication, which is the only other thing the node uses a certificate for. Just as your web browser doesn’t need a copy of a certificate in order to shop at Amazon.com, the node doesn’t need one to encrypt communications with the Pull server.

The DSC Book is actually less-than-clear - I’ll look into that now.

Mmm, I’m sorry - we’re talking two different setting areas. I was above referencing the main CertificateId from the LCM configuration.

You’re referring to the ConfigurationRepositoryWeb section, I assume. This is for authentication to the server, not for encryption. Encryption is handled by SSL - which is the server’s certificate. So, everything I said above, except where I questioned The DSC Book ;).

And it’s worth noting that the native pull server doesn’t actually support client certificate auth, although Azure Automation does, and you can technically set up a local IIS instance to do so.

Thanks for the quick response Don. The Certificate id part i am looking at is under the section “Specifying Configuration Pull Servers” not the mof password decryption part. The part that ends in (“This is nothing fancier than good old IIS certificate-based authentication.”).
The other online source i am looking at says the certificate thumb print when setting up the pull server on the LCM is the same thumb print as the pull server’s ssl certificate thumb print.
So question is: When setting up the LCM config for grabbing its mof from the secure pull server by setting up the “ConfigurationRepositoryWeb” is the "CertificateID: the Local pcs cert to authenticate against the Secure Pull server or is it the pull server’s Cert thumprint to encrypt the traffic. I am leaning more to the LCMs cert as why would you have to specify a particular cert on a web server to be able to connect to it?

i spent all that time writing a response and you have answered it before i could post lol thanks champ.

So the other source was using a V1 pull server hence the confusion on my part. Thanks again.