My current solution is as follows:
- Place the PFX file in an Azure File Storage and obtain the SAS token.
- Add the credentials to the PFX file as an Azure Automation Asset
- Use the following DSC configuration to ensure the certificate is installed:
    # Configuration name, node block and the PfxImport instance name were lost in
    # the paste above and are supplied here; the property values are the original ones.
    Configuration MyServerCert
    {
        Import-DscResource -ModuleName xPSDesiredStateConfiguration
        Import-DscResource -ModuleName CertificateDsc

        # PFX password, stored as an Azure Automation credential asset; resolved at compile time
        $MyServerCertPfxCred = Get-AutomationPSCredential -Name MyServerCert

        Node localhost
        {
            # Download the PFX from Azure File Storage (the URL carries the SAS token)
            xRemoteFile GetMyServerCertPfx
            {
                Uri             = "https://***.file.core.windows.net/***"
                # Note: a double-quoted $env:TEMP is expanded when the configuration is compiled, not on the node
                DestinationPath = "$env:TEMP\MyServerCert.pfx"
            }

            # Import the downloaded PFX into the machine store
            PfxImport ImportMyServerCertPfx
            {
                Ensure     = "Present"
                DependsOn  = "[xRemoteFile]GetMyServerCertPfx"
                Thumbprint = "***"
                Path       = "$env:TEMP\MyServerCert.pfx"
                Location   = "LocalMachine"
                Store      = "My"
                Credential = $MyServerCertPfxCred
            }
        }
    }
There is, however, a problem - the certificate is left on the target machine. I would like to avoid it.
One idea could be, instead of copying the certificate, to share the Azure File Storage container holding the PFX file and install it from the share, but then the share remains permanently mounted on the target machine, which is essentially the same problem.
I am looking for a way to ensure the certificate is present without leaving a trace.
I thought I could add a File resource with Ensure = "Absent" and make it depend on the PfxImport resource, but then how will it work? Will it constantly download the certificate, ensure it is installed (it would be) and then delete it again? Doing this every 30 minutes? Is this the right approach?
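Added example, not part of the post above and not code from the CertificateDsc or xPSDesiredStateConfiguration projects: it shows the other way to keep a PFX off the node's disk, by downloading the bytes into memory and importing them with the .NET X509 classes instead of writing a file for PfxImport. The thumbprint check at the start is the same idempotency test a DSC Test-TargetResource makes, so once the certificate is in the store nothing is downloaded on later consistency checks. The function and parameter names (Test-CertificateInstalled, Install-PfxFromMemory, $PfxSasUri, $PfxCred) are assumptions; $PfxSasUri stands for the SAS URL of the PFX and $PfxCred for the credential asset holding the PFX password.

```powershell
# Added example (assumed names): import a PFX into Cert:\LocalMachine\My straight from
# memory, so no .pfx file is ever written to the node and nothing is left to clean up.

function Test-CertificateInstalled {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    # Idempotency check, equivalent to a DSC TestScript: present means "in desired state".
    $wanted = $Thumbprint.ToUpperInvariant()
    return [bool](Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $wanted })
}

function Install-PfxFromMemory {
    param(
        [Parameter(Mandatory)][string]$PfxSasUri,      # SAS URL of the PFX in Azure Files (assumed)
        [Parameter(Mandatory)][pscredential]$PfxCred,  # PFX password as a credential (assumed)
        [Parameter(Mandatory)][string]$Thumbprint      # expected thumbprint, used as a pin
    )
    if (Test-CertificateInstalled -Thumbprint $Thumbprint) {
        return $false   # already installed: nothing downloaded, nothing to remove
    }

    # DownloadData returns byte[]; the PFX exists only in this process's memory.
    $pfxBytes = (New-Object System.Net.WebClient).DownloadData($PfxSasUri)

    $cert  = $null
    $store = $null
    try {
        # MachineKeySet + PersistKeySet: the private key lands in the machine key
        # container and survives the import, so LocalMachine services can use it.
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
                 [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
        # The password stays a SecureString; this overload accepts it directly.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList $pfxBytes, $PfxCred.Password, $flags

        # Refuse to install anything other than the pinned certificate.
        if ($cert.Thumbprint -ne $Thumbprint.ToUpperInvariant()) {
            throw "Downloaded PFX has thumbprint $($cert.Thumbprint), expected $Thumbprint"
        }

        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
                    -ArgumentList 'My', ([System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        $store.Add($cert)
        return $true
    }
    finally {
        if ($store) { $store.Close() }
        if ($cert)  { $cert.Reset() }   # release the handle; the key stays in the machine container
        # Zero the in-memory copy of the PFX before it is garbage collected.
        if ($pfxBytes) { [Array]::Clear($pfxBytes, 0, $pfxBytes.Length) }
    }
}

# Usage (placeholder values):
# $installed = Install-PfxFromMemory -PfxSasUri 'https://***.file.core.windows.net/***' `
#                  -PfxCred (Get-AutomationPSCredential -Name MyServerCert) -Thumbprint '***'
```

Inside a DSC configuration the two functions map onto a Script resource: Test-CertificateInstalled is the TestScript and Install-PfxFromMemory the SetScript, so the 30-minute consistency check only re-downloads if the certificate has actually disappeared from the store. How the PFX password reaches the node for the Script resource is left to the caller; the PfxImport resource in the post handles that through its Credential property, which a Script resource does not offer for script parameters.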