How To Automate a PKI configuration for an existing Azure VM

Captions
Hi friends, this is Preston again, and in this video we're going to talk about configuring PKI on an existing Active Directory domain-joined Windows virtual machine in Microsoft Azure. By configuring Active Directory Certificate Services as an enterprise certificate authority in your test and development environment, you can conveniently reproduce scenarios that require secure web server certificates, certificates for document encryption, or code signing, among others, as you develop and test your solutions before staging and deploying them to production. You can even consider using the solution to integrate certificate services in your lab environment for training in topics like PowerShell Desired State Configuration or any other certificate-dependent technologies that you plan to learn.

The requirements for building this lab are: an Azure subscription; an existing environment with an available Windows Server 2019 virtual machine; an internet connection; Windows PowerShell version 5.1 (in this demo I'll run the script from my Windows 10 laptop using the Windows Terminal); and membership in the local Administrators group on the machine on which you execute the PowerShell script. During execution you will be asked to upgrade the AzureRM modules, in case you haven't already done so, and replace them with the newer Az modules. The password required must be at least 12 characters and meet complexity requirements, i.e. 3 out of 4 of uppercase, lowercase, numeric and special characters.

So now we're ready to start the demo. This is going to simulate what Jessica has already done, and the first thing we need to do is open PowerShell as an administrator, so I will open the Windows Terminal version of PowerShell as administrator. The first thing we do at this point is to create a new project folder where the script will be downloaded to, so we'll do New-Item -Path, and we'll call this folder project0067, specify that the item type is a directory, and we'll get some verbose output.

Now that we have created that new directory, we can navigate to the GitHub location. We can accomplish that with Start-Process, specifying the file path as the URL https://github.com/autocloudarc/0067-configure-pki, and this will open that project up for us, at which point we can clone the project or download the zip file. I'm going to select the Code button and then Download ZIP, and I'm going to place it right inside of the project0067 folder that I've just created, so I'll click on Save and then I'm going to immediately open the zip archive so that I can navigate to the PowerShell script that I'd like to execute inside of this folder. That script is right here; it's called Configure-PKIOnVMInAzure.ps1, so I'll copy this and I'll place it at the root of our project0067 folder. Because we've obtained these files from an online source and my PowerShell execution policy is RemoteSigned, I need to unblock this file, so I'll right-click, go to Properties, and select the Unblock checkbox. Now I can close my file system and the browser and go back to my PowerShell session. I'm going to navigate to the project0067 folder; I'll just use Set-Location, specify the path as C:\project0067, and confirm. Now I can use dot sourcing to run the script, which is Configure-PKIOnVMInAzure.ps1. I need to specify a couple of parameters as well. One is going to be the automation account name, and to get the automation account name I need to find my Azure subscription where the environment has already been created. I'm going to copy this automation account name, and as you can see my resource group name is rg10 right here, so that's going to be my resource group, which is the other parameter I will require. So for the automation account name, that's my automation account name; the other parameter I need to specify is my resource group, and my resource group name is, as we just saw, rg10. I'll add the -Verbose switch to get some extra output.

When I hit Return, it's going to import cmdlets from the NuGet package provider, and the next thing we should expect it to do is to prompt us to upgrade the AzureRM modules and replace them with the newer Az modules. Now if you have the legacy AzureRM modules and you select Y or Yes, then those modules will be upgraded, but if you already have the Az modules it will just check to see if you have the latest versions, and if you do, then nothing happens; otherwise it will update your currently installed Az modules to the latest versions. So once we get prompted here I will specify Y to accept that we will update the Az modules, or upgrade to the Az modules if necessary, and here's the prompt, so I'll say Yes. Next, the NuGet package provider will be used to remove the legacy AzureRM module if necessary; in my case that won't be necessary, and it may just update modules.

The next prompt will be a notification that we should enter our credentials for our Azure subscription. Now this may open in a separate browser-based authentication window, so remember to switch to that window in order to log in. Here is the prompt, and I'll specify the account that I use to log into my subscriptions. One account may be associated with multiple subscriptions; I'm going to select the second subscription on the list because that's where my environment currently is, with the PKI server that we want to configure. At this point we're shortly going to be presented with the list of virtual machines in the target resource group, which is rg10, and we'll be prompted to specify one of these virtual machines, the one that we want to configure as a PKI server. If you notice, the last item in the list, azrpki1001, is the name of our PKI server; we just haven't configured it yet. So I'm going to select that server from the list here, azrpki1001, and now it's asking me to enter a username for the PKI server configuration. This must actually be an Enterprise Administrator account in the domain as well as the Domain Administrator for the root domain; in our case it's only one domain, and the name of this account is adm.infra.user@dev.adatum.com. It will also ask me for a password, so I need to supply the password here as well.

At this point we know that the automation account contains the configuration, the configuration data, and the necessary Desired State Configuration resource modules, the last of which is the xStorage resource module being imported now. It should be completing here in just a moment, maybe a couple of minutes; it has to be sent to a queue and then picked up by the worker on the Desired State Configuration pull server to perform the compilation, so we'll pause again for just a minute and resume shortly. Okay, so the compilation is finished, and now it's checking for the node registration of the target VM, which is azrpki1001, so that the configuration can be applied to it and that machine will become configured as a PKI server. When it's finished, this In Progress status will change to Compliant, so I'll continue to pause and I'll resume when the status changes to Compliant. All right, so we see now that the status has changed to Compliant, and even the color coding is green; before it was blue when it was in progress.

As a final verification, we can log into that machine. I'm going to go back to my resource group list and sort all of my resources. I want to find my PKI server, which is azrpki1001, and this environment uses Azure Bastion, so it's a secure way of doing RDP to log into that virtual machine. I'm going to specify my credentials to log in here, adm.infra.user@dev.adatum.com, and log in. If I just type certsrv.msc, that should be the certificate services manager, or the certificate authority MMC console, and if I expand this you'll see it says Certificate Authority (Local). I know it's small, but there we go: we have PKI01, which is the name of the certificate authority.

So here's what we've done so far: we've downloaded and executed a script to retrieve and import artifacts and modules to configure a target domain-joined virtual machine in Azure as a certificate authority server, all done faster than you can say "verisimilitude". Well, okay, maybe not quite that fast, but still more automated, simplified and repeatable, so you get a simplified experience, and it's more infrastructure-as-code friendly than manually using Add Windows Features in Server Manager. So thanks for watching this video. If you really enjoyed it and want to see more of these tutorials, make sure to like this video and subscribe to this channel; doing so helps us grow the channel to continue producing great content for even more IT professionals. I'd love to hear from you too, so together we can all improve the content: send any feedback on what you liked or what I can do to make these productions even better for everyone. Thanks again for watching, and happy automating!
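The procedure above is carried out by hand in the video (create the folder, unblock the script, sign in, pick the subscription and VM, run the script, watch the portal until the node turns Compliant, then RDP in through Bastion and open certsrv.msc). The following wrapper is an added example written for this page; it is not the video's script and not code from the AutoCloudArc repository. It reproduces those steps with Az cmdlets and replaces the two manual waits with checks that can fail loudly. Every name in it is an assumption taken from the transcript: the folder C:\project0067, the script file name Configure-PKIOnVMInAzure.ps1 and its -AutomationAccountName/-ResourceGroupName parameters, the automation account name, and the VM name azrpki1001; substitute your own values.

```powershell
# Added example for this page; not the video's script or the AutoCloudArc repository's code.
# Reproduces the demo's manual steps with Az cmdlets, then polls the DSC node until Compliant
# and verifies the CA inside the guest. All names below are assumptions taken from the transcript.
#Requires -Version 5.1
#Requires -RunAsAdministrator

param(
    [string]$ProjectPath           = 'C:\project0067',                 # assumed folder
    [string]$ScriptName            = 'Configure-PKIOnVMInAzure.ps1',   # assumed file name
    [string]$ResourceGroupName     = 'rg10',
    [string]$AutomationAccountName = 'aa-demo',                        # assumed; copy yours from the portal
    [string]$TargetVm              = 'azrpki1001',
    [int]   $TimeoutMinutes        = 30
)

# 1. Legacy AzureRM and Az modules conflict when loaded in one session; stop if AzureRM is still present
#    rather than letting the downloaded script decide interactively.
if (Get-Module -ListAvailable -Name AzureRM) {
    throw 'Legacy AzureRM modules are installed. Remove them (Uninstall-AzureRm, from Az.Accounts) before continuing.'
}
if (-not (Get-Module -ListAvailable -Name Az.Accounts)) {
    Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
}

# 2. A file downloaded from GitHub carries the Zone.Identifier mark; under RemoteSigned it must be
#    unblocked before it can be dot-sourced. Unblock-File is the scripted form of the Properties checkbox.
$scriptPath = Join-Path -Path $ProjectPath -ChildPath $ScriptName
if (-not (Test-Path -Path $scriptPath -PathType Leaf)) { throw "Script not found: $scriptPath" }
Unblock-File -Path $scriptPath

# 3. Sign in, then select the subscription that actually contains the target resource group
#    instead of trusting whichever subscription happens to be the default context.
Connect-AzAccount | Out-Null
$found = $false
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -Subscription $sub.Id | Out-Null
    if (Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue) { $found = $true; break }
}
if (-not $found) { throw "Resource group '$ResourceGroupName' not found in any accessible subscription." }

# 4. Confirm the VM exists before launching a long-running DSC compilation against it.
$null = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $TargetVm -ErrorAction Stop

# 5. Run the downloaded script as in the demo (dot-sourced, with the two parameters). It prompts for
#    the Enterprise Admin credential itself; never pass that password on the command line.
Set-Location -Path $ProjectPath
. $scriptPath -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName -Verbose

# 6. Poll the DSC node instead of watching the portal colour change; fail fast on a Failed status.
function Wait-DscNodeCompliant {
    param([string]$Rg, [string]$Account, [string]$NodeName, [int]$Minutes)
    $deadline = (Get-Date).AddMinutes($Minutes)
    do {
        $node   = Get-AzAutomationDscNode -ResourceGroupName $Rg -AutomationAccountName $Account -Name $NodeName -ErrorAction SilentlyContinue
        $status = if ($node) { $node.Status } else { 'NotRegistered' }
        Write-Host ('{0:HH:mm:ss}  {1}: {2}' -f (Get-Date), $NodeName, $status)
        if ($status -eq 'Compliant') { return $true }
        if ($status -eq 'Failed') {
            # The latest node report carries the resource-level error from the LCM on the target VM.
            Get-AzAutomationDscNodeReport -ResourceGroupName $Rg -AutomationAccountName $Account -NodeId $node.Id -Latest | Format-List
            throw "DSC configuration for $NodeName failed."
        }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}
if (-not (Wait-DscNodeCompliant -Rg $ResourceGroupName -Account $AutomationAccountName -NodeName $TargetVm -Minutes $TimeoutMinutes)) {
    throw "Timed out after $TimeoutMinutes minutes waiting for $TargetVm to become Compliant."
}

# 7. Verify inside the guest without an RDP session: CertSvc is running and the CA has a name and type.
$check = Join-Path -Path $env:TEMP -ChildPath 'check-ca.ps1'
@'
Get-Service -Name CertSvc | Select-Object -ExpandProperty Status
certutil -cainfo name
certutil -cainfo type
'@ | Set-Content -Path $check -Encoding ASCII
$result = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $TargetVm -CommandId 'RunPowerShellScript' -ScriptPath $check
$result.Value[0].Message
```

Two points to keep in mind when adapting it. The node name passed to Get-AzAutomationDscNode is the name the LCM registered with, which in this lab is assumed to equal the VM name; if your nodes register under an FQDN, adjust the lookup. And the run-command check only confirms that the CA role is up; it does not replace reviewing the CA's configuration (key length, CRL distribution points, template permissions) before trusting it for anything beyond the test and development use the video describes.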
Info
Channel: AutoCloudArc
Views: 130
Rating: 5 out of 5
Keywords: PKI, Azure, Automation, PowerShell, DSC, ARM, GitHub, Preston K. Parsard, AutoCloudArc
Id: m1lA_RsPe-w
Length: 14min 8sec (848 seconds)
Published: Wed Sep 02 2020