Deploying SSL Certificates in Windows with Puppet

January 08, 2019 Security and Compliance, MOVEit

Chances are if you are managing servers in an organization, you have also had a lot of experience managing SSL certificates. Practically any web server should be communicating over HTTPS to clients if you want to make it secure, which means you have to deploy an SSL certificate to the server itself.

While installing an SSL certificate on Windows is somewhat trivial, having to do this on many web servers manually is time consuming. This is the perfect task for a configuration management solution such as Puppet. With Puppet, we can write a configuration that will allow us to quickly install an SSL certificate on many Windows servers. What happens when that certificate expires and you need to deploy a new one? Just update the configuration code in Puppet (thumbprint, PFX file etc.) and we are on our way.

Windows SSL Certificate Using Puppet

The Puppet SSLCertificate module handles pfx, cer, der and p7b on Windows. In this article, I will be showing how to use it with PFX, which is a common way of installing a certificate on Windows.

The SSLCertificate resource has several parameters: name, password, location, thumbprint, store_dir, root_store, scripts_dir and exportable. If you are familiar with SSL certificates, these should be self-explanatory.

Here is a simple example of using it in a Puppet manifest:

sslcertificate { "Install-PFX-Certificate" :
  name       => 'mycert.pfx',
  password   => 'MyCertPassword1',
  # Doubled backslash: a single-quoted Puppet string cannot end in a lone '\',
  # because \' is read as an escaped quote. The value is still C:\
  location   => 'C:\\',
  thumbprint => '17R341AF7F5223CB975CC29B5455642F5570798B'
}

The name parameter is the name of the actual PFX file, the password is the password specified when you created the PFX file, the location is the directory on the target machine where the PFX is located, and of course the thumbprint is the thumbprint of the certificate.

Deploying an SSL Certificate Example

The above code in our manifest is fine for importing the PFX certificate, but how do we actually get the PFX file onto the remote machine? For this, we turn to the Puppet “file” resource. Using this resource in a manifest, we can copy a PFX file from our Puppet master to a node.

In our example manifest, we will start by defining the file we want to copy over:

file { 'C:\mycert.pfx':
  ensure => present,
  source => "puppet:///modules/ssl_certificate/mycert.pfx",
  # Single quotes here: in a double-quoted string "\D" is an unrecognised
  # escape sequence and Puppet warns about it.
  owner  => 'DOMAIN\Dan',
  group  => ["administrators","everyone"],
  # Note: a PFX bundles the private key with the certificate, so this mode
  # decides who can read that key while the file sits on disk.
  mode   => "1777",
}

Our resource title “C:\mycert.pfx” is the actual path that the resource will be downloaded to on our node. The other attributes include “source” which is the path on our Puppet master to the PFX file, the owner of the file, the group, and the mode, which is the file permissions.

From here, I just create a class with the file resource and SSLCertificate:

class my_wildcard {
  file { 'C:\mycert.pfx':
    ensure => present,
    source => "puppet:///modules/ssl_certificate/mycert.pfx",
    owner  => 'DOMAIN\Dan',   # single quotes avoid the "\D" escape warning
    group  => ["administrators"],
    mode   => "1777",
  }
  # The chaining arrow makes the import depend on the file being in place.
  -> sslcertificate { "Install-PFX-Certificate" :
    name       => 'mycert.pfx',
    password   => 'MyCertPassword1',
    location   => 'C:\\',     # 'C:\' would swallow the closing quote
    thumbprint => '17R341AF7F5223CB975CC29B5455642F5570798B'
  }
}

Now there is one issue with this manifest as it stands. Do we want to keep that PFX file on the node after we import the certificate? Of course not. For this, I will turn to the Puppet exec resource with the PowerShell provider and add this code to my manifest, which will delete that file after it is imported:

exec { 'Remove_Cert':
  command   => 'Remove-Item -Path C:\mycert.pfx -Force',
  provider  => powershell,   # provided by the puppetlabs-powershell module
  logoutput => true,
  # Make the ordering explicit so the file is only deleted after the import.
  require   => Sslcertificate['Install-PFX-Certificate'],
}

On my Puppet node, I run puppet agent --test to first copy the PFX file to C:\, then import the certificate into the default store, and finally delete the mycert.pfx file.

PS C:\> puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for Test-1
Info: Applying configuration version '1521476318'
Notice: /Stage[main]/ssl_certificate/File[C:\mycert.pfx]/ensure: defined content as '{md5}a1b8fcf1bbc5662aee9241fae934aa85'
Notice: /Stage[main]/ssl_certificate/Exec[Remove_Cert]/returns: executed successfully
Notice: Finished catalog run in 27.59 seconds
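Putting the three resources together, here is an added example (not code from the post or from the sslcertificate module) of the same deployment as one class, with the PFX password supplied from Hiera instead of being written into the manifest, the staged PFX readable only by Administrators because it carries the private key, and the clean-up exec guarded so it only fires when the file exists. The class name, Hiera key, source path and thumbprint placeholder are assumptions.

```puppet
# Added example, not from the original post or the sslcertificate module.
# Set profile::windows_ssl_cert::pfx_password in Hiera (ideally encrypted with
# hiera-eyaml); Puppet's automatic parameter lookup fills $pfx_password in.
class profile::windows_ssl_cert (
  String $pfx_password,
  String $thumbprint  = '<SHA1_THUMBPRINT_OF_YOUR_CERT>',   # placeholder
  String $pfx_name    = 'mycert.pfx',
  String $pfx_source  = 'puppet:///modules/ssl_certificate/mycert.pfx',
) {
  $pfx_path = "C:\\${pfx_name}"

  # Stage the PFX. The bundle holds the private key, so keep it owner-only
  # rather than the world-writable '1777' used in the post.
  file { $pfx_path:
    ensure => file,
    source => $pfx_source,
    owner  => 'Administrators',
    group  => 'Administrators',
    mode   => '0600',
  }

  # Import into the default LocalMachine store. The module checks the
  # thumbprint first, so an already-imported certificate is left alone.
  # 'C:\\' not 'C:\': a single-quoted string cannot end in a lone backslash.
  -> sslcertificate { 'Install-PFX-Certificate':
    name       => $pfx_name,
    password   => $pfx_password,
    location   => 'C:\\',
    thumbprint => $thumbprint,
  }

  # Delete the staged PFX once the import has run. The onlyif guard means
  # the exec runs (and is reported) only when the file is actually present.
  -> exec { 'Remove_Cert':
    command   => "Remove-Item -Path '${pfx_path}' -Force",
    onlyif    => "if (Test-Path '${pfx_path}') { exit 0 } else { exit 1 }",
    provider  => powershell,
    logoutput => true,
  }
}
```

As in the post, each agent run re-copies and then removes the PFX; the certificate itself is only imported when its thumbprint is absent from the store.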

As you can see, using Puppet to manage and install a Windows SSL certificate is easy. With a few lines of code we can manage SSL certificates on many Windows servers at once.

Dan Franciscus

Dan Franciscus is a systems engineer and VMware Certified Professional (VCP) specializing in VMware, PowerShell, and other Microsoft-based technologies. You can reach Dan at his blog (http://www.winsysblog.com/) or Twitter at @dan_franciscus.
