Creating a local SSL certificate hierarchy with Windows PowerShell

Often times when playing with new technologies you are required to utilize SSL certificates and not everyone has access to and enterprise Certificate Authority. Here is how you can create one with Windows PowerShell on Windows 10.

Create a simple hierarchy of certificates.

  • Local Root Certificate Authority (CA)
    • This will be used to sign the Server and Client certificate.
  • Server Certificate
    • This will be used to bind the HTTPS service to the specified port.
  • Client Certificate
    • This will be used when you access the SSL service.

Keep in mind that the purpose of these certificates is to verify that the client and server certificates have been signed by the same Certificate Authority.

Create the Root Certificate Authority

To get started here is a command to create the CA:


$rootCAparams = @{
  DnsName = 'PowerShellDemo.io Root Cert'
  KeyLength = 2048
  KeyAlgorithm = 'RSA'
  HashAlgorithm = 'SHA256'
  KeyExportPolicy = 'Exportable'
  NotAfter = (Get-Date).AddYears(5)
  CertStoreLocation = 'Cert:\LocalMachine\My'
  KeyUsage = 'CertSign','CRLSign' #fixes invalid certificate error
}

Create and view the Certificate

$rootCA = New-SelfSignedCertificate @rootCAparams
$rootCA

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

  Thumbprint Subject
  ---------- -------
  8576D38B872A1C3E7AA363BDC1DA0300CF2E7E88 CN=PowerShellDemo.io Root Cert

Add/Import the new RootCA to the ‘Root’ Certificate Store

$CertStore = New-Object -TypeName `
  System.Security.Cryptography.X509Certificates.X509Store(
  [System.Security.Cryptography.X509Certificates.StoreName]::Root,
  'LocalMachine')
$CertStore.open('MaxAllowed')
$CertStore.add($rootCA)
$CertStore.close()

Now you can use the newly created RootCA to sign the Server and Client Certificate.

Creating the Server certificate:


$params = @{
  DnsName = 'Server.PowerShellDemo.io'
  Signer = $rootCA # <------ Notice the Signer is the newly created RootCA
  KeyLength = 2048
  KeyAlgorithm = 'RSA'
  HashAlgorithm = 'SHA256'
  KeyExportPolicy = 'Exportable'
  NotAfter = (Get-Date).AddYears(2)
  CertStoreLocation = 'Cert:\LocalMachine\My'
}

$ServerCert = New-SelfSignedCertificate @params
$ServerCert

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

  Thumbprint Subject
  ---------- -------
  F17FD4BC4D14EF9E2CBE6A55A2D855D830FE23D0 CN=Server.PowerShellDemo.io

Creating the Client Certificate:


$params = @{
  DnsName = 'DemoClient.PowerShellDemo.io'
  FriendlyName = 'DemoClient'
  Signer = $rootCA # <------ Notice the Signer is the newly created RootCA
  KeyLength = 2048
  KeyAlgorithm = 'RSA'
  HashAlgorithm = 'SHA256'
  KeyExportPolicy = 'Exportable'
  NotAfter = (Get-Date).AddYears(2)
  CertStoreLocation = 'Cert:\LocalMachine\My'
}
$ClientCert = New-SelfSignedCertificate @params
$ClientCert

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

  Thumbprint Subject
  ---------- -------
  B2B3497FE918666C5CCB7AEE178C8134D61E8F95 CN=DemoClient.PowerShellDemo.io

Doing ‘Stuff’ with Certificates

To view the newly created certificates use ‘Get-ChildItem’ on the Certificate Store path.


Get-ChildItem -Path Cert:\LocalMachine\My\

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

  Thumbprint Subject
  ---------- -------
  F17FD4BC4D14EF9E2CBE6A55A2D855D830FE23D0 CN=Server.PowerShellDemo.io
  B2B3497FE918666C5CCB7AEE178C8134D61E8F95 CN=DemoClient.PowerShellDemo.io
  8576D38B872A1C3E7AA363BDC1DA0300CF2E7E88 CN=PowerShellDemo.io Root Cert

Also be sure to validate that the RootCA is listed in the Root Certificate store:


Get-ChildItem -Path Cert:\LocalMachine\Root\

  PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

  Thumbprint Subject
  ---------- -------
  CDD4EEAE6000AC7F40C3802C171E30148030C072 CN=Microsoft Root Certificate Auth...
  BE36A4562FB2EE05DBB3D32323ADF445084ED656 CN=Thawte Timestamping CA, OU=Thaw...
  A43489159A520F0D93D032CCAF37E7FE20A8B419 CN=Microsoft Root Authority, OU=Mi...
  92B46C76E13054E104F230517E6E504D43AB10B5 CN=Symantec Enterprise Mobile Root...
  8F43288AD272F3103B6FB1428485EA3014C0BCFE CN=Microsoft Root Certificate Auth...
  8576D38B872A1C3E7AA363BDC1DA0300CF2E7E88 CN=PowerShellDemo.io Root Cert
  7F88CD7223F3C813818C994614A89C99FA3B5247 CN=Microsoft Authenticode(tm) Root...

# This list was cropped, expect to see additional entries.

Using Certificates as PowerShell variables/objects

To set a certificate to a variable run the following command specifying which Common Name (CN) you want, and you can specify properties of the object, such as the Thumbprint:


$ServerCert = Get-ChildItem -Path Cert:\LocalMachine\My\ |
Where-Object { $_.Subject -eq 'CN=Server.PowerShellDemo.io'}

$ServerThumbprint = $ServerCert.Thumbprint

That’s it! You now have a simple Certificate Hierarchy with a RootCA, Server and Client certificate to use in a lab!

VMworld 2018 is around the Corner

I’m always excited this time of year. We are just a few weeks away from the best Technology conference of the year! I get to see quite a few familiar faces and the community is always a very positive one.

This year I am presenting two VMware {Code} Sessions and one vBrownBag community session.

You can view them in the Content Catalog (Search for Sider) and add them as a place holder on your schedule.

PowerCLI Lint [CODE5540U] – This session will focus on writing better code, and what tools are available to help you during this process.

PowerRestCLI, A community PowerShell Module [CODE5550U] – This session is all about using the RESTful API’s with PowerShell. This is really focused on learning new things while playing with PowerShell.

Getting Started with GitHub for PowerCLI users [VMTN5605U] – This session is focused on trying to explain GitHub to new users. I will do my best to relate the terms and tools to everyone.

Lastly I am super excited to attend the ‘VMware {code} Hackathon [CODEHACK]‘ for the third straight year. It’s always a great time with great people!

If its possible, please see if you can get your company to sponsor #vGolf.

See you at VMworld! #SiderHouseRules

The PowerShell Conference Book

Hey Everyone! It’s been quite some time since I last posted on my blog. I’ve been very busy with work and extra curricular activities. One of the projects I worked on was The PowerShell Conference Book. It was a terrific experience, I am very thankful to be included. By purchasing a copy of this book, you not only get the opportunity to immerse yourself into nearly 30 different PowerShell topics, you also get to support the OnRamp scholarship program!

My chapter is titled ‘Building Secure RESTful Endpoints with PowerShell’ and is focused on my PowerShell Module RestPS, which is available in the PowerShell Gallery.

Huge thanks to Mike Robbins, Jeff Hicks, and Micheal T. Lombardi for their work in organizing and delivering this project!

Pick up your copy today!

hero

Write-LogLevel – PowerLumber – PowerShell Logging Module

Are you a lumberJack?

Ever have difficulty implementing logging for long running or large scripts? Did they take up too much space because you either log EVERYTHING, or nothing? Or did you leave the logging you were doing while writing and troubleshooting your script, in the real script, and now you are creating too much noise? I was constantly changing my logging, adding, removing, commenting things out, then back in, etc. It was a mess, not consistent and a pain in the…… Not anymore! I’ve added a new function to the PowerLumber Module ‘Write-LogLevel’ that can increase or decrease the noise based on how the messages are defined in the script/module/function. This is just like Log4j that Java uses, although my implementation is a little different.

The PowerLumber Module is available in the PowerShell Gallery, and the source code is github.


Install-Module -Name PowerLumber

Import-Module -Name PowerLumber

Using the module you define each message with an option from ‘-MsgLevel’. The Options are currently:

TRACE,DEBUG,INFO,WARN,ERROR,FATAL,CONSOLEONLY

At runtime you define ‘-RunLogLevel’, based on the relationship between the options the message will get printed to the console, written to the log file, or both. The Options are currently:

ALL,TRACE,DEBUG,INFO,WARN,ERROR,FATAL,CONSOLEONLY,OFF

You can turn all logging off (‘-RunLogLevel OFF‘), and only output to the console(‘-RunLogLevel CONSOLEONLY‘), which is great for active debugging, without having to edit all of your log commands! If you are using a loop you also have the option of pulling in the -RunLogLevel from a property file so that you can edit the noise level on the fly.

Check out my example script, the console output versus the log output to see what I’m talking about. Sorry, its a bit redundant, but I wanted to make a point. Below we run the internal function 3 times, generating quite a few “messages” and a lot of console noise, but not all message are written to file…..

Write-Warning "Setting the RunLogLevel Variable controls the level of logs written to the logfile."
Write-Warning "All Message will print to the console unless 'OFF' is specified."
$script:RunLogLevel = "ERROR"
$logfile = "c:\temp\testing.log"
$Msg1 = "This is a TRACE Message"
$Msg2 = "This is a DEBUG Message"
$Msg3 = "This is a INFO Message"
$Msg4 = "This is a WARN Message"
$Msg5 = "This is a ERROR Message"
$Msg6 = "This is a FATAL Message"
$Msg7 = "This is a CONSOLEONLY Message"
$Msg8 = "This message has a hardcoded value for -RunLogLevel of ALL"

Write-Warning "You could force a message to appear, by specifying all as the -RunLogLevel"
Write-LogLevel -Message $Msg8 -Logfile $logfile -RunLogLevel ALL -MsgLevel TRACE

function Invoke-DemoLogLevel {
    Write-Warning "See which items write to the log file as you change -RunLogLevel"
    Write-LogLevel -Message $Msg1 -Logfile $logfile -RunLogLevel $script:RunLogLevel -MsgLevel TRACE
    Write-LogLevel -Message $Msg2 -Logfile $logfile -RunLogLevel $script:RunLogLevel -MsgLevel DEBUG
    Write-LogLevel -Message $Msg3 -Logfile $logfile -RunLogLevel $script:RunLogLevel -MsgLevel INFO
    Write-LogLevel -Message $Msg4 -Logfile $logfile -RunLogLevel $script:RunLogLevel -MsgLevel WARN
    Write-LogLevel -Message $Msg5 -Logfile $logfile -RunLogLevel $script:RunLogLevel -MsgLevel ERROR
    Write-LogLevel -Message $Msg6 -Logfile $logfile -RunLogLevel $script:RunLogLevel -MsgLevel FATAL
    Write-LogLevel -Message $Msg7 -Logfile $logfile -RunLogLevel $script:RunLogLevel -MsgLevel CONSOLEONLY
}
Invoke-DemoLogLevel
$script:RunLogLevel = "WARN"
write-Warning "You could force a message to appear, by specifying all as the -RunLogLevel"
Write-LogLevel -Message $Msg8 -Logfile $logfile -RunLogLevel ALL -MsgLevel TRACE
Invoke-DemoLogLevel
$script:RunLogLevel = "FATAL"
write-Warning "You could force a message to appear, by specifying all as the -RunLogLevel"
Write-LogLevel -Message $Msg8 -Logfile $logfile -RunLogLevel ALL -MsgLevel TRACE
Invoke-DemoLogLevel
 So keep in mind this is just a sample to show you what it can do, its kinda messy and a very stupid script. Here is what the console looks like:
PowerLumber
BUT WAIT! There’s LESS, YES LESS in the log file! Check out what actually got written to file:
PowerLumberLog
It’s very clear that this function can clean up your logs, when you choose.

I’m open to feedback, I’m not sure I’m sold on the parameter names yet, but I love the functionality!

Creating PowerShell RESTFul EndPoints

Yes, you can do this. No, its not ready for prime time……  yet! So what am I really talking about here? This is the beginning of creating very useful PowerShell applications on a modern application framework. It will allow you to use the same API calls to your PowerShell scripts that you might use with other services in your infrastructure.

Quick links:

okay….  but WHY?

  • Consistency
  • Flexibility
  • Versioning
  • Scalability
  • Ease of use
  • Security (kinda, only expose Endpoints you want/need)

This is a great platform to develop a ‘PowerShell Application Server’ that you can access with other Powershell scripts and other services can now access the same information that your PowerShell scripts can generate.

Now, the Why nots…

  • While its easy, its another layer.
  • Security (no SSL yet)
  • Memory (you MUST properly remove variables, and garbage collect!)
  • No SwaggerUI (hopefully you know what this is!)

So lets Dive in with a basic use case of getting some process information off of the OS.

First, just install the module from the PowerShell Gallery:


Install-Module -Name RestPS

There is only one exported function ‘Start-RestPSListener’ which requires no parameters. I do suggest you use them!

  • -Port (default is 8080)
  • -RoutesFilePath (Default uses the built in Routes which is not recommended!)

You can copy the file ‘Invoke-AvailableRouteSet.ps1’ to ‘c:\temp’ and specify this as your Routes file path. (I also recommend adding ‘Invoke-AvailableRouteSet’ as the last line of this file). This will allow you to reload the routes with each REST API call to your server.

Now, your first endpoint can be started up like this:


Import-Module -Name RestPS

Start-RestPSListener -Port 8081-RoutesFilePath "c:\temp\Invoke-AvailableRouteSet.ps1"

From a second console you can now run web requests to this new Endpoint.


Invoke-RestMethod -Method Get -Uri "http://localhost:8081/proc"

Invoke-RestMethod -Method Get -Uri "http://localhost:8081/process?vmware-tray"

It’s that simple! The Web listener will execute any command or script defined in your Routes file. If the Route is unknown a message will be sent back ‘Invalid Command’.

To shut the Endpoint down, send the following comand:


Invoke-RestMethod -Method Get -Uri "http://localhost:8081/Endpoint/Shutdown"

Below is an image of the Calls from each console.

RestCalls

You can see this is a very easy project to get started with. You can now put a pretty simple web front end on any of your scripts. Give access to outside users to run your scripts. Just use some caution! You only have to expose endpoints/scripts you want folks to have access to. I have not started the road down SSL yet.

Check it out, have some fun, give some feedback!

Reference projects:

https://github.com/cofonseca/WebListener?files=1

http://hkeylocalmachine.com/?p=518

Got vSphere API’s? PGH little hack, WPVMUG, and Ariel – not the Mermaid

I’mmmmmmm  back!

I’ve been quite quiet since VMworld, sorry! Life has not slowed down at all. Anyway enough about the boring stuff.

This past week I got to spend 2 days up in Pittsburgh to attend a TAM round Table headlined by Kyle Ruddy, a little Hack organized by Ariel Sanchez Mora & Carl Capozza, lastly the WPVMUG.

First, let me say, the people were GREAT! I’m sure I cannot mention them all, but here are a few: AJ Kuftic, Dave Kalaluhi, Dan Barr, Doug DeFrank. All of these guys were great to hang with and were super welcoming. I cannot thank them enough for their hospitality!

At the TAM meeting, there were a lot of great conversations with wide ranging topics. It was great to be in a room with very smart folks! Not to mention the diversity in skill sets. Its amazing how everyone uses the technology, but we all use it differently. It just proves that we all have so much to learn.

The PGH Little Hack was fun! I’m not sure that anyone accomplished a specific task. But I know that we all walked away with more knowledge! Just like the larger hackathons I think keeping scope small is key. It’s way too easy to get off topic.

Lastly the WPVMUG, these events are great, we get to see presentations from experts in our field with direct access to the presenter. Additionally my favorite part is that new speakers get their time to shine. This time it was Doug DeFrank and boy did he shine. You could tell he was a bit nervous before the start of his presentation, but as soon as it started he blew me away. His passion for his topic was unprecedented, the topic hits home for me, as I got started scripting the same way he described. I’m sure that Ariel will be posting a video, if I find it I will post the link. So thank you Ariel for getting Doug to speak, and Thanks to Doug for delivering a very good presentation. The workflow diagrams were great, but the passion will keep me coming back, I hope I get to see you on stage again soon! Check out his blog here.

Lets get to some Technical stuff…

One of the problems we had with the little Hack (and I could see in future events) is that we did not know what to do. Everyone had some idea’s but we never really ironed the details out. Now I don’t think that every little detail has to exist before you start one of these events, but having a plan or general direction is always nice. One of the constant themes we had over the 2 days was hearing folks say “I want to learn more about the vSphere API’s”. But no one really knew how to get started, or a way to really have it hit home. So I am here to propose the following, at least for folks with a similar skill set to my own…..  which consists of quite a bit of PowerShell.

I’ve started a new PowerShell Module called “PowerRestCLI”, which is just a PowerShell wrapper to the vSphere API. Now, I want to be clear: THIS IS NOT A REPLACEMENT FOR POWERCLI! This is not my goal, it is not the purpose of this Module. This is just a tool for folks to learn a new skill. Honestly my goal, whether it be for the Little hacks that involve the VMwareCode community, or if someone just wants to learn a little, is for them to contribute to the Samples.

I have submitted a Pull Request that includes the Module to the vSphere-Automation-sdk-Rest project on the VMware Github site. If the folks in charge do not agree that the samples/module belongs, I will simply support the module on my personal GitHub repository. This is not new information, as I pulled stuff from the following blogs, Luk Dekens (go figure…lol), Chris Wahl (no surprise here) and Chris Bradshaw. I am just extending their work, to hopefully help others in the community.

Here are the skills that I believe folks will learn while contributing:

  • Deeper PowerShell skills
  • How Rest interfaces work
  • GitHub methodologies
  • vSphere Rest specific knowledge

I’m sure I am missing something, but these are the things that all the guys were asking about while I was in Pittsburgh.

Here is a peek at the module I started and what it includes:

  • Download the module (not available in the PowerShell Gallery yet).
  • Edit the ConnectionVariables.ps1 file to update the Name/IP of your vCenter
  • Import the Module
  • Connect to the vCenter
  • Pull the list of VM’s

Yes, I know, its not much. But its a start, and the formats are fairly similar.

Module Name – PowerRestCLI, Go ahead and import it.


Import-Module <PathToModule>\PowerRestCLI.psm1

Next, connect to your vCenter:


# This will prompt you for UN/PW
Connect-rVIServer -vCenter $vCenter
# Or specify the UN/PW
Connect-rVIServer -vCenter $vCenter -User Administrator@corp.local -Password VMware1!
# Or use a Credential already set
Connect-rVIServer -vCenter $vCenter -Credential $creds

This command returns:

Name Port User
---- ---- ----
192.168.2.220 443 administrator@corp.local

Once you are connected its easy to get the list of VM’s!

 
Get-rVM

Notice all of the commands have a lower case ‘r’, to designate this as a “REST” command vs. a normal PowerCLI command. Note, ‘Get-rVM’ does not support filtering yet! Add this to the next little hack!

All of this sounds really cool, but do we get the same information? YES! kinda.

Here is the typical formatted return of PowerCLI’s ‘Get-VM’

PowerCLI output
Name PowerState Num CPUs MemoryGB

---- ---------- -------- -------

Win_7_Test_vm PoweredOff 1 2.000

Win_10_test_vm PoweredOff 1 4.000

CentOS_6_test_vm PoweredOff 1 2.000

Embedded-vCenter-... PoweredOn 2 10.000

And here is ‘Get-rVM’ output:

name power_state cpu_count memory_size_MiB

---- ----------- --------- ---------------

Embedded-vCenter-Server-Appliance POWERED_ON 2 10240

Win_7_Test_vm POWERED_OFF 1 2048

Win_10_test_vm POWERED_OFF 1 4096

CentOS_6_test_vm POWERED_OFF 1 2048

Sorry, wordpress kinda sucks with formatting. Notice any differences?

PowerState(PowerCLI) is different than power_state(PowerRestCLI). CPU/Memory also have differences. Note that in the second example, the full name of the VCSA is displayed by default. These can be overcome with some code, but it is interesting that the returns are slightly different. I’m curious if this is something nice PowerCLI does for us in the background.

It is clear that the information is available, and that is the goal of this module! I hope that it is accepted into the Samples, and that more and more folks can learn how to use the vSphere API through PowerShell. There is also potential that at some point in the future that the vSphere API may have a setting available that PowerCLI does not, Now you have the power to make the change in PowerShell!

Thanks for reading! Hit me up on Twitter if you have any questions! @jpsider

What horse did you ride in on? VMwareCode #hackathon

HA! Tonight was a pretty rewarding and humbling experience for myself. I was fortunate enough to lead a team at the VMworld Hackathon. Only, it didn’t start out as I had planned. While I knew that signups for my team was low, I did not expect to go solo. Not one of the folks who signed up for team #SweaterVester showed. One guy even sat down and started to set up his laptop, as we were talking he learned he was at the wrong table…..  DOH! lol

The good news (I think) is that I earned a new nickname, ‘The lone Ranger”. The bad news, well there is none. I had a wonderful time. I cannot thank the organizers, participants and judges enough for all of their kind words and support during and after the event.  It’s an awesome experience and I wasn’t going to let a lack of participation from other ruin my time!

I started out with some pretty far reaching goals, but quickly adjusted them down to work I believed I could complete during the event. At the end of the night, I was able to demo a brand new working feature to my OpenSource Project XesterUI. It was very rewarding to be able to complete the work in a short amount of time, and be able to demo the work live in front of a fairly intimidating group. I also found about 5 or 6 bugs, but those will have to wait until after VMworld.

If you want to learn more about the project I was working on, you can check out XesterUI on Github. Additionally on Thursday at 11:45 I have a vBrownBag presentation (located in the VMvillage) to talk about more of the features and details that will help you understand what this tool can do for you, your organization, and your vSphere environment.

A Very special thanks to Lily Chang, William Lam, Alan Renouf, and Chris Wahl for their kind words and encouragement this evening. This is by far one of my favorite events at VMworld! Food, Friendly competition, great conversations, and Beer. What more could you ask for?

While I didn’t win 1st place……  I did get to take home two Echo Dots! Which I will put to good use!FullSizeRender

Bravo Vmware Code, Bravo.