I'm trying to revoke a VPN certificate using Microsoft's byzantine Azure Powershell commands, as described here: https://blogs.technet.microsoft.com/keithmayer/2014/12/09/step-by-step-revoking-and-reinstating-client-vpn-certificates-for-azure-point-to-site-vpns/. (Don't get me started on why you should need to write a 20-line script that makes a manually-constructed REST API call to do basic user management - that's a separate issue for now.)
One of the key bits is getting the appropriate management certificate. You're supposed to use this command:
$cert = (Get-AzureSubscription -SubscriptionName BizSpark -ExtendedDetails).Certificate
On some machines this works. But on my main client machine, the one that I need to run it on, the Certificate property is always blank. I've tried re-importing my .publishsettings file, upgrading the Azure PowerShell cmdlets, deleting the C:\Users\user\AppData\Roaming\Windows Azure Powershell directory, and so forth, to no avail.
Any suggestions?
WMF 5.1 includes new functionality to allow signing of MOF documents and DSC Resource modules (reference). However, this seems very difficult to implement in reality -- or I'm making it more complicated than it is...
My scenario is VMs in Azure and I'd like to leverage Azure Automation for Pull DSC Server; however, I see this applying on premise too. The problem is that the certificate used to sign the MOF configurations and/or modules needs to get placed on the machine before fetching and applying the configuration otherwise configuration will fail because the certificate isn't trusted or present on the machine.
I tried using Azure KeyVault to bootstrap the certificate (just the public key because that's my understanding of how signing works) and that fails using Add-AzureRmVMSecret because the CertificateUrl parameter expects a full certificate with the public/private key pair to install. In an ideal world, this would be the solution but that's not the case...
Other ideas, again in this context, would be to upload the cert to blob storage, use a CustomScriptExtension to pull down the cert and install into the LocalMachine store but that feels nasty as well because, ideally, that script should be signed as well and that puts us back in the same spot.
I suppose another idea would be to first PUSH a configuration that downloaded and installed certificates only but that doesn't sound great either.
Last option would be to rely on an AD GPO or something similar to potentially push the certificate first...but, honestly, trying to move away from much of that if/when possible...
Am I off-base on this? It seems like this should be a solvable problem -- just looking for at least one "good" way of doing it.
Thanks
David Jones has quite a bit of experience dealing with this issue in an on-premises environment, but as you stated the same concepts should apply for Azure. Here is a link to his blog. This is a link to his GitHub site with a PKITools module that he created. If all else fails you can reach out to him on Twitter.
While it's quite easy to populate a pre-booted image with public certificates, it's not possible (that I have found) to populate the private key.
DSC would require the private key to decrypt the passwords.
The most common tactic people blog about is to use the unattend to script the import of a PFX. The issue there is you have to leave the password for the PFX in plain text. Perhaps that is OK in your environment.
The other option requires a more complicated setup. Use a simple DSC or GPO to auto-enroll a unique certificate. Then have the system, via first-boot script or DSC custom resource, tickle an API (like Polaris) that triggers a DSC script which uses PKITools or another script to get the public certificate that the machine has. Then have that API push a new DSC config (or pull settings) to the machine.
I need to take regular backups of a suite of VMs in an Azure environment. I thought the obvious solution to this would be to use PowerShell to automate the process, so I have written a script to do just that. I want this to run on a schedule, unattended with no manual intervention. However, the problem I have is that every few days I get the error:
Your Windows Azure credential in the Windows PowerShell session has expired. Please use Add-AzureAccount to login again.
Which means I have to re-run Add-AzureAccount and sign back in through the associated popup and everything works again. Obviously this is no good and negates the benefit of doing this automation.
Is there any way I can prevent these credentials from expiring?
Thanks
Yes, by using certificate authentication instead. One of the drawbacks of using Add-AzureAccount is that the credentials expire from time to time. You could just run Add-AzureAccount again but certificate authentication would be best for you in this scenario.
Firstly, remove the current accounts you have registered in PowerShell using the Remove-AzureAccount cmdlet. Something like:
Remove-AzureAccount -Name name@account.onmicrosoft.com
This doesn't remove your account from Azure, just the reference you hold to it in your PowerShell console (from when you used Add-AzureAccount). Then you run
Get-AzurePublishSettingsFile
This will open a browser window, ask you to authenticate to your account, and you'll download a file ending in .publishsettings.
Then, in Azure PowerShell you run
Import-AzurePublishSettingsFile -PublishSettingsFile <path_to_file>
which will import the certificates from the publishsettings file, allowing you to execute your scripts without using Add-AzureAccount.
You may also need to use Set-AzureSubscription -SubscriptionName <name_of_subscription> if you happen to have more than one subscription.
Additionally, the following MSDN blog describes the process just as I have above. http://blogs.technet.com/b/ricardma/archive/2014/07/04/managing-azure-subscriptions-in-powershell.aspx
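The scheduled-job setup described in this answer, written out as an added example (not the answer's own script): it imports the .publishsettings file once, pins the subscription on every run with Select-AzureSubscription -Default, and checks that the session is bound to a management certificate rather than an expiring Add-AzureAccount token. The file path and subscription name are placeholders; the classic Azure module is assumed to be installed.

```powershell
# Added example: unattended classic-Azure sign-in via management certificate
# for a scheduled backup job. Path and subscription name are placeholders.
param(
    [string]$PublishSettingsPath = 'C:\secure\BizSpark.publishsettings',  # placeholder
    [string]$SubscriptionName    = 'BizSpark'                             # placeholder
)

$ErrorActionPreference = 'Stop'

# Import only when the subscription is not registered yet: the import is a
# one-time step and the certificate is kept in the user's profile afterwards
# (the "Windows Azure Powershell" folder under AppData\Roaming).
$existing = Get-AzureSubscription -SubscriptionName $SubscriptionName -ErrorAction SilentlyContinue
if (-not $existing) {
    Import-AzurePublishSettingsFile -PublishSettingsFile $PublishSettingsPath

    # The .publishsettings file embeds the management certificate's PRIVATE key
    # (a base64 PFX with no password). Once imported it should not stay on disk.
    Remove-Item -Path $PublishSettingsPath -Force
}

# Pin the subscription on every run so a second subscription cannot be
# selected silently when the job account has access to more than one.
Select-AzureSubscription -SubscriptionName $SubscriptionName -Default

# Fail fast if the session is still relying on an Add-AzureAccount token
# (which expires) instead of the certificate.
$sub = Get-AzureSubscription -SubscriptionName $SubscriptionName -ExtendedDetails
if (-not $sub.Certificate) {
    throw "No management certificate bound to subscription '$SubscriptionName'; re-import the .publishsettings file."
}
Write-Verbose ("Using management certificate thumbprint {0}" -f $sub.Certificate.Thumbprint)

# ...backup work goes here, e.g. Get-AzureVM | ForEach-Object { ... }
```

Run the scheduled task under the same Windows account that performed the import, because the imported certificate and subscription data live in that user's profile. Keep the .publishsettings file on an ACL-restricted path until it is imported; anyone who can read it holds a key that manages the whole subscription.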
I am setting up deployment of an Azure website on a build server running Server 2012.
I first tried to deploy from my local machine using the following steps (and it worked):
Install Azure PowerShell using WPI
Use the Get-AzurePublishSettingsFile command and Import-AzurePublishSettingsFile to get access to my Azure websites etc. from PowerShell
Run the command Get-AzureWebsites and I see a list of my websites
Run Publish-AzureWebsiteProject to publish my package to the website
All the above works. However, when I follow exactly the same steps on my server, when I get to the Get-AzureWebsites step, I get nothing back. As a follow on from this, when I try and run the publish command, I get a "website does not exist" error.
If I run the Get-AzureAccount and Get-AzureSubscription commands, I get back the correct account / subscriptions.
I have no idea what is going on?!
Check if there is more than one Azure subscription on that server. If there are more, make sure that the subscription that you need is set as default.
Use the command:
Select-AzureSubscription -Default 'subscription name'
... to set the default subscription.
The Azure command is Get-AzureWebsite, not Get-AzureWebsites.
Introduce the Problem
I like to manage Windows Azure Websites through PowerShell. For instance, I like to run Get-Website to view a list of all my websites. Before I do that, I need to authenticate with Windows Azure.
Research
One way to do this is via Add-AzureAccount, which prompts me to sign in with my Azure username and password, after which I can run Get-AzureWebsite to view the list. At this point, I have no Management Certificates, and it doesn't seem to matter. I can run Remove-AzureAccount some@account.com to sign out.
Another way to do this is via a Management Certificate. I run Get-AzurePublishSettingsFile followed by Import-AzurePublishSettingsFile. Then I can run Get-AzureWebsite to view my list.
This seems like two ways to do the same thing.
Question
Other than allowing me to save a Management Certificate for convenience, what is the difference, if any, between the two methods?
Import-AzurePublishSettingsFile is not interactive, so I can use a batch process.
Add-AzureAccount is interactive. Since I do not require the certificate, I use Add-AzureAccount because it is easier.
I am working on automatic deployment + Azure. I'm at the point where I'm adding an SSL cert to the website. Does anyone know how to use PowerShell to upload an SSL certificate to a website using the PowerShell command (Add - Get - Set based commands)? I'm able to add a certificate to a cloud service using ...
New-AzureService $Program -Location 'East US'
Add-AzureCertificate -Password Cert123! -ServiceName $Program -CertToDeploy $CertLocation
but I have no idea how to add it to an Azure website.
Thanks
edit: I've found a way using the following command, but I'm not wanting to install additional libraries on my production deployment machine.
azure site cert add -k Cert123! $CertLocation $Program
Using the newly released Azure PowerShell v1.1.0, you can use the following command to upload a certificate to your website:
New-AzureRmWebAppSSLBinding -ResourceGroupName myresourcegroup -WebAppName mytestapp -CertificateFilePath PathToPfxFile -CertificatePassword PlainTextPwd -Name www.contoso.com
More information is in the following article:
https://azure.microsoft.com/en-us/documentation/articles/app-service-web-app-powerhell-ssl-binding/
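The same cmdlet used in a deployment script, as an added example (not code from the answer or from the cmdlet's documentation): the PFX password is kept as a DPAPI-protected SecureString file created once on the build machine instead of a plain-text literal in the script, is decrypted only for the duration of the call, and the resulting binding is read back with Get-AzureRmWebAppSSLBinding. Resource group, app name, host name and file paths are placeholders; the -SslState parameter is used as I remember it from AzureRM.

```powershell
# Added example: bind an SSL certificate to an App Service web app with the
# AzureRM cmdlets without a clear-text PFX password in the script.
param(
    [string]$ResourceGroupName = 'myresourcegroup',          # placeholder
    [string]$WebAppName        = 'mytestapp',                # placeholder
    [string]$HostName          = 'www.contoso.com',          # placeholder
    [string]$PfxPath           = 'C:\deploy\contoso.pfx',    # placeholder
    # DPAPI-protected SecureString, created once under the deploying account with:
    #   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content C:\deploy\pfxpwd.txt
    [string]$PfxPasswordFile   = 'C:\deploy\pfxpwd.txt'      # placeholder
)

$ErrorActionPreference = 'Stop'

# ConvertTo-SecureString without a key uses DPAPI, so the file is only
# readable by the same user on the same machine that created it.
$secure = Get-Content -Path $PfxPasswordFile | ConvertTo-SecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    # -CertificatePassword takes a plain string, so decrypt just for this call.
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

    New-AzureRmWebAppSSLBinding -ResourceGroupName $ResourceGroupName `
                                -WebAppName $WebAppName `
                                -Name $HostName `
                                -CertificateFilePath $PfxPath `
                                -CertificatePassword $plain `
                                -SslState SniEnabled   # assumed parameter value
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# Verify the binding exists and is attached to the expected host name.
$binding = Get-AzureRmWebAppSSLBinding -ResourceGroupName $ResourceGroupName -WebAppName $WebAppName |
           Where-Object { $_.Name -eq $HostName }
if (-not $binding) { throw "SSL binding for $HostName was not created." }
"{0}: thumbprint {1}, state {2}" -f $binding.Name, $binding.Thumbprint, $binding.SslState
```

The password file is tied to the account that ran ConvertFrom-SecureString, so create it while logged in as the build service account, not as an administrator who then hands the file over.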
As far as I know the Azure PowerShell cmdlets do not offer this capability at the moment, as far as I could find. As you point out, the Cross Platform Command Line tool does. Since you don't want to add the XPlat-CLI tool to your deployment machines, you can use what the XPlat-CLI tool does under the hood: a direct call against the REST API for web site management.
Note you'll need to figure out what webspace the site resides in, etc. You can use Invoke-WebRequest to make this call so that you can verify you get that 200 response back. Or you could use Invoke-RestMethod as well, but that would only return an XML document (the contents of the response). Invoke-WebRequest provides you a little more control and access to the full response object.
The Microsoft Azure Management Libraries (which the PowerShell cmdlets sit on top of) has a Web Site Management piece to it. One of the operations is an update to a site and that includes a WebSiteUpdateParameters object with a SSLCertificates property. You may check into that as well, though I've not done this myself.
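The direct REST call this answer describes, as an added example (not the answer's own code, nor the XPlat-CLI's): it authenticates to the classic Service Management endpoint with the subscription's management certificate, checks for the 200 response, and walks the webspaces to find which one holds the site. It also covers the first question on this page, where (Get-AzureSubscription -ExtendedDetails).Certificate comes back blank: the fallback reads the same certificate out of the .publishsettings XML, which carries it as a base64 PFX with no password. Subscription name, site name and file path are placeholders; the /services/WebSpaces and /sites paths and the x-ms-version value are the Service Management Web Sites API as I recall it.

```powershell
# Added example: classic (Service Management) Web Sites REST call using the
# management certificate, with a .publishsettings fallback for the certificate.
param(
    [string]$SubscriptionName    = 'BizSpark',                            # placeholder
    [string]$SiteName            = 'mytestapp',                           # placeholder
    [string]$PublishSettingsPath = 'C:\secure\BizSpark.publishsettings'   # placeholder
)
$ErrorActionPreference = 'Stop'

$sub  = Get-AzureSubscription -SubscriptionName $SubscriptionName -ExtendedDetails
$cert = $sub.Certificate
if (-not $cert) {
    # Fallback: the publishsettings XML holds the certificate as a base64 PFX
    # without a password. Schema 2.0 puts it on <Subscription>, 1.0 on <PublishProfile>.
    [xml]$ps = Get-Content -Path $PublishSettingsPath
    $subNode = $ps.PublishData.PublishProfile.Subscription |
               Where-Object { $_.Name -eq $SubscriptionName }
    $b64 = if ($subNode -and $subNode.ManagementCertificate) { $subNode.ManagementCertificate }
           else { $ps.PublishData.PublishProfile.ManagementCertificate }
    $bytes = [Convert]::FromBase64String($b64)
    # (,$bytes) keeps the byte array as a single constructor argument.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}
if (-not $cert.HasPrivateKey) { throw 'Management certificate has no private key; cannot authenticate.' }

$base    = "https://management.core.windows.net/$($sub.SubscriptionId)/services/WebSpaces"
$headers = @{ 'x-ms-version' = '2014-04-01'; 'Accept' = 'application/xml' }   # assumed API version

# Invoke-WebRequest returns the full response, so the status code can be checked.
$resp = Invoke-WebRequest -Uri $base -Method Get -Headers $headers -Certificate $cert -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "WebSpaces call failed with HTTP $($resp.StatusCode)" }
[xml]$spaces = $resp.Content

# Find the webspace containing the site; later site-level calls need its name.
$found = $null
foreach ($ws in $spaces.WebSpaces.WebSpace) {
    $r = Invoke-WebRequest -Uri "$base/$($ws.Name)/sites" -Method Get -Headers $headers -Certificate $cert -UseBasicParsing
    if ($r.StatusCode -ne 200) { continue }
    [xml]$sites = $r.Content
    if ($sites.Sites.Site | Where-Object { $_.Name -eq $SiteName }) { $found = $ws.Name; break }
}
if (-not $found) { throw "Site '$SiteName' not found in any webspace of subscription '$SubscriptionName'." }
"Site $SiteName is in webspace $found"
```

The certificate loaded from the XML fallback exists only in this process's memory, which is the reason a cmdlet-based session can report an empty Certificate property while the same key still sits in the file. Treat that file as you would the private key itself.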