Overview of Scripts Signing
Note: This feature is in Public Preview.
Nerdio Manager can automatically sign all VM extensions and scripted actions with a selected certificate so that they comply with configured PowerShell execution policies.
The feature currently supports script signing for the following resources:
Session hosts
Configured at the host pool level.
Supports all extensions for ARM AVD.
Desktop images
Configured individually for each desktop image (the setting is stored in the NMW_SIGNING_CERTIFICATE_ID tag on the image).
Supports all extensions in Set as image and Run script operations. However, Add from Azure VM and Add from Azure library operations are not supported.
Requirements
The Artifacts:Mode app service setting must be set to Local or Offline. Otherwise, the signing settings are ignored and scripts are not signed. If at least one certificate is linked but Artifacts:Mode is not configured, a warning is shown in the settings tile.
The certificate must be suitable for code signing. See Certificate Details for more information.
Nerdio Manager's main Service Principal must have the following permissions on the Key Vault. Note that Secret Get returns the certificate's private key (Key Vault exposes it as a secret of the same name), so grant it only to this principal and not to operators who merely need to see which certificates exist.
| Resource | Operation | Description |
|---|---|---|
| Secret | Get | Required to get the certificate's private key when signing scripts. |
| Certificate | Get | Required to get the certificate details. Used only when managing linked certificates. |
| Certificate | List | Required to display the list of Key Vault certificates in the linking dialog. |
| Certificate | Create | Required for the self-signed certificate generation function. |
| Certificate | Import | Required for the certificate import function. |
| Certificate | Delete | Required when the "Remove from Key Vault" check box is checked while unlinking a certificate. |
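The following script grants exactly the permission set in the table above with the Az PowerShell module. It is an added example, not Nerdio's own tooling: the vault name and the service principal's object ID are placeholders you pass in, and it assumes the vault uses the access-policy permission model (for an RBAC-enabled vault, assign the equivalent roles instead). Create, Import and Delete are only added when you opt in, because linking an existing certificate needs just Get and List.

```powershell
# Added example (not from the Nerdio documentation): grant the Nerdio Manager
# service principal the Key Vault permissions listed above, and nothing more.
# Assumes the vault uses access policies rather than Azure RBAC.
param(
    [Parameter(Mandatory)] [string] $VaultName,                 # placeholder, e.g. 'kv-nerdio-prod'
    # Object ID of the Nerdio Manager service principal
    # (Microsoft Entra ID > Enterprise applications > the app > Object ID).
    [Parameter(Mandatory)] [string] $ServicePrincipalObjectId,
    # $true only if Generate / Import / "Remove from Key Vault" will be used from Nerdio Manager.
    [bool] $AllowManage = $false
)

Connect-AzAccount | Out-Null   # interactive sign-in; remove if a session already exists

# Secrets: Get only (private key retrieval during signing).
# Certificates: Get + List always; Create/Import/Delete are optional management functions.
$certPerms = @('get', 'list')
if ($AllowManage) { $certPerms += 'create', 'import', 'delete' }

# Sets the secret and certificate permissions for this principal; other
# categories (keys, storage) on the same policy entry are left as they are.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
    -ObjectId $ServicePrincipalObjectId `
    -PermissionsToSecrets get `
    -PermissionsToCertificates $certPerms

# Read back the resulting policy entry so the least-privilege result can be checked.
(Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object ObjectId -eq $ServicePrincipalObjectId |
    Select-Object ObjectId, PermissionsToSecrets, PermissionsToCertificates
```

Run it once per Key Vault that will hold signing certificates; the final read-back is the check to keep in a change record, since it shows the exact permission set the principal ended up with.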
Configuration Process
The configuration process consists of the following steps:
- Manage an existing certificate or create a new one:
- Install the certificate on the VMs:
- Configure the linked certificate:
Certificate Details
The following are the certificate requirements:
KeyUsage: DigitalSignature
Extended Key Usage: 2.5.29.37 = 1.3.6.1.5.5.7.3.3
Basic Constraints: 2.5.29.19 = <empty>
Must contain both public and private parts (exportable)
Subject must start with CN=
Notes:
- Expiration Warning: Starting 60 days before the certificate expires, a warning icon is shown in the settings tile and in the certificate selector.
- Certificate Versions: In Key Vault, a certificate can have several versions, and each version is effectively a separate certificate. When you link a certificate, Nerdio Manager saves a reference to the latest version; a separate function lets you change the linked version. For example, when renewing an expiring certificate, create a new version in Key Vault, install that version on all VMs, and only then change the linked version. Keep that order: a VM that does not yet trust the new version will reject scripts signed with it.
Link a Certificate
Nerdio Manager allows you to link a certificate that you already have in the Key Vault.
To link a certificate:
Navigate to Settings > Nerdio environment.
In the Linked signing certificates tile, select Link.
Enter the following information:
Key Vault: From the drop-down list, select the Key Vault.
Certificate: From the drop-down list, select the certificate.
Once you have entered all the desired information, select Link.
Import a Certificate File
Nerdio Manager allows you to import a certificate file.
To import a certificate file:
Navigate to Settings > Nerdio environment.
In the Linked signing certificates tile, select Import.
Enter the following information:
Key Vault: From the drop-down list, select the Key Vault to which you want to import the certificate.
Certificate Name: Type the certificate's display name.
Certificate File: Select Choose File and select the certificate file.
Password: Type the certificate's password, if it has one.
Once you have entered all the desired information, select Import.
Create a Self-Signed Certificate
You may create a self-signed certificate using PowerShell, the Azure Portal, or Nerdio Manager, as shown below.
Create a Self-Signed Certificate using PowerShell
The most flexible way to create a self-signed certificate is by using PowerShell.
To create a self-signed certificate using PowerShell:
Run the following PowerShell command, changing Subject and FriendlyName if required.
New-SelfSignedCertificate `
-Type Custom `
-Subject "CN=Nerdio Manager, O=Nerdio Corporation, C=US" `
-KeyUsage DigitalSignature `
-FriendlyName "Certificate for Nerdio Manager" `
-CertStoreLocation "Cert:\CurrentUser\My" `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
Export the certificate that was created:
Press the Windows key + R, type certmgr.msc, and select OK.
Navigate to Personal > Certificates.
Locate the certificate and open it.
In the Details tab, select Copy to File.
Select Yes, export the private key and then select Next.
Select Password and type a password, which is required when the file is imported later.
Set Encryption to AES256-SHA256 and then select Next.
Select a location to save the file and complete the process.
In Nerdio Manager, import the certificate that was generated. See Import a Certificate File for details.
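The same procedure, done entirely in PowerShell, is given below as an added example (it is not part of the Nerdio documentation). It creates the certificate with the command above, checks it against every requirement listed under Certificate Details, and then exports the PFX for import into Key Vault and a Base-64 CER for the VM trust stores without opening certmgr.msc. The output directory, subject and password are placeholders; the check function is an assumption of this example, not a Nerdio function.

```powershell
# Added example (not from the Nerdio documentation): create, validate and export
# the self-signed signing certificate from PowerShell. Subject, paths and the
# password are placeholders.
$subject = 'CN=Nerdio Manager, O=Nerdio Corporation, C=US'
$outDir  = 'C:\Temp\signing-cert'                      # placeholder output directory
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX export password'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Same extensions as the command above: EKU Code Signing (1.3.6.1.5.5.7.3.3),
# empty Basic Constraints (not a CA), Key Usage limited to Digital Signature.
$cert = New-SelfSignedCertificate `
    -Type Custom `
    -Subject $subject `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable `
    -FriendlyName 'Certificate for Nerdio Manager' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}')

function Test-SigningCertificate {
    # Returns the list of unmet "Certificate Details" requirements (empty = suitable).
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $problems = @()
    $ku  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # Key Usage
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Extended Key Usage
    $bc  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # Basic Constraints
    $digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if (-not $ku -or -not $ku.KeyUsages.HasFlag($digSig)) {
        $problems += 'KeyUsage does not include DigitalSignature'
    }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.3')) {
        $problems += 'Extended Key Usage does not include Code Signing (1.3.6.1.5.5.7.3.3)'
    }
    if ($bc -and $bc.CertificateAuthority) {
        $problems += 'Basic Constraints marks the certificate as a CA; it must be empty'
    }
    if (-not $Cert.HasPrivateKey)        { $problems += 'No private key present' }
    if ($Cert.Subject -notmatch '^CN=')  { $problems += "Subject does not start with CN= ($($Cert.Subject))" }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(60)) { $problems += 'Expires within 60 days (Nerdio Manager will warn)' }
    return $problems
}

$issues = Test-SigningCertificate -Cert $cert
if ($issues) { throw ("Certificate is not suitable for script signing:`n - " + ($issues -join "`n - ")) }

# PFX with the private key, AES-256 protected, for "Import a Certificate File".
# -CryptoAlgorithmOption requires a recent PKI module; omit it on older hosts (default is 3DES).
Export-PfxCertificate -Cert $cert -FilePath "$outDir\nerdio-signing.pfx" `
    -Password $pfxPass -CryptoAlgorithmOption AES256_SHA256 | Out-Null

# Public part only: DER .cer for the manual wizard, Base-64 (PEM) for the scripted action.
Export-Certificate -Cert $cert -FilePath "$outDir\nerdio-signing.cer" | Out-Null
$b64 = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
"-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" |
    Set-Content -Path "$outDir\nerdio-signing.b64.cer" -Encoding Ascii

"Thumbprint: $($cert.Thumbprint)"   # keep this; it is how you verify the right certificate landed on the VMs
```

The validation function can also be pointed at a certificate already in Key Vault or in a local store (for example `Get-Item Cert:\CurrentUser\My\<thumbprint>`) before you link it, which catches a missing EKU or a CA flag earlier than a failed signing run would.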
Create a Self-Signed Certificate using the Azure Portal
This method uses the Azure portal to generate a certificate.
To create a self-signed certificate using the Azure portal:
In the Azure portal, navigate to Key Vaults.
Select the desired Key Vault.
In the Objects blade, select Certificates.
Select +Generate/Import.
Enter the following basic information:
Certificate Name: Type the certificate's display name.
Subject: Type the subject of the certificate file, starting with CN=. For example, CN=Nerdio Manager.
Validity Period: Select the number of months for the validity period or leave it blank.
Advanced Policy Configuration: Select the Not configured link to open the advanced settings.
Enter the following advanced information:
Extended Key Usages: 1.3.6.1.5.5.7.3.3
X.509 Key Usage Flags: From the drop-down list, select only Digital Signature.
Once you have entered the advanced information, select OK.
Once you have entered the basic and advanced information, select Create.
Wait for the process to complete, which usually takes about a minute.
In Nerdio Manager, link the certificate that was generated. See Link a Certificate for details.
Create a Self-Signed Certificate using Nerdio Manager
This method uses the same Key Vault generation function as the Azure portal method above, but Nerdio Manager sets all the required policies automatically and links the generated certificate for you.
To create a self-signed certificate using Nerdio Manager:
Navigate to Settings > Nerdio environment.
In the Linked signing certificates tile, select Generate.
Enter the following information:
Key Vault: From the drop-down list, select the Key Vault in which you want to generate the certificate.
Certificate Name: Type the certificate's display name.
Subject: Type the certificate's subject, starting with CN=. For example, CN=Nerdio Manager.
Validity Period: Select the number of months for the validity period.
Once you have entered all the desired information, select Create.
Export a Self-Signed Certificate
Nerdio Manager allows you to export a self-signed certificate in PKCS #12 or X.509 format.
To export a self-signed certificate:
Navigate to Settings > Nerdio environment.
In the Linked signing certificates tile, locate the certificate you wish to export, and select Export.
In the Export Format drop-down list, select the export format: PKCS #12 (a .pfx file that includes the private key) or X.509 (a .cer file containing the public certificate only).
Once you have selected the format, select Export.
The certificate is downloaded to your browser's default download folder.
Install a Certificate on a Virtual Machine Manually
You may install a certificate on a VM manually.
To manually install a certificate on a VM:
Export the self-signed certificate in PFX (PKCS #12) format. See Export a Self-Signed Certificate for details.
Copy the exported PFX file to the VM.
Open the file; the Certificate Import Wizard starts.
In Store Location, select Local Machine and then select Next.
On the File to Import window, leave the defaults and select Next.
On the Private key protection window, leave the defaults and select Next.
On the Certificate Store window, enter the following information:
Select Place all certificates in the following store.
Select Browse and then select Trusted Root Certification Authorities.
Once you have entered all the required information, select Next.
On the Completing the Certificate Import Wizard window, review the settings and select Finish.
To match what the scripted action in the next section does, repeat the import and place the certificate in the Trusted Publishers store as well; without it, an AllSigned or RemoteSigned execution policy still prompts before running scripts from a publisher it has not classified as trusted, and that prompt cannot be answered in an unattended run.
Install a Certificate on a Virtual Machine using a Scripted Action
You may install a certificate on a VM using a scripted action.
To install a certificate on a VM using a scripted action:
Export the self-signed certificate in .CER (Base-64 encoded X.509) format. See Export a Self-Signed Certificate for details.
Run the following scripted action on all required VMs, pasting the contents of the exported CER file into the Base-64 encoded X.509 certificate parameter.
param (
    [ComponentModel.DisplayName('Base-64 encoded X.509 certificate')]
    [Parameter(Mandatory)]
    [string] $certificate
)
$tempFile = New-TemporaryFile
Write-Output "Created temp file: $tempFile"
try {
    # Write as ASCII: Windows PowerShell's Out-File defaults to UTF-16, which
    # Import-Certificate does not recognize as a Base-64 (PEM) certificate.
    $certificate | Out-File -FilePath $tempFile.FullName -Encoding ascii
    Write-Output "Saved certificate to temp file"
    # Root store: makes the self-signed certificate a trusted chain anchor.
    Import-Certificate -FilePath $tempFile.FullName -CertStoreLocation 'Cert:\LocalMachine\Root'
    Write-Output "Imported certificate to Trusted Root Certification Authorities store"
    # Trusted Publishers store: prevents the untrusted-publisher prompt for signed scripts.
    Import-Certificate -FilePath $tempFile.FullName -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher'
    Write-Output "Imported certificate to Trusted Publishers store"
}
finally {
    # Remove the temp copy whether or not the imports succeeded.
    $tempFile.Delete()
    Write-Output "Deleted temp file"
}
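Installing the certificate is only half of the check; the host must also trust it in both stores and run under an execution policy that honours signatures. The following script, an added example that is not part of the Nerdio documentation, is run on a session host after either installation method. It looks the certificate up by thumbprint in both stores, prints the effective execution policy (group-policy scopes override the local one), and, if you pass a folder, reports the Authenticode status of every .ps1 in it so you can confirm signed scripts chain to your certificate. The thumbprint and folder path are placeholders.

```powershell
# Added example (not from the Nerdio documentation): verify on a VM that the
# signing certificate is trusted and that signed scripts validate against it.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # thumbprint of the signing certificate (placeholder)
    [string] $ScriptDir                             # optional: folder of signed .ps1 files to check (placeholder)
)
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()   # tolerate pasted thumbprints with spaces

function Test-CertificateInStore {
    # Reports whether the certificate with this thumbprint is present in one store.
    param([string] $StorePath, [string] $Thumbprint)
    $hit = Get-ChildItem -Path $StorePath | Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
    [pscustomobject]@{
        Store    = $StorePath
        Present  = [bool] $hit
        Subject  = $(if ($hit) { $hit.Subject })
        NotAfter = $(if ($hit) { $hit.NotAfter })
    }
}

# Both stores matter: Root makes the self-signed chain trusted, TrustedPublisher
# suppresses the "untrusted publisher" prompt under AllSigned / RemoteSigned.
$stores = @(
    Test-CertificateInStore -StorePath 'Cert:\LocalMachine\Root'             -Thumbprint $Thumbprint
    Test-CertificateInStore -StorePath 'Cert:\LocalMachine\TrustedPublisher' -Thumbprint $Thumbprint
)
$stores | Format-Table -AutoSize
if ($stores.Present -contains $false) {
    Write-Warning 'Certificate is missing from at least one store; signed scripts will be rejected or will prompt.'
}

# The policy that actually applies: MachinePolicy / UserPolicy (GPO) win over LocalMachine.
Get-ExecutionPolicy -List | Format-Table -AutoSize
"Effective execution policy: $(Get-ExecutionPolicy)"

if ($ScriptDir) {
    Get-ChildItem -Path $ScriptDir -Filter *.ps1 -Recurse | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Script        = $_.Name
            # Valid = chain trusted; NotSigned = unsigned; UnknownError with a "not trusted"
            # message = Root store missing the cert; HashMismatch = script edited after signing.
            Status        = $sig.Status
            StatusMessage = $sig.StatusMessage
            SignerMatches = ($null -ne $sig.SignerCertificate -and $sig.SignerCertificate.Thumbprint -eq $Thumbprint)
        }
    } | Format-Table -AutoSize -Wrap
}
```

A HashMismatch on a script that Nerdio Manager signed is worth treating as an incident rather than a configuration error: the script body changed after the signature was applied, which is exactly the case signing exists to catch.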
Install a Self-Signed Certificate on a Host Pool
Nerdio Manager allows you to install a self-signed certificate on a host pool.
To install a self-signed certificate on a host pool:
Locate the host pool you wish to work with.
From the action menu, select Properties > Certificates.
Enter the following information:
Enable Scripts Signing: Toggle this option On.
Signing Certificate: From the drop-down list, select the certificate.
Once you have entered the desired information, select Save or Save & close.
Install a Self-Signed Certificate on a Desktop Image
Nerdio Manager allows you to install a self-signed certificate on a desktop image.
To install a self-signed certificate on a desktop image:
Locate the desktop image you wish to work with.
From the action menu, select Manage certificates.
Enter the following information:
Enable Scripts Signing: Toggle this option On.
Signing Certificate: From the drop-down list, select the certificate.
Once you have entered the desired information, select OK.