
Desired State Configuration credential private key not acquired


I'm trying to use PowerShell DSC for a few things. I wanted to have the passed credentials encrypted per the instructions at http://technet.microsoft.com/en-us/library/dn781430.aspx. It all seems to work fine until I run Start-DscConfiguration on the target node and I get the error:

The private key could not be acquired. + CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException + FullyQualifiedErrorId : MI RESULT 1 + PSComputerName : DmitriyDev

Going back I checked to see that the mof contains the credentials encrypted and the meta.mof contains the matching thumbprint, etc.

Going back to the original article, I see the example code:

# Get the certificate that works for encryption
function Get-LocalEncryptionCertificateThumbprint
{
    (dir Cert:\LocalMachine\my) | %{
        # Verify the certificate is for Encryption and valid
        if ($_.PrivateKey.KeyExchangeAlgorithm -and $_.Verify())
        {
            return $_.Thumbprint
        }
    }
}

When I test my certificate using this code (on the target node), I see that the PrivateKey of the certificate is null. I'm not sure how the certificate is null. Trying a few things with certutil and the technique mentioned at http://blogs.technet.com/b/vishalagarwal/archive/2010/03/30/verifying-the-private-key-property-for-a-certificate-in-the-store.aspx, it seems that I do indeed have a private key; however, PowerShell sees it only as null.

On the target node, I even exported the public/private key pair manually and reimported it, with no luck, as outlined in another DSC tutorial.

I also tried using procmon to see what the problem was on the target node. I see the wmiprvse process and see that it runs as System (as expected), and I checked to make sure that the permissions on the private key allowed access for System (all on the target node).

So my question is: how do I get my private key to be used by DSC, specifically the LCM on the target node? Or how do I diagnose the problem more?


Solution

  • I had a similar error when using New-SelfSignedCertificate to create my certificates. For anyone with similar issues, I suspect the problem is related to the storage provider used by New-SelfSignedCertificate (see http://blogs.technet.com/b/vishalagarwal/archive/2010/03/30/verifying-the-private-key-property-for-a-certificate-in-the-store.aspx, which talks about a problem with the Microsoft Software Key Storage Provider and .NET classes). There's a PowerShell script available on TechNet that creates self-signed certificates, and defaults to using a different storage provider, which solved the problem for me.
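The following diagnostic is an added example, not code from the question, the answer or the TechNet article. It walks the local machine's personal store and, for each certificate that claims a private key, reports whether the key is visible through the legacy .PrivateKey property (CryptoAPI/CSP keys, which is what the article's check and the DSC LCM rely on) or only through a CNG Key Storage Provider, the case the answer describes. It assumes Windows PowerShell 5.x on .NET Framework 4.6 or later (for GetRSAPrivateKey); the New-SelfSignedCertificate parameters in the trailing comment exist only in the Windows 10 / Server 2016 and later PKI module.

```powershell
# Added diagnostic (not from the original post): explain why .PrivateKey is null.
function Get-DscEncryptionCertificateReport {
    $docEncryptionOid = '1.3.6.1.4.1.311.80.1'   # Document Encryption EKU
    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $provider = $null
        # Legacy property: populated only when the key lives in a CryptoAPI CSP.
        $viaCapi = $null -ne $cert.PrivateKey
        if ($viaCapi) {
            $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
        } else {
            # Key is most likely held by a CNG KSP; open it the CNG way to name the provider.
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) { $provider = $rsa.Key.Provider.Provider }
            } catch { $provider = "unreadable: $($_.Exception.Message)" }
        }

        # Key usage / EKU checks that a DSC credential-encryption certificate is expected to pass.
        $ku  = ($cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages
        $eku = ($cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }).EnhancedKeyUsages.Value

        [pscustomobject]@{
            Thumbprint            = $cert.Thumbprint
            Subject               = $cert.Subject
            NotAfter              = $cert.NotAfter
            Provider              = $provider
            PrivateKeyViaCapi     = $viaCapi            # $false here matches the question's symptom
            KeyEncipherment       = [bool]($ku -band $kuFlags::KeyEncipherment)
            DataEncipherment      = [bool]($ku -band $kuFlags::DataEncipherment)
            DocumentEncryptionEku = $eku -contains $docEncryptionOid
        }
    }
}

Get-DscEncryptionCertificateReport | Format-Table -AutoSize

# Remediation on newer Windows (assumption: PKI module with -Type support). The LegacyCsp
# variant stores the key in a CryptoAPI provider so .PrivateKey is no longer null:
#   New-SelfSignedCertificate -Type DocumentEncryptionCertLegacyCsp -DnsName 'DscEncryptionCert' `
#       -HashAlgorithm SHA256 -CertStoreLocation Cert:\LocalMachine\My
```

A row with PrivateKeyViaCapi set to $false and Provider reading "Microsoft Software Key Storage Provider" is the condition described in the accepted answer; the other columns flag certificates that are reachable but lack the key usages DSC needs.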