Automated Setup of a Secure Project Honolulu


I recently learned about the CAO title replacing the more commonly known CIO. I hereby declare myself Chief Automation Officer.

Project Honolulu

Project Honolulu (now Windows Admin Center), the future of Windows Server GUI management, was just released as a technical preview and presented at Ignite 2017. Two deep-dive presentations from Ignite cover it in detail. All I can say is: IT IS AMAZING.

In this post I'm going to show you how to download and install Project Honolulu unattended, using an internal wildcard certificate so that the gateway is served over TLS with a certificate your clients already trust instead of the installer's self-signed one.

If you don't already have an internal wildcard certificate, you can use the script created by CTA Martin Therkelsen to request one from your internal CA automatically. I have customized it on line 62 to also write the thumbprint to a text file. Check his blog post for more.

With the wildcard certificate at hand, import it into the local machine's personal store (Cert:\LocalMachine\My) before running the Project Honolulu installation; the installer references the certificate by its thumbprint, so the private key has to be in the machine store, not in a user profile.

The final part is to automatically download and install Project Honolulu, binding the gateway to the wildcard certificate by thumbprint.
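The three steps above (import the certificate, download the installer, install it bound to the certificate) as one added PowerShell example. This is not the post's own script or Microsoft's: the PFX path, the thumbprint file, the download URL and the MSI file name are assumptions for illustration, and the certificate checks and the Authenticode check before running msiexec are additions a practitioner would want. The MSI properties SME_PORT, SSL_CERTIFICATE_OPTION and SME_THUMBPRINT are the silent-install properties documented for the Windows Admin Center installer.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's own script. Assumed paths and URL; adjust before use.
param(
    [string]       $PfxPath       = 'C:\Certs\wildcard.pfx',          # assumed
    [securestring] $PfxPassword,                                      # prompt if not supplied
    [string]       $ThumbprintFile= 'C:\Certs\thumbprint.txt',        # assumed (the file the CA script writes)
    [int]          $Port          = 443,
    [string]       $DownloadUrl   = 'https://aka.ms/HonoluluDownload', # assumed; check the current link
    [string]       $MsiPath       = "$env:TEMP\Honolulu.msi"
)

# 1. Import the wildcard certificate into the machine store, unless it is already there.
$Thumbprint = (Get-Content $ThumbprintFile -ErrorAction SilentlyContinue | Select-Object -First 1) -replace '\s', ''
if (-not $Thumbprint -or -not (Test-Path "Cert:\LocalMachine\My\$Thumbprint")) {
    if (-not $PfxPassword) { $PfxPassword = Read-Host -AsSecureString 'PFX password' }
    $imported   = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
    $Thumbprint = $imported.Thumbprint
}

# 2. Check the certificate before binding the gateway to it: private key, validity, EKU, and name coverage.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey)                  { throw "Certificate $Thumbprint has no private key in the machine store" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate $Thumbprint expires on $($cert.NotAfter)" }
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and -not (($eku.EnhancedKeyUsages | ForEach-Object Value) -contains '1.3.6.1.5.5.7.3.1')) {
    throw "Certificate $Thumbprint lacks the Server Authentication EKU"
}
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLowerInvariant()
$names = $cert.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() }
$covers = $names | Where-Object {
    if ($_ -eq $fqdn) { return $true }
    # A wildcard matches exactly one label: *.contoso.com covers host.contoso.com but not a.b.contoso.com
    $_.StartsWith('*.') -and ($fqdn -like $_) -and ($fqdn.Split('.').Count -eq $_.Split('.').Count)
}
if (-not $covers) { throw "Certificate $Thumbprint does not cover $fqdn (names: $($names -join ', '))" }

# 3. Download the installer and refuse to run it unless it carries a valid Microsoft Authenticode signature.
Invoke-WebRequest -Uri $DownloadUrl -OutFile $MsiPath -UseBasicParsing
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Installer signature check failed: status $($sig.Status), signer $($sig.SignerCertificate.Subject)"
}

# 4. Silent install, bound to the already-installed certificate by thumbprint.
$log     = "$env:TEMP\Honolulu-install.log"
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/L*v', "`"$log`"",
             "SME_PORT=$Port", 'SSL_CERTIFICATE_OPTION=installed', "SME_THUMBPRINT=$Thumbprint")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with $($proc.ExitCode); see $log" }

# 5. Verify what the gateway actually serves: do a TLS handshake and compare the presented certificate.
Start-Sleep -Seconds 15   # give the gateway service a moment to start
$tcp = New-Object System.Net.Sockets.TcpClient($fqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($fqdn)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
if ($served.Thumbprint -ne $Thumbprint) { throw "Gateway serves $($served.Thumbprint), expected $Thumbprint" }
Write-Host "Project Honolulu is listening on https://${fqdn}:$Port with certificate $Thumbprint"
```

The handshake in step 5 deliberately ignores chain validation (the `{ $true }` callback) because the point is to read the presented certificate, not to trust it; the thumbprint comparison is what confirms the binding.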


3 Responses to Automated Setup of a Secure Project Honolulu

  1. Hi Eric, I made this Honolulu setup today. I am not always a friend of wildcard certificates; I like SAN certificates much more. So for people who want to make it with a named certificate, and want to be sure that Google Chrome likes your certificate, you need to add a subject alternative name in the ssl.ini. So I tried some parameters today, and in the end, when you want to make a SAN certificate that is also trusted by Chrome, I created this ssl.ini:

    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=test.example.com,OU=IT,O=test,L=seatle,S=US,C=US" ; For a wildcard use "CN=*.CONTOSO.COM" for example
    ; For an empty subject use the following line instead or remove the Subject line entirely
    ; Subject =
    Exportable = TRUE ; TRUE allows the private key to be exported from the store; set FALSE to pin it to this machine
    KeyLength = 4096 ; Common key sizes: 2048, 4096, 8192, 16384 (do not go below 2048)
    KeySpec = 1 ; AT_KEYEXCHANGE
    KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
    MachineKeySet = True ; The key belongs to the local computer account
    ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
    ProviderType = 12
    SMIME = FALSE
    RequestType = PKCS10
    HashAlgorithm=Sha256

    ; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] section below
    ; (and an [Extensions] section; this file does not use one and passes the SAN as a request attribute instead)

    [Strings]
    szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
    szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
    szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
    szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

    [RequestAttributes]
    CertificateTemplate= Your Template
    ; certreq's SAN attribute keyword for an address is "ipaddress", not "IP"
    SAN="dns=test.example.com&dns=test2.example.com&ipaddress=192.168.1.1"

  2. Some typos in the ssl.ini; here is the tested ini:

    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=test.yourcompany.int,OU=IT,O=yourcompany,L=yourlocation,S=yourstate,C=yourcountry"
    ; For a wildcard use "CN=*.CONTOSO.COM" for example
    ; For an empty subject use the following line instead or remove the Subject line entirely
    ; Subject =
    Exportable = TRUE ; TRUE allows the private key to be exported from the store; set FALSE to pin it to this machine
    KeyLength = 4096 ; Common key sizes: 2048, 4096, 8192, 16384 (do not go below 2048)
    KeySpec = 1 ; AT_KEYEXCHANGE
    KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
    MachineKeySet = True ; The key belongs to the local computer account
    ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
    ProviderType = 12
    SMIME = FALSE
    RequestType = PKCS10
    HashAlgorithm=Sha256

    ; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] section below
    ; (and an [Extensions] section; this file does not use one and passes the SAN as a request attribute instead)

    [Strings]
    szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
    szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
    szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
    szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

    [RequestAttributes]
    CertificateTemplate= WebServerSAN5Years
    SAN="dns=test.yourcompany.com&dns=honululu.yourcompany.com&dns=localhost&ipaddress=192.1.1.4"
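Both ini files in the comments above pass the SAN as a request attribute in [RequestAttributes]. An enterprise CA only honours that attribute when the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is set on the CA, and that flag lets any enrollee put arbitrary names into a certificate issued from any template, which is why Microsoft advises against it. The request's own SAN extension, written in an [Extensions] section using the OIDs the [Strings] section already defines, does not need the flag; the template only has to allow the subject name to be supplied in the request. The following added PowerShell example (not the commenter's ini or the post's script) generates such an ini, runs the certreq new/submit/accept cycle against an internal CA, and verifies that the issued certificate actually carries every requested name. The host names, template name, CA config string and thumbprint file path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not the commenter's ini or the post's script. Names, template and CA are assumed.
$gatewayFqdn   = 'honolulu.yourcompany.com'                          # assumed
$sanNames      = @('honolulu.yourcompany.com', 'admin.yourcompany.com') # assumed
$template      = 'WebServerSAN5Years'                                # template name from the comment above
$caConfig      = 'ca01.yourcompany.com\YourCompany-Issuing-CA'       # assumed "CAhost\CAname"
$thumbprintOut = 'C:\Certs\thumbprint.txt'                           # assumed; same file the post's install step reads
$work          = Join-Path $env:TEMP 'honolulu-cert'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$infPath = Join-Path $work 'ssl.inf'; $reqPath = Join-Path $work 'ssl.req'; $cerPath = Join-Path $work 'ssl.cer'

# SAN goes into the request's own extension, so the CA does not need EDITF_ATTRIBUTESUBJECTALTNAME2.
$sanText = ($sanNames | ForEach-Object { "dns=$_" }) -join '&'
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$gatewayFqdn"
Exportable = FALSE
KeyLength = 4096
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}$sanText"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%"

[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair in the machine store and the PKCS#10 request.
& certreq.exe -new -q $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with $LASTEXITCODE" }

# Submit to the CA. With manager approval on the template no .cer is produced; retrieve it later with certreq -retrieve.
& certreq.exe -submit -q -config $caConfig $reqPath $cerPath
if (-not (Test-Path $cerPath)) { throw "No certificate returned (exit $LASTEXITCODE); the request may be pending approval" }

# Bind the issued certificate to its private key in Cert:\LocalMachine\My.
& certreq.exe -accept -q $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with $LASTEXITCODE" }

# Verify the CA kept every requested name; a CA that ignores the extension will issue a certificate
# with only the CN, and Chrome will not accept it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$gatewayFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Issued certificate for $gatewayFqdn not found in the machine store" }
$issued  = $cert.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() }
$missing = $sanNames | Where-Object { $issued -notcontains $_.ToLowerInvariant() }
if ($missing) { throw "CA dropped SAN entries: $($missing -join ', ')" }

Set-Content -Path $thumbprintOut -Value $cert.Thumbprint
Write-Host "Issued $($cert.Thumbprint) for $($issued -join ', ')"
```

Exportable is FALSE here on purpose: the gateway only needs the key in the machine store, and a non-exportable key cannot be copied off the host along with the certificate. If you do need the same certificate on several gateways, request it once with Exportable = TRUE and distribute the PFX, as the post does with the wildcard.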
