Sometimes things don't go as expected. One of my customers was using Puppet to maintain not only their Linux machines, but also their Windows machines. So one of the things that we wanted to configure using Puppet was WinRM to use encryption. Who runs anything cleartext these days? In the Puppet plugin database there is a module written to assist with this, winrmssl. I found an issue with the module when multiple certificates exist.

If both of these are true, the module will have issues:

  • A certificate does not have the Server Authentication EKU
  • That certificate is the one with the longest life left

So I wrote a small change that I will now try to get inserted into the module.

I started with a PowerShell 5 version. Then I realized that my change would need to support any PowerShell version, so I rewrote it for PowerShell 2 or higher.

PowerShell 2.0

Get-ChildItem Certificate::LocalMachine/My |Where-Object {(($_.Extensions|Where-Object{$_.gettype().Name -eq 'X509EnhancedKeyUsageExtension'}).EnhancedKeyUsages|?{$_.value -eq '1.3.6.1.5.5.7.3.1'}) -ne $Null}

PowerShell 5

Get-ChildItem certificate::localmachine/my | Where-Object { $_.EnhancedKeyUsageList.Contains([Microsoft.PowerShell.Commands.EnhancedKeyUsageRepresentation]::new('Server Authentication','1.3.6.1.5.5.7.3.1'))}

So the EnhancedKeyUsageList is much more exposed with PowerShell 5. I would say that the PowerShell 5.0 version is easier to read, even if it is a bit longer.
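The following is an added example, not code from the winrmssl module or from the change described above. It shows the selection order that avoids the problem: filter on the Server Authentication EKU first, then pick the certificate with the longest life left, using only PowerShell 2.0 syntax. The function names `Test-ServerAuthEku` and `Select-WinRMCertificate` are hypothetical, and the private-key and validity-window checks are assumptions added here, not something the post mentions.

```powershell
# Added example; PowerShell 2.0 compatible (no member enumeration, no ::new()).
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID used in the post

function Test-ServerAuthEku {
    # Hypothetical helper: $true if the certificate lists Server Authentication in its EKU.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ServerAuthOid) { return $true }
            }
        }
    }
    return $false
}

function Select-WinRMCertificate {
    # Hypothetical helper: returns the usable certificate with the latest NotAfter,
    # or nothing if no certificate in the store qualifies.
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { Test-ServerAuthEku -Certificate $_ } |                # EKU filter comes first
        Where-Object { $_.HasPrivateKey } |                                  # assumption: listener needs the key
        Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now } |   # assumption: skip expired / not yet valid
        Sort-Object -Property NotAfter -Descending |                         # longest life left
        Select-Object -First 1
}

# Show every certificate in the store next to the EKU verdict, so a
# long-lived certificate without the EKU is easy to spot.
Get-ChildItem -Path 'Cert:\LocalMachine\My' | ForEach-Object {
    New-Object PSObject -Property @{
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        HasServerAuth = (Test-ServerAuthEku -Certificate $_)
    }
} | Sort-Object -Property NotAfter -Descending | Format-Table -AutoSize

$cert = Select-WinRMCertificate
if ($cert) {
    "Selected for WinRM HTTPS: $($cert.Thumbprint) (expires $($cert.NotAfter))"
} else {
    'No certificate with the Server Authentication EKU was found.'
}
```

If the first row of the table shows `HasServerAuth` as False, that store has the combination described above: sorting by expiry alone would pick a certificate without the EKU.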