Source Code
What is Nanoserver?
Nanoserver is a light-weight Windows Docker container, great for containerizing Windows applications.
What is a Certificate?
A certificate is a way for a server to verify that the client making the request is legitimate.
Here we will be using a .pfx certificate generated through Azure Key Vault.
The Code
The code for this can be found in the below NanoserverInstallCert.ps1 file and Dockerfile.
# NanoserverInstallCert.ps1
# Note: despite their names, $StoreName holds the store location (LocalMachine)
# and $StoreLoc holds the store name (My). The Dockerfile passes them this way.
param(
    [Parameter(Mandatory,Position=0)]
    [string]$PfxFile,
    [securestring]$PfxPass,
    [string]$StoreName = 'LocalMachine',
    [string]$StoreLoc = 'My'
)
Write-Host ("Installing cert file {0} to Cert:\{1}\{2}" -f $PfxFile, $StoreName, $StoreLoc)
# Load the .pfx (certificate plus private key) from disk
$pfx = New-Object Security.Cryptography.X509Certificates.X509Certificate2($PfxFile, $PfxPass)
# X509Store takes (store name, store location), i.e. ('My', 'LocalMachine')
$store = New-Object Security.Cryptography.X509Certificates.X509Store($StoreLoc,$StoreName)
$store.Open("MaxAllowed")
$store.Add($pfx)
$store.Close()

# Dockerfile
# Use Nanoserver as a base image (with powershell installed)
FROM mcr.microsoft.com/powershell:lts-nanoserver-1809

# Run as admin
USER ContainerAdministrator

# Make default shell powershell
SHELL ["pwsh", "-command"]

# Make a directory to store copy of cert
WORKDIR C:\\certs

# Copy cert to container
COPY certsonnanoserverkv-dummycert-20220730.pfx .

# Copy cert installation script to container
COPY NanoserverInstallCert.ps1 .

# Run cert installation script in container
RUN .\NanoserverInstallCert.ps1 -PfxFile .\\certsonnanoserverkv-dummycert-20220730.pfx -StoreName """LocalMachine""" -StoreLoc """My"""

# Verify that the cert was installed on the container
RUN Get-Childitem Cert:\LocalMachine\My

# Remove copy of cert from container
# Note: this deletes the file only from the final layer; the earlier COPY layer
# of the image still contains the .pfx.
RUN Remove-Item certsonnanoserverkv-dummycert-20220730.pfx
Running the code
On a Windows machine with Docker installed, run the following to actually do the demo:
docker build -t cert:test -f .\Dockerfile .
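
The RUN Get-Childitem Cert:\LocalMachine\My step above only lists the store, so it succeeds even when the store is empty. The script below is an added example, not part of the original post: it fails the build unless the certificate from the .pfx is present in LocalMachine\My with its private key and has not expired. The file name VerifyInstalledCert.ps1 is hypothetical.

```powershell
# VerifyInstalledCert.ps1 (hypothetical name; added example, not from the original post)
# Assumed use: COPY it next to NanoserverInstallCert.ps1 and call it from a RUN step
# placed after the install step and before the Remove-Item step, with the same -PfxFile.
param(
    [Parameter(Mandatory, Position = 0)]
    [string]$PfxFile,
    [securestring]$PfxPass
)
$ErrorActionPreference = 'Stop'

# Load the .pfx only to learn which thumbprint should now be in the store.
$pfxPath  = (Resolve-Path $PfxFile).Path
$expected = New-Object Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $PfxPass)

# Open Cert:\LocalMachine\My read-only; verification must not modify the store.
$store = New-Object Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    # validOnly = $false so a self-signed or dummy certificate is still returned.
    $found = $store.Certificates.Find(
        [Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
        $expected.Thumbprint,
        $false)
}
finally {
    $store.Close()
}

if ($found.Count -eq 0) {
    throw "Certificate $($expected.Thumbprint) is not in Cert:\LocalMachine\My"
}

$cert = $found[0]

# A TLS server certificate is useless if the store entry lost its private key.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) is in the store but has no private key"
}

# Catch an expired certificate at build time instead of at the first handshake.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
}

Write-Host ("Verified {0} ({1}), valid until {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
```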


While everything works as outlined in this post, how does one perform the SSLBinding? Without this at least my ASP .NET Core application does not work.
On a Windows server core image, it could be done using
Set-Location IIS:\SslBindings
$pfx | New-Item 0.0.0.0!443
Hi Chethan,
What’s the error message you see from your application?
I have an application using this same install script and the app listens on 443 using https, so I’m thinking the cert is bound but I honestly haven’t done an sslbinding explicitly before.