Install Certs on Nanoserver

What is Nanoserver?

Nanoserver is a light-weight Windows Docker container, great for containerizing Windows applications.

What is a Certificate?

A certificate is a way for one party to prove its identity to another; for example, it lets a server verify that the client making the request is legitimate.

Here we will be using a .pfx certificate generated through Azure Key Vault.

The Code

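The code consists of the NanoserverInstallCert.ps1 script and the Dockerfile below.

NanoserverInstallCert.ps1:

param(
    # Path to the .pfx file to import
    [Parameter(Mandatory,Position=0)]
    [string]$PfxFile,
    # Password protecting the .pfx, if it has one
    [securestring]$PfxPass,
    # Note the naming: $StoreName holds the store location and $StoreLoc holds the store name
    [string]$StoreName = 'LocalMachine',
    [string]$StoreLoc = 'My'
)

Write-Host ("Installing cert file {0} to Cert:\{1}\{2}" -f $PfxFile, $StoreName, $StoreLoc)
# Load the certificate and its private key from the .pfx file
$pfx = New-Object Security.Cryptography.X509Certificates.X509Certificate2($PfxFile, $PfxPass)
# X509Store takes (store name, store location), which is ('My', 'LocalMachine') with the defaults
$store = New-Object Security.Cryptography.X509Certificates.X509Store($StoreLoc,$StoreName)
$store.Open("MaxAllowed")
$store.Add($pfx)
$store.Close()

Dockerfile:
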
# Use Nanoserver as a base image (with powershell installed)
FROM mcr.microsoft.com/powershell:lts-nanoserver-1809

# Run as admin
USER ContainerAdministrator

# Make default shell powershell
SHELL ["pwsh", "-command"]

# Make a directory to store copy of cert
WORKDIR C:\\certs

# Copy cert to container
COPY certsonnanoserverkv-dummycert-20220730.pfx .

# Copy cert installation script to container
COPY NanoserverInstallCert.ps1 .

# Run cert installation script in container
RUN .\NanoserverInstallCert.ps1 -PfxFile .\\certsonnanoserverkv-dummycert-20220730.pfx -StoreName """LocalMachine""" -StoreLoc """My"""

# Verify that the cert was installed on the container
RUN Get-Childitem Cert:\LocalMachine\My

# Remove copy of cert from the container filesystem
# (the .pfx is still present in the image layer created by the COPY above)
RUN Remove-Item certsonnanoserverkv-dummycert-20220730.pfx
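
A stricter form of the Dockerfile's `Get-Childitem` verification step, as an added example that is not part of the original post: it fails the build unless a certificate with the expected thumbprint is in the store, is inside its validity period and has a private key that can actually be opened. The file name `VerifyInstalledCert.ps1` and the `-Thumbprint` parameter are assumptions made for this example.

```powershell
# Added example, not from the original post. Hypothetical file name: VerifyInstalledCert.ps1
# Throws (non-zero exit, which fails `docker build`) unless the pinned certificate
# is in the store, is inside its validity period, and its private key can be opened.
using namespace System.Security.Cryptography.X509Certificates
param(
    [Parameter(Mandatory, Position = 0)]
    [string]$Thumbprint,                       # expected SHA-1 thumbprint (hex), assumed parameter
    [string]$StoreLocation = 'LocalMachine',   # store the install script wrote to
    [string]$StoreName = 'My'
)
$ErrorActionPreference = 'Stop'

# Normalise the input: thumbprints copied from a GUI often contain spaces.
$want = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($want.Length -ne 40) { throw "Thumbprint must be 40 hex characters" }

$store = [X509Store]::new($StoreName, [StoreLocation]$StoreLocation)
$store.Open([OpenFlags]::ReadOnly)   # read-only: a check must never modify the store
try {
    # validOnly = $false: a dummy/test cert may not chain to a trusted root
    $found = $store.Certificates.Find([X509FindType]::FindByThumbprint, $want, $false)
    if ($found.Count -eq 0) { throw "No certificate $want in Cert:\$StoreLocation\$StoreName" }
    $cert = $found[0]

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    if (-not $cert.HasPrivateKey) { throw "Certificate was installed without a private key" }

    # HasPrivateKey only says a key is referenced; opening it proves the key material exists.
    $key = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $key) { $key = [ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert) }
    if ($null -eq $key) { throw "Private key is referenced but could not be opened" }
    $key.Dispose()

    Write-Host ("OK: {0} ({1}), expires {2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
}
finally {
    $store.Close()
}
```

In the Dockerfile it would be copied like the install script and called as `RUN .\VerifyInstalledCert.ps1 -Thumbprint <expected-thumbprint>` in place of the `Get-Childitem` line.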

Running the code

On a Windows machine with Docker installed, run the following to actually do the demo:

docker build -t cert:test -f .\Dockerfile .

[Image: Successful installation of a dummy cert on Nanoserver]

This Post Has 2 Comments

  1. Chethan S

    While everything works as outlined in this post, how does one perform the SSLBinding? Without this at least my ASP .NET Core application does not work.

    On a Windows server core image, it could be done using
    Set-Location IIS:\SslBindings
    $pfx | New-Item 0.0.0.0!443

    1. Coolster

      Hi Chethan,
      What’s the error message you see from your application?
      I have an application using this same install script and the app listens on 443 using https, so I’m thinking the cert is bound but I honestly haven’t done an sslbinding explicitly before.
