GCESysprep - makecert.exe utility not included in sysprep package

[aaronfury]

Overview

When attempting to run GCESysprep on a Windows 7 VM, the "Import-PfxCertificate" cmdlet is not available, so the script attempts to use an alternative method to install the self-signed certificate for WinRM. This method calls the "makecert.exe" utility that should be located at "C:\Program Files\Google\Compute Engine\tools\makecert.exe".

However, this utility is not present at this location, so the certificate generation fails and the WinRM HTTPS listener is not created.

Steps to Reproduce

1. Import a Windows 7 VM using the GCE Image Import tool.
2. Run GCESysprep on the VM.
3. Power on the VM after GCESysprep completes (or create an image and a new VM).
4. Observe the Serial port 1 output to confirm that no errors are reported and the "Setup of WinRM complete." message is logged
5. Connect to the instance via RDP (or non-HTTPS remote PowerShell) and run the following PowerShell command from an elevated prompt: Get-ChildItem -Path WSMan:\localhost\Listener
6. Note that the HTTPS listener is not present.
7. Note that a self-signed certificate is not present in the Computer Certificate store.

Proposed workaround

Include the 'makecert.exe' utility in the google-compute-engine-sysprep Googet package.

[bkatyl]

Unfortuntely we can't include makecert.exe in the google-compute-engine-sysprep Googet package as that would be redistributing a Microsoft binary. To do that we would need redistribution rights.

I think a reasonable way to handle this would be to add a file existance check to instance_setup.ps1. if $script:gce_install_dir\tools\makecert.exe does not exist then call makecert.exe without a specified path. Then any customer needing this functionality only need to place makecert.exe in the system path prior to importing the image.

Would this address your use case?

[aaronfury]

Hi Brian,
Thanks for the quick response. Now knowing that this is the case, I suppose we can include a step in our build process to copy that file manually. But I couldn't find anywhere that this is documented for GCESysprep, so it might be useful to at least update the documentation to reflect this rather than having it silently fail.

Alternatively, I would propose using an alternative certificate utility like openssl, which you can build and include rather than relying on a closed-source tool. I know openssl is tricky on Windows and the legacy versions of PowerShell don't help, but that seems like the "more correct" way to resolve this :-) I'm happy to contribute some code, but it might be a few weeks until I have time to take a stab at this.