From 760802b6299c6029574b98fae7ccf99f5ecd4612 Mon Sep 17 00:00:00 2001 From: James Ruskin Date: Fri, 8 Nov 2024 10:20:19 +0000 Subject: [PATCH] (#281) Prevents Creation Of Unrequired Self-Signed Certificate The Chocolatey-Management-Service package generates a self-signed certificate to use if no thumbprint is specified as a parameter. Regardless of if a certificate was specified, we were installing it without a thumbprint and then setting the certificate later. This resulted in an unused self-signed certificate being generated and stored. This change ensures the package gets the appropriate parameter in order to not generate unneeded certificate(s). --- Start-C4bCcmSetup.ps1 | 29 +++++++++++++---------------- Start-C4bSetup.ps1 | 12 +++++------- 2 files changed, 18 insertions(+), 23 deletions(-) diff --git a/Start-C4bCcmSetup.ps1 b/Start-C4bCcmSetup.ps1 index 277549c..71e426f 100644 --- a/Start-C4bCcmSetup.ps1 +++ b/Start-C4bCcmSetup.ps1 @@ -17,8 +17,9 @@ param( [System.Management.Automation.PSCredential] $DatabaseCredential = (Get-Credential -Username ChocoUser -Message 'Create a credential for the ChocolateyManagement DB user (document this somewhere)'), - #Certificate to use for CCM service + # Certificate to use for CCM service [Parameter()] + [Alias('Thumbprint')] [String] $CertificateThumbprint ) 
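Review bot: The new `[Alias('Thumbprint')]` makes `$CertificateThumbprint` reachable under a second name, but the parameter still has no validation, and the value is later interpolated unquoted into `Cert:\LocalMachine\...` provider paths and into a `--package-parameters` string, so a mistyped or wildcard-containing value would be matched loosely or passed straight through to the package. A certificate thumbprint is a fixed-length SHA-1 hex string, so a pattern constraint on the declaration rejects bad input before any store lookup: `[Parameter()]` / `[Alias('Thumbprint')]` / `[ValidatePattern('^[0-9A-Fa-f]{40}$')]`. Operators sometimes paste thumbprints with spaces or a leading invisible character from certmgr, so the error message from the attribute is also friendlier than a failed `Get-Item` later. The enclosing `param(` block begins outside the hunk.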
@@ -116,31 +117,27 @@ process { $hostName = [System.Net.Dns]::GetHostName() $domainName = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName - if(-Not $hostName.endswith($domainName)) { + if (-not $hostName.EndsWith($domainName)) { $hostName += "." + $domainName } Write-Host "Installing Chocolatey Central Management Service" - if($CertificateThumbprint){ + $chocoArgs = @('install', 'chocolatey-management-service', "--source='ChocolateyInternal'", '-y', "--package-parameters-sensitive=`"/ConnectionString:'Server=Localhost\SQLEXPRESS;Database=ChocolateyManagement;User ID=$DatabaseUser;Password=$DatabaseUserPw;'`"", '--no-progress') + if ($CertificateThumbprint) { Write-Verbose "Validating certificate is in LocalMachine\TrustedPeople Store" - if($CertificateThumbprint -notin (Get-ChildItem Cert:\LocalMachine\TrustedPeople | Select-Object -Expand Thumbprint)){ + if (-not (Get-Item Cert:\LocalMachine\TrustedPeople\$CertificateThumbprint) -and -not (Get-Item Cert:\LocalMachine\My\$CertificateThumbprint)) { Write-Warning "You specified $CertificateThumbprint for use with CCM service, but the certificate is not in the required LocalMachine\TrustedPeople store!" Write-Warning "Please place certificate with thumbprint: $CertificateThumbprint in the LocalMachine\TrustedPeople store and re-run this step" - throw "Certificate not in correct location....exiting." - } - else { + throw "Certificate not in correct location... exiting." 
+ } elseif ($MyCertificate = Get-Item Cert:\LocalMachine\My\$CertificateThumbprint) { + Write-Verbose "Copying certificate from 'Personal' store to 'TrustedPeople'" + Copy-CertToStore $MyCertificate + } else { Write-Verbose "Certificate has been successfully found in correct store" - $chocoArgs = @('install', 'chocolatey-management-service', '-y', "--package-parameters-sensitive='/ConnectionString:Server=Localhost\SQLEXPRESS;Database=ChocolateyManagement;User Id=$DatabaseUser;Password=$DatabaseUserPw'") - & Invoke-Choco @chocoArgs - - Set-CcmCertificate -CertificateThumbprint $CertificateThumbprint } + $chocoArgs += @("--package-parameters='/CertificateThumbprint=$CertificateThumbprint'") } - - else { - $chocoArgs = @('install', 'chocolatey-management-service', "--source='ChocolateyInternal'", '-y', "--package-parameters-sensitive=`"/ConnectionString:'Server=Localhost\SQLEXPRESS;Database=ChocolateyManagement;User ID=$DatabaseUser;Password=$DatabaseUserPw;'`"", '--no-progress') - & Invoke-Choco @chocoArgs - } + & Invoke-Choco @chocoArgs Write-Host "Installing Chocolatey Central Management Website" $chocoArgs = @('install', 'chocolatey-management-web', "--source='ChocolateyInternal'", '-y', "--package-parameters-sensitive=""'/ConnectionString:Server=Localhost\SQLEXPRESS;Database=ChocolateyManagement;User ID=$DatabaseUser;Password=$DatabaseUserPw;'""", '--no-progress') diff --git a/Start-C4bSetup.ps1 b/Start-C4bSetup.ps1 index dd31323..0caba78 100644 --- a/Start-C4bSetup.ps1 +++ b/Start-C4bSetup.ps1 
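Review bot: In the common case where the certificate is only in `LocalMachine\TrustedPeople`, the first `if` short-circuits after the TrustedPeople lookup, and the `elseif` then runs `Get-Item Cert:\LocalMachine\My\$CertificateThumbprint` on a path that does not exist, which emits an error; under the default preference that is just red noise, but if `$ErrorActionPreference = 'Stop'` is in effect (the sibling script restores a saved `$DefaultEap`, which suggests it is) the happy path terminates before the "successfully found" branch. The same applies to the first `if`, where both `Get-Item` calls can fail before the friendly warnings are reached. The `elseif` also copies into TrustedPeople whenever the certificate is in the Personal store, even when it is already present in TrustedPeople, and `Copy-CertToStore` is defined outside the hunk so its behaviour on duplicates is not visible here. Resolving both stores once with `Test-Path` / `-ErrorAction SilentlyContinue` and branching on the results avoids the spurious errors and the redundant copy; the warning text should then also stop claiming TrustedPeople is the only accepted store, since the new check accepts `LocalMachine\My` too. The enclosing `process {` block starts outside the hunk.
```powershell
        $inTrustedPeople = Test-Path "Cert:\LocalMachine\TrustedPeople\$CertificateThumbprint"
        $MyCertificate = Get-Item "Cert:\LocalMachine\My\$CertificateThumbprint" -ErrorAction SilentlyContinue
        if (-not $inTrustedPeople -and -not $MyCertificate) {
            Write-Warning "You specified $CertificateThumbprint for use with CCM service, but the certificate is in neither the LocalMachine\TrustedPeople nor the LocalMachine\My store!"
            # … unchanged: second warning and throw …
        } elseif (-not $inTrustedPeople) {
            Write-Verbose "Copying certificate from 'Personal' store to 'TrustedPeople'"
            Copy-CertToStore $MyCertificate
        } else {
            Write-Verbose "Certificate has been successfully found in correct store"
        }
        # … unchanged: append /CertificateThumbprint package parameter and Invoke-Choco …
```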
@@ -150,16 +150,14 @@ try { # Kick off unattended running of remaining setup scripts. if ($Unattend) { + $Certificate = @{} + if ($Thumbprint) {$Certificate.Thumbprint = $Thumbprint} + Set-Location "$env:SystemDrive\choco-setup\files" .\Start-C4BNexusSetup.ps1 - .\Start-C4bCcmSetup.ps1 -DatabaseCredential $DatabaseCredential + .\Start-C4bCcmSetup.ps1 @Certificate -DatabaseCredential $DatabaseCredential .\Start-C4bJenkinsSetup.ps1 - if ($Thumbprint) { - .\Set-SslSecurity.ps1 -Thumbprint $Thumbprint - } - else { - .\Set-SslSecurity.ps1 - } + .\Set-SslSecurity.ps1 @Certificate } } finally { $ErrorActionPreference = $DefaultEap
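Review bot: The splat key `Thumbprint` only binds to `Start-C4bCcmSetup.ps1` because that script gained an `[Alias('Thumbprint')]` on `-CertificateThumbprint` in the same commit; nothing in this file records that dependency, so a reader (or someone later removing the alias) would not see why the CCM call works. A one-line comment above the hashtable would capture it: `# Splatted into Start-C4bCcmSetup.ps1 (-CertificateThumbprint, aliased -Thumbprint) and Set-SslSecurity.ps1 (-Thumbprint)`. As a point of style, `$Certificate` is a misleading name for a hashtable of parameters rather than a certificate object, and `{$Certificate.Thumbprint = $Thumbprint}` is the only brace block in the hunk without inner spaces; `$CertParams = @{}` / `if ($Thumbprint) { $CertParams.Thumbprint = $Thumbprint }` reads more naturally. The enclosing `try` block begins outside the hunk.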