Once you have your Chocolatey for Business Azure Environment deployed, you’ll need to get clients talking to it. To do that, you’ll need to do the following on the clients:

  1. Setup DNS to allow access to the environment.
  2. Install the SSL/TLS certificate, if self-signed, so clients can access HTTPS components.
  3. Install Chocolatey components and configure the client for Chocolatey for Business (C4B) deployments.


Ensure that you have configured DNS to direct clients to your deployed environment.

Once you’ve added the required CNAME record, clients should be able to access it.

SSL Certificate


If you used an SSL certificate from an external Certificate Authority (CA), or internally trusted PKI CA, your clients will automatically trust it and you can skip this section.

If you used a self-signed certificate to deploy your Chocolatey for Business Azure Environment, you will need to import this certificate to the Trusted Root Certification Authorities store on the clients.

  1. Open the Microsoft Management Console (MMC.msc)

  2. Select File -> Add/Remove Snap-in…

  3. Select Certificates and click Add >

  4. Choose Computer account and click Next, Finish, then OK

  5. Expand Certificates (Local Computer)

  6. Right-click Trusted Root Certification Authorities, and select All Tasks -> Import

    Importing SSL Certificate in MMC

  7. Click Next

  8. Browse to the self-signed certificate file

    1. You may need to adjust the filetype so that you can see .pfx files

    Changing file type when browsing for certificate file in MMC

  9. Click Next

  10. Enter the password supplied when creating the certificate

  11. Click Next, Next, then Finish

  12. Close the Microsoft Management Console

Client Setup Script

To on-board clients, you run the ClientSetup.ps1 script provided with your Chocolatey for Business Azure Environment.

You will need the following values ready when running this script:

  • FQDN: The fully qualified domain name used to access your environment.
  • ccmClientCommunicationSalt: This is the client-side salt additive. More information about this can be found in the C4B Config Settings docs.
  • ccmServiceCommunicationSalt: This is the server-side salt additive. More information about this can be found in the C4B Config Settings docs.
  • ChocoUserPassword: The password for the chocouser account which is used by the client to access your environments’ Sonatype Nexus Repository service.

Except for the FQDN, all of these values are available in your deployed environment’s Azure Key Vault. See Accessing Services for more information about retrieving values from the Vault.

When you’re ready, run the following on the client from an elevated (Run as Administrator) PowerShell session:

# Please fill in the following values
$fqdn = 'Replace with FQDN for your Chocolatey for Business QDE Azure Environment'
$clientCommunicationSalt = 'Your ccmClientCommunicationSalt'  #This value is stored within your Azure Key Vault
$serverCommunicationSalt = 'Your ccmServiceCommunicationSalt' #This value is stored within your Azure Key Vault
$password = 'Your ChocoUserPassword' #This value is stored within your Azure Key Vault

# Touch NOTHING below this line
$user = 'chocouser'

$securePassword = $password | ConvertTo-SecureString -AsPlainText -Force
$credential = [pscredential]::new($user, $securePassword)
$downloader = [System.Net.WebClient]::new()
$downloader.Credentials = $credential

$script =  $downloader.DownloadString("https://$($fqdn)/nexus/repository/choco-install/ClientSetup.ps1")

$params = @{
    Credential      = $credential
    ClientSalt      = $clientCommunicationSalt
    ServerSalt      = $serverCommunicationSalt

& ([scriptblock]::Create($script)) @params

This script will accomplish the following on your client:

  1. Install Chocolatey CLI from the installation script hosted in your internal raw Sonatype Nexus Repository.
  2. Add the ChocolateyInternal source, and enable it for self-service
  3. Disable the default chocolatey source.
  4. Install your Chocolatey license using the chocolatey-license package.
  5. Install the Chocolatey Licensed Extension (without context menus for Package Builder).
  6. Install the ChocolateyGUI package on the endpoint, for self-service support.
  7. Install the chocolatey-agent package, which supports self-service and Chocolatey Central Management communication.
  8. Enable and disable features related to configuring self-service access on the endpoint.
  9. Setup the communication channel between the endpoint and Chocolatey Central Management, using the correct URL and salts.
  10. Enable Chocolatey Central Management Deployments.