I'm working on a script that export certificate from Server A to PFX, copy it to Server B and import the PFX to the server. I'm using the following code to encrypt the password from plain text to secure string:

$pfxPass = "PassW0rd"
$File = "D:\backup_conf\Password.txt"
[Byte[]] $key = (1..16)
$pfxSecure = $pfxPass | ConvertTo-SecureString -AsPlainText -Force
$pfxSecure | ConvertFrom-SecureString -key $key | Out-File $File
dir Cert:\LocalMachine\my | Where-Object { $_.NotAfter -clike "*2019*"} | % { certutil.exe -f -exportPFX -p $pfxSecure $_.Thumbprint D:\backup_conf\certificates\$($_.Thumbprint).pfx }

PFX created and I can see that Password.txt contains the hash string. The PFX and the Password.txt were copied over to new server and I've used the following code for import:

$file = "D:\backup_conf\Password.txt"
[Byte[]] $key = (1..16)
$pfxSecure = Get-Content $File | ConvertTo-SecureString -Key $key
$certs = (Get-ChildItem -recurse -Path  "D:\backup_conf\certificates" -Include *.pfx)|%{Import-PfxCertificate $_.FullName -Exportable -Password $pfxSecure -CertStoreLocation Cert:\LocalMachine\My }

This one fails with the error:

Import-PfxCertificate : The PFX file you are trying to import requires either a different password or membership in an Active Directory principal to which it is protected.

Any idea why it's not working?

Samoth
    You're using `SecureString` object here: `certutil.exe -f -exportPFX -p $pfxSecure`. Password will be literally `System.Security.SecureString`. For cmd `SecureString` is not something it can process. – Robert Dyjas Jun 13 '18 at 08:10
  • Thanks. I understand, however, I cannot pass plain text to certutil.exe. I'm forced to convert it to SecureString. Any idea on how I can do it properly? Thanks in advance – Samoth Jun 13 '18 at 08:16
  • From what I know `certutil.exe` will not accept `SecureString` so you'll have to convert it back to plain text before running it ([here an example](https://stackoverflow.com/questions/28352141/convert-a-secure-string-to-plain-text)). – Robert Dyjas Jun 13 '18 at 08:29
  • Thanks, I ended up removing the SecureString as suggested from Server A and used certutil to import the pfx without converting to SecureString on Server B. Worked. – Samoth Jun 13 '18 at 08:35
  • Glad to hear! I'll convert it to an answer then and if you want, you can [mark this as answered](https://stackoverflow.com/help/someone-answers) if you don't mind. – Robert Dyjas Jun 13 '18 at 08:39

1 Answer

As you're using a SecureString object here: certutil.exe -f -exportPFX -p $pfxSecure, it's not properly recognized by certutil.exe. The password will be literally

System.Security.SecureString

For cmd applications, SecureString is not something they can process, so you'll have to convert it to plain text and then pass it to certutil.exe.

Example of how you can convert a SecureString to plain text (source):

$SecurePassword = ConvertTo-SecureString $pfxPass -AsPlainText -Force   # -AsPlainText -Force is required when the input is a plain string
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
$UnsecurePassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)   # zero and free the unmanaged copy once the string has been read
Robert Dyjas
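The full round trip the question and answer describe, as an added example that is not code from the original post or either poster: on Server A the SecureString is unwrapped to plain text only for the certutil.exe call (with the unmanaged BSTR zeroed afterwards), and on Server B Import-PfxCertificate is given the SecureString directly, which it accepts without any conversion. The paths, the password, the helper function name ConvertFrom-SecureStringToPlainText and the certificate filter are assumptions for illustration. Two practitioner caveats: the password passed to certutil.exe is visible on the command line (process listings, transcripts, command-line auditing), so Export-PfxCertificate, which takes the SecureString itself, avoids the conversion entirely where the PKI module is available; and a fixed key such as 1..16 means Password.txt is decryptable by anyone who can read the script, so the key is only a transport obfuscation, not a secret.

```powershell
# ---- Server A: export ----
$pfxPass   = "PassW0rd"                      # assumed example password
$exportDir = "D:\backup_conf\certificates"   # assumed path
$passFile  = "D:\backup_conf\Password.txt"   # assumed path
[Byte[]] $key = (1..16)                      # NOTE: whoever can read this script can decrypt $passFile

$pfxSecure = ConvertTo-SecureString $pfxPass -AsPlainText -Force
# Persist the password for Server B, AES-encrypted with the shared $key.
$pfxSecure | ConvertFrom-SecureString -Key $key | Out-File $passFile

# certutil.exe cannot consume a SecureString, so unwrap it to a plain string
# for the duration of the export and zero the unmanaged copy afterwards.
# (Helper name is an assumption for this example.)
function ConvertFrom-SecureStringToPlainText {
    param([Parameter(Mandatory)][System.Security.SecureString]$Secure)
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try {
        [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

$plain = ConvertFrom-SecureStringToPlainText -Secure $pfxSecure
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter.Year -eq 2019 -and $_.HasPrivateKey } |   # assumed selection criteria
    ForEach-Object {
        $out = Join-Path $exportDir "$($_.Thumbprint).pfx"
        # certutil defaults to the LocalMachine store; the password is now a plain string
        # and therefore visible on the command line for the lifetime of the process.
        & certutil.exe -f -p $plain -exportPFX $_.Thumbprint $out
        if ($LASTEXITCODE -ne 0) { Write-Warning "certutil export failed for $($_.Thumbprint)" }
    }

# Drop our reference; a managed string cannot be wiped in place, only dereferenced.
$plain = $null

# ---- Server B: import (run after copying $exportDir and $passFile across) ----
[Byte[]] $key = (1..16)
$pfxSecure = Get-Content $passFile | ConvertTo-SecureString -Key $key

# Import-PfxCertificate takes the SecureString as-is, so no conversion is needed here.
Get-ChildItem -Path $exportDir -Filter *.pfx | ForEach-Object {
    Import-PfxCertificate -FilePath $_.FullName -Password $pfxSecure `
        -CertStoreLocation Cert:\LocalMachine\My -Exportable
}
```

If the export side can use Export-PfxCertificate instead of certutil.exe, pass it $pfxSecure directly and the helper, the plain-text variable and the command-line exposure all disappear; the import side stays the same.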