I'm trying to import a PFX file into the local certificate store. However, Import-PfxCertificate just does nothing at all. No return value, no error, nothing:

I can double click on the PFX file in Explorer and import it with the same password, which works. Something about the PowerShell CmdLet isn't working. I've also tried other stores, such as Cert:\LocalMachine\My and TrustedPeople. Running it with -Verbose -Debug doesn't show anything extra. Nothing in the Application or Security event logs either. I'm also running as an admin. Ideas?

Mike Christensen
  • Figured this out. It's because the PFX doesn't have a private key. It seems certificates installed on a Service Fabric cluster are not exportable, thus when you share them with a Docker container, their private key gets stripped out. – Mike Christensen May 22 '19 at 00:52
  • I had the same problem. It was caused by the certificates in the chain being stored in numerous locations (duplicates). I exported the certificate with its chain, deleted all duplicates, imported, then ran my script to install the new certificate. I then got output. It seems that no output is an error. – AMissico Nov 14 '19 at 22:18

1 Answer

The PFX file might have a cert chain. Treating it as a collection would be a better way of handling the certificate store. See installing cert chain for the C# this was based on:

[string] $certPath = '.\test.pfx';
[string] $certPass = 'MyPassword';

# Create a collection object and populate it using the PFX file.
# .NET resolves a relative path against the process working directory, not $PWD,
# so resolve it to a full path first.
$collection = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new();
$collection.Import((Resolve-Path -LiteralPath $certPath).ProviderPath, $certPass, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet);

# Declared up front so the finally block can test it even if Open() throws
$store = $null
try {
    # Open the Store My/Personal (CurrentUser by default; pass a StoreLocation for LocalMachine)
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My');
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite);

    foreach ($cert in $collection) {
        Write-Host ("Subject is: '{0}'" -f $cert.Subject)
        Write-Host ("Issuer is:  '{0}'" -f $cert.Issuer)
        Write-Host ("Has private key: {0}" -f $cert.HasPrivateKey)

        # Import the certificate into an X509Store object
        # source https://support.microsoft.com/en-au/help/950090/installing-a-pfx-file-using-x509certificate-from-a-standard-net-applic

        if ($cert.Thumbprint -in @($store.Certificates | ForEach-Object { $_.Thumbprint })) {
            Write-Warning "Certificate is already in the store"
            # Force the removal of the certificate so we have no conflicts, not required if this is the first install
            $store.Remove($cert)
        }
        # Add in the certificate
        $store.Add($cert);
    }
} finally {
    if ($store) {
        # Dispose of the store once we are done
        $store.Dispose()
    }
}
lloyd
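An added example, not code from the question or the answer, that combines the finding in the comments (the PFX had no private key) with the answer's collection approach: it inspects the PFX first and reports whether any certificate carries a private key, only then imports it, and confirms the result by thumbprint so the run never ends in silence. The file path, password and store location are placeholders.

```powershell
# Added example: diagnose a PFX before importing it. Assumes Windows PowerShell 5.1+,
# a placeholder file .\test.pfx and a placeholder password.
param(
    [string] $PfxPath       = '.\test.pfx',
    [string] $PfxPassword   = 'MyPassword',          # placeholder; use a SecureString in real use
    [string] $StoreLocation = 'Cert:\LocalMachine\My'
)

function Get-PfxCertificateInfo {
    param([string] $Path, [string] $Password)
    # .NET resolves relative paths against its own working directory, not $PWD
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    # DefaultKeySet: keys go to a temporary container and are not persisted by this inspection
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $collection = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    $collection.Import($fullPath, $Password, $flags)
    foreach ($cert in $collection) {
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey   # $false for every entry when the key was stripped
            NotAfter      = $cert.NotAfter
        }
    }
}

$certs = @(Get-PfxCertificateInfo -Path $PfxPath -Password $PfxPassword)
$certs | Format-Table -AutoSize

$leafThumbprints = @($certs | Where-Object HasPrivateKey | ForEach-Object Thumbprint)
if ($leafThumbprints.Count -eq 0) {
    Write-Warning "No certificate in '$PfxPath' carries a private key; Import-PfxCertificate has nothing to bind, which is why it produces no output. Re-export the certificate with its private key (it must be exportable at the source)."
    return
}

# Import the PFX and keep the returned objects so the result is visible
$securePass = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force
$imported = Import-PfxCertificate -FilePath (Resolve-Path -LiteralPath $PfxPath).ProviderPath `
                                  -CertStoreLocation $StoreLocation -Password $securePass
$imported | Select-Object Subject, Thumbprint, HasPrivateKey

# Confirm the key-bearing certificate really landed in the store, by thumbprint
$missing = $leafThumbprints | Where-Object { -not (Test-Path (Join-Path $StoreLocation $_)) }
if ($missing) { Write-Warning "Not found in ${StoreLocation}: $($missing -join ', ')" }
```

Run it from an elevated prompt when targeting Cert:\LocalMachine; the inspection step alone works without elevation.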