FriendlyName now defaults to a cert's primary name rather than an emp…

…ty string to work around Windows edge case issues with cert installing (#157)
rmbolger · Sep 12, 2019 · ba7b7d8 · ba7b7d8
1 parent 3c3d245
commit ba7b7d8
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 7 deletions.
diff --git a/Posh-ACME/Private/Export-CertPfx.ps1 b/Posh-ACME/Private/Export-CertPfx.ps1
@@ -8,7 +8,7 @@ function Export-CertPfx {
         [Parameter(Mandatory,Position=2)]
         [string]$OutputFile,
         [string]$ChainFile,
-        [string]$FriendlyName='',
+        [string]$FriendlyName,
         [string]$PfxPass=''
     )
 
@@ -21,11 +21,20 @@ function Export-CertPfx {
     $key  = Import-Pem $KeyFile     # [Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair]
     $cert = Import-Pem $CertFile    # [Org.BouncyCastle.X509.X509Certificate]
 
+    # BouncyCastle won't let use use a null value for a cert/key alias in the PFX file and Windows
+    # in some cases doesn't like the empty string default we were using previously. So we'll
+    # use the subject CN value unless something non-empty was passed in.
+    if ([String]::IsNullOrWhiteSpace($FriendlyName)) {
+        $FriendlyName = $cert.Subject.GetValueList([Org.BouncyCastle.Asn1.X509.X509Name]::CN)[0]
+    }
+
     # create a new Pkcs12Store
     $store = New-Object Org.BouncyCastle.Pkcs.Pkcs12Store
 
     # add the private key
-    $store.SetKeyEntry($FriendlyName, $key.Private, @($cert))
+    try {
+        $store.SetKeyEntry($FriendlyName, $key.Private, @($cert))
+    } catch { throw }
 
     # add the chain certs if specified
     if ('ChainFile' -in $PSBoundParameters.Keys) {
@@ -41,7 +50,9 @@ function Export-CertPfx {
                 $caName = $ca.SerialNumber
             }
 
-            $store.SetCertificateEntry($caName, $ca)
+            try {
+                $store.SetCertificateEntry($caName, $ca)
+            } catch { throw }
         }
     }
 

diff --git a/Posh-ACME/Public/New-PACertificate.ps1 b/Posh-ACME/Public/New-PACertificate.ps1
@@ -25,7 +25,7 @@ function New-PACertificate {
         [Parameter(ParameterSetName='FromScratch')]
         [switch]$OCSPMustStaple,
         [Parameter(ParameterSetName='FromScratch')]
-        [string]$FriendlyName='',
+        [string]$FriendlyName,
         [Parameter(ParameterSetName='FromScratch')]
         [string]$PfxPass='poshacme',
         [Parameter(ParameterSetName='FromScratch')]
@@ -128,6 +128,11 @@ function New-PACertificate {
                     $orderParams.PfxPass = $oldOrder.PfxPass
                 }
             }
+
+            # Make sure FriendlyName is non-empty
+            if ([String]::IsNullOrWhiteSpace($orderParams.FriendlyName)) {
+                $orderParams.FriendlyName = $Domain[0]
+            }
         }
 
         # and force a new order
@@ -285,7 +290,7 @@ function New-PACertificate {
         If specified, the certificate generated for this order will have the OCSP Must-Staple flag set.
 
     .PARAMETER FriendlyName
-        Set a friendly name for the certificate. This will populate the "Friendly Name" field in the Windows certificate store when the PFX is imported. Defaults to an empty string.
+        Set a friendly name for the certificate. This will populate the "Friendly Name" field in the Windows certificate store when the PFX is imported. Defaults to the first item in the Domain parameter.
 
     .PARAMETER PfxPass
         Set the export password for generated PFX files. Defaults to 'poshacme'.

diff --git a/Posh-ACME/Public/New-PAOrder.ps1 b/Posh-ACME/Public/New-PAOrder.ps1
@@ -15,7 +15,7 @@ function New-PAOrder {
         [Alias('NewCertKey')]
         [switch]$NewKey,
         [Parameter(ParameterSetName='FromScratch')]
-        [string]$FriendlyName='',
+        [string]$FriendlyName,
         [Parameter(ParameterSetName='FromScratch')]
         [string]$PfxPass='poshacme',
         [Parameter(ParameterSetName='FromScratch')]
@@ -125,6 +125,11 @@ function New-PAOrder {
         $order.authorizations[$i] = $auth.location
     }
 
+    # make sure FriendlyName is non-empty
+    if ([String]::IsNullOrWhiteSpace($FriendlyName)) {
+        $FriendlyName = $Domain[0]
+    }
+
     # add additional members we'll need for later
     $order | Add-Member -MemberType NoteProperty -Name 'MainDomain' -Value $Domain[0]
     $order | Add-Member -MemberType NoteProperty -Name 'SANs' -Value $SANs
@@ -222,7 +227,7 @@ function New-PAOrder {
         If specified, the certificate generated for this order will have the OCSP Must-Staple flag set.
 
     .PARAMETER FriendlyName
-        Set a friendly name for the certificate. This will populate the "Friendly Name" field in the Windows certificate store when the PFX is imported. Defaults to an empty string.
+        Set a friendly name for the certificate. This will populate the "Friendly Name" field in the Windows certificate store when the PFX is imported. Defaults to the first item in the Domain parameter.
 
     .PARAMETER PfxPass
         Set the export password for generated PFX files. Defaults to 'poshacme'.