Install flag doesn't properly import private key in some environments

[thetrav]

As per: MicrosoftDocs/windows-powershell-docs#295

I seem to be able to use the imported certificate for IIS but not for RDS, not really sure what's up with that.

If I manually import fullchain from the GUI I can use it for RDS, but GUI is no fun

[rmbolger]

Are you using the native installation method (via the -Install parameter in the module) or manually via Import-PfxCertificate? Ultimately the native method is using that function under the hood so it shouldn't matter either way.

However, just to verify if you are doing it manually, are you giving it the PFX password in addition to the path to the file? That would be necessary in order for it to extract and import the private key.

$mycert = Get-PACertificate

Import-PfxCertificate $mycert.PfxFullChain -Password $mycert.PfxPass

Also, is this on Server 2012 or 2012 R2?

[thetrav]

I'm using the -Install parameter in the module.

Once I noticed the issues I played around with invoking Import-PfxCertificate myself with a few variations including specifying the password, finally I was able to get past it using the certutil program mentioned in the linked bug report:

certutil -f -p $certPassword -ImportPfx -enterprise $fullChainPath

Which is a bit gross, but at least it works. So yes, this isn't really a blocker for me, I just thought I'd give you the heads up

[rmbolger]

That is a super annoying bug. Was it 2012 or 2012 R2? I'd like to reproduce on my end and perhaps try to throw in some sort of workaround.

The module also has an alternate method for import on legacy OSes that don't support the Import-PfxCertificate function and PowerShell Core. You could also try that way which is slightly less gross unless the underlying problem is something .NET related rather than PowerShell. Here's an example of basically what it's doing.

try {
	$pfxBytes = [IO.File]::ReadAllBytes($fullChainPath)

	$pfx = New-Object Security.Cryptography.X509Certificates.X509Certificate2($pfxBytes,$certPassword,'Exportable,PersistKeySet')

	$store = New-Object Security.Cryptography.X509Certificates.X509Store('My','LocalMachine')
	$store.Open("MaxAllowed")
	$store.Add($pfx)
	$store.Close()
} finally {
	if ($store -ne $null) { $store.Dispose() }
	if ($pfx -ne $null) { $pfx.Dispose() }
}

[thetrav]

Oh sorry, forgot to mention, I'm using an azure 2019 image

[rmbolger]

Quick followup. You said you were able to use the cert for IIS but not RDS. How were you attempting to import into RDS? And is this a full fledged RDS setup or just remote admin mode?

[rmbolger]

Nevermind on the previous questions. I managed to reproduce this fairly reliably. I still can't figure out when MS broke Import-PfxCertificate or whether it's always been that way and I just never noticed.

In any case, the code I was using for downlevel OSes works just fine and doesn't exhibit the same problem. So I think I'm just going to change the internal function to use that everywhere.

[thetrav]

I know you said never mind, but it's a full fledged RDS setup, and I've been using powershell https://docs.microsoft.com/en-us/powershell/module/remotedesktop/set-rdcertificate?view=win10-ps