CertificateImport fails to import certificate to ClientAuthIssuer store #161

Closed
aromano2 opened this Issue Oct 2, 2018 · 4 comments

Contributor

aromano2 commented Oct 2, 2018

ISSUE TITLE:
Please prefix the issue title with the resource name, e.g.
'CertificateImport: fails to import certificate to ClientAuthIssuer store if the store has never been "opened"'

ISSUE DESCRIPTION (this template):
CertificateImport fails to import certificate to ClientAuthIssuer store if the store has never been "opened"

Details of the scenario you tried and the problem that is occurring

Use the CertificateImport resource to import a certificate into the Cert:\LocalMachine\ClientAuthIssuer store. This failure will only occur on a new Windows installation. If the ClientAuthIssuer store is manually opened before applying CertificateImport, it will work with no issues. I believe a certificate store has to be "opened" before the Import-Certificate cmdlet will work as intended. That's why the Import-CertificateEx function works every time: it always opens the store before adding the certificate. The exception thrown is:

    Import-Certificate : The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)
    At line:1 char:1
    + Import-Certificate -FilePath $Certificate -CertStoreLocation $certLoc ...
        + CategoryInfo          : NotSpecified: (:) [Import-Certificate], Exception
        + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.ImportCertificateCommand

Verbose logs showing the problem

Suggested solution to the issue

The Import-Certificate cmdlet does not open the certificate store before importing. Using the Import-CertificateEx function instead resolves the issue.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

        CertificateImport RpsRootClientAuthIssuer
        {
            Thumbprint = "7A07A65168D5AEDCED3BC8313B8B61F85C39AC6D"
            Path = "C:\Root.cer"
            Location = 'LocalMachine'
            Store = 'ClientAuthIssuer'
            Ensure = 'Present'
        }

The operating system the target node is running

OsName : Microsoft Windows Server 2012 R2 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsBuildLabEx : 9600.17415.amd64fre.winblue_r4.141028-1500
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

    Name                      Value
    PSVersion                 5.1.14409.1005
    PSEdition                 Desktop
    PSCompatibleVersions      {1.0, 2.0, 3.0, 4.0...}
    BuildVersion              10.0.14409.1005
    CLRVersion                4.0.30319.34014
    WSManStackVersion         3.0
    PSRemotingProtocolVersion 2.3
    SerializationVersion      1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

4.1.0.0

stale bot commented Nov 1, 2018

This issue has been automatically marked as stale because it has not had activity from the community in the last 30 days. It will be closed if no further activity occurs within 10 days. If the issue is labelled with any of the work labels (e.g bug, enhancement, documentation, or tests) then the issue will not auto-close.

@stale stale bot added the stale label Nov 1, 2018

@PlagueHO PlagueHO added bug in progress and removed stale labels Nov 10, 2018

Collaborator

PlagueHO commented Nov 10, 2018

Sorry about the delay in looking at this one @aromano2 - I've not had much time lately 😢

Do you get the same issue if you just run the Import-Certificate -CertStoreLocation cert:\localmachine\ClientAuthIssuer ... cmdlet outside of DSC? This does sound like a bug in the Import-Certificate cmdlet though. Do you know if this happens in Windows Server 2016 as well?

Contributor

aromano2 commented Nov 16, 2018

@PlagueHO Yes, the import fails outside of DSC as well. Have not had a chance to test on Server 2016.

Collaborator

PlagueHO commented Nov 16, 2018

Thanks for clarifying that. So it sounds like your proposed solution to use Import-CertificateEx is the best way to resolve it. I'll get a review done as soon as I can.

PlagueHO added a commit to PlagueHO/CertificateDsc that referenced this issue Dec 20, 2018

PlagueHO added a commit to PlagueHO/CertificateDsc that referenced this issue Jan 10, 2019
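
The open-then-add pattern discussed in this thread, written out as an added example; it is not code from the issue or from the CertificateDsc module, and it is not the module's Import-CertificateEx. The function name `Add-CertificateToOpenedStore` is hypothetical, the path and thumbprint are the ones from the configuration above, and the sketch assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example: hypothetical helper, not part of CertificateDsc.
function Add-CertificateToOpenedStore
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String] $Path,

        [Parameter(Mandatory = $true)]
        [System.String] $Thumbprint,

        [System.Security.Cryptography.X509Certificates.StoreLocation] $Location = 'LocalMachine',

        [System.String] $Store = 'ClientAuthIssuer'
    )

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)

    # Refuse to add a file whose thumbprint differs from the pinned one.
    # Stripping non-hex characters also removes invisible characters picked up
    # when a thumbprint is copied out of the certificate UI.
    $expected = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected)
    {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
    }

    $certStore = [System.Security.Cryptography.X509Certificates.X509Store]::new($Store, $Location)
    try
    {
        # ReadWrite without OpenExistingOnly creates the store if it does not exist yet.
        $certStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

        # Idempotent: add only when the certificate is not already present.
        $found = $certStore.Certificates.Find('FindByThumbprint', $expected, $false)
        if ($found.Count -eq 0)
        {
            $certStore.Add($cert)
        }
    }
    finally
    {
        $certStore.Close()
    }
}

Add-CertificateToOpenedStore -Path 'C:\Root.cer' -Thumbprint '7A07A65168D5AEDCED3BC8313B8B61F85C39AC6D'
```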
