Cannot Export PFX certificate with key marked as exportable. #12081
Comments
wightsci
added
the
Issue-Question
|
/cc @anmenaga for information |
|
Looks like this is run on a system with an older version of PS C:\> $PSVersionTable.PSVersion.ToString()
5.1.14393.3471
PS C:\> $s = New-PSSession localhost
PS C:\> # original X509Certificate2 in remote session has PrivateKey
PS C:\> icm $s {(New-SelfSignedCertificate -Subject 'TestCertFromWinPS' -KeyExportPolicy 'Exportable').HasPrivateKey}
True
PS C:\> # deserialized local copy does Not have PrivateKey
PS C:\> $TestCertificate = icm $s {New-SelfSignedCertificate -Subject 'TestCertFromWinPS' -KeyExportPolicy 'Exportable'}
PS C:\> $TestCertificate.HasPrivateKey
False
PS C:\> # attempt to export deserialized local copy of X509Certificate2 will fail
PS C:\> Export-PfxCertificate -Cert $TestCertificate -FilePath .\TestCertificate.pfx -Password (ConvertTo-SecureString 'Test
Password' -AsPlainText -Force)
Export-PfxCertificate : Cannot export non-exportable private key.
At line:1 char:1
+ Export-PfxCertificate -Cert $TestCertificate -FilePath .\TestCertific ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Export-PfxCertificate], Win32Exception
+ FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.CertificateServices.Commands.ExportPfxCertifi
cateAs a workaround in PS 7 the entire operation can be done in WinCompat session: PS C:\A> $PSVersionTable.PSVersion.ToString()
7.0.0
PS C:\A> Import-Module PKI -UseWindowsPowerShell # this will create WinPSCompatSesion PS Remoting session
WARNING: Module PKI is loaded in Windows PowerShell using WinPSCompatSession remoting session; please note that all input and output of commands from this module will be deserialized objects. If you want to load this module into PowerShell Core please use 'Import-Module -SkipEditionCheck' syntax.
PS C:\A> $s = Get-PSSession -Name WinPSCompatSession
PS C:\A> icm $s {$TestCertificate = New-SelfSignedCertificate -Subject 'TestCertificate' -KeyExportPolicy 'Exportable'}
PS C:\A> $pass = ConvertTo-SecureString 'TestPassword' -AsPlainText -Force
PS C:\A> icm $s {Export-PfxCertificate -Cert $TestCertificate -FilePath .\TestCertificate.pfx -Password $using:pass | Out-Null}@PaulHigin can you please confirm that this is expected behavior of private keys for de/serialized certificate objects? Thank you. |
|
Yes, looking at the code, PowerShell remoting rehydrates the dotNet certificate object but without the private key. |
|
@anmenaga I am wondering if you know of an alternative approach to the workaround using the WinCompat session you provided. That workaround works great, but it is a little painful. I'm hoping we can just get the private key to be kept intact without having to Invoke-Command to another PSSession. Any idea? |
|
If you run task from Azure DevOps change script type to PowerShell (Not PowerShell Core) |
Steps to reproduce
The following steps work on Windows PowerShell 5.1. This issue is present on both x86 and x64 versions and can be reproduced on multiple machines.
I can export the certificate successfully using X509 .Net classes in PowerShell 7.
Expected behavior
Creation of PFX file.
Actual behavior
Environment data
The text was updated successfully, but these errors were encountered: