Remote PFX Cert and Private Key Push with .NET and PowerShell

The challenge is to push the certificate from the central server to the recipient servers. I can use the X509Certificate2 methods to perform the certificate installation. Even though the store flags direct the Add() method to set the private key, it doesn't install it on the remote machine. In the code below, note that $CertObj is an X509Certificate2 object created with the storage flags Exportable, MachineKeySet and PersistKeySet.

Function Import-CertificateObject
{
    Param
    (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]
        $Computer,

        # Certificate to install, loaded with Exportable, MachineKeySet and PersistKeySet
        [parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $CertObj,

        # Store name, e.g. "My"; addressed remotely as \\<computer>\<store name>
        [parameter(Mandatory=$true)]
        [string]
        $Location,

        # StoreLocation for the X509Store(storeName, storeLocation) constructor, e.g. "LocalMachine"
        [parameter(Mandatory=$true)]
        [string]
        $Store
    )

    # Open the store on the remote machine and add the certificate object
    $CertStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "\\$($Computer)\$Location",$Store
    $CertStore.Open("ReadWrite")
    $CertStore.Add($CertObj)
    $CertStore.Close()
}


Using PowerShell to inspect the installed certificate object, I can see that the HasPrivateKey property is set to true. This is the case both when the installed certificate is checked locally on the server and when it is checked from the remote server that installed it. But if you check the PrivateKey property on the server where the certificate is installed, it is empty. However, when checking from the server that installed it, PowerShell returns the object data for the private key.

Using ProcMon I could see that when the certificate install writes the registry key for the private key, it does so on the server that is performing the installation onto the remote server. I need .NET to install the private key of a certificate on a remote machine. I've read the X509Certificate2 docs but they don't touch on remote installations at all, and there is no detailed explanation of what these methods do.

I hope this is as easy as changing an environment variable before the Add() method, or maybe I have just approached this from the wrong angle entirely. So how do I push the certificate so that the private key is installed on the remote server and not on the server doing the pushing?

+3


2 answers


The solution here was to use Invoke-Command -ScriptBlock {} to execute the code locally on the machine.



0



You cannot move / copy certificates with associated private keys over the network. With your code, you just copy the public part of the certificate. The private key remains on the original server and is not moved / copied anywhere.

The HasPrivateKey property is a store-attached property and has little to do with whether a private key actually exists; it is not a reliable way to determine if a private key has been set for that certificate.

The only correct way to copy the certificate with the private key to all machines is:

  • Export the certificate and private key using the Export(X509ContentType, SecureString) or Export(X509ContentType, String) overload.
  • Copy the PFX file to the destination servers, use one of these overloads to import the certificate with its private key into an X509Certificate2 object, and use the X509Store object to install it to the store.

However, keep in mind that if the private key was not marked as exportable during key generation or installation, your task will not be possible because the private key is protected by the CSP / KSP and you will not be able to export the key from the provider.

+1


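Combining the two answers, here is an added example (not from either answer or the original question) that exports the certificate and key to PFX bytes on the central server and then performs the import inside Invoke-Command on the destination, so the key container is created there. The thumbprint and server name are placeholders, and the check at the end asks for the RSA key instead of trusting HasPrivateKey.

```powershell
# Added example: push a certificate with its private key to a remote server.
# Assumes WinRM is enabled on the target and the caller is an administrator there.
# Thumbprint and server name are placeholders; the key in the source store must be exportable.
$Thumbprint  = 'REPLACE_WITH_THUMBPRINT'
$Computer    = 'server01.example.local'
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Export certificate + private key on the central server.
$source = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
try {
    $pfxBytes = $source.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
} catch [System.Security.Cryptography.CryptographicException] {
    # Raised by the CSP/KSP when the key was not marked exportable at generation/import time.
    throw "Private key could not be exported: $($_.Exception.Message)"
}

# 2. Import on the destination inside Invoke-Command so the key container lands there.
#    MachineKeySet + PersistKeySet keep the key in the machine store; Exportable is
#    deliberately omitted so the key cannot be pulled back out of the destination.
$result = Invoke-Command -ComputerName $Computer -ArgumentList $pfxBytes, $PfxPassword -ScriptBlock {
    param([byte[]] $Bytes, [securestring] $Password)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Bytes, $Password, $flags)

    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()

    # 3. Verify by retrieving the key (assumes an RSA key) rather than reading HasPrivateKey.
    $installed = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($installed)
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Thumbprint = $installed.Thumbprint
        KeyPresent = ($null -ne $rsa)
    }
}
$result
```

The SecureString and byte array are serialized by PowerShell remoting itself, so the PFX never has to be written to disk on either side.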