It's SSL certificate replacement time, and while I could, for my Windows servers, do this the tedious way (Certificates mmc, import manually), I'm looking for something I can automate via some PowerShell scripting.
I know about Import-PfxCertificate, and to import a .pfx I'd do something like:
$pwd = ConvertTo-SecureString -String "PrivateKeyPasswordGoesHere" -AsPlainText -Force
Import-PfxCertificate -Password $pwd -FilePath "\\path\to\pfxfile\pfxfile.pfx" -CertStoreLocation Cert:\LocalMachine\My -Exportable # optional, if I want the private key to be exportable
This is all well and good, but unlike the manual tedious way it only brings in the entity certificate itself; it doesn't bring in any other certificates in the full chain (root, intermediates, etc).
It looks as if I may be able to do something with Get-PfxData, which "extracts the content of a Personal Information Exchange (PFX) file into a structure that contains the end entity certificate, any intermediate and root certificates", but Import-Certificate has a mandatory FilePath parameter, so I can't pipe the output of Get-PfxData to it.
I've used Get-PfxData to verify that the PFX does indeed contain the full chain.
I've also tried the following approach:
- Import manually to the Certificates mmc.
- Use Export-PfxCertificate to export the full chain (which one must assume does so in a format that's consumable by Import-PfxCertificate).
- Use Import-PfxCertificate to import the exported certificate.
But again, Import-PfxCertificate does not bring in the full chain.
Any other options for cracking this nut?
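One way to do what the question describes with Get-PfxData, as an added example that is not part of the original question or answers: read the PFX once, import the end-entity certificate (with its key) into Personal, and then place each chain certificate from OtherCertificates into Root or CA depending on whether it is self-signed. The PFX path, password and the use of an elevated session are assumptions; the password variable is deliberately not named $pwd, since that would overwrite PowerShell's automatic $PWD variable.

```powershell
# Added example (not from the question or answers): import a PFX and put every
# certificate in its chain into the matching LocalMachine store.
# Assumptions: placeholder path/password below, PKI module available
# (Get-PfxData, Import-PfxCertificate), run from an elevated prompt.
param(
    [string]$PfxPath = '\\path\to\pfxfile\pfxfile.pfx',   # placeholder path
    [string]$PfxPass = 'PrivateKeyPasswordGoesHere'       # placeholder password
)

$pfxPassword = ConvertTo-SecureString -String $PfxPass -AsPlainText -Force

# Read the PFX without touching any store. EndEntityCertificates holds the leaf,
# OtherCertificates holds the intermediates and root that were bundled with it.
$pfx = Get-PfxData -FilePath $PfxPath -Password $pfxPassword
"PFX contains $($pfx.EndEntityCertificates.Count) end-entity and $($pfx.OtherCertificates.Count) chain certificate(s)"

# Import the end-entity certificate (with private key) into Personal.
$leaf = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPassword -CertStoreLocation Cert:\LocalMachine\My |
    Where-Object HasPrivateKey | Select-Object -First 1

# Place each chain certificate: self-signed (Subject == Issuer) goes to Root,
# everything else goes to CA (intermediate certification authorities).
foreach ($c in $pfx.OtherCertificates) {
    $storeName = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    if ($store.Certificates | Where-Object Thumbprint -eq $c.Thumbprint) {
        "Already present in LocalMachine\$storeName : $($c.Subject)"
    } else {
        $store.Add($c)
        "Added to LocalMachine\$storeName : $($c.Subject)"
    }
    $store.Close()
}

# Confirm the chain now builds from the installed leaf using only the local stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is checked separately; keep this offline
if ($chain.Build($leaf)) {
    "Chain builds with $($chain.ChainElements.Count) element(s)"
} else {
    Write-Warning ('Chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
}
```

Placing a certificate whose Subject equals its Issuer into Root is the same decision the Certificates mmc makes for a self-signed CA; treat any unexpected addition to LocalMachine\Root as something to review, because every machine account will trust it afterwards.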
If the full certificate chain is part of the PFX file, Import-PfxCertificate will import all related certificates as well and place them into the appropriate folder. There is nothing else you need to do.
I ended up doing this manually, using the Certificates mmc.
Ultimately there does not appear to be sufficient assurance that the PowerShell method can reproduce the same behaviour as the mmc, and for business-critical applications the assurance from using the mmc was important enough to take the hit in time and effort.
I tested this as well and Import-PfxCertificate does import the chain, but if the chain certs already exist (which was my case) they don't show up in personal certificates. I was able to bind my pfx to my website and everything works fine.
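The observation above (chain certs that already exist elsewhere never appear in Personal) is easy to confirm without re-reading the PFX. The following is an added example, not code from any of the answers: it takes the thumbprint of an already imported end-entity certificate (a placeholder here), builds the chain from the local stores and reports which LocalMachine store actually holds each element.

```powershell
# Added example (not from the answers): show where each element of an installed
# certificate's chain lives. Assumption: $Thumbprint is a placeholder for the
# thumbprint of the end-entity certificate already in LocalMachine\My.
param([string]$Thumbprint = 'THUMBPRINT_OF_IMPORTED_CERT')   # placeholder

$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $leaf) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is a separate concern
$built = $chain.Build($leaf)

# For each chain element, list the LocalMachine stores that contain it by thumbprint.
# Intermediates/roots that were already installed show up in CA/Root, not in My.
foreach ($el in $chain.ChainElements) {
    $t = $el.Certificate.Thumbprint
    $stores = foreach ($s in 'My', 'CA', 'Root') {
        if (Get-ChildItem "Cert:\LocalMachine\$s" | Where-Object Thumbprint -eq $t) { $s }
    }
    [pscustomobject]@{
        Subject = $el.Certificate.Subject
        Stores  = ($stores -join ',')
        Status  = (($el.ChainElementStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
}

if (-not $built) {
    Write-Warning ('Chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
}
```

An element with an empty Stores column means Windows resolved it from somewhere other than the machine stores (for example the current user's stores or an AIA download), which is worth knowing before relying on the binding on a server that cannot reach the internet.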