search

PowerShell / WindowsCompatibility

Module that allows Windows PowerShell Modules to be used from PSCore6
Other
137 stars 33 forks source link

Unable to use Export-PFXCertificate one a certificate whose key IS marked exportable #76

Open scott1138 opened 4 years ago

scott1138 commented 4 years ago

Installed WindowsCompatibility module and imported PKI module.

Created certificate as follows: $cert = New-SelfSignedCertificate -Subject 'test' -KeyExportPolicy Exportable -CertStoreLocation Cert:\CurrentUser\My

When exporting (and yes $pw is a securestring) I get an error that the key is not exportable: `Export-PfxCertificate -Cert $cert -Password $pw -FilePath c:\temp\test.pfx Cannot export non-exportable private key.

If I retrieve the cert by thumbprint in PS 5 and then export, it works fine: `$cert = ls 'Cert:\CurrentUser\My\FD5D219C9245E09C4EFA72110E6C03997C3CDC76' Export-PfxCertificate -Cert $cert -Password $pw -FilePath c:\temp\test.pfx

Directory: C:\temp

Mode LastWriteTime Length Name

-a---- 8/21/2019 11:53 AM 2630 test.pfx `

Any help would be appreciated!

wightsci commented 4 years ago

Still seeing this with PowerShell 7...

gc435 commented 4 years ago

I also see this with PowerShell Core 7.0.0.

iSazonov commented 4 years ago

Is the issue in Windows PowerShell?

WeirdSilence commented 4 years ago

This seems to be a problem with Powershell 7, I get the following results when I run a script that that use Export-PfxCertificate

Powershell Version : 7.0.0 Export-PfxCertificate: Cannot export non-exportable private key.

Powershell Version: 5.1.18362.628 No error and everything is fine.

huguesBouvier commented 4 years ago

Same issue in powershell 7.0.0

iSazonov commented 4 years ago

/cc @anmenaga for information

anmenaga commented 4 years ago

May be related to https://github.com/PowerShell/PowerShell/issues/12081

anmenaga commented 4 years ago

Original issues was opened in August of last year. Since then we've added builtin WinCompat functionality. It may be worth trying this in a fresh recent version PS Core without using WindowsCompatibility module:

PS C:\> $PSVersionTable.PSVersion

Major  Minor  Patch  PreReleaseLabel BuildLabel
-----  -----  -----  --------------- ----------
7      1      0      preview.1

PS C:\> $cert = New-SelfSignedCertificate -Subject 'mytest' -KeyExportPolicy Exportable -CertStoreLocation Cert:\CurrentUser\My
PS C:\> $cert

   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject              EnhancedKeyUsageList
----------                                -------              --------------------
8ABA70B6FAB7EEB0D6ACED618B2DC77EFF32FF1E  CN=mytest            {Client Authentication, Server Authentication}

PS C:\> Get-Module PKI

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     1.0                   PKI                                 {Add-CertificateEnrollmentPolicyServer, Export-Certificate, Export-PfxCertificate, Get-Ce…

PS C:\>
anmenaga commented 4 years ago

I get the following results whenI run a script that that use Export-PfxCertificate

Does the script first retrieves the certificate object before exporting it like in PowerShell/PowerShell#12081 ? That would explain the error.