dataplat / dbatools

🚀 SQL Server automation and instance migrations have never been safer, faster or freer
https://dbatools.io
MIT License

Ability to import full certificate chain with Add-DbaComputerCertificate #9331

Open bilodeauj opened 2 months ago

bilodeauj commented 2 months ago

Summarize Functionality

When importing a certificate with the full certificate chain including the intermediate certificate authority, it would be good if Add-DbaComputerCertificate had an option to import all of it instead of just the server cert.

Is there a command that is similar or close to what you are looking for?

Yes

Technical Details

When importing a certificate from Let's Encrypt using the Add-DbaComputerCertificate cmdlet, it only imports the cert and not the full chain including the intermediate root cert. If I then try to assign the cert using Set-DbaNetworkCertificate, it fails to assign read permissions to the cert, and I get the following error:

WARNING: Read-only permissions could not be granted to certificate, unable to determine private key path.

$CertificatePath = "C:\cert\fullchain.pfx"
$Password = Read-Host "Enter the SSL Certificate Password" -AsSecureString
Add-DbaComputerCertificate -ComputerName $ComputerName -Path $CertificatePath -SecurePassword $Password

Get-DbaComputerCertificate -ComputerName $ComputerName | Where {$_.Name -eq 'cert name'} | Set-DbaNetworkCertificate -SqlInstance $SQLInstance -RestartService

If I import the certificate using the Import-PfxCertificate cmdlet as shown below, it imports the server cert and intermediate root cert (the full chain), and then when using Set-DbaNetworkCertificate I don't get the read-only permission error like I previously did.

$CertificatePath = "C:\cert\fullchain.pfx"
$Password = Read-Host "Enter the SSL Certificate Password" -AsSecureString
Import-PfxCertificate -FilePath $CertificatePath -Password $Password -CertStoreLocation 'Cert:\LocalMachine\My'
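
One way to compare what the PFX contains with what actually landed in the LocalMachine stores after either import path, as an added example that is not part of the original issue or of dbatools. The function name `Get-PfxChainReport`, its parameters and the list of stores checked (`My`, `CA`, `Root`) are assumptions made for illustration.

```powershell
# Added example (hypothetical helper, not a dbatools command).
# Run elevated on the target machine after importing the PFX.
function Get-PfxChainReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [string[]] $StoreName = @('My', 'CA', 'Root')   # assumed stores to check
    )

    # X509Certificate2Collection.Import only accepts a plain-text password.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $file  = (Resolve-Path -LiteralPath $PfxPath).ProviderPath

    # Load every certificate in the PFX (leaf plus any chain certificates).
    $pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    $pfx.Import($file, $plain, $flags)

    foreach ($cert in $pfx) {
        # Look for the same thumbprint in each LocalMachine store.
        $hits = foreach ($name in $StoreName) {
            Get-ChildItem -Path "Cert:\LocalMachine\$name" |
                Where-Object Thumbprint -eq $cert.Thumbprint |
                Select-Object @{ n = 'Store'; e = { $name } }, HasPrivateKey
        }

        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            PfxHasPrivateKey   = $cert.HasPrivateKey             # true for the server cert
            SelfSigned         = $cert.Subject -eq $cert.Issuer  # true for a root CA
            FoundInStores      = @($hits.Store) -join ','        # empty if not imported
            StoreHasPrivateKey = [bool]($hits | Where-Object HasPrivateKey)
        }

        $cert.Reset()   # release the temporary key material loaded from the PFX
    }
}

# Usage, with the path from the issue:
# $Password = Read-Host "Enter the SSL Certificate Password" -AsSecureString
# Get-PfxChainReport -PfxPath 'C:\cert\fullchain.pfx' -Password $Password | Format-Table
```

A row with an empty `FoundInStores` is a certificate from the PFX that the import did not place in any of the checked stores. A server cert row where `PfxHasPrivateKey` is true but `StoreHasPrivateKey` is false means the private key did not reach the machine store.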