PowerShell script for export/import SSL certificates

This topic contains 2 replies, has 3 voices, and was last updated by  Daniel Krebs 8 months, 2 weeks ago.

  • #63040


    Hi Everyone,

    I'm trying to write a PowerShell script to export/import SSL certificates. I have two questions/issues around it:

    Export:

     QUESTION IS --> Although it is exporting fine, how do I make sure to include a password in it?


    Import-Module -Name WebAdministration
    Get-ChildItem -Path IIS:SSLBindings | ForEach-Object -Process {
        if ($_.Sites) {
            $certificate = Get-ChildItem -Path CERT:LocalMachine/My |
                Where-Object -Property Thumbprint -EQ -Value $_.Thumbprint
            # Emit one object per HTTPS binding with the details of its certificate
            [PSCustomObject]@{
                Sites                   = $_.Sites.Value
                CertificateFriendlyName = $certificate.FriendlyName
                CertificateDnsNameList  = $certificate.DnsNameList
                CertificateNotAfter     = $certificate.NotAfter
                CertificateIssuer       = $certificate.Issuer
            }
        }
    }
    # Export every certificate that has a private key as a PFX protected with the password 'secret'
    dir cert:\localmachine\my | Where-Object { $_.hasPrivateKey } | Foreach-Object { [System.IO.File]::WriteAllBytes("c:\$($_.Subject).pfx", ($_.Export('PFX', 'secret'))) }

    IMPORT:

    Question 2: The code is below, which is giving me this error:
    Cannot find an overload for "Import" and the argument count: "2".
    At line:11 char:1
    + $pfx.Import($CertPath,"Exportable,PersistKeySet")
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodException
        + FullyQualifiedErrorId : MethodCountCouldNotFindBest
    Exception calling "Add" with "1" argument(s): "pCertContext is an invalid handle."
    At line:14 char:1
    + $store.Add($pfx)
    + ~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : CryptographicException


    $CertPath = 'c:\Test.pfx'
    $SiteName = "DefaultAPP"
    $HostName = "localhost"
    $SiteFolder = Join-Path -Path 'C:\inetpub\wwwroot' -ChildPath $SiteName
    Write-Host 'Import pfx certificate' $certPath
    $certRootStore = "LocalMachine"
    $certStore = "My"
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)
    # The store open/import/add calls referenced by the error output (line 11 and line 14);
    # this two-argument Import call is the one that fails
    $store.Open("ReadWrite")
    $pfx.Import($CertPath,"Exportable,PersistKeySet")
    $store.Add($pfx)
    $store.Close()
    $certThumbprint = $pfx.Thumbprint
    Write-Host 'Add website' $SiteName
    New-WebSite -Name $SiteName -PhysicalPath $SiteFolder -Force
    $IISSite = "IIS:\Sites\$SiteName"
    Set-ItemProperty $IISSite -name Bindings -value @{protocol="https";bindingInformation="*:443:$HostName"}
    # $applicationPool is not set in this script; the binding is only changed when it is
    if($applicationPool) { Set-ItemProperty $IISSite -name ApplicationPool -value $applicationPool }
    Write-Host 'Bind certificate with Thumbprint' $certThumbprint
    $obj = get-webconfiguration "//sites/site[@name='$SiteName']"
    $binding = $obj.bindings.Collection[0]
    $method = $binding.Methods["AddSslCertificate"]
    $methodInstance = $method.CreateInstance()
    $methodInstance.Input.SetAttributeValue("certificateHash", $certThumbprint)
    $methodInstance.Input.SetAttributeValue("certificateStoreName", $certStore)
    # Run the configured AddSslCertificate method; without this the binding is never applied
    $methodInstance.Execute()
  • #63492

    Don Jones

    On the first, I'm not sure there's an exposed way to specify a password. That's deliberate, as including one in a text file – which is what the script is – would be pointless.

    On the second, looking at the docs at https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2(v=vs.110).aspx, the Import() method only accepts one argument, but you're passing two.

  • #63504

    Daniel Krebs

    A password for the import method can be specified using this overload – https://msdn.microsoft.com/en-us/library/ms148442(v=vs.110).aspx

    $pfx.Import($CertPath, 'secret', 'Exportable,PersistKeySet')

    If you're using Windows Server 2012 or later you can make your scripts simpler with the built-in Import-PfxCertificate and Export-PfxCertificate cmdlets that also support a secure string.
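    The export/import flow with the password taken from a SecureString prompt instead of a string literal in the script, using the three-argument Import overload above and the PKI cmdlets for the export side. This is an added example, not code from the thread; the backup folder, the function name and the choice to omit the Exportable flag are assumptions.

    ```powershell
    # Requires the PKI module (Windows Server 2012 / Windows 8 or later) and Windows PowerShell.
    $ExportDir   = 'C:\CertBackup'                                       # assumed output folder
    $PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString      # never stored in the script

    New-Item -Path $ExportDir -ItemType Directory -Force | Out-Null

    # --- Export: one password-protected PFX per certificate that actually has a private key ---
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            # Thumbprint is safe as a file name; Subject may contain '\', '/' or ',' characters
            $pfxPath = Join-Path -Path $ExportDir -ChildPath "$($_.Thumbprint).pfx"
            Export-PfxCertificate -Cert $_ -FilePath $pfxPath -Password $PfxPassword | Out-Null
            Write-Host "Exported $($_.Subject) -> $pfxPath"
        }

    # --- Import with the overload Import(fileName, password, keyStorageFlags) ---
    # Returns the thumbprint so the caller can bind it to an IIS site. (Hypothetical helper name.)
    function Import-PfxToMachineStore {
        param(
            [Parameter(Mandatory)][string]$PfxPath,
            [Parameter(Mandatory)][securestring]$Password
        )
        # MachineKeySet + PersistKeySet; Exportable is deliberately left out so the imported
        # private key cannot simply be exported again from the store.
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
                 [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
        $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        # On PowerShell 7 / .NET Core use the X509Certificate2 constructor with the same three arguments
        $pfx.Import($PfxPath, $Password, $flags)      # Thumbprint is only populated after this call
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        try   { $store.Add($pfx) }
        finally { $store.Close() }
        return $pfx.Thumbprint
    }

    # Cmdlet equivalent of the function above:
    # Import-PfxCertificate -FilePath <path> -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
    ```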
