Windows PFX install into LocalMachine\TrustedPublisher issue


#1

I’ve been trying to use Chef 12.6.0 to install a password protected pfx into Windows 2012 R2. I tried the Windows cookbook with the windows_certificate Chef module from the supermarket and it doesn’t seem to be able to install into localmachine\trustedpublisher (correct me if I’m wrong please).

Instead I tried to run a powershell script which just runs the cmdlet import-pfxcertificate. I can see the cert in the Certificate console, and if I browse “certs:\localmachine\trustedpublisher” I see the cert. However, a IIS hosted .net 4.5.1 webapp that is looking in localmachine\trustedpublisher keeps throwing a crypto exception: System.Security.Cryptography.CryptographicException: The system cannot find the file specified

If I browse through Windows Explorer to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys I do not see the cert.

If I install the cert manually by hand through Certificate console everything works fine; I can see the file in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys and the .net webapp does not throw the crypto exception.

This is the full powershell script I am running:
#start ps
$securepw1 = convertto-securestring “xxxx” -asplaintext -force

import-pfxcertificate c:\chef\cache\thecert.pfx -CertStoreLocation “cert:\LOCALMACHINE\TrustedPublisher” -Exportable -Password $securepw1

& ‘C:\Program Files (x86)\Windows Resource Kits\Tools\winhttpcertcfg.exe’ -g -a “my_iis_pool” -c “LOCAL_MACHINE\TrustedPublisher” -s “thecert”

#end ps


#2

There is a bug with import-pfxcertificate where it does not import the private key. Certutil is the tool you’ll need, though I don’t have the exact incantation handy.


#3

$certout=certutil -f -importpfx -p $certpassin $certnamein
$certout=($certout | select -first 1).replace(’" added to store.’,"").replace(‘Certificate "’,"")

:smiling_imp:
But, you have to fish out the thumbprint to automate anything, so you might end up tossing it into a node[] or run_state - https://docs.chef.io/recipes.html#node-run-state