将PFX证书导入单独的CurrentUser-个人存储（PowerShell） [英] Import PFX Certificate into separate CurrentUser - Personal store (PowerShell)

问题描述

我一直在致力于自动化执行此任务的方法：

我们为客户部署Windows Server 2008 R2映像。我们使用PowerShell（版本2）部署我们的专有软件，并在发货前对系统进行各种其他更改。此PowerShell进程将在本地Administrator帐户下运行，直到完成并禁用本地Administrator帐户为止。

现在，这个问题-我正在尝试安装.PFX客户端证书发送给单独用户的CurrentUser certificate我的证书存储。让我们称该用户为 SQL。

现在，该证书已安装在LocalMachine\我的证书存储下，但是我们的开发团队之一对此位置和想复制原始设置。

现在，我知道如何通过在我们的部署脚本中添加重新启动步骤并在 SQL用户，但我想避免这种情况，因为似乎必须有一种方法可以在另一个帐户下完成此操作。这是我们现在用来将证书安装到LocalMachine\我的商店的基本代码。假设$ certPath是.pfx的路径，$ pfxPass是.pfx的密码。

  function Import-PfxCertificate {
 param（[string] $ certPath，[string] $ pfxPass）
 
 $ pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 
 $ pfx.Import（[string ] $ certPath，[string] $ pfxPass， Exportable，PersistKeySet）
 
 $ store =新对象System.Security.Cryptography.X509Certificates.X509Store（ My， LocalMachine）
 $ store.open（ MaxAllowed）
 $ store.add（$ pfx）
 $ store.close（）
} 
  

解决方案

由于您具有凭据，因此我将开始使用 Start-Job 来做。您可以使用 -Credential 参数来控制作业运行的用户。

<前置类= lang-powershell prettyprint-override> $ cred = Get-Credential

$ scriptBlock = [ScriptBlock] :: Create（（ Import-PfxCertificate）。定义）

$ job =开始作业-ScriptBlock $ scriptBlock -ArgumentList $ path，$ password-凭证$ cred
$ job |等待工作
$ job |接收作业＃如果您想要输出
$ job | Remove-Job


由于您已经定义了可以执行所需功能的函数，因此我正在创建脚本阻止该功能，并将其用于 Start-Job 。 -ArgumentList 是如何传递PFX路径和PFX密码的参数的方法。我正在使用 Get-Credential 提示您输入runas用户，但是您可以根据需要提供凭据对象。

我认为最简单的方法是运行以下命令：

  Get-Credential | Export-Clixml -C路径：到credentials.xml的路径
  

这将存储凭据对象以一种加密的方式，并且只能由对其进行加密的同一台计算机上的同一用户解密。要重新阅读，请执行以下操作：

  $ cred = Import-Clixml -Path C：\path \to\credentials.xml 
  

返回其他代码段， Wait-Job 等待它完成。 接收作业是可选的，以防万一您从函数中返回有用的东西。

Remove-Job 将其从作业列表中删除（否则，它会停留在周围，您可以在 Get-Job 中看到）。

I've been wrapping my head around automating a way to perform this task:

We deploy Windows Server 2008 R2 images for our customers. We use PowerShell (version 2) to deploy our proprietary software and make various other changes to the system before shipping. This PowerShell process is run under the local Administrator account until it finishes and disables the local Administrator account.

Now, to the issue - I'm trying to install a .PFX client certificate to a SEPARATE user's CurrentUser\My certificate store. Let's call that user "SQL".

Right now the certificate is getting installed under the LocalMachine\My certificate store but one of our development teams have concerns on that position and would like to replicate the original setup.

Now, I know how to get this done dirty by adding in a reboot-step to our deployment script and having this performed under the "SQL" user but I would like to avoid that as it seems like there has to be a way to get this done while under another account. Here's the basic code we're using now to install the certificate to the LocalMachine\My store. Assume $certPath is the path to the .pfx and $pfxPass is the .pfx's password.

function Import-PfxCertificate {
param([string] $certPath, [string]$pfxPass)

$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.Import([string]$certPath, [string]$pfxPass, "Exportable,PersistKeySet")

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.open("MaxAllowed")
$store.add($pfx)
$store.close()
}    

解决方案

Since you have the credentials, I would start use Start-Job to do it. You can use the -Credential parameter to control what user the job runs as.

$cred = Get-Credential

$scriptBlock = [ScriptBlock]::Create((Get-Item Function:\Import-PfxCertificate).Definition)

$job = Start-Job -ScriptBlock $scriptBlock -ArgumentList $path,$password -Credential $cred
$job | Wait-Job 
$job | Receive-Job # if you want the output
$job | Remove-Job

Since you've already defined a function that does what you want, I'm creating a script block out of the function and using that for Start-Job. -ArgumentList is how you pass the parameters for the PFX path and the PFX password. I'm using Get-Credential to prompt you for the runas user, but you can provide the credential object however you want.

I think the easiest way is to run something like this:

Get-Credential | Export-Clixml -Path C:\path\to\credentials.xml

This will store the credential object in a way that is encrypted, and can only be decrypted by the same user on the same computer that encrypted it. To read it back in:

$cred = Import-Clixml -Path C:\path\to\credentials.xml

Back to the other code snippet, Wait-Job waits for it to finish. Receive-Job is optional, in case you're returning anything useful from your function.

Remove-Job removes it from the job list (otherwise it sticks around, which you can see with Get-Job).

这篇关于将PFX证书导入单独的CurrentUser-个人存储（PowerShell）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！