Install-PACertificate now imports associated chain certs to the inter…

…mediate cert store if they don't already exist (#397)
rmbolger · Oct 25, 2021 · d0aeeb6 · d0aeeb6
1 parent c96fac3
commit d0aeeb6
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 2 deletions.
diff --git a/Posh-ACME/Private/Export-PACertFiles.ps1 b/Posh-ACME/Private/Export-PACertFiles.ps1
@@ -45,7 +45,7 @@ function Export-PACertFiles {
                 $response = Invoke-ACME $header ([String]::Empty) $acct -EA Stop
             } catch { throw }
 
-            $pems = Split-PemChain -ChainBytes $response.Content
+            $pems = @(Split-PemChain -ChainBytes $response.Content)
 
             # Do some basic validation to make sure we got what we were expecting.
             $cert = Import-Pem -InputString ($pems[0] -join "`n")
@@ -91,7 +91,7 @@ function Export-PACertFiles {
                 try {
                     $response = Invoke-ACME $header ([String]::Empty) $acct -EA Stop
                 } catch {throw}
-                $pems = Split-PemChain -ChainBytes $response.Content
+                $pems = @(Split-PemChain -ChainBytes $response.Content)
 
                 # write additional chain files as chain1.cer,chain2.cer,etc.
                 $altChainFile = Join-Path $Order.Folder "chain$($i+1).cer"

diff --git a/Posh-ACME/Private/Import-WindowsChain.ps1 b/Posh-ACME/Private/Import-WindowsChain.ps1
@@ -0,0 +1,56 @@
+function Import-WindowsChain {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory)]
+        [string]$ChainFile,
+        [ValidateSet('LocalMachine','CurrentUser')]
+        [string]$StoreLocation = 'LocalMachine'
+    )
+
+    if (-not (Test-Path $ChainFile -PathType Leaf)) {
+        Write-Error "Chain file not found: $ChainFile"
+        return
+    }
+
+    $pems = @(Split-PemChain -ChainFile $ChainFile)
+
+    try {
+        # open the LocalMachine\CA store for writing
+        $store = [Security.Cryptography.X509Certificates.X509Store]::new('CA',$StoreLocation)
+        $store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
+
+        # loop through the returned intermediates
+        $pems | ForEach-Object {
+
+            # decode the lines into the cert's byte array
+            $certBase64 = $_[1..($_.Count-2)] -join ''
+            $certBytes = [Convert]::FromBase64String($certBase64)
+
+            try {
+                # create the cert object we can import
+                $cert = [Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
+
+                # add the cert if it doesn't already exist
+                if ($cert.Thumbprint -notin $store.Certificates.Thumbprint) {
+                    Write-Verbose "Adding chain cert '$($cert.Subject)' with thumbprint $($cert.Thumbprint) to $StoreLocation\CA store."
+                    $store.Add($cert)
+                } else {
+                    Write-Verbose "Chain cert '$($cert.Subject)' with thumbprint $($cert.Thumbprint) already exists in $StoreLocation\CA store."
+                }
+            }
+            finally {
+                # cleanup
+                if ($null -ne $cert) { $cert.Dispose() }
+            }
+
+        }
+
+        # close the store
+        $store.Close()
+    }
+    finally {
+        # cleanup
+        if ($null -ne $store) { $store.Dispose() }
+    }
+
+}
diff --git a/Posh-ACME/Public/Install-PACertificate.ps1 b/Posh-ACME/Public/Install-PACertificate.ps1
@@ -35,5 +35,8 @@ function Install-PACertificate {
             NotExportable = $NotExportable.IsPresent
         }
         Import-PfxCertInternal @importArgs
+
+        Import-WindowsChain -ChainFile $PACertificate.ChainFile -StoreLocation $StoreLocation
+
     }
 }