PowerShell – Import PFX Certificate with Full Certificate Chain

powershell, ssl-certificate, windows

It's SSL certificate replacement time, and while I could, for my Windows servers, do this the tedious way (Certificates mmc, import manually), I'm looking for something I can automate via some PowerShell scripting.

I know about Import-PfxCertificate, and to import a .pfx I'd do something like:

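# $pwd is PowerShell's automatic current-directory variable, so a different name is used here
$pfxPassword = ConvertTo-SecureString -String "PrivateKeyPasswordGoesHere" -AsPlainText -Force
# -Exportable is optional; include it only if the private key should be exportable
Import-PfxCertificate -Password $pfxPassword -FilePath "\\path\to\pfxfile\pfxfile.pfx" -CertStoreLocation Cert:\LocalMachine\My -Exportable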

This is all well and good, but unlike the manual tedious way it only brings in the entity certificate itself; it doesn't bring in any other certificates in the full chain (root, intermediates, etc).

It looks as if I may be able to do something with Get-PfxData, which "extracts the content of a Personal Information Exchange (PFX) file into a structure that contains the end entity certificate, any intermediate and root certificates", but Import-Certificate has a mandatory FilePath parameter, so I can't pipe the output of Get-PfxData to it.

I've used Get-PfxData to verify that the PFX does indeed contain the full chain.

I've also tried the following approach:

  • Import manually to the Certificates mmc.
  • Use Export-PfxCertificate to export the full chain (which one must assume does so in a format that's consumable by Import-PfxCertificate).
  • Use Import-PfxCertificate to import the exported certificate.

But again, Import-PfxCertificate does not bring in the full chain.

Any other options for cracking this nut?

Best Answer

If the full certificate chain is part of the PFX file, Import-PfxCertificate will import all related certificates as well and place them into the appropriate folder.

There is nothing else you need to do.
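
To check on a given server where each certificate from the PFX actually ended up after the import, the following added example (not part of the original question or answer) compares the contents reported by Get-PfxData against every LocalMachine store. The file path and variable names are assumptions, and the session must be elevated.

```powershell
# Added example; the path and variable names are assumptions. Run elevated.
$pfxPath     = 'C:\certs\example.pfx'   # placeholder path
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Read the PFX without importing: leaf certificate(s) plus the rest of the chain.
$pfxData  = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
$expected = @($pfxData.EndEntityCertificates) + @($pfxData.OtherCertificates)

Import-PfxCertificate -FilePath $pfxPath -Password $pfxPassword `
    -CertStoreLocation Cert:\LocalMachine\My | Out-Null

# Index every certificate in every LocalMachine store by thumbprint.
$installed = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] }
$byThumbprint = @{}
foreach ($c in $installed) {
    $store = ($c.PSParentPath -split '\\')[-1]      # e.g. My, CA, Root
    if (-not $byThumbprint.ContainsKey($c.Thumbprint)) { $byThumbprint[$c.Thumbprint] = @() }
    $byThumbprint[$c.Thumbprint] += $store
}

# One row per certificate in the PFX, with the store(s) it was found in.
$report = foreach ($cert in $expected) {
    $stores = if ($byThumbprint.ContainsKey($cert.Thumbprint)) {
        $byThumbprint[$cert.Thumbprint] | Sort-Object -Unique
    } else { @() }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        SelfSigned = ($cert.Subject -eq $cert.Issuer)   # true for a root certificate
        Stores     = if ($stores) { $stores -join ', ' } else { '<not installed>' }
    }
}
$report | Format-Table -AutoSize

# Flag anything the PFX contains that is not present in any LocalMachine store.
$missing = @($report | Where-Object { $_.Stores -eq '<not installed>' })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) certificate(s) from the PFX are not in any LocalMachine store."
}

# The leaf is only usable for TLS if its private key came in with it.
$leaf = Get-Item "Cert:\LocalMachine\My\$($pfxData.EndEntityCertificates[0].Thumbprint)"
if (-not $leaf.HasPrivateKey) { Write-Warning 'Leaf certificate has no private key.' }
```

The Stores column shows whether intermediates and roots landed in CA and Root or only alongside the leaf in My, which is worth confirming before relying on the import in an automated rollout.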