I have the following PowerShell code, which I need to use to import a certificate into a Key Vault:
###############################################################################
<#
.SYNOPSIS
Import-KeyVaultCertificate
.DESCRIPTION
Import-KeyVaultCertificate
.PARAMETER VaultName
.PARAMETER Name
.PARAMETER Password
.PARAMETER Version
.PARAMETER DisableVersions
.NOTES
This template allows to write secrets into the KeyVault if they are not present. If they are present, the script will ignore it.
.EXAMPLE
Import-KeyVaultCertificate.ps1 -VaultName 'vaultname' -Name 'certificatename' -Password 'certificatepassword' -Thumbprint 'certificatethumbprint' -FilePath 'certificate.pfx'
.EXAMPLE
Import-KeyVaultCertificate.ps1 -VaultName 'vaultname' -Name 'certificatename' -SecurePassword (ConvertTo-SecureString -String 'certificatepassword' -AsPlainText -Force) -Thumbprint 'certificatethumbprint' -FilePath 'certificate.pfx'
#>
# ' char inc as Notepad++ language recognition does not like get-help contents
##############################################################################
[CmdletBinding(DefaultParametersetname = "String")]
param (
    [Parameter(Mandatory = $true)]
    [string] $VaultName,
    [Parameter(Mandatory = $true)]
    [string] $Name,
    [Parameter(Mandatory = $true)]
    [string] $Thumbprint,
    [Parameter(Mandatory = $true)]
    [string] $FilePath,
    [Parameter(Mandatory = $true, ParameterSetName = "String")]
    [string] $Password,
    [Parameter(Mandatory = $true, ParameterSetName = "SecureString")]
    [securestring] $SecurePassword,
    [Parameter(Mandatory = $false)]
    [string] $Version,
    [Parameter(Mandatory = $false)]
    [switch] $DisableVersions
)
begin {
    $Verbose = ($PSBoundParameters['Verbose'] -eq $true) -or ($VerbosePreference -eq 'Continue')
    $KeyVaultParams = @{}
    if ($Version -ne $null) {
        $KeyVaultParams.Add('Version', $Version)
    }
}
process {
    try {
        $KeyVault = @(Get-AzureRmResource -ErrorAction Stop | Where-Object {($_.Name -eq $VaultName) -and ($_.ResourceType -eq 'Microsoft.KeyVault/vaults')})
        if ($KeyVault.count -ne 1) {
            Write-Error -Message ('KeyVault "{0}" not found - Internal Error.' -F $VaultName) -ErrorAction Stop
        }
    }
    catch {
        Write-Error -Message ('KeyVault "{0}" not found - Internal Error.' -F $VaultName) -ErrorAction Stop
    }
    $GetKeyVaultCertificate = Get-AzureKeyVaultCertificate -VaultName $VaultName -Name $Name @KeyVaultParams
    if (($GetKeyVaultCertificate -ne $null) -and ($GetKeyVaultCertificate.Name -eq $Name) -and ($GetKeyVaultCertificate.Thumbprint -eq $Thumbprint)) {
        Write-Warning -Message ('Certificate "{0}" with Thumbprint "{1}" is present in KeyVault "{2}"' -F $GetKeyVaultCertificate.Name, $GetKeyVaultCertificate.Thumbprint, $KeyVault.Name)
    }
    elseif (($GetKeyVaultCertificate -eq $null) -or (($GetKeyVaultCertificate -eq $null) -and ($GetKeyVaultCertificate.Thumbprint -ne $Thumbprint))) {
        try {
            $CatchMessage = 'Failed to upload the certificate "{0}" in key vault "{1}".'
            if ($PSCmdlet.ParameterSetName -eq 'String') {
                $SecurePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force
            }
            Write-Output ($NewCertValue = Import-AzureKeyVaultCertificate -VaultName $VaultName -Name $Name -Password $SecurePassword -FilePath $FilePath -Verbose:$Verbose -ErrorAction Stop)
            if ($DisableVersions) {
                $CatchMessage = 'Unable to retrieve certificate "{0}" in key vault "{1}".'
                (Get-AzureKeyVaultCertificate -VaultName $VaultName -Name $Name -IncludeVersions | Where-Object {$_.Enabled }) | ForEach-Object {
                    if ($_.Version -ne $NewCertValue.Version) {
                        $CatchMessage = 'Failed to disable version for certificate "{0}" in key vault "{1}" [Version: ' + $_.Version + '].'
                        Set-AzureKeyVaultCertificateAttribute -VaultName $VaultName -Name $Name -Version $_.Version -Enable $false -Verbose:$Verbose -ErrorAction Stop
                    }
                }
            }
        }
        catch {
            Write-Error -Message ($CatchMessage -F $Name, $VaultName) -ErrorAction Stop
        }
    }
}
When I try to use it, it asks me for a Version even though I declared that parameter as not mandatory. If I remove @KeyVaultParams, I end up in the script's catch message:
'Failed to upload the certificate "{0}" in key vault "{1}".'
I debugged Get-AzureKeyVaultCertificate and it says it cannot find the certificate, which is correct, but it never reaches the line that imports the certificate. If I use the cmdlet Import-AzureKeyVaultCertificate -VaultName $VaultName -Name $Name -Password (ConvertTo-SecureString -AsPlainText -Force:$true 'xxxxxx') -FilePath 'cert.pfx' directly and import the certificate, then the next time I run the script I get the warning saying the certificate is in the Key Vault and the thumbprint matches, which is exactly what I want.

So, two questions: 1. Version seems to be mandatory; how do I get around that? 2. If the certificate is not in the Key Vault, it is not imported; why?

Thanks for the help
OK. In the meantime I found the problems:
- @KeyVaultParams: I removed the $null check from $Version -ne $null
- the logic in the elseif condition was wrong. It should be
(($GetKeyVaultCertificate -eq $null) -or (($GetKeyVaultCertificate -ne $null)
- I was passing the password as a securestring when the script asked for a plain-text password
- I added Write-Error $_.Exception.Message before the last catch to see the error, which was: The specified network password is not correct.
I hope this helps anyone who wants to import certificates in a more... fancy way :(
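The three fixes listed in the answer, collected into one corrected fragment of the decision logic. This is an added example, not the asker's script or the answer's code; it uses the same AzureRM cmdlets the script already calls, and every value it needs is a parameter supplied by the caller.

```powershell
# Added example (not from the original post): the script's decision logic with
# the three fixes from the answer applied. Cmdlets are the AzureRM ones the
# original script already uses; all values come from the caller.
[CmdletBinding(DefaultParameterSetName = 'String')]
param (
    [Parameter(Mandatory = $true)] [string] $VaultName,
    [Parameter(Mandatory = $true)] [string] $Name,
    [Parameter(Mandatory = $true)] [string] $Thumbprint,
    [Parameter(Mandatory = $true)] [string] $FilePath,
    [Parameter(Mandatory = $true, ParameterSetName = 'String')]       [string]       $Password,
    [Parameter(Mandatory = $true, ParameterSetName = 'SecureString')] [securestring] $SecurePassword,
    [string] $Version
)

# Fix 1: an omitted [string] parameter is '' rather than $null, so the original
# "$Version -ne $null" test was always true and -Version was always passed on.
# Test whether the caller actually bound the parameter instead.
$KeyVaultParams = @{}
if ($PSBoundParameters.ContainsKey('Version')) {
    $KeyVaultParams['Version'] = $Version
}

# Fix 3: convert only when the caller used the plain-text parameter set. Handing a
# SecureString object to the [string] -Password parameter stringifies it to
# 'System.Security.SecureString', which is consistent with the PFX error the
# answer saw ("The specified network password is not correct").
if ($PSCmdlet.ParameterSetName -eq 'String') {
    $SecurePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force
}

$existing = Get-AzureKeyVaultCertificate -VaultName $VaultName -Name $Name @KeyVaultParams -ErrorAction SilentlyContinue

# Fix 2: the original elseif required the object to be both $null and carry a
# thumbprint, which can never hold, so the import branch was unreachable.
# There are only two outcomes: already present with a matching thumbprint, or import.
if ($null -ne $existing -and $existing.Thumbprint -eq $Thumbprint) {
    Write-Warning ('Certificate "{0}" with thumbprint "{1}" is already present in key vault "{2}".' -f $Name, $Thumbprint, $VaultName)
    return
}

try {
    $imported = Import-AzureKeyVaultCertificate -VaultName $VaultName -Name $Name -FilePath $FilePath -Password $SecurePassword -ErrorAction Stop
    $imported
}
catch {
    # Surface the underlying exception text instead of a fixed message, as the answer did.
    Write-Error -Message ('Failed to upload certificate "{0}" to key vault "{1}": {2}' -f $Name, $VaultName, $_.Exception.Message) -ErrorAction Stop
}
```

Checking `$PSBoundParameters.ContainsKey('Version')` is the reliable way to tell "not supplied" from "supplied as empty" for a string parameter; an `if ($Version)` test also works for the common case but treats an explicitly passed empty string the same as an omitted one.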