
I'm trying to script the installation of our on-premises CI/CD agent. Part of that is installing some certificates:

PowerShell

Import-Certificate -FilePath self_signed_CA.cer -CertStoreLocation cert:\LocalMachine\root
Import-PfxCertificate -FilePath my_cert.pfx -CertStoreLocation cert:\CurrentUser\TrustedPublisher -Password $password
Import-PfxCertificate -FilePath my_cert.pfx -CertStoreLocation cert:\CurrentUser\My -Password $password

Executing signtool.exe after that:

The following certificates were considered:
    Issued to: <our company>
    Issued by: <some ca>
    Expires:   <is valid>
    SHA1 hash: <...>

    Issued to: <...>
    Issued by: <...>
    Expires:   <...>
    SHA1 hash: <...>

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Subject Name filter, 1 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

All of this is executed through remote PowerShell sessions. The moment I RDP to the machine with the same account, signtool.exe starts to work, even remotely. I'm baffled by this. Why does this happen?

Edit

I can reproduce this by manually remoting like this:

$cred = Get-Credential
$sess = New-PSSession -Credential $cred -Computername <computername>
Enter-PSSession -Session $sess

I've reduced the steps to reproduce to using certutil.exe (so excluding signtool.exe).

So, while having an RDP session open to said machine, I get the following within the PSSession:

> certutil -store -user my

my "Personal"
================ Certificate 0 ================
Serial Number: 01
Issuer: <...>
 NotBefore: <...>
 NotAfter: <...>
Subject: <...>
Non-root Certificate
Cert Hash(sha1): <...>
  Key Container = <...>
  Unique container name: <...>
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Signature test passed
CertUtil: -store command completed successfully.

When I sign out of the RDP session and wait for a bit (< 1 minute), I get the following within that same PSSession:

> certutil -store -user my

my "Personal"
================ Certificate 0 ================
Serial Number: 01
Issuer: <...>
 NotBefore: <...>
 NotAfter: <...>
Subject: <...>
Non-root Certificate
Cert Hash(sha1): <...>
  Key Container = <...>
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset
CertUtil: -store command completed successfully.

The image of this VM is supposed to be fairly locked down, so there might be some setting or policy interfering with what I'm trying to achieve. But so far I haven't had any luck finding out what would be causing this.

I have found another post with similar symptoms, but all involved accounts have the "Logon as service" right.

dvdvorle
    How do you remote with PS exactly? There might be an issue with "CurrentUser". – stackprotector Jul 17 '20 at 17:06
  • @Thomas I've edited the post with some additional information – dvdvorle Jul 20 '20 at 13:14
  • Thx for the update. Now we need some clarification: Is this all about PS-Sessions or are you really also using Remote Desktop Protocol (RDP) connections as you are writing? – stackprotector Jul 20 '20 at 14:22
  • The goal is to just use PS-Sessions without any RDP. I get the wrong behaviour with just a PS-Session though, and I just happened to notice (while trying to figure out what's going wrong) that I got the right behaviour within the PS-Session if I was also logged in through an RDP session in parallel to the same machine with the same account. – dvdvorle Jul 20 '20 at 17:38
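A diagnostic that fits the symptom in the question, added here as an example rather than taken from the question, its comments, or any project: certutil already shows that the certificate is listed in both situations and that only the key container goes missing, so the useful check from inside the PSSession is whether the private key can actually be opened and used to sign, not merely whether it is associated. The script below imports the PFX into both cert:\CurrentUser\My and cert:\LocalMachine\My, probes each copy, and prints the facts worth comparing between the session that works and the one that does not. Assumptions not on the page: the PFX path and $password from the question, that the CI account is allowed to use the machine store (writing to it needs an elevated session; machine-store keys are kept under %ProgramData% rather than in the user profile), that the key is RSA, and that signtool.exe is on PATH. The artifact path at the end is a placeholder.

```powershell
# Added diagnostic for the "Missing stored keyset" symptom; not code from the question.
# Imports the PFX into the user and machine stores and, for each copy, proves whether the
# private key can really be opened and used, which is what separates certutil's
# "Key Container = ..." output from "Missing stored keyset".
# Assumptions (not from the page): $PfxPath/$Password as in the question, an elevated
# session for cert:\LocalMachine\My, an RSA key, and signtool.exe on PATH.
param(
    [string]       $PfxPath  = 'my_cert.pfx',   # assumed, as in the question
    [securestring] $Password = $password        # assumed to be set by the caller
)

function Get-SessionKeyContext {
    # Facts to compare between the working and the failing session. User-scoped KSP keys
    # normally live under %APPDATA%\Microsoft\Crypto\Keys; the file name there is the
    # "Unique container name" that certutil prints when the key is reachable.
    $keyDir = Join-Path $env:APPDATA 'Microsoft\Crypto\Keys'
    [pscustomobject]@{
        User     = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        AppData  = $env:APPDATA
        KeyDir   = $keyDir
        KeyFiles = if (Test-Path -LiteralPath $keyDir) { (Get-ChildItem -LiteralPath $keyDir -File).Count } else { 0 }
    }
}

function Test-SigningKeyUsable {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # HasPrivateKey only says a key is associated with the cert; opening it is the real test.
    if (-not $Cert.HasPrivateKey) { return 'no private key associated' }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return 'key is not RSA (not probed here)' }
        # Sign a small constructed payload so the KSP has to load the key material.
        $probe = [Text.Encoding]::UTF8.GetBytes('constructed probe payload')
        $null = $rsa.SignData($probe,
                    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        return 'usable'
    } catch {
        # A "Keyset does not exist" failure here is the same condition certutil reports.
        return "unusable: $($_.Exception.Message)"
    }
}

function Get-SigningKeyReport {
    param([string]$Path, [securestring]$Pwd)
    foreach ($loc in 'CurrentUser', 'LocalMachine') {
        $store = "cert:\$loc\My"
        try {
            $imported = Import-PfxCertificate -FilePath $Path -CertStoreLocation $store -Password $Pwd -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Store = $store; Thumbprint = ''; KeyState = "import failed: $($_.Exception.Message)" }
            continue
        }
        foreach ($c in $imported) {
            [pscustomobject]@{ Store = $store; Thumbprint = $c.Thumbprint; KeyState = (Test-SigningKeyUsable -Cert $c) }
        }
    }
}

Get-SessionKeyContext | Format-List
$report = Get-SigningKeyReport -Path $PfxPath -Pwd $Password
$report | Format-Table -AutoSize

# If the machine-store copy is usable, point signtool at it explicitly: /sm selects the
# machine store and /sha1 pins the exact certificate, so the user store plays no part.
$machine = $report |
    Where-Object { $_.Store -eq 'cert:\LocalMachine\My' -and $_.KeyState -eq 'usable' } |
    Select-Object -First 1
if ($machine) {
    $artifact = 'C:\path\to\artifact.exe'   # placeholder, not from the question
    & signtool.exe sign /sm /sha1 $machine.Thumbprint /fd SHA256 $artifact
}
```

Run it once in the PSSession while the RDP session is open and once after signing out; if the CurrentUser row flips from "usable" to "unusable" while the LocalMachine row stays "usable", the agent can be configured to sign from the machine store and no longer depends on an interactive logon being present.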

0 Answers