3

I am using the following code to install a .pfx file on an Azure Cloud Service:

Add-AzureCertificate -serviceName $CloudServiceName -certToDeploy $PfxFile.FullName -ErrorAction 'Stop' -Password $applicationCertsPassword

I think it's throwing an Exception because the .pfx file does not require a password.

How can I determine beforehand whether or not the .pfx file requires a password?

EDIT: I'd like to determine beforehand if the .pfx file has a password or not so I can avoid running the commandlet again without the password argument in the catch block.

David Klempfner
  • A .pfx file should always be password protected, because it contains a private key. If your .pfx file is not, "you're doing it wrong" :) One way to get around that is to import it into the Windows keystore and then export it with a password. – Jan Chrbolka Apr 10 '15 at 03:18
  • There's no need for a password if the .pfx file is zipped and the .zip file contains a password. – David Klempfner Apr 10 '15 at 04:27
  • 1
    That's a valid point. I think it is more of a convention, that when a .pfx file is exported, it is exported with a password to protect the private key. If it sits anywhere unprotected (before, or after it's placed in a password protected zip file) there is a chance of "somebody" getting access to the private key. – Jan Chrbolka Apr 10 '15 at 04:57

2 Answers

3

You could always put it in a Try{} and then do the same command without the password in the Catch{}, but that's kind of dirty scripting.

Try{
    Add-AzureCertificate -serviceName $CloudServiceName -certToDeploy $PfxFile.FullName -ErrorAction 'Stop' -Password $applicationCertsPassword
}
Catch{
    Add-AzureCertificate -serviceName $CloudServiceName -certToDeploy $PfxFile.FullName -ErrorAction 'Stop'
}

What I think I would probably do instead is attempt to load the certificate up as an object with no password, and if that fails I'd know that there's a password for it.

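$OldEA = $ErrorActionPreference
# Suppress the error raised when the file cannot be loaded without a password
$ErrorActionPreference = 'SilentlyContinue'
If([System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromCertFile($pfxfile.fullname)){"No Password"}
# Restore the previous error preference
$ErrorActionPreference = $OldEA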

Pretty sure that'll accomplish what you want. I don't happen to have a PFX file without a password to verify with right now though, because as Jan pointed out they aren't really something you should have in general.

TheMadTechnician
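An added example, not code from either answer: one way to make the check the question asks for, by opening the .pfx with an empty password and treating only the Windows "invalid password" error as "password required", so a corrupt file still fails loudly. `Test-PfxRequiresPassword` and `Add-PfxToCloudService` are hypothetical helper names, and the HRESULT comparison assumes the .NET runtime on Windows.

```powershell
# Hypothetical helper: returns $true when the .pfx cannot be opened with an
# empty password, $false when it opens (private key is unprotected at rest).
function Test-PfxRequiresPassword {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Path)

    # .NET resolves relative paths against the process directory, not the
    # PowerShell location, so pass a full provider path.
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = $null
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath, ''
        return $false
    }
    catch {
        $inner = $_.Exception.GetBaseException()
        # Assumption: Windows reports a wrong PFX password as
        # ERROR_INVALID_PASSWORD, HRESULT 0x80070056 (-2147024810).
        if ($inner -is [System.Security.Cryptography.CryptographicException] -and
            $inner.HResult -eq -2147024810) {
            return $true
        }
        # Anything else (missing file, not a PKCS#12 container) is a real error.
        throw
    }
    finally {
        # Release the loaded certificate and its key handle.
        if ($cert) { $cert.Reset() }
    }
}

# Hypothetical wrapper around the question's call: add -Password only when
# the file needs one, using splatting instead of a retry in a catch block.
function Add-PfxToCloudService {
    param($CloudServiceName, [System.IO.FileInfo]$PfxFile, $Password)

    $params = @{
        serviceName  = $CloudServiceName
        certToDeploy = $PfxFile.FullName
        ErrorAction  = 'Stop'
    }
    if (Test-PfxRequiresPassword -Path $PfxFile.FullName) {
        $params['Password'] = $Password
    }
    Add-AzureCertificate @params
}
```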
1

The .pfx certificate file that you use to upload to an Azure cloud service must include the private key, and so it must be password protected. You will be asked for that password once it is uploaded.

gbellmann