powershell - 无法将证书导入 Keyvault
问题描述
我有以下 powershell 代码,我需要使用这些代码将证书导入密钥库:
###############################################################################
<#
.SYNOPSIS
Import-KeyVaultCertificate
.DESCRIPTION
Import-KeyVaultCertificate
.PARAMETER VaultName
.PARAMETER Name
.PARAMETER Password
.PARAMETER Version
.PARAMETER DisableVersions
.NOTES
This template allows to write secrets into the KeyVault if they are not present. If they are present, the script will ignore it.
.EXAMPLE
Import-KeyVaultCertificate.ps1 -VaultName 'vaultname' -Name 'certificatename' -Password 'certificatepassword' -Thumbprint 'certificatethumbprint' -FilePath 'certificate.pfx'
.EXAMPLE
Import-KeyVaultCertificate.ps1 -VaultName 'vaultname' -Name 'certificatename' -SecurePassword (ConvertTo-SecureString -String 'certificatepassword' -AsPlainText -Force) -Thumbprint 'certificatethumbprint' -FilePath 'certificate.pfx'
#>
# ' char inc as Notepad++ language recognition does not like get-help contents
##############################################################################
[CmdletBinding(DefaultParametersetname = "String")]
param (
[Parameter(Mandatory = $true)]
[string] $VaultName,
[Parameter(Mandatory = $true)]
[string] $Name,
[Parameter(Mandatory = $true)]
[string] $Thumbprint,
[Parameter(Mandatory = $true)]
[string] $FilePath,
[Parameter(Mandatory = $true, ParameterSetName = "String")]
[string] $Password,
[Parameter(Mandatory = $true, ParameterSetName = "SecureString")]
[securestring] $SecurePassword,
[Parameter(Mandatory = $false)]
[string] $Version,
[Parameter(Mandatory = $false)]
[switch] $DisableVersions
)
begin {
$Verbose = ($PSBoundParameters['Verbose'] -eq $true) -or ($VerbosePreference -eq 'Continue')
$KeyVaultParams = @{}
if ($Version -ne $null) {
$KeyVaultParams.Add('Version', $Version)
}
}
process {
try {
$KeyVault = @(Get-AzureRmResource -ErrorAction Stop | Where-Object {($_.Name -eq $VaultName) -and ($_.ResourceType -eq 'Microsoft.KeyVault/vaults')})
if ($KeyVault.count -ne 1) {
Write-Error -Message ('KeyVault "{0}" not found - Internal Error.' -F $VaultName) -ErrorAction Stop
}
}
catch {
Write-Error -Message ('KeyVault "{0}" not found - Internal Error.' -F $VaultName) -ErrorAction Stop
}
$GetKeyVaultCertificate = Get-AzureKeyVaultCertificate -VaultName $VaultName -Name $Name @KeyVaultParams
if (($GetKeyVaultCertificate -ne $null) -and ($GetKeyVaultCertificate.Name -eq $Name) -and ($GetKeyVaultCertificate.Thumbprint -eq $Thumbprint)) {
Write-Warning -Message ('Certificate "{0}" with Thumbprint "{1}" is present in KeyVault "{2}"' -F $GetKeyVaultCertificate.Name, $GetKeyVaultCertificate.Thumbprint, $KeyVault.Name)
}
elseif (($GetKeyVaultCertificate -eq $null) -or (($GetKeyVaultCertificate -eq $null) -and ($GetKeyVaultCertificate.Thumbprint -ne $Thumbprint))) {
try {
$CatchMessage = 'Failed to upload the certificate "{0}" in key vault "{1}".'
if ($PSCmdlet.ParameterSetName -eq 'String') {
$SecurePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force
}
Write-Output ($NewCertValue = Import-AzureKeyVaultCertificate -VaultName $VaultName -Name $Name -Password $SecurePassword -FilePath $FilePath -Verbose:$Verbose -ErrorAction Stop)
if ($DisableVersions) {
$CatchMessage = 'Unable to retrieve certificate "{0}" in key vault "{1}".'
(Get-AzureKeyVaultCertificate -VaultName $VaultName -Name $Name -IncludeVersions | Where-Object {$_.Enabled }) | ForEach-Object {
if ($_.Version -ne $NewCertValue.Version) {
$CatchMessage = 'Failed to disable version for certificate "{0}" in key vault "{1}" [Version: ' + $_.Version + '].'
Set-AzureKeyVaultCertificateAttribute -VaultName $VaultName -Name $Name -Version $_.Version -Enable $false -Verbose:$Verbose -ErrorAction Stop
}
}
}
}
catch {
Write-Error -Message ($CatchMessage -F $Name, $VaultName) -ErrorAction Stop
}
}
}
如果我尝试使用它,它会询问我一个版本,尽管我指定该参数不是强制性的。如果我删除@KeyVaultParams
,我会到达 catch 消息中脚本的位置:
'Failed to upload the certificate "{0}" in key vault "{1}".'
对它进行了调试Get-AzureKeyVaultCertificate
,我说找不到证书,这是正确的,但它没有转到导入它的行。如果我使用 Import-AzureKeyVaultCertificate -VaultName $VaultName -Name $Name -Password (ConvertTo-SecureString -AsPlainText -Force:$true 'xxxxxx') -FilePath 'cert.pfx'
cmdlet 并导入证书,下次我使用脚本时会收到警告 - 这就是我想要的。表示证书在 keyvault 中并且指纹匹配。
所以 2 个问题: 1. 版本似乎是强制性的 - 我该如何解决?2. 如果 keyvault 中不存在证书,则不会导入证书 - 为什么?
谢谢您的帮助
解决方案
好的。同时我发现了问题:
@KeyVaultParams
- 我删除-eq $null
了$Version -ne $null
- 这里的逻辑是错误的:
(($GetKeyVaultCertificate -eq $null) -or (($GetKeyVaultCertificate -eq $null)
。它应该是(($GetKeyVaultCertificate -eq $null) -or (($GetKeyVaultCertificate -ne $null)
- 当脚本要求输入明文密码时,我将密码解析为安全字符串。
Write-error $_.Exception.Message
在最后一个之前添加了一个catch
以查看错误,即:The specified network password is not correct.
我希望这可以帮助那些想要以更...花哨的方式导入证书的人:)
推荐阅读
- python - PYARMOR : 混淆用错误的编码写入特定字符。例如:° 写成 °
- vb.net - ASP.NET 中的客户端回调具有非常奇怪的行为
- pyspark - org.apache.spark.SparkException:由于数据块中的阶段失败,作业中止
- python - python中使用tic tac toe的Minimax算法
- android - 是否可以在 Android 上读取与第三方应用程序的 NFC 通信?
- flutter - 在 Flutter 应用的每个视图底部显示音乐播放器
- python - 在 for 循环的初始运行期间使用列表中的第二个值执行操作
- java - 如果我在 Spring Data JDBC 中使用没有 @Id 的实体类,我会遗漏什么吗?
- wordpress - 是否使用旧的购买主题进行网站开发?
- machine-learning - 在 Keras 中合并顺序模型