Get-PfxCertificate returns Access Denied

Barrett Lewis 16 Reputation points
2020-12-10T01:42:09.007+00:00

I am trying to sign some code with Set-AuthenticodeSignature. To do that I need to get the certificate from a pfx file. Get-PfxCertificate returns Access Denied, and I can't find any discussion/reference/documentation that could explain why that is happening or what it means.

> get-acl test.pfx


    Directory: C:\xyz

Path     Owner                  Access
----     -----                  ------
test.pfx BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow  FullControl…

> ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")

True
> Get-PfxCertificate -FilePath test.pfx -Password (ConvertTo-SecureString -String (Get-Content test.txt) -AsPlainText -Force) -Verbose


Get-PfxCertificate: Access denied.

I am certain that the PFX is valid since it works in other contexts, including within the same instance of the mcr.microsoft.com/powershell:windowsservercore-1809 container, as ContainerAdministrator, but not as my custom user, which is also an administrator, created like this:

net user $UserName /ADD /ACTIVE:YES /EXPIRES:NEVER /FULLNAME:"$Description" /PASSWORDCHG:NO /PASSWORDREQ:NO
net localgroup Administrators /add $UserName

I wouldn't expect any user permissions to be relevant when loading a cert object from a pfx file via password, but it works as the ContainerAdministrator user, so I don't know. I am able to dump the binary pfx out with Get-Content as the custom user, so I don't think it's a file permission issue. Maybe it's some nuance about pfx files?

I have also tried

> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Resolve-Path "test.pfx"), (Get-Content test.txt))

New-Object: Exception calling ".ctor" with "2" argument(s): "Access denied."

This gives basically the same error.

I'm looking for any possible explanation of why I could be getting this error and what it could mean, or any way to get more verbose output of the error.

Windows Server 2019
Windows Server Security
Windows Server PowerShell
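An added example, not part of the original post: one way to get more detail than "Access denied." is to load the PFX once per X509KeyStorageFlags value and report the innermost exception type and HRESULT for each attempt. It assumes PowerShell 7 on Windows; Test-PfxImport is a hypothetical helper name, and the self-signed certificate is constructed sample input so the script runs without test.pfx.

```powershell
# Added diagnostic example (not from the original post); assumes PowerShell 7 on Windows.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: tries each key-storage option and reports how the import ended.
function Test-PfxImport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    foreach ($flag in 'DefaultKeySet', 'UserKeySet', 'MachineKeySet', 'EphemeralKeySet') {
        $row = [ordered]@{ Flags = $flag; Loaded = $false; HResult = $null; Error = $null }
        try {
            $cert = [X509Certificate2]::new($full, $Password, [X509KeyStorageFlags]$flag)
            $row.Loaded = $true
            $cert.Dispose()   # without PersistKeySet the imported key is removed again here
        }
        catch {
            # PowerShell wraps the .NET exception; walk to the innermost one to see
            # the real exception type and the HRESULT behind the short message.
            $ex = $_.Exception
            while ($ex.InnerException) { $ex = $ex.InnerException }
            $row.HResult = '0x{0:X8}' -f $ex.HResult
            $row.Error   = '{0}: {1}' -f $ex.GetType().Name, $ex.Message
        }
        [pscustomobject]$row
    }
}

# Constructed sample input: a throwaway self-signed PFX with a constructed password.
$pw  = ConvertTo-SecureString -String 'constructed-sample' -AsPlainText -Force
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=constructed-sample', $rsa,
           [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$tmp = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
$pfx = Join-Path ([IO.Path]::GetTempPath()) 'constructed-sample.pfx'
[IO.File]::WriteAllBytes($pfx, $tmp.Export([X509ContentType]::Pfx, $pw))

# Run this as each account being compared and diff the tables.
Test-PfxImport -Path $pfx -Password $pw | Format-Table -AutoSize
Remove-Item -LiteralPath $pfx
```

EphemeralKeySet keeps the private key in memory instead of writing it to a key store, so a table where only that row loads points at key storage for the account rather than at reading the file.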