How to fix "Missing stored keyset" through a remote PowerShell session (without connecting via RDP)


I am trying to script the installation of our on-premises CI/CD agent. Part of that is installing some certificates:

PowerShell

Import-Certificate -FilePath self_signed_CA.cer -CertStoreLocation cert:\LocalMachine\root
Import-PfxCertificate -FilePath my_cert.pfx -CertStoreLocation cert:\CurrentUser\TrustedPublisher -Password $password
Import-PfxCertificate -FilePath my_cert.pfx -CertStoreLocation cert:\CurrentUser\My -Password $password

Running signtool.exe afterwards produces:

The following certificates were considered:
    Issued to: <our company>
    Issued by: <some ca>
    Expires:   <is valid>
    SHA1 hash: <...>

    Issued to: <...>
    Issued by: <...>
    Expires:   <...>
    SHA1 hash: <...>

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Subject Name filter, 1 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

All of this is executed through a remote PowerShell session. When I connect to the machine via RDP with the same account, signtool.exe starts working, even remotely. I am confused by this. Why is this happening?

Edit

I can reproduce the problem by remoting in manually like this:

$cred = Get-Credential
$sess = New-PSSession -Credential $cred -Computername <computername>
Enter-PSSession -Session $sess

I have reduced the repro steps to using certutil.exe (so signtool.exe is no longer involved).

So, while an RDP session to said machine is open, I get the following in the remote session:

> certutil -store -user my

my "Personal"
================ Certificate 0 ================
Serial Number: 01
Issuer: <...>
 NotBefore: <...>
 NotAfter: <...>
Subject: <...>
Non-root Certificate
Cert Hash(sha1): <...>
  Key Container = <...>
  Unique container name: <...>
  Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Signature test passed
CertUtil: -store command completed successfully.

When I log out of the RDP session and wait a while (less than a minute), I get the following in the same remote session:

> certutil -store -user my

my "Personal"
================ Certificate 0 ================
Serial Number: 01
Issuer: <...>
 NotBefore: <...>
 NotAfter: <...>
Subject: <...>
Non-root Certificate
Cert Hash(sha1): <...>
  Key Container = <...>
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset
CertUtil: -store command completed successfully.

The image of this VM is supposed to be fully locked down, so there may be some setting or policy interfering with what I am trying to achieve. But so far I have not found what causes this.

I have already found another post with similar symptoms, but there all the accounts involved have the "Log on as a service" right.
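An added diagnostic, not part of the question above: it walks the same filters signtool.exe reported (EKU, expiry, subject, private key) over both the CurrentUser and LocalMachine personal stores and then actually signs with each private key, so a "Missing stored keyset" condition surfaces as an error inside the very session being tested. The subject filter value is a placeholder, and the key is assumed to be RSA.

```powershell
# Added diagnostic (not from the question). Run it in the remote PowerShell session,
# then again while an RDP session for the same account is open, and compare KeyState.
param(
    [string]$SubjectMatch = 'CN=<our company>',   # placeholder: your signing cert subject
    [string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing EKU, the filter signtool applies

# Session context: a non-interactive session or a temporary profile path is worth noting
# when a per-user key container is reachable in one session type but not the other.
Write-Host "User=$env:USERNAME Interactive=$([Environment]::UserInteractive) Profile=$env:USERPROFILE"

function Test-KeyUsable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # HasPrivateKey only says the store entry is linked to a key container; whether the
    # container can be opened is only known once the key is actually used.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return 'no RSA private key' }
        $null = $rsa.SignData([Text.Encoding]::ASCII.GetBytes('probe'),
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        return 'usable'
    } catch {
        return "unusable: $($_.Exception.Message)"
    }
}

foreach ($store in $Stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })
        [pscustomobject]@{
            Store         = $store
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            CodeSigning   = [bool]$hasCodeSigning
            Expired       = $cert.NotAfter -lt (Get-Date)
            SubjectMatch  = $cert.Subject -like "*$SubjectMatch*"
            HasPrivateKey = $cert.HasPrivateKey
            KeyState      = if ($cert.HasPrivateKey) { Test-KeyUsable -Cert $cert } else { 'n/a' }
        }
    }
}
```

A row that passes every filter but shows KeyState as "unusable" in the remote session and "usable" under RDP reproduces the question's symptom at the key-container level rather than through signtool's summary line.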
