How to use from a powershell a *.pfx certificate used on build pipeline with the download secure file task

I got this problem:
I need to connect to an Azure subscription from a PowerShell script used on a build pipeline, but for security requirements I can't write the user and password in the code, so I have a pfx certificate with the credentials.
Right now I'm using the task named Download Secure File to put the certificate on the build. Then I'm trying to access the certificate from the PowerShell code.

I already tested the code on my machine, but when I'm trying to use it on the build pipeline I cannot access the certificate with this

and I got an error like this

Logging in...
D:a1sScriptsfileName.ps1 : The Script does not work :The term 'cert.secureFilePath' is not recognized
as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was
included, verify that the path is correct and try again.

$tenantId  = "xxxxxxxxxxx"
$appId = "zzzzz"
$cert = %DOWNLOADSECUREFILE_SECUREFILEPATH%
$certThumbprint = $cert.Thumbprint

Write-Host "Logging in...";

Login-AzureRmAccount `
-ServicePrincipal `
-TenantId $tenantId `
-ApplicationId $appId `
-CertificateThumbprint $certThumbprint

Tasks used on the build pipeline

  • Output $cert var after assigning it to see what's in there to make sure that environment variable is getting passed properly from the task.

    – pabrams
    Jan 2 at 20:27

  • Make sure you reference any values passed as a parameter to the powershell task correctly.

    – Matt
    Jan 2 at 21:15

  • When I'm trying to Write-Host $env:DOWNLOADSECUREFILE_SECUREFILEPATH the screen doesn't show anything.

    – Vanessa
    Jan 3 at 12:38

  • @Vanessa. Have you uploaded the .pfx file to the Azure pipeline library as a secure file?

    – Tom Sun
    Jan 3 at 13:22

  • @TomSun yes, and I also use the download secure file task before the powershell task

    – Vanessa
    Jan 3 at 21:25

Tags: azure azure-devops azure-powershell

asked Jan 2 at 15:57, edited Jan 2 at 16:02
– Vanessa

1 Answer

The full path of the downloaded Secure file is stored to the $env:DOWNLOADSECUREFILE_SECUREFILEPATH environment variable. For more information about Download Secure File task please refer to this document.

We could get the certThumbprint with the following code:

# Path of the file placed on the agent by the Download Secure File task
$CertificatePath = "$env:DOWNLOADSECUREFILE_SECUREFILEPATH"
# Password of the .pfx file (placeholder value)
$sSecStrPassword = "xxxxx"
# Load the .pfx and read its thumbprint
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $sSecStrPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint

If we don't want to use the user and password in the code directly, we could use the Azure Pipeline library and reference it in the code.

If you want to encrypt and securely store the value, choose the "lock" icon at the end of the row. When you're finished adding variables, choose Save

You access the value of the variables in a linked variable group in exactly the same way as variables you define within the pipeline itself. For example, to access the value of a variable named customer in a variable group linked to the pipeline, use $(customer) in a task parameter or a script. However, secret variables (encrypted variables and key vault variables) cannot be accessed directly in scripts - instead they must be passed as arguments to a task

If I add a variable named sSecStrPassword in the library, then the code could be changed as follows:

# Load a .pfx file with its password and return the certificate thumbprint
function GetThumbprintPFX {
    param([string] $CertificatePath, [string]$Password)
    $certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    $thumbprint = $certificateObject.Thumbprint
    return $thumbprint
}

# $(sSecStrPassword) is replaced by the pipeline before the script runs
$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"

Test Result: [image]

For more information about Variable groups, please refer to this link. And Azure Key Vault is another choice for security requirements.



Update:



The following are the detailed steps to use the pfx file in the Azure DevOps pipeline.

  1. Prepare a .pfx file.

  2. Add a Download Secure File task and upload the pfx file.

  3. Create a variable group and add a variable named sSecStrPassword.

  4. Link the variable to the build.

  5. Add a PowerShell script task and add the following script in it.

# Write your powershell commands here.

# Show the path set by the Download Secure File task
Write-Host $env:DOWNLOADSECUREFILE_SECUREFILEPATH

# Load a .pfx file with its password and return the certificate thumbprint
function GetThumbprintPFX {
    param([string] $CertificatePath, [string]$Password)
    $certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    $thumbprint = $certificateObject.Thumbprint
    return $thumbprint
}

$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"

  6. Queue the build and check the result.

  • Hi, I tried your code but I got a message like this: Exception calling "Import" with "3" argument(s): "The path is not of a legal form."

    – Vanessa
    Jan 3 at 12:39

  • @vanessa Have you tried to create a sSecStrPassword in the library and link it in the variable tab? You could output the $env:DOWNLOADSECUREFILE_SECUREFILEPATH to test it in the pipeline. You could also test the demo code locally or in the Azure pipeline with a hard-coded password. If the password contains special characters, please use '' to escape. As I mentioned, use '$(sSecStrPassword)'. If it works, then you could change it to the variable in the Azure DevOps pipeline.

    – Tom Sun
    Jan 3 at 13:14

  • Hi, I got a new error with this solution: Logging in... D:a1sScriptsscriptps.ps1 : The Script does not work :The path is not of a legal form. At D:a_temp3e212052-1215-40bf-b7fc-ef7c100b8238.ps1:2 char:1 + . 'D:a1sScriptsscriptps.ps1 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,scriptps.ps1

    – Vanessa
    Jan 3 at 20:55

  • @Vanessa. I have updated the answer with detailed steps, you could refer to it.

    – Tom Sun
    Jan 7 at 1:34

  • Hi, I created a new pipeline just like the example you gave me and I got the following error: "Exception calling "Import" with "3" argument(s): "The specified network password is not correct." I don't know if it is related to the autogenerated certificate. I use one that I created before, and exported with the private key, selected pkcs file and the password is encrypted AES256-SHA256. Should I use another encryption method? Thanks

    – Vanessa
    Jan 8 at 2:15
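
An added example, not part of the original answer or its comments: the script below checks the secure file path and the password before importing the PFX, so the failures reported in this thread surface with a clear cause, then logs in and removes the certificate again. PFX_PASSWORD and the three function names are hypothetical, and it assumes that Login-AzureRmAccount resolves -CertificateThumbprint from the current user's certificate store.

```powershell
# Added example, not code from the original thread.
# Hypothetical names: PFX_PASSWORD, Resolve-SecureFilePath, Get-PfxPassword, Invoke-WithPfxLogin.
# Assumption: the PowerShell task maps the secret variable into the environment,
# e.g. PFX_PASSWORD = $(sSecStrPassword), instead of pasting it into the script text.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Resolve-SecureFilePath {
    # An empty path is what makes X509Certificate2.Import() report
    # "The path is not of a legal form.", so check it before touching the file.
    $path = $env:DOWNLOADSECUREFILE_SECUREFILEPATH
    if ([string]::IsNullOrWhiteSpace($path)) {
        throw 'DOWNLOADSECUREFILE_SECUREFILEPATH is empty; check that the Download Secure File task ran earlier in this job.'
    }
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "DOWNLOADSECUREFILE_SECUREFILEPATH points to '$path', which is not a file."
    }
    return $path
}

function Get-PfxPassword {
    $raw = $env:PFX_PASSWORD
    if ([string]::IsNullOrEmpty($raw)) {
        throw 'PFX_PASSWORD is empty; secret variables reach a script only when mapped explicitly.'
    }
    # A variable the pipeline cannot resolve is left as the literal text "$(name)",
    # which would then be tried as the password.
    if ($raw -match '^\$\(.+\)$') {
        throw "PFX_PASSWORD holds the unexpanded macro $raw; link the variable group to the pipeline."
    }
    return ConvertTo-SecureString -String $raw -AsPlainText -Force
}

function Invoke-WithPfxLogin {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [scriptblock] $Action
    )
    $path = Resolve-SecureFilePath
    $password = Get-PfxPassword
    # Assumption: the login cmdlet looks the thumbprint up in this store.
    $storePath = 'Cert:\CurrentUser\My'
    $cert = $null
    try {
        try {
            $cert = Import-PfxCertificate -FilePath $path -CertStoreLocation $storePath -Password $password
        } catch {
            throw "Could not import '$path' with the supplied password: $($_.Exception.Message)"
        }
        if (-not $cert.HasPrivateKey) {
            throw 'The PFX has no private key, so it cannot authenticate the service principal.'
        }
        Write-Host "Logging in with certificate $($cert.Thumbprint)..."
        Login-AzureRmAccount -ServicePrincipal -TenantId $TenantId `
            -ApplicationId $ApplicationId -CertificateThumbprint $cert.Thumbprint | Out-Null
        # Run the caller's work while the certificate is still in the store.
        & $Action
    } finally {
        # Remove the certificate and its private key from the agent's store again.
        if ($cert) {
            Remove-Item -Path "$storePath\$($cert.Thumbprint)" -DeleteKey -ErrorAction SilentlyContinue
        }
    }
}

# Placeholder tenant and application ids, as in the question.
Invoke-WithPfxLogin -TenantId 'xxxxxxxxxxx' -ApplicationId 'zzzzz' -Action {
    Get-AzureRmContext
}
```

The password never appears in the script text or the log; only the thumbprint and the name of an unexpanded macro are printed.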













Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54009357%2fhow-to-use-from-a-powershell-a-pfx-certificate-used-on-build-pipeline-with-the%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














The full path of the downloaded Secure file is stored to the $env:DOWNLOADSECUREFILE_SECUREFILEPATH environment variable. For more information about Download Secure File task please refer to this document.



We could get the certThumbprint with following code



$CertificatePath = "$env:DOWNLOADSECUREFILE_SECUREFILEPATH"
$sSecStrPassword = "xxxxx"
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $sSecStrPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint


If we don't want to use to user and password in the code directly. We could use the Azure Pipeline library. And we could reference it in the code.




If you want to encrypt and securely store the value, choose the "lock" icon at the end of the row. When you're finished adding variables, choose Save




enter image description here




You access the value of the variables in a linked variable group in exactly the same way as variables you define within the pipeline itself. For example, to access the value of a variable named customer in a variable group linked to the pipeline, use $(customer) in a task parameter or a script. However, secret variables (encrypted variables and key vault variables) cannot be accessed directly in scripts - instead they must be passed as arguments to a task




If I add a Variable named sSecStrPassword in the library. Then the code could be changed as following:



function GetThumbprintPFX {
param([string] $CertificatePath, [string]$Password)
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint
return $thumbprint
}


$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"


Test Result:



enter image description here



For more information about Variable groups, please refer to this link. And Azure Key Vault is another choice for security requirements.



Update:



The following is the detail steps to use the pfx file in the Azure Devops pipeline.




  1. prepare a .pfx file.

  2. Add a download secure file task and upload the pfx file.


enter image description here




  1. create a variable group and add a variable named sSecStrPassword


enter image description here




  1. link the variable to the build


enter image description here




  1. Add powershell script task and add the following script in it.


enter image description here



# Write your powershell commands here.

Write-Host $env:DOWNLOADSECUREFILE_SECUREFILEPATH

function GetThumbprintPFX {
param([string] $CertificatePath, [string]$Password)
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint
return $thumbprint
}

$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"



  1. queue the build and check the result.


enter image description here






share|improve this answer


























  • Hi, I tried your code but i got a message like this: Exception calling "Import" with "3" argument(s): "The path is not of a legal form."

    – Vanessa
    Jan 3 at 12:39













  • @vanessa Have you tried to create a sSecStrPassword in the library and link it the variable tab? You could output the $env:DOWNLOADSECUREFILE_SECUREFILEPATH to test it in the pipeline. You also could test demo code in the local or azure pipeline with hard code (password). If the password contains special characters, please use '' to escape. As I metioned use '$(sSecStrPassword)'. If it works, then could change it with variable in the azure devops pipeline.

    – Tom Sun
    Jan 3 at 13:14













  • Hi, i got a new error with this solution Logging in... D:a1sScriptsscriptps.ps1 : The Script does not work :The path is not of a legal form. At D:a_temp3e212052-1215-40bf-b7fc-ef7c100b8238.ps1:2 char:1 + . 'D:a1sScriptsscriptps.ps1 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,scriptps.ps1

    – Vanessa
    Jan 3 at 20:55













  • @Vanessa. I have updated the answer with detail steps, you could refer to it.

    – Tom Sun
    Jan 7 at 1:34











  • Hi, I create a new pipeline just like the example you gave me and i got the following error: "Exception calling "Import" with "3" argument(s): "The specified network password is not correct." I don't know if is related to the autogenerated certificate. I use one that I created before, and exported with the private key, selected pkcs file and the password is encrypted AES256-SHA256. Should I use another encryption method? Thanks

    – Vanessa
    Jan 8 at 2:15


















0














The full path of the downloaded Secure file is stored to the $env:DOWNLOADSECUREFILE_SECUREFILEPATH environment variable. For more information about Download Secure File task please refer to this document.



We could get the certThumbprint with following code



$CertificatePath = "$env:DOWNLOADSECUREFILE_SECUREFILEPATH"
$sSecStrPassword = "xxxxx"
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $sSecStrPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint


If we don't want to use to user and password in the code directly. We could use the Azure Pipeline library. And we could reference it in the code.




If you want to encrypt and securely store the value, choose the "lock" icon at the end of the row. When you're finished adding variables, choose Save




enter image description here




You access the value of the variables in a linked variable group in exactly the same way as variables you define within the pipeline itself. For example, to access the value of a variable named customer in a variable group linked to the pipeline, use $(customer) in a task parameter or a script. However, secret variables (encrypted variables and key vault variables) cannot be accessed directly in scripts - instead they must be passed as arguments to a task




If I add a Variable named sSecStrPassword in the library. Then the code could be changed as following:



function GetThumbprintPFX {
param([string] $CertificatePath, [string]$Password)
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint
return $thumbprint
}


$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"


Test Result:



enter image description here



For more information about Variable groups, please refer to this link. And Azure Key Vault is another choice for security requirements.



Update:



The following is the detail steps to use the pfx file in the Azure Devops pipeline.




  1. prepare a .pfx file.

  2. Add a download secure file task and upload the pfx file.


enter image description here




  1. create a variable group and add a variable named sSecStrPassword


enter image description here




  1. link the variable to the build


enter image description here




  1. Add powershell script task and add the following script in it.


enter image description here



# Write your powershell commands here.

Write-Host $env:DOWNLOADSECUREFILE_SECUREFILEPATH

function GetThumbprintPFX {
param([string] $CertificatePath, [string]$Password)
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint
return $thumbprint
}

$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"



  1. queue the build and check the result.


enter image description here






share|improve this answer


























  • Hi, I tried your code but i got a message like this: Exception calling "Import" with "3" argument(s): "The path is not of a legal form."

    – Vanessa
    Jan 3 at 12:39













  • @vanessa Have you tried to create a sSecStrPassword in the library and link it the variable tab? You could output the $env:DOWNLOADSECUREFILE_SECUREFILEPATH to test it in the pipeline. You also could test demo code in the local or azure pipeline with hard code (password). If the password contains special characters, please use '' to escape. As I metioned use '$(sSecStrPassword)'. If it works, then could change it with variable in the azure devops pipeline.

    – Tom Sun
    Jan 3 at 13:14













  • Hi, i got a new error with this solution Logging in... D:a1sScriptsscriptps.ps1 : The Script does not work :The path is not of a legal form. At D:a_temp3e212052-1215-40bf-b7fc-ef7c100b8238.ps1:2 char:1 + . 'D:a1sScriptsscriptps.ps1 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,scriptps.ps1

    – Vanessa
    Jan 3 at 20:55













  • @Vanessa. I have updated the answer with detail steps, you could refer to it.

    – Tom Sun
    Jan 7 at 1:34











  • Hi, I create a new pipeline just like the example you gave me and i got the following error: "Exception calling "Import" with "3" argument(s): "The specified network password is not correct." I don't know if is related to the autogenerated certificate. I use one that I created before, and exported with the private key, selected pkcs file and the password is encrypted AES256-SHA256. Should I use another encryption method? Thanks

    – Vanessa
    Jan 8 at 2:15
















0












0








0







The full path of the downloaded Secure file is stored to the $env:DOWNLOADSECUREFILE_SECUREFILEPATH environment variable. For more information about Download Secure File task please refer to this document.



We could get the certThumbprint with following code



$CertificatePath = "$env:DOWNLOADSECUREFILE_SECUREFILEPATH"
$sSecStrPassword = "xxxxx"
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $sSecStrPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint


If we don't want to use to user and password in the code directly. We could use the Azure Pipeline library. And we could reference it in the code.




If you want to encrypt and securely store the value, choose the "lock" icon at the end of the row. When you're finished adding variables, choose Save




enter image description here




You access the value of the variables in a linked variable group in exactly the same way as variables you define within the pipeline itself. For example, to access the value of a variable named customer in a variable group linked to the pipeline, use $(customer) in a task parameter or a script. However, secret variables (encrypted variables and key vault variables) cannot be accessed directly in scripts - instead they must be passed as arguments to a task




If I add a Variable named sSecStrPassword in the library. Then the code could be changed as following:



function GetThumbprintPFX {
param([string] $CertificatePath, [string]$Password)
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint
return $thumbprint
}


$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"


Test Result:



enter image description here



For more information about Variable groups, please refer to this link. And Azure Key Vault is another choice for security requirements.



Update:



The following is the detail steps to use the pfx file in the Azure Devops pipeline.




  1. prepare a .pfx file.

  2. Add a download secure file task and upload the pfx file.


enter image description here




  1. create a variable group and add a variable named sSecStrPassword


enter image description here




  1. link the variable to the build


enter image description here




  1. Add powershell script task and add the following script in it.


enter image description here



# Write your powershell commands here.

Write-Host $env:DOWNLOADSECUREFILE_SECUREFILEPATH

function GetThumbprintPFX {
param([string] $CertificatePath, [string]$Password)
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint
return $thumbprint
}

$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"



  1. queue the build and check the result.


enter image description here






share|improve this answer















The full path of the downloaded Secure file is stored to the $env:DOWNLOADSECUREFILE_SECUREFILEPATH environment variable. For more information about Download Secure File task please refer to this document.



We could get the certThumbprint with following code



$CertificatePath = "$env:DOWNLOADSECUREFILE_SECUREFILEPATH"
$sSecStrPassword = "xxxxx"
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $sSecStrPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint


If we don't want to use to user and password in the code directly. We could use the Azure Pipeline library. And we could reference it in the code.




If you want to encrypt and securely store the value, choose the "lock" icon at the end of the row. When you're finished adding variables, choose Save




enter image description here




You access the value of the variables in a linked variable group in exactly the same way as variables you define within the pipeline itself. For example, to access the value of a variable named customer in a variable group linked to the pipeline, use $(customer) in a task parameter or a script. However, secret variables (encrypted variables and key vault variables) cannot be accessed directly in scripts - instead they must be passed as arguments to a task




If I add a variable named sSecStrPassword in the library, then the code could be changed as follows:

    function GetThumbprintPFX {
        param([string] $CertificatePath, [string] $Password)
        $certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
        $thumbprint = $certificateObject.Thumbprint
        return $thumbprint
    }

    # In an inline script, the pipeline replaces $(sSecStrPassword) with the variable's value before the script runs
    $thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
    Write-Host "$thumbprint"

Test Result: [screenshot]



For more information about Variable groups, please refer to this link. And Azure Key Vault is another choice for security requirements.



Update:



The following are the detailed steps to use the pfx file in the Azure DevOps pipeline.

  1. Prepare a .pfx file.

  2. Add a download secure file task and upload the pfx file.

  3. Create a variable group and add a variable named sSecStrPassword.

  4. Link the variable to the build.

  5. Add a powershell script task and add the following script in it.

    # Write your powershell commands here.

    Write-Host $env:DOWNLOADSECUREFILE_SECUREFILEPATH

    function GetThumbprintPFX {
        param([string] $CertificatePath, [string] $Password)
        $certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
        $thumbprint = $certificateObject.Thumbprint
        return $thumbprint
    }

    $thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
    Write-Host "$thumbprint"

  6. Queue the build and check the result.















edited Jan 8 at 1:35

























answered Jan 3 at 1:41









Tom Sun













  • Hi, I tried your code but I got a message like this: Exception calling "Import" with "3" argument(s): "The path is not of a legal form."

    – Vanessa
    Jan 3 at 12:39













  • @vanessa Have you tried to create a sSecStrPassword in the library and link it the variable tab? You could output the $env:DOWNLOADSECUREFILE_SECUREFILEPATH to test it in the pipeline. You also could test demo code in the local or azure pipeline with hard code (password). If the password contains special characters, please use '' to escape. As I mentioned use '$(sSecStrPassword)'. If it works, then could change it with variable in the azure devops pipeline.

    – Tom Sun
    Jan 3 at 13:14













  • Hi, I got a new error with this solution Logging in... D:a1sScriptsscriptps.ps1 : The Script does not work :The path is not of a legal form. At D:a_temp3e212052-1215-40bf-b7fc-ef7c100b8238.ps1:2 char:1 + . 'D:a1sScriptsscriptps.ps1 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,scriptps.ps1

    – Vanessa
    Jan 3 at 20:55













  • @Vanessa. I have updated the answer with detail steps, you could refer to it.

    – Tom Sun
    Jan 7 at 1:34











  • Hi, I create a new pipeline just like the example you gave me and I got the following error: "Exception calling "Import" with "3" argument(s): "The specified network password is not correct." I don't know if it is related to the autogenerated certificate. I use one that I created before, and exported with the private key, selected pkcs file and the password is encrypted AES256-SHA256. Should I use another encryption method? Thanks

    – Vanessa
    Jan 8 at 2:15
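An added example, not part of the answer above or of any Microsoft sample: it checks for the two failures reported in the comments (an empty secure-file path and a PFX that will not open with the supplied password) before returning the thumbprint, and reads the password from an environment variable rather than from the script text. It assumes Windows PowerShell 5.1 on the agent and that the PowerShell task's environment mapping sets a hypothetical variable PFX_PASSWORD to $(sSecStrPassword); the function name Get-PfxThumbprint is also hypothetical.

```powershell
# Added example. Get-PfxThumbprint and PFX_PASSWORD are hypothetical names.
# Assumption: the PowerShell task maps the secret variable sSecStrPassword to
# the environment variable PFX_PASSWORD, so the password is not in the script text.
$ErrorActionPreference = 'Stop'

function Get-PfxThumbprint {
    param([string] $CertificatePath, [securestring] $Password)

    # An unset DOWNLOADSECUREFILE_SECUREFILEPATH arrives here as an empty string.
    if ([string]::IsNullOrWhiteSpace($CertificatePath)) {
        throw 'Certificate path is empty. Did the Download Secure File task run in this job?'
    }
    if (-not (Test-Path -LiteralPath $CertificatePath -PathType Leaf)) {
        throw "No file found at '$CertificatePath'."
    }

    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $CertificatePath, $Password, $flags)
    }
    catch {
        # Typically a wrong password or a file that is not a valid PKCS#12 container.
        $reason = $_.Exception.GetBaseException().Message
        throw "Could not open '$CertificatePath' as a PFX: $reason"
    }

    try { return $cert.Thumbprint }
    finally { $cert.Dispose() }   # release the certificate and key handles
}

if ([string]::IsNullOrEmpty($env:PFX_PASSWORD)) {
    throw 'PFX_PASSWORD is empty. Map the secret variable to it in the task settings.'
}
$securePassword = ConvertTo-SecureString -String $env:PFX_PASSWORD -AsPlainText -Force

$thumbprint = Get-PfxThumbprint -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password $securePassword
Write-Host "Certificate thumbprint: $thumbprint"
```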




















