refactor: Switch certutil to primary export method with PowerShell fallback

J-MaFf · J-MaFf · commit 1c79f0013ab7 · 2025-12-30T11:37:21.000-08:00
- certutil.exe proved to be more reliable than PowerShell's Export-PfxCertificate
- certutil is the underlying tool used by Windows Certificate Manager (MMC)
- Switched method priority: certutil first, PowerShell as fallback
- Both methods support password-protected PFX export
- Reduces warnings in output when certutil succeeds (no unnecessary fallback attempts)
- Maintains backward compatibility by keeping PowerShell fallback

Rationale:
- PowerShell Export-PfxCertificate has undocumented limitations with certain passwords
- certutil handles edge cases and special characters in passwords more robustly
- Users familiar with MMC will recognize certutil as the trusted method
- No behavioral change for end users - exports still work the same way

Testing verified:
- Direct certutil export succeeds without fallback
- PFX file created with correct naming and size
- Password protection preserved correctly
diff --git a/Scripts/SFA/Export-UserCertificates.ps1 b/Scripts/SFA/Export-UserCertificates.ps1
@@ -331,69 +331,58 @@ $exportScriptBlock = {
                 $filePath = Join-Path $ExportPath $fileName
 
                 try {
-                    if ($certPassword) {
-                        Export-PfxCertificate -Cert $cert -FilePath $filePath -Password $certPassword -Force -ErrorAction Stop | Out-Null
+                    # Use certutil as primary method - it's more reliable and what Windows Certificate Manager uses
+                    # Convert SecureString password to plain text for certutil
+                    $plaintextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($certPassword))
+
+                    # Export using certutil with password protection
+                    & certutil.exe -p $plaintextPassword -exportPFX -user My $cert.Thumbprint $filePath 2>&1 | Out-Null
+
+                    if (Test-Path $filePath -ErrorAction SilentlyContinue) {
+                        $results += @{
+                            User         = $userName
+                            Username     = $domainUsername
+                            Store        = $storeType
+                            Status       = '✅ Exported'
+                            FileName     = $fileName
+                            Expiration   = $expirationDate
+                            UsedFallback = $usedFallback
+                            Count        = 1
+                        }
                     }
                     else {
-                        Export-PfxCertificate -Cert $cert -FilePath $filePath -Force -ErrorAction Stop | Out-Null
-                    }
-
-                    $results += @{
-                        User         = $userName
-                        Username     = $domainUsername
-                        Store        = $storeType
-                        Status       = '✅ Exported'
-                        FileName     = $fileName
-                        Expiration   = $expirationDate
-                        UsedFallback = $usedFallback
-                        Count        = 1
+                        throw "Certificate file was not created"
                     }
                 }
                 catch {
-                    # If PowerShell export fails with non-exportable error, try certutil as fallback
-                    if ($_ -like "*non-exportable*") {
-                        Write-Host "  ⚠️  PowerShell export failed, trying certutil.exe..." -ForegroundColor Yellow
-
-                        try {
-                            # Convert SecureString password to plain text for certutil
-                            $plaintextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($certPassword))
-
-                            # Export using certutil with password protection
-                            & certutil.exe -p $plaintextPassword -exportPFX -user My $cert.Thumbprint $filePath | Out-Null
-
-                            if (Test-Path $filePath -ErrorAction SilentlyContinue) {
-                                $results += @{
-                                    User         = $userName
-                                    Username     = $domainUsername
-                                    Store        = $storeType
-                                    Status       = '✅ Exported (via certutil)'
-                                    FileName     = $fileName
-                                    Expiration   = $expirationDate
-                                    UsedFallback = $usedFallback
-                                    Count        = 1
-                                }
-                            }
-                            else {
-                                throw "Certutil export file not created"
-                            }
+                    # Fallback to PowerShell Export-PfxCertificate if certutil fails
+                    Write-Host "  ⚠️  certutil export failed, trying PowerShell..." -ForegroundColor Yellow
+
+                    try {
+                        if ($certPassword) {
+                            Export-PfxCertificate -Cert $cert -FilePath $filePath -Password $certPassword -Force -ErrorAction Stop | Out-Null
                         }
-                        catch {
-                            $results += @{
-                                User         = $userName
-                                Username     = $domainUsername
-                                Store        = $storeType
-                                Status       = "❌ Error (both methods failed): $_"
-                                UsedFallback = $usedFallback
-                                Count        = 0
-                            }
+                        else {
+                            Export-PfxCertificate -Cert $cert -FilePath $filePath -Force -ErrorAction Stop | Out-Null
+                        }
+
+                        $results += @{
+                            User         = $userName
+                            Username     = $domainUsername
+                            Store        = $storeType
+                            Status       = '✅ Exported (via PowerShell)'
+                            FileName     = $fileName
+                            Expiration   = $expirationDate
+                            UsedFallback = $usedFallback
+                            Count        = 1
                         }
                     }
-                    else {
+                    catch {
                         $results += @{
                             User         = $userName
                             Username     = $domainUsername
                             Store        = $storeType
-                            Status       = "❌ Error: $_"
+                            Status       = "❌ Error (both methods failed): $_"
                             UsedFallback = $usedFallback
                             Count        = 0
                         }
