DSC_ImportPfx: Update private key import location for LocalMachine us…

…ing Import-PfxCertificateEx (#249)

CHANGELOG.md

@@ -9,12 +9,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - PfxImport:
-  - Added Base64Content parameter to specify the content of a PFX file that can be included in the configuration MOF - Fixes [Issue #241](https://github.com/dsccommunity/CertificateDsc/issues/241).
+  - Added Base64Content parameter to specify the content of a PFX file that can be included in the
+  configuration MOF - Fixes [Issue #241](https://github.com/dsccommunity/CertificateDsc/issues/241).
 - CertificateImport:
-  - Added Base64Content parameter to specify the content of a certificate file that can be included in the configuration MOF - Fixes [Issue #241](https://github.com/dsccommunity/CertificateDsc/issues/241).
+  - Added Base64Content parameter to specify the content of a certificate file that can be included
+  in the configuration MOF - Fixes [Issue #241](https://github.com/dsccommunity/CertificateDsc/issues/241).
 
 ### Changed
 
+- Fix bug where `Import-PfxCertificateEx` would not install private keys in the ALLUSERSPROFILE path
+when importing to LocalMachine store. [Issue #248](https://github.com/dsccommunity/CertificateDsc/issues/248).
 - Renamed `master` branch to `main` - Fixes [Issue #237](https://github.com/dsccommunity/CertificateDsc/issues/237).
 - Updated `GitVersion.yml` to latest pattern - Fixes [Issue #245](https://github.com/dsccommunity/CertificateDsc/issues/245).
 - Changed `Test-Thumbprint` to cache supported hash algorithms to increase

source/Modules/CertificateDsc.Common/CertificateDsc.Common.psm1

@@ -1053,6 +1053,15 @@ function Import-PfxCertificateEx
 
     $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
 
+    if ($location -eq 'LocalMachine')
+    {
+        $flags = $flags -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
+    }
+    else
+    {
+        $flags = $flags -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet
+    }
+
     if ($PSCmdlet.ParameterSetName -eq 'Path')
     {
         $importDataValue = $FilePath

tests/Integration/CertificateDsc.Common.Tests.ps1

@@ -62,7 +62,7 @@ InModuleScope $script:subModuleName {
             It 'Should have imported the certificate with the correct values' {
                 $importedCert = Get-ChildItem -Path ('Cert:\CurrentUser\My\{0}' -f $certificate.Thumbprint)
                 $importedCert.Thumbprint | Should -Be $certificate.Thumbprint
-                $importedCert.HasPrivateKey | Should -Be $false
+                $importedCert.HasPrivateKey | Should -BeFalse
             }
         }
     }
@@ -112,13 +112,13 @@ InModuleScope $script:subModuleName {
             It 'Should have imported the containing certificate with the correct values' {
                 $importedCert = Get-ChildItem -Path ('Cert:\CurrentUser\My\{0}' -f $containingCertificate.Thumbprint)
                 $importedCert.Thumbprint | Should -Be $containingCertificate.Thumbprint
-                $importedCert.HasPrivateKey | Should -Be $false
+                $importedCert.HasPrivateKey | Should -BeFalse
             }
 
             It 'Should have imported the included certificate with the correct values' {
                 $importedCert = Get-ChildItem -Path ('Cert:\CurrentUser\My\{0}' -f $includedCertificate.Thumbprint)
                 $importedCert.Thumbprint | Should -Be $includedCertificate.Thumbprint
-                $importedCert.HasPrivateKey | Should -Be $false
+                $importedCert.HasPrivateKey | Should -BeFalse
             }
         }
     }
@@ -156,13 +156,17 @@ InModuleScope $script:subModuleName {
     Describe 'CertificateDsc.Common\Import-PfxCertificateEx' {
         Context 'Import a valid PKCS12 PFX Certificate file into "CurrentUser\My" store with non-exportable key' {
             It 'Should not throw an exception' {
-                { Import-PfxCertificateEx -FilePath $certificatePath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $testPasswordSecure } | Should -Not -Throw
+                {
+                    Import-PfxCertificateEx -FilePath $certificatePath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $testPasswordSecure
+                } | Should -Not -Throw
             }
 
             It 'Should have imported the certificate with the correct values' {
                 $importedCert = Get-ChildItem -Path ('Cert:\CurrentUser\My\{0}' -f $certificate.Thumbprint)
+                $rsaKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($importedCert)
+                $rsaKey.Key.IsMachineKey | Should -BeFalse
                 $importedCert.Thumbprint | Should -Be $certificate.Thumbprint
-                $importedCert.HasPrivateKey | Should -Be $true
+                $importedCert.HasPrivateKey | Should -BeTrue
             }
 
             It 'Should not be exportable and should throw the expected exception message' {
@@ -183,6 +187,39 @@ InModuleScope $script:subModuleName {
             Remove-Item -Path ('Cert:\CurrentUser\My\{0}' -f $certificate.Thumbprint) -Force -ErrorAction SilentlyContinue
         }
 
+        Context 'Import a valid PKCS12 PFX Certificate file into "LocalMachine\My" store with non-exportable key' {
+            It 'Should not throw an exception' {
+                {
+                    Import-PfxCertificateEx -FilePath $certificatePath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $testPasswordSecure
+                } | Should -Not -Throw
+            }
+
+            It 'Should have imported the certificate with the correct values' {
+                $importedCert = Get-ChildItem -Path ('Cert:\LocalMachine\My\{0}' -f $certificate.Thumbprint)
+                $rsaKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($importedCert)
+                $rsaKey.Key.IsMachineKey | Should -BeTrue
+                $importedCert.Thumbprint | Should -Be $certificate.Thumbprint
+                $importedCert.HasPrivateKey | Should -BeTrue
+            }
+
+            It 'Should not be exportable and should throw the expected exception message' {
+                $importedCert = Get-ChildItem -Path ('Cert:\LocalMachine\My\{0}' -f $certificate.Thumbprint)
+                { $null = Export-PfxCertificate `
+                        -Cert $importedCert `
+                        -FilePath $certificateExportPath `
+                        -Password $testCredential.Password
+                } | Should -Throw 'Cannot export non-exportable private key.'
+
+                $null = Remove-Item `
+                    -Path $certificateExportPath `
+                    -Force `
+                    -ErrorAction SilentlyContinue
+            }
+
+            # Remove the imported certificate
+            Remove-Item -Path ('Cert:\LocalMachine\My\{0}' -f $certificate.Thumbprint) -Force -ErrorAction SilentlyContinue
+        }
+
         Context 'Import a valid PKCS12 PFX Certificate file into "CurrentUser\My" store with exportable key' {
             It 'Should not throw an exception' {
                 { Import-PfxCertificateEx -FilePath $certificatePath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $testPasswordSecure -Exportable } | Should -Not -Throw
@@ -191,7 +228,7 @@ InModuleScope $script:subModuleName {
             It 'Should have imported the certificate with the correct values' {
                 $importedCert = Get-ChildItem -Path ('Cert:\CurrentUser\My\{0}' -f $certificate.Thumbprint)
                 $importedCert.Thumbprint | Should -Be $certificate.Thumbprint
-                $importedCert.HasPrivateKey | Should -Be $true
+                $importedCert.HasPrivateKey | Should -BeTrue
             }
 
             It 'Should be exportable' {