Refactor certificate handling to use UserKeySet for X509KeyStorageFlags and remove local admin requirement for cmdlets

Gautam Sheth · Gautam Sheth · commit c65a3bb6339c · 2025-04-15T14:54:06.000+03:00
diff --git a/src/Commands/AzureAD/RegisterAzureADApp.cs b/src/Commands/AzureAD/RegisterAzureADApp.cs
@@ -94,11 +94,6 @@ public class RegisterAzureADApp : BasePSCmdlet, IDynamicParameters
 
         protected override void ProcessRecord()
         {
-            if (!PSUtility.IsUserLocalAdmin())
-            {
-                throw new PSArgumentException("Running this cmdlet requires elevated permissions (Run as Admin) to generate a certificate.");
-            }
-
             if (ParameterSpecified(nameof(Store)) && !OperatingSystem.IsWindows())
             {
                 throw new PSArgumentException("The Store parameter is only supported on Microsoft Windows");
@@ -470,7 +465,7 @@ private X509Certificate2 GetCertificate(PSObject record)
 
                 try
                 {
-                    cert = new X509Certificate2(CertificatePath, CertificatePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
+                    cert = new X509Certificate2(CertificatePath, CertificatePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
                 }
                 catch (CryptographicException e) when (e.Message.Contains("The specified password is not correct"))
                 {
@@ -658,7 +653,6 @@ private void StartConsentFlow(string loginEndPoint, AzureADApp azureApp, string
             progressRecord.RecordType = ProgressRecordType.Completed;
             WriteProgress(progressRecord);
 
-
             if (!Stopping)
             {
                 if (ParameterSpecified(nameof(DeviceLogin)))
@@ -685,9 +679,7 @@ private void StartConsentFlow(string loginEndPoint, AzureADApp azureApp, string
                         authManager.ClearTokenCache();
                         authManager.GetAccessToken(resource, Microsoft.Identity.Client.Prompt.Consent);
                     }
-
                 }
-                WriteObject(record);
             }
 
             WriteObject(record);
diff --git a/src/Commands/AzureAD/RegisterEntraIDAppForInteractiveLogin.cs b/src/Commands/AzureAD/RegisterEntraIDAppForInteractiveLogin.cs
@@ -49,11 +49,6 @@ public class RegisterEntraIDAppForInteractiveLogin : BasePSCmdlet, IDynamicParam
 
         protected override void ProcessRecord()
         {
-            if (!PSUtility.IsUserLocalAdmin())
-            {
-                throw new PSArgumentException("Running this cmdlet requires elevated permissions (Run as Admin) to generate a certificate.");
-            }
-
             var redirectUri = "http://localhost";
             // if (ParameterSpecified(nameof(DeviceLogin)) || OperatingSystem.IsMacOS())
             if (ParameterSpecified(nameof(DeviceLogin)) || OperatingSystem.IsMacOS())
diff --git a/src/Commands/Base/ConnectOnline.cs b/src/Commands/Base/ConnectOnline.cs
@@ -1,4 +1,6 @@
-﻿using PnP.PowerShell.Commands.Base.PipeBinds;
+﻿using Microsoft.SharePoint.Client;
+using PnP.Framework;
+using PnP.PowerShell.Commands.Base.PipeBinds;
 using PnP.PowerShell.Commands.Enums;
 using PnP.PowerShell.Commands.Model;
 using PnP.PowerShell.Commands.Provider;
@@ -13,9 +15,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using File = System.IO.File;
-using PnP.Framework;
 using Resources = PnP.PowerShell.Commands.Properties.Resources;
-using Microsoft.SharePoint.Client;
 
 namespace PnP.PowerShell.Commands.Base
 {
@@ -591,7 +591,7 @@ private PnPConnection ConnectAppOnlyWithCertificate()
                 if (!ParameterSpecified(nameof(X509KeyStorageFlags)))
                 {
                     X509KeyStorageFlags = X509KeyStorageFlags.Exportable |
-                        X509KeyStorageFlags.MachineKeySet |
+                        X509KeyStorageFlags.UserKeySet |
                         X509KeyStorageFlags.PersistKeySet;
                 }
 
@@ -612,7 +612,7 @@ private PnPConnection ConnectAppOnlyWithCertificate()
                 if (!ParameterSpecified(nameof(X509KeyStorageFlags)))
                 {
                     X509KeyStorageFlags = X509KeyStorageFlags.Exportable |
-                        X509KeyStorageFlags.MachineKeySet |
+                        X509KeyStorageFlags.UserKeySet |
                         X509KeyStorageFlags.PersistKeySet;
                 }
                 var certificate = new X509Certificate2(certificateBytes, CertificatePassword, X509KeyStorageFlags);
@@ -821,7 +821,7 @@ private PnPConnection ConnectEnvironmentVariable(InitializationType initializati
                 if (!ParameterSpecified(nameof(X509KeyStorageFlags)))
                 {
                     X509KeyStorageFlags = X509KeyStorageFlags.Exportable |
-                        X509KeyStorageFlags.MachineKeySet |
+                        X509KeyStorageFlags.UserKeySet |
                         X509KeyStorageFlags.PersistKeySet;
                 }
 
@@ -984,8 +984,6 @@ private PSCredential GetCredentials()
         private string GetAppId()
         {
             var connectionUri = new Uri(Url);
-
-            
             // Try to get the credentials by full url
             string appId = PnPConnection.GetCacheClientId(connectionUri.ToString()) ?? Utilities.CredentialManager.GetAppId(connectionUri.ToString());
             if (appId == null)
diff --git a/src/Commands/Base/GetAzureCertificate.cs b/src/Commands/Base/GetAzureCertificate.cs
@@ -1,10 +1,10 @@
-﻿using System.Management.Automation;
+﻿using PnP.PowerShell.Commands.Utilities;
 using System;
+using System.Linq;
+using System.Management.Automation;
 using System.Security;
-using System.Security.Cryptography.X509Certificates;
-using PnP.PowerShell.Commands.Utilities;
 using System.Security.Cryptography;
-using System.Linq;
+using System.Security.Cryptography.X509Certificates;
 
 namespace PnP.PowerShell.Commands.Base
 {
@@ -28,7 +28,7 @@ protected override void ProcessRecord()
             }
             if (System.IO.File.Exists(Path))
             {
-                var certificate = new X509Certificate2(Path, Password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet);
+                var certificate = new X509Certificate2(Path, Password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet);
                 WriteAzureCertificateOutput(this, certificate, Password);
             }
             else
@@ -88,7 +88,7 @@ internal static void WriteAzureCertificateOutput(BasePSCmdlet cmdlet, X509Certif
                 certificate: CertificateHelper.CertificateToBase64(certificate),
                 privateKey: CertificateHelper.PrivateKeyToBase64(certificate),
                 sanNames: certificate.Extensions.Cast<X509Extension>()
-                                                .Where(n => n.Oid.FriendlyName=="Subject Alternative Name")
+                                                .Where(n => n.Oid.FriendlyName == "Subject Alternative Name")
                                                 .Select(n => new AsnEncodedData(n.Oid, n.RawData))
                                                 .Select(n => n.Format(false))
                                                 .FirstOrDefault().Split(',', StringSplitOptions.TrimEntries)
diff --git a/src/Commands/Base/NewAzureCertificate.cs b/src/Commands/Base/NewAzureCertificate.cs
@@ -54,11 +54,6 @@ protected override void ProcessRecord()
                 throw new PSArgumentException("The Store parameter is only supported on Microsoft Windows");
             }
 
-            if (!PSUtility.IsUserLocalAdmin())
-            {
-                throw new PSArgumentException("Running this cmdlet requires elevated permissions (Run as Admin) to generate a certificate.");
-            }
-
             if (ValidYears < 1 || ValidYears > 30)
             {
                 ValidYears = 10;
diff --git a/src/Commands/PnP.PowerShell.csproj b/src/Commands/PnP.PowerShell.csproj
@@ -66,6 +66,7 @@
 		<PackageReference Include="PnP.Core.Admin" Version="1.14.*-*" Condition="'$(IsRelease)' == '1'" />
 
 		<PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.70.2" />
+		<PackageReference Include="Microsoft.Bcl.Cryptography" Version="9.0.2" />
 
 		<ProjectReference Include="..\ALC\PnP.PowerShell.ALC.csproj" />
 		
diff --git a/src/Commands/Utilities/CertificateHelper.cs b/src/Commands/Utilities/CertificateHelper.cs
@@ -129,7 +129,7 @@ internal static X509Certificate2 GetCertificateFromStore(string thumbprint)
         internal static X509Certificate2 GetCertificateFromPath(Cmdlet cmdlet, string certificatePath, SecureString certificatePassword,
             X509KeyStorageFlags x509KeyStorageFlags =
                         X509KeyStorageFlags.Exportable |
-                        X509KeyStorageFlags.MachineKeySet |
+                        X509KeyStorageFlags.UserKeySet |
                         X509KeyStorageFlags.PersistKeySet)
         {
             if (System.IO.File.Exists(certificatePath))
@@ -268,7 +268,7 @@ internal static X509Certificate2 CreateSelfSignedCertificate(string commonName,
             X500DistinguishedName distinguishedName = new X500DistinguishedName(distinguishedNameString);
 
 #pragma warning disable CA1416 // Validate platform compatibility
-            using (RSA rsa = Platform.IsWindows ? MakeExportable(new RSACng(2048)) : RSA.Create(2048))
+            using (RSA rsa = RSA.Create(2048))
             {
                 var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
 
@@ -287,8 +287,14 @@ internal static X509Certificate2 CreateSelfSignedCertificate(string commonName,
                 {
                     certificate.FriendlyName = friendlyName;
                 }
+                string passString = password != null ? CredentialManager.SecureStringToString(password) : null;
 
-                return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
+                if (PSUtility.PSVersion == "7.5")
+                {
+                    return X509CertificateLoader.LoadPkcs12(certificate.Export(X509ContentType.Pfx, password), passString, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
+                }
+
+                return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
             }
 #pragma warning restore CA1416 // Validate platform compatibility
         }
diff --git a/src/Commands/Utilities/CredentialManager.cs b/src/Commands/Utilities/CredentialManager.cs
@@ -1,4 +1,7 @@
-﻿using System;
+﻿using Microsoft.Identity.Client.Extensions.Msal;
+using Microsoft.Win32.SafeHandles;
+using PnP.Framework.Modernization.Cache;
+using System;
 using System.Linq;
 using System.Management.Automation;
 using System.Management.Automation.Runspaces;
@@ -7,9 +10,6 @@
 using System.Runtime.InteropServices;
 using System.Security;
 using System.Text;
-using Microsoft.Identity.Client.Extensions.Msal;
-using Microsoft.Win32.SafeHandles;
-using PnP.Framework.Modernization.Cache;
 using FILETIME = System.Runtime.InteropServices.ComTypes.FILETIME;
 
 [assembly: InternalsVisibleTo("PnP.PowerShell.Tests")]
@@ -498,7 +498,7 @@ private static PSCredential ReadMacOSKeyChainEntry(string applicationName)
             }
             return null;
         }
-        private static void WriteMacOSKeyChainEntry(string applicationName,string password)
+        private static void WriteMacOSKeyChainEntry(string applicationName, string password)
         {
             var keychain = new MacOSKeychain();
             keychain.AddOrUpdate(applicationName, applicationName, password.ToByteArray());
@@ -507,14 +507,14 @@ private static void WriteMacOSKeyChainEntry(string applicationName,string passwo
         private static bool DeleteMacOSKeyChainEntry(string name)
         {
             var keychain = new MacOSKeychain();
-            return keychain.Remove(name,name);
+            return keychain.Remove(name, name);
             // var cmd = $"/usr/bin/security delete-generic-password -s '{name}'";
             // var output = Shell.Bash(cmd);
             // var success = output.Count > 1 && !output[0].StartsWith("security:");
             // return success;
         }
 
-        private static string SecureStringToString(SecureString value)
+        public static string SecureStringToString(SecureString value)
         {
             IntPtr valuePtr = IntPtr.Zero;
             try

Original file line number	Diff line number	Diff line change
`@@ -94,11 +94,6 @@ public class RegisterAzureADApp : BasePSCmdlet, IDynamicParameters`
`94`	`94`
`95`	`95`	`protected override void ProcessRecord()`
`96`	`96`	`{`
`97`		`- if (!PSUtility.IsUserLocalAdmin())`
`98`		`- {`
`99`		`- throw new PSArgumentException("Running this cmdlet requires elevated permissions (Run as Admin) to generate a certificate.");`
`100`		`- }`
`101`		`-`
`102`	`97`	`if (ParameterSpecified(nameof(Store)) && !OperatingSystem.IsWindows())`
`103`	`98`	`{`
`104`	`99`	`throw new PSArgumentException("The Store parameter is only supported on Microsoft Windows");`
`@@ -470,7 +465,7 @@ private X509Certificate2 GetCertificate(PSObject record)`
`470`	`465`
`471`	`466`	`try`
`472`	`467`	`{`
`473`		`- cert = new X509Certificate2(CertificatePath, CertificatePassword, X509KeyStorageFlags.Exportable \| X509KeyStorageFlags.MachineKeySet \| X509KeyStorageFlags.PersistKeySet);`
	`468`	`+ cert = new X509Certificate2(CertificatePath, CertificatePassword, X509KeyStorageFlags.Exportable \| X509KeyStorageFlags.UserKeySet \| X509KeyStorageFlags.PersistKeySet);`
`474`	`469`	`}`
`475`	`470`	`catch (CryptographicException e) when (e.Message.Contains("The specified password is not correct"))`
`476`	`471`	`{`
`@@ -658,7 +653,6 @@ private void StartConsentFlow(string loginEndPoint, AzureADApp azureApp, string`
`658`	`653`	`progressRecord.RecordType = ProgressRecordType.Completed;`
`659`	`654`	`WriteProgress(progressRecord);`
`660`	`655`
`661`		`-`
`662`	`656`	`if (!Stopping)`
`663`	`657`	`{`
`664`	`658`	`if (ParameterSpecified(nameof(DeviceLogin)))`
`@@ -685,9 +679,7 @@ private void StartConsentFlow(string loginEndPoint, AzureADApp azureApp, string`
`685`	`679`	`authManager.ClearTokenCache();`
`686`	`680`	`authManager.GetAccessToken(resource, Microsoft.Identity.Client.Prompt.Consent);`
`687`	`681`	`}`
`688`		`-`
`689`	`682`	`}`
`690`		`- WriteObject(record);`
`691`	`683`	`}`
`692`	`684`
`693`	`685`	`WriteObject(record);`
Original file line number	Diff line number	Diff line change
`@@ -54,11 +54,6 @@ protected override void ProcessRecord()`
`54`	`54`	`throw new PSArgumentException("The Store parameter is only supported on Microsoft Windows");`
`55`	`55`	`}`
`56`	`56`
`57`		`- if (!PSUtility.IsUserLocalAdmin())`
`58`		`- {`
`59`		`- throw new PSArgumentException("Running this cmdlet requires elevated permissions (Run as Admin) to generate a certificate.");`
`60`		`- }`
`61`		`-`
`62`	`57`	`if (ValidYears < 1 \|\| ValidYears > 30)`
`63`	`58`	`{`
`64`	`59`	`ValidYears = 10;`
Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ internal static X509Certificate2 GetCertificateFromStore(string thumbprint)`
`129`	`129`	`internal static X509Certificate2 GetCertificateFromPath(Cmdlet cmdlet, string certificatePath, SecureString certificatePassword,`
`130`	`130`	`X509KeyStorageFlags x509KeyStorageFlags =`
`131`	`131`	`X509KeyStorageFlags.Exportable \|`
`132`		`- X509KeyStorageFlags.MachineKeySet \|`
	`132`	`+ X509KeyStorageFlags.UserKeySet \|`
`133`	`133`	`X509KeyStorageFlags.PersistKeySet)`
`134`	`134`	`{`
`135`	`135`	`if (System.IO.File.Exists(certificatePath))`
`@@ -268,7 +268,7 @@ internal static X509Certificate2 CreateSelfSignedCertificate(string commonName,`
`268`	`268`	`X500DistinguishedName distinguishedName = new X500DistinguishedName(distinguishedNameString);`
`269`	`269`
`270`	`270`	`#pragma warning disable CA1416 // Validate platform compatibility`
`271`		`- using (RSA rsa = Platform.IsWindows ? MakeExportable(new RSACng(2048)) : RSA.Create(2048))`
	`271`	`+ using (RSA rsa = RSA.Create(2048))`
`272`	`272`	`{`
`273`	`273`	`var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);`
`274`	`274`
`@@ -287,8 +287,14 @@ internal static X509Certificate2 CreateSelfSignedCertificate(string commonName,`
`287`	`287`	`{`
`288`	`288`	`certificate.FriendlyName = friendlyName;`
`289`	`289`	`}`
	`290`	`+ string passString = password != null ? CredentialManager.SecureStringToString(password) : null;`
`290`	`291`
`291`		`- return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.Exportable \| X509KeyStorageFlags.MachineKeySet \| X509KeyStorageFlags.PersistKeySet);`
	`292`	`+ if (PSUtility.PSVersion == "7.5")`
	`293`	`+ {`
	`294`	`+ return X509CertificateLoader.LoadPkcs12(certificate.Export(X509ContentType.Pfx, password), passString, X509KeyStorageFlags.Exportable \| X509KeyStorageFlags.UserKeySet \| X509KeyStorageFlags.PersistKeySet);`
	`295`	`+ }`
	`296`	`+`
	`297`	`+ return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.Exportable \| X509KeyStorageFlags.UserKeySet \| X509KeyStorageFlags.PersistKeySet);`
`292`	`298`	`}`
`293`	`299`	`#pragma warning restore CA1416 // Validate platform compatibility`
`294`	`300`	`}`