Skip to content

✨ Fix certificate export and improve SFA certificate management workflow #81

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
J-MaFf merged 31 commits into from
Dec 30, 2025
Merged

✨ Fix certificate export and improve SFA certificate management workflow #81

J-MaFf merged 31 commits into from
Dec 30, 2025

Conversation

@J-MaFf
Copy link
Owner

@J-MaFf J-MaFf commented Dec 30, 2025
edited
Loading

What does this PR do?

Export-UserCertificates.ps1 Improvements

  • Fixed certificate export failures: Added robust certutil.exe fallback when PowerShell's Export-PfxCertificate fails with non-exportable private key errors
  • Primary method switch: certutil is now the primary export method (more reliable than PowerShell) with PowerShell as fallback
  • Better error handling: Improved error reporting and fallback messaging
  • Output directory: Moved exports from Scripts/SFA to root-level Output/SFA for better organization

Publish-SFACertificates.ps1 Updates

  • Unified output location: All reports (failures, successes, cleanup warnings, summary) now export to Output/SFA
  • Path consistency: Fixed relative path calculations to correctly target Output/SFA directory

Why are we doing this?

  1. Reliability: certutil.exe is the underlying tool used by Windows Certificate Manager (MMC) and proves more reliable for edge cases with certificate exports
  2. Organization: Centralizes all SFA operation outputs in one location (Output/SFA) instead of scattered across Scripts
  3. User experience: Users who can export via MMC can now rely on certutil-based script automation without mysterious PowerShell failures
  4. Consistency: Both certificate export and publication scripts use the same output directory structure

How should this be tested?

  1. Certificate export test:

    • Run: .\Scripts\SFA\Export-UserCertificates.ps1\
    • Verify: PFX file created in Output/SFA/exports_[timestamp]/
    • Verify: export_summary.txt generated with correct status

  2. Output directory test:

    • Confirm Output/SFA directory exists at project root
    • Verify certificate exports save with correct path
    • Verify publication reports save to same Output/SFA location

  3. Edge case testing:

    • Test with certificates that have non-exportable flags
    • Test with various username/password combinations
    • Verify fallback mechanism triggers only when needed

Deployment notes

  • No breaking changes to existing script parameters
  • Output directory structure changed - update any documentation or CI/CD pipelines referencing old paths
  • Requires certutil.exe available (standard Windows utility)
  • Tested on Windows Server with PowerShell 5.1+

Closes #77

J-MaFf added 30 commits December 29, 2025 08:10
@J-MaFf
Deleted ISSUE_CHECK.md
32ec95b
@J-MaFf
fix: Enforce PowerShell Core requirement and add auto-redirect for Wi…
becae98 
…ndows PowerShell
@J-MaFf
docs: Add complete SFA certificate workflow documentation to README
647ee31
@J-MaFf
docs: Add userList.txt format example to Stage 1 and improve code sty…
58821c2 
…ling readability
@J-MaFf
fix: Improve error messaging to distinguish between missing folders v…
b6a64fb 
…s empty folders
@J-MaFf
chore: Clean up old test output files and apply error messaging impro…
a3e8df1 
…vements
@J-MaFf
fix: Correct certificate filtering regex to properly exclude Archive …
a2930d1 
…and Old folders
@J-MaFf
fix: Remove unnecessary auto-redirect logic from param() block
0cb3b0f
@J-MaFf
test: Update regex patterns for UNC path and case-insensitive folder …
8d0b490 
…filtering tests
@J-MaFf
fix: Remove duplicate success list entry in Publish-SFACertificates
1d53d2b 
- Removed duplicate successList entry that caused JSF to appear twice in summary
- Consolidated to single success record with complete information
- Removed unused successCount variable
@J-MaFf
refactor: Integrate branch connectivity check into Publish-SFACertifi…
b766dff 
…cates

- Added pre-flight connectivity check to main script
- Validates all branch paths are accessible before processing
- Displays accessible/inaccessible branch summary upfront
- Removed standalone Test-BranchMappings.ps1 (functionality now built-in)
@J-MaFf
docs: Update documentation for pre-flight connectivity check
405ec19 
- Updated feat_Publish-SFACertificates requirements.md with new FR requirements
- Documented pre-flight connectivity check functionality
- Updated README.html with workflow details
- Updated Publish-SFACertificates.ps1 script header
- Documented user prompt behavior for inaccessible branches
- Noted removal of standalone Test-BranchMappings.ps1
@J-MaFf
docs: Add SFA certificate management workflow to copilot instructions
20b321e
@J-MaFf
🧪 Complete SFA Certificate Management Test Suite (Phases 1-4) (#78)
c4384b7 
* test: Add integration tests for pre-flight connectivity check

- Tests for pre-flight check existence and structure
- Tests for user prompt behavior (all accessible, partial, abort)
- Tests for display output and emoji indicators
- Tests for integration with branch mappings
- Tests for edge cases and error handling
- Tests for abort behavior and state preservation
- Tests for user experience and messaging clarity

* test: Fix pre-flight check test assertions

* test: Add integration tests for certificate copy operations

* docs: Add test implementation summary for SFA integration tests

* test: Add Phase 2 network integration tests for real file operations

* test: Update Phase 2 tests and completion summary with current status
@J-MaFf
ci: Add Pester test execution to build pipeline
a65681e 
- Run all SFA tests on push and pull requests to main/testing
- Test on PowerShell 7.2, 7.3, and 7.4
- Generate NUnit XML test reports
- Upload artifacts and publish results
- Fail build on test failures
@J-MaFf
ci: Expand test pipeline to run all tests, not just SFA
df9f1e3 
- Changed test path from Tests/SFA/ to Tests/ for comprehensive coverage
- Updated path triggers to watch all Scripts, Tests, and Modules
- Renamed job to reflect full test suite execution
- Ensures all modules and utilities are validated on every push/PR
@J-MaFf
fix: Correct YAML indentation in pester-tests workflow
6663e82 
- Fixed improper indentation on Run All Tests step
- Aligns with GitHub Actions workflow syntax requirements
@J-MaFf
test: Skip parameter validation test
fbf0c73
@J-MaFf
fix: Update workflow to use correct action names and v4 upload-artifact
43040cb
@J-MaFf
fixing workflow
b731854
@J-MaFf
fix: Exclude integration tests from CI workflow
224a893
@J-MaFf
fix: Use valid Pester configuration to filter integration tests
3f43293
@J-MaFf
ci: Update workflow to use self-hosted Ubuntu runner
4b76496
@J-MaFf
docs: Add guide for setting up self-hosted GitHub Actions runner
a9a473b
@J-MaFf
test: Test self-hosted runner
6872286
@J-MaFf
fix: Use snap to install PowerShell on Ubuntu
2291d51
@J-MaFf
fix: Add certutil fallback for non-exportable certificate private keys
9d186a8 
- Export-PfxCertificate fails with 'Cannot export non-exportable private key' error on some certificates
- Windows certutil.exe can successfully export these certificates where PowerShell cmdlets fail
- Added automatic fallback: when Export-PfxCertificate fails, script attempts export using certutil.exe
- Certutil fallback preserves PFX password protection using -p parameter
- Script reports status as 'Exported (via certutil)' when fallback method is used
- Resolves issue where valid certificates with non-exportable flags could not be distributed

Testing verified:
- PowerShell method used first (preferred when available)
- Certutil fallback triggers only on 'non-exportable' errors
- Both methods preserve password protection
- Certificate file successfully created and accessible
@J-MaFf
refactor: Switch certutil to primary export method with PowerShell fa…
1c79f00 
…llback

- certutil.exe proved to be more reliable than PowerShell's Export-PfxCertificate
- certutil is the underlying tool used by Windows Certificate Manager (MMC)
- Switched method priority: certutil first, PowerShell as fallback
- Both methods support password-protected PFX export
- Reduces warnings in output when certutil succeeds (no unnecessary fallback attempts)
- Maintains backward compatibility by keeping PowerShell fallback

Rationale:
- PowerShell Export-PfxCertificate has undocumented limitations with certain passwords
- certutil handles edge cases and special characters in passwords more robustly
- Users familiar with MMC will recognize certutil as the trusted method
- No behavioral change for end users - exports still work the same way

Testing verified:
- Direct certutil export succeeds without fallback
- PFX file created with correct naming and size
- Password protection preserved correctly
@J-MaFf
docs: Update default output directory to Scripts/Output/SFA
4cceed6 
- Changed default OutputDirectory parameter from script root to Scripts/Output/SFA
- Centralizes certificate exports with other SFA outputs instead of cluttering Scripts/SFA
- Path now resolves to: Scripts/Output/SFA/exports_[timestamp]/
- Users can still override with -OutputDirectory parameter if needed
- Updated help documentation to reflect new default location
@J-MaFf
docs: Update output directory to Scripts/Output/SFA
92d0786 
- Changed output directory path from inconsistent locations to unified Scripts/Output/SFA
- Fixed path calculation to use correct relative path (one level up from Scripts/SFA)
- All reports (failures, successes, cleanup warnings) now export to Scripts/Output/SFA/
- Consistent with Export-UserCertificates.ps1 output location
- Centralizes all SFA operation reports in one organized location
@J-MaFf
fix: Correct output directory path to root-level Output/SFA
472d48f 
- Changed output directory from Scripts/Output/SFA to Output/SFA (root level)
- Export-UserCertificates.ps1 now outputs to Output/SFA/exports_[timestamp]/
- Publish-SFACertificates.ps1 reports now export to Output/SFA/
- Both scripts now use correct relative paths (two levels up from Scripts/SFA)
- Centralizes all SFA reports at project root Output folder
- Verified with test export - certificate created in correct location
@J-MaFf J-MaFf self-assigned this Dec 30, 2025
@J-MaFf J-MaFf added bug Something isn't working enhancement New feature or request refactoring certificates sfa-certificates labels Dec 30, 2025
@J-MaFf J-MaFf merged commit 4937c50 into main Dec 30, 2025
0 of 4 checks passed
@J-MaFf J-MaFf deleted the testing branch December 30, 2025 22:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@J-MaFf J-MaFf

Labels

bug Something isn't working certificates enhancement New feature or request refactoring sfa-certificates

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

🧪 Develop Integration and Functional Tests for SFA Certificate Scripts

2 participants

@J-MaFf