New-PACertificate not using provided pfx password #412

Closed
egreiff907 opened this issue Dec 30, 2021 · 4 comments

@egreiff907

I have a script issuing the following commands:

```powershell
$pfxpass = ConvertTo-SecureString "*****" -AsPlainText

New-PACertificate -Domain $CertificateDNSList -CertKeyLength 2048 -PfxPassSecure $pfxpass -FriendlyName $maindomain -DnsAlias $CertificateDNSList -DnsSleep 15 -PreferredChain $PreferredChain -InformationAction SilentlyContinue -Verbose
```

with the following verbose output:

```
VERBOSE: Updating directory info from https://acme-staging-v02.api.letsencrypt.org/directory
VERBOSE: Using ACME Server https://acme-staging-v02.api.letsencrypt.org/directory
VERBOSE: Using account 9192261
VERBOSE: Order name not specified, using 'test3pfx.spscc.edu'
VERBOSE: Using existing order 'test3pfx.spscc.edu' with status ready
VERBOSE: Setting DnsAlias to test3pfx.spscc.edu
VERBOSE: Setting PfxPass to '*****'
VERBOSE: Setting DnsSleep to 15
VERBOSE: Saving order changes
VERBOSE: test3pfx.spscc.edu authorization is already valid
VERBOSE: Finalizing the order.
VERBOSE: Creating new certificate request with key length 2048.
VERBOSE: Creating new private key for the certificate request.
VERBOSE: Downloading signed certificate
VERBOSE: Updating cert expiration and renewal window
VERBOSE: Successfully created certificate.
```

The pfx files created have the default password 'poshacme' instead of my provided password. It was working before my last update to 4.10.0. I don't remember what version I updated from. Has anyone else mentioned this as an issue?

@rmbolger
Owner

Hi @egreiff907. Thanks for reaching out. This may end up being a bug but I won't likely be able to look into it until after the new year.

> VERBOSE: Using existing order 'test3pfx.spscc.edu' with status ready

I'm guessing this is the root of the problem. Because it's picking up an existing order, it's ignoring the PfxPassSecure because it was already set from a previous call.

That said, you can work around the issue by modifying the cert/order after the fact using Set-PAOrder -PfxPassSecure. It will update the PFX files with the new password without needing to generate a new cert.

@rmbolger rmbolger self-assigned this Dec 31, 2021
@rmbolger rmbolger added the bug Something isn't working label Dec 31, 2021
@egreiff907
Author

Thanks Ryan. Yes, my script is creating an order before calling New-PACertificate. I have changed my script to set pfxpass when creating the order. So that's getting me around the issue if indeed your intent was to have New-PACertificate update an existing order's pfxpass if the parameter is present.

rmbolger added a commit that referenced this issue Jan 4, 2022
@rmbolger
Owner

rmbolger commented Jan 4, 2022

Hey @egreiff907. It was indeed a bug, though not where I originally thought it might be. I had a small logic error in Set-PAOrder that was preventing New-PACertificate from seeing the updated order details after it changed something like PfxPass. It would then re-save the old unchanged copy over the new changed copy.

I'll try to get a new release out soon with the fix.

@rmbolger
Owner

The fix is now live in version 4.12.0.
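
An added check for the failure reported in this thread (not part of the original issue and not Posh-ACME's own code): it tests whether a PFX opens with the intended password or with the default 'poshacme'. `Test-PfxPassword`, the sample file and the sample password are hypothetical and constructed here; PowerShell 7 is assumed.

```powershell
# Added example. Test-PfxPassword is a hypothetical helper, not a Posh-ACME cmdlet.
function Test-PfxPassword {
    # Returns $true only if the PFX at $Path can be opened with $Password.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    # .NET resolves relative paths against the process directory, so pass a full path.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full, $Password)
        $cert.Dispose()
        return $true
    } catch {
        # A wrong password surfaces as a CryptographicException; rethrow anything else.
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Security.Cryptography.CryptographicException]) { return $false }
        throw
    }
}

# Constructed sample: a throwaway self-signed PFX exported with the default
# password, standing in for a file written by an affected run.
$rsa  = [System.Security.Cryptography.RSA]::Create(2048)
$req  = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
            'CN=sample.example', $rsa,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$self = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
$pfx  = Join-Path ([IO.Path]::GetTempPath()) 'sample-poshacme.pfx'
[IO.File]::WriteAllBytes($pfx, $self.Export('Pfx', 'poshacme'))

# Constructed passwords: the one the script meant to set, and the module default.
$intended = ConvertTo-SecureString 'constructed-intended-pass' -AsPlainText -Force
$default  = ConvertTo-SecureString 'poshacme' -AsPlainText -Force

# Report both results so the check can gate a deployment step.
[pscustomobject]@{
    PfxFile           = $pfx
    OpensWithIntended = Test-PfxPassword -Path $pfx -Password $intended
    OpensWithDefault  = Test-PfxPassword -Path $pfx -Password $default
}

Remove-Item -LiteralPath $pfx
$self.Dispose(); $rsa.Dispose()
```

The condition described in the issue corresponds to `OpensWithDefault` being true while `OpensWithIntended` is false. For a real order, point `-Path` at the `PfxFile` and `PfxFullChain` paths reported by `Get-PACertificate`.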
