plugins/11-cert.ps1

[CmdletBinding()]
param(
    # Plugin configuration object. The script below reads $Config.Certificates (one entry
    # per certificate, each carrying Url or File, an optional Password, and Store) and
    # $Config._Path (the directory that File entries are resolved against). Nothing is
    # validated here; the object is presumably handed in by the plugin host.
    $Config
)

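# Installs each certificate listed in $Config.Certificates into the requested X509 stores.
#   Url      - optional; the certificate is downloaded to %TEMP% first (removed afterwards)
#   File     - used when Url has no scheme; resolved relative to $Config._Path
#   Password - pfx/p12 only; base64(RSA-encrypted) password, decrypted with openssl\private.pem
#   Store    - one or more '<StoreLocation>\<StoreName>' values, e.g. 'LocalMachine\Root'
# pfx/p12 and cer/crt are supported
@($Config.Certificates) -ne $null | % {
    # Keep a handle on the pipeline item: inside `switch` $_ is rebound to the value being
    # switched on, so the original `$_.Password` read a property of the path string (always $null).
    $Entry = $_
    # Reset per item so a download path from a previous item can never leak into this one.
    $tmp = $null

    try {
        $CertificatePath = if (($Uri = [uri]$Entry.Url).Scheme) {
            $Leaf = $Uri.Segments[-1]
            if (-not $Leaf -or $Leaf.EndsWith('/')) {
                throw "Certificate URL '$Uri' has no file name component"
            }
            if ($Uri.Scheme -ne 'https') {
                # A certificate fetched in the clear and then added to a trust store is a
                # MITM -> rogue-CA vector. Kept as a warning so existing http:// configs keep
                # working, but entries should move to https:// or a local File.
                Write-Warning "Certificate '$Uri' is not fetched over https; its integrity is not verified"
            }
            $tmp = Join-Path ([System.IO.Path]::GetTempPath()) $Leaf
            Write-Verbose "Fetching certificate from $Uri"
            # -ErrorAction Stop: a failed download must not fall through to loading a missing file.
            Invoke-WebRequest -Uri $Uri -OutFile $tmp -ErrorAction Stop
            $tmp
        } else {
            Join-Path $Config._Path $Entry.File
        }

        $Cert = switch -Regex ($CertificatePath) {
            '(pfx|p12)$' {
                Push-Location $PSScriptRoot\openssl
                try {
                    # Password is stored as base64(RSA-encrypt(pw)); decrypt it with the private
                    # key shipped next to this plugin. NOTE(review): `rsautl` is deprecated and
                    # uses PKCS#1 v1.5 padding; change the encrypting side and this line together
                    # to `openssl pkeyutl -decrypt -pkeyopt rsa_padding_mode:oaep`.
                    $Password = $Entry.Password -join '' | cmd '/c openssl enc -base64 -d | openssl rsautl -inkey private.pem -decrypt'
                    # MachineKeySet | PersistKeySet (== 18, the value the original passed): the
                    # key goes to the machine key store and outlives this object. Exportable (4)
                    # is deliberately NOT set, so the private key cannot be pulled back out.
                    $Flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
                    New-Object Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath, $Password, $Flags)
                } finally {
                    # Always restore the caller's location, even when the password or file is bad.
                    Pop-Location
                }
            }
            '(cer|crt)$' {
                New-Object Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)
            }
            default {
                # Previously fell through to $CertStore.Add($null); fail with a readable message instead.
                throw "Unsupported certificate file '$CertificatePath' (expected .pfx/.p12 or .cer/.crt)"
            }
        }

        foreach ($Store in $Entry.Store) {
            $StoreLocation, $StoreName = $Store -split '\\'
            if (-not $StoreLocation -or -not $StoreName) {
                throw "Store '$Store' must be of the form <StoreLocation>\<StoreName>, e.g. LocalMachine\Root"
            }
            $CertStore = New-Object Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
            Write-Verbose "Installing certificate $CertificatePath into $Store"
            $CertStore.Open('ReadWrite')
            try {
                $CertStore.Add($Cert)
            } finally {
                $CertStore.Close()
            }
        }
    } finally {
        # Remove the downloaded copy whether or not installation succeeded.
        if ($tmp -and (Test-Path $tmp)) { Remove-Item $tmp }
    }
}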