From bab8cea7c5367bf300b3ad48a29b9547a6284e47 Mon Sep 17 00:00:00 2001 From: Daniel Scott-Raynsford Date: Sun, 30 Aug 2020 19:46:43 +1200 Subject: [PATCH] Added example for PFXImport - Fixes #213 (#238) --- CHANGELOG.md | 5 ++ source/DSCResources/DSC_PfxImport/README.md | 13 +++++ ...xImport_InstallPFXAdministrator_Config.ps1 | 58 +++++++++++++++++++ 3 files changed, 76 insertions(+) create mode 100644 source/Examples/Resources/PfxImport/5-PfxImport_InstallPFXAdministrator_Config.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 50709712..9ee01a81 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - CertificateDsc - Automatically publish documentation to GitHub Wiki - Fixes [Issue #235](https://github.com/dsccommunity/CertificateDsc/issues/235). +### Added + +- PfxImport: + - Added example showing importing private key using `PsDscRunAsCredential` + to specify an administrator account - Fixes [Issue #213](https://github.com/dsccommunity/CertificateDsc/issues/213). ## [4.7.0.0] - 2019-06-26 diff --git a/source/DSCResources/DSC_PfxImport/README.md b/source/DSCResources/DSC_PfxImport/README.md index 54a3a79c..2e980006 100644 --- a/source/DSCResources/DSC_PfxImport/README.md +++ b/source/DSCResources/DSC_PfxImport/README.md 
@@ -3,6 +3,19 @@ The resource is used to import a PFX certificate into a Windows certificate store. +## Credentials for Importing a Private Key + +Depending on your operating system and domain configuration, you may need to +use a local or domain administrator credential to import certificates with a +private key. To do this, set the `PsDscRunAsCredential` parameter with this +resource to the credential of a local or domain administrator for this machine. + +If you still have problems importing the PFX into the Local Machine store +please check the account specified in `PsDscRunAsCredential` has permissions +to `$env:SystemDrive:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys`. +See [this page](https://docs.microsoft.com/en-us/troubleshoot/iis/cannot-import-ssl-pfx-local-certificate) +for more information. + ## Requirements - Target machine must be running Windows Server 2008 R2 or later. diff --git a/source/Examples/Resources/PfxImport/5-PfxImport_InstallPFXAdministrator_Config.ps1 b/source/Examples/Resources/PfxImport/5-PfxImport_InstallPFXAdministrator_Config.ps1 new file mode 100644 index 00000000..57a96d80 --- /dev/null +++ b/source/Examples/Resources/PfxImport/5-PfxImport_InstallPFXAdministrator_Config.ps1 
@@ -0,0 +1,58 @@
+<#PSScriptInfo
+.VERSION 1.0.0
+.GUID dca596de-c24c-4600-bca8-9897d60c41c3
+.AUTHOR DSC Community
+.COMPANYNAME DSC Community
+.COPYRIGHT Copyright the DSC Community contributors. All rights reserved.
+.TAGS DSCConfiguration
+.LICENSEURI https://github.com/dsccommunity/CertificateDsc/blob/master/LICENSE
+.PROJECTURI https://github.com/dsccommunity/CertificateDsc
+.ICONURI
+.EXTERNALMODULEDEPENDENCIES
+.REQUIREDSCRIPTS
+.EXTERNALSCRIPTDEPENDENCIES
+.RELEASENOTES First version.
+.PRIVATEDATA 2016-Datacenter,2016-Datacenter-Server-Core
+#>
+
+#Requires -Modules CertificateDsc
+
+<#
+ .DESCRIPTION
+ Import a PFX into the 'Root' Local Machine certificate store using
+ an administrator credential. The password in the Credential parameter
+ is used to decrypt the PFX file and the PsDscRunAsCredential is the
+ account that is used to import the certificate and private key into
+ Local Machine store. The PsDscRunAsCredential must have permission
+ to import the certificate and private key.
+#>
+Configuration PfxImport_InstallPFXAdministrator_Config
+{
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [ValidateNotNullorEmpty()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter(Mandatory = $true)]
+ [ValidateNotNullorEmpty()]
+ [System.Management.Automation.PSCredential]
+ $AdminCredential
+ )
+
+ Import-DscResource -ModuleName CertificateDsc
+
+ Node localhost
+ {
+ PfxImport CompanyCert
+ {
+ Thumbprint = 'c81b94933420221a7ac004a90242d8b1d3e5070d'
+ Path = '\\Server\Share\Certificates\CompanyCert.pfx'
+ Location = 'LocalMachine'
+ Store = 'Root'
+ Credential = $Credential
+ PsDscRunAsCredential = $AdminCredential
+ }
+ }
+}
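Review bot: The `.DESCRIPTION` block does not say how `$Credential` and `$AdminCredential` are protected once the configuration is compiled, and both are written into the node's MOF, one of them an administrator password. DSC will not compile PSCredential values for a node unless the MOF is encrypted with a node certificate or `PsDscAllowPlainTextPassword` is set in the configuration data, so a reader who copies this example and takes the second route leaves the PFX password and the administrator password readable in the MOF. I would add a sentence to the description such as `The MOF compiled from this configuration contains both credentials; encrypt it with a node certificate (CertificateFile/Thumbprint in ConfigurationData) instead of setting PsDscAllowPlainTextPassword.` Separately, `Store = 'Root'` puts a certificate together with its private key into the machine's trusted-root store; if the example is meant to show a server or client certificate rather than a trust anchor, `Store = 'My'` would be the safer value to demonstrate.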