Exporting/Importing a Certificate with the Pure1 PowerShell Module

When deployed on Windows, the Pure1 PowerShell Module takes advantage of Windows-based certificates in the user (or specified) certificate store. On Linux or MacOS, it uses RSA private key pairs.

To relocate authentication on a Non-Windows machine to another non-Windows machine, you just copy the private key from wherever it is to the target. For Windows though you need to export the cert (which has a private key) from the certificate store, then you can copy the file to wherever.

In the latest release of the Pure1 PowerShell module (1.4.3.1) there is a new feature to do that for you–or at least simplify the process of exporting the cert with the right settings.

Let’s walk through exporting and then importing the cert. In a future post I will go into some of the other enhancements in this release in more detail.

As always the repo is here (and release notes) and it is best installed/updated via the PowerShell Gallery:

install-module PureStorage.Pure1
or
update-module PureStorage.Pure1

https://github.com/PureStorage-OpenConnect/PureStorage.Pure1

Exporting a Certificate

The PowerShell module works with the idea of a default certificate you can designate and it authenticates via the private key in that certificate.

So from scratch, the process would be:

  1. Create a new certificate and extract the public key.

2) Then paste the public key into Pure1:

3) Then copy and store the API key:

Now you can authenticate with that API key:

The module will find the default certificate and use it to authenticate via that specific API key. So from now on you just need to run New-PureOneConnection with that API upon running a script, and nothing else. Unless you want to use a new certificate etc.

But this certificate is on my local machine, and I want to use that same key on a different Windows machine. How do I move it?

The process is threefold:

  1. Export the cert.
  2. Copy it to the target machine.
  3. Add it to the certificate store.

Export the Certificate with the Module

Run Get-PureOneCertificate -Export. This will export the default certificate to the working location. If you want to export a different certificate you can specify that, or a different directory if desired via parameters.

Since the export includes a private key, it will need a password. Enter that.

This will export the certificate to a pfx file.

Now copy that to your destination machine. If you are just backing up the file, you can leave it here. If you want to use it elsewhere, or restore it, follow the process:

Copy to Target Machine

So I copy it to my remote machine:

If the Pure1 Module is not installed, install it on the remote machine.

There is a new feature in the New-PureOneCertificate cmdlet that allows for the importing of a PFX certificate file like the one above. To use this behavior, specify a target PFX file.

New-PureOneCertificate -CertificateFile C:\users\cody\PureOneCert.pfx

The default behavior puts it in the current user certificate store, you can specify the local machine store if desired. It will also ask to make it the default certificate by default, you can specify -NonDefault if you prefer to not make it the default.

Finish!

From now on with this host all you need to authenticate is that API key:

Delete the pfx file now if you want.