antrea-io · tnqn · Jul 18, 2024 · Jul 17, 2024 · rajnkamr · Jul 17, 2024
diff --git a/hack/windows/Install-OVS.ps1 b/hack/windows/Install-OVS.ps1
@@ -175,7 +175,14 @@ function CheckAndInstallOVSDriver {
     $ExportType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
     $Cert = (Get-AuthenticodeSignature $DriverFile).SignerCertificate
     [System.IO.File]::WriteAllBytes($CertificateFile, $Cert.Export($ExportType))
-    Import-Certificate -FilePath "$CertificateFile" -CertStoreLocation cert:\LocalMachine\TrustedPublisher
+    # Use certstore.Add to import cert into trusted publishers instead of Import-Certificate,
+    # otherwise an error "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"
+    # may occur when `Import-Certificate` is used to import a certificate to the trusted publisher
+    # store for the first time on a fresh Windows 2022 Node. See issue #6530.
+    $CertStore = Get-Item cert:\LocalMachine\TrustedPublisher
+    $CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
+    $CertStore.Add($(Get-Item $CertificateFile).FullName)
-    $CertStore.Add($(Get-Item $CertificateFile).FullName)
+# Load the certificate from the file into an X509Certificate2 object
+$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+$certificate.Import($certificateFilePath)
+# Add the certificate to the store
+$certStore.Add($certificate)
+
-    $CertStore.Add($(Get-Item $CertificateFile).FullName)
+# Load the certificate from the file into an X509Certificate2 object
+$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+$certificate.Import($certificateFilePath)
+# Add the certificate to the store
+$certStore.Add($certificate)
+
+    $CertStore.Close()
     Import-Certificate -FilePath "$CertificateFile" -CertStoreLocation cert:\LocalMachine\Root
 
     # Install the OVSext driver with the desired version