From 497e9b0c873f5c08b1a0d609d998e5d3c5257d0b Mon Sep 17 00:00:00 2001
From: Rephl3x <zak.bearman@amslabs.net>
Date: Fri, 30 Jan 2026 11:12:27 +1300
Subject: [PATCH] Add PFX password toggle

---
 certy.ps1 | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/certy.ps1 b/certy.ps1
index fdc6f11..ec43173 100644
--- a/certy.ps1
+++ b/certy.ps1
@@ -824,6 +824,10 @@ $pfxPasswordBox = Add-TextBox $xInput $y $inputWidth $rowHeight $false
 $pfxPasswordBox.UseSystemPasswordChar = $true
 $y += $rowHeight + $gap
 
+$pfxPasswordToggle = Add-CheckBox "Use PFX password" $xInput $y 180 $rowHeight
+$pfxPasswordToggle.Checked = $true
+$y += $rowHeight + $gap
+
 Add-Label "ACME base URI" $xLabel $y $labelWidth $rowHeight
 $baseUriBox = Add-TextBox $xInput $y $inputWidth $rowHeight $false
 $baseUriBox.Text = "https://acmeprod.wd.govt.nz:9999/acme/rsa/"
@@ -883,11 +887,15 @@ function Update-OutputTypeUI {
         $outputPathLabel.Text = "PEM output path"
         $pfxPasswordLabel.Visible = $false
         $pfxPasswordBox.Visible = $false
+        $pfxPasswordToggle.Visible = $false
         $pfxPasswordBox.Text = ""
+        $pfxPasswordToggle.Checked = $false
     } else {
         $outputPathLabel.Text = "PFX output path"
         $pfxPasswordLabel.Visible = $true
         $pfxPasswordBox.Visible = $true
+        $pfxPasswordToggle.Visible = $true
+        $pfxPasswordBox.Enabled = $pfxPasswordToggle.Checked -and -not $disableCertsBox.Checked
     }
 }
 
@@ -1033,7 +1041,8 @@ function Update-CertGenerationUI {
     $wacsPathBox.Enabled = -not $disabled
     $outputTypeBox.Enabled = -not $disabled
     $outputPathBox.Enabled = -not $disabled
-    $pfxPasswordBox.Enabled = -not $disabled
+    $pfxPasswordToggle.Enabled = -not $disabled
+    $pfxPasswordBox.Enabled = -not $disabled -and $pfxPasswordToggle.Checked
     $baseUriBox.Enabled = -not $disabled
     $validationBox.Enabled = -not $disabled
     $validationPortBox.Enabled = -not $disabled
@@ -1084,6 +1093,9 @@ if ($loadedDefaults) {
     $value = Get-DefaultValue -Defaults $loadedDefaults -Name "PfxPassword"
     if (-not [string]::IsNullOrWhiteSpace($value)) { $pfxPasswordBox.Text = $value }
 
+    $value = Get-DefaultValue -Defaults $loadedDefaults -Name "UsePfxPassword"
+    if ($null -ne $value) { $pfxPasswordToggle.Checked = [bool]$value }
+
     $value = Get-DefaultValue -Defaults $loadedDefaults -Name "BaseUri"
     if (-not [string]::IsNullOrWhiteSpace($value)) { $baseUriBox.Text = $value }
 
@@ -1152,6 +1164,7 @@ function Apply-Layout {
     $outputTypeBox.Width = $inputWidthCalc
     $outputPathBox.Width = $inputWidthCalc
     $pfxPasswordBox.Width = $inputWidthCalc
+    $pfxPasswordToggle.Width = $inputWidthCalc
     $baseUriBox.Width = $inputWidthCalc
     $validationBox.Width = $inputWidthCalc
     $validationPortBox.Width = $inputWidthCalc
@@ -1180,6 +1193,10 @@ $replicationEnabledBox.Add_CheckedChanged({
     if (Test-Path function:Update-ReplicationUI) { Update-ReplicationUI }
 })
 
+$pfxPasswordToggle.Add_CheckedChanged({
+    $pfxPasswordBox.Enabled = $pfxPasswordToggle.Checked -and -not $disableCertsBox.Checked
+})
+
 $filePreviewBtn.Add_Click({
     $path = $fileBox.Text.Trim()
     if ([string]::IsNullOrWhiteSpace($path)) {
@@ -1321,6 +1338,7 @@ $saveDefaultsBtn.Add_Click({
         OutputType          = $outputTypeBox.SelectedItem.ToString()
         OutputPath          = $outputPathBox.Text
         PfxPassword         = $pfxPasswordBox.Text
+        UsePfxPassword      = $pfxPasswordToggle.Checked
         BaseUri             = $baseUriBox.Text
         Validation          = $validationBox.Text
         ValidationPort      = $validationPortBox.Text
@@ -1331,7 +1349,7 @@ $saveDefaultsBtn.Add_Click({
     }
     Save-Defaults -Defaults $defaults
     & $logAction "Defaults saved to $(Get-DefaultsPath)."
-    if (-not [string]::IsNullOrWhiteSpace($pfxPasswordBox.Text)) {
+    if ($pfxPasswordToggle.Checked -and -not [string]::IsNullOrWhiteSpace($pfxPasswordBox.Text)) {
         & $logAction "Warning: PFX password is stored in plaintext."
     }
 })
@@ -1371,7 +1389,8 @@ $runBtn.Add_Click({
         $outputType = $outputTypeBox.SelectedItem.ToString()
         $outputPath = $outputPathBox.Text.Trim()
         if (-not $outputPath) { throw "Output path is required." }
-        if ($outputType -eq "PFX" -and [string]::IsNullOrWhiteSpace($pfxPasswordBox.Text)) {
+        $usePfxPassword = $outputType -eq "PFX" -and $pfxPasswordToggle.Checked
+        if ($usePfxPassword -and [string]::IsNullOrWhiteSpace($pfxPasswordBox.Text)) {
             throw "PFX password is required."
         }
 
@@ -1443,7 +1462,7 @@ $runBtn.Add_Click({
                         -HostFqdns @($entry.Fqdn) `
                         -OutputType $outputType `
                         -OutputPath $outputPath `
-                        -PfxPassword $pfxPasswordBox.Text `
+                        -PfxPassword ($(if ($usePfxPassword) { $pfxPasswordBox.Text } else { "" })) `
                         -BaseUri $baseUriBox.Text.Trim() `
                         -Validation $validationBox.Text.Trim() `
                         -ValidationPort $validationPortBox.Text.Trim() `
@@ -1458,7 +1477,7 @@ $runBtn.Add_Click({
                     -HostFqdns $hostList `
                     -OutputType $outputType `
                     -OutputPath $outputPath `
-                    -PfxPassword $pfxPasswordBox.Text `
+                    -PfxPassword ($(if ($usePfxPassword) { $pfxPasswordBox.Text } else { "" })) `
                     -BaseUri $baseUriBox.Text.Trim() `
                     -Validation $validationBox.Text.Trim() `
                     -ValidationPort $validationPortBox.Text.Trim() `