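# Replaces the FTPS certificate employed by Bitvise SSH Server 9.xx with the
# certificate and private key stored in a PFX file.
#
# Parameters:
#   -pfxFile          Path of the PFX file to import (positional).
#   -pw               Password of the PFX file; defaults to an empty string.
#   -instance         Name of the SSH Server instance to configure.
#   -removeDismissed  After the new certificate is employed, erase every
#                     certificate that is not the employed one.
#
# Exits with code 2 when only the usage text is printed.
#
# NOTE(review): -pw is a plain command-line string, so the PFX password can be
# recorded in PSReadLine history, in PowerShell transcripts and in
# process-creation audit records that capture the command line. Keep those
# records access-controlled on hosts where this script is run.
# NOTE(review): the PFX file holds the private key. Once the import has
# succeeded, remove the file or keep it under an ACL limited to administrators.
param (
    [Parameter(Position=0)][string]$pfxFile,
    [string]$pw="",
    [string]$instance="",
    [switch]$removeDismissed=$false
)

# If there's an error in a call such as $cfg.certificates.Lock(), it is important that the script stops.
# Continuing while another application is also potentially modifying settings may corrupt them.
$ErrorActionPreference = "Stop"

# The PowerShell instance executing this script needs to run elevated, as administrator,
# to access SSH Server settings.
Write-Host ""
Write-Host "Run this in an elevated, administrative PowerShell or Command Prompt window."
Write-Host "Replaces the currently employed FTPS certificate in Bitvise SSH Server versions 9.xx."
Write-Host ""

if (($pfxFile -eq "") -or ($pfxFile -eq "-?") -or ($pfxFile -eq "/?")) {
    Write-Host "Usage:"
    Write-Host ""
    # The argument placeholders are written out so the usage line names what each option expects.
    Write-Host " <pfxFile> [-pw <password>] [-instance <instance>]"
    Write-Host " [-removeDismissed]"
    Write-Host ""
    Write-Host " Imports the certificate and private key in the specified PFX file."
    Write-Host " If successful, dismisses the currently employed certificate and"
    Write-Host " employs the certificate which was imported. If -removeDismissed is"
    Write-Host " specified, any remaining dismissed certificates are removed."
    Write-Host ""
    exit 2
}

# Resolve the PFX path before any settings are locked: a missing file stops the
# script here (ErrorActionPreference is "Stop"), and the COM object receives an
# absolute path that does not depend on the process working directory.
$pfxPath = (Resolve-Path -LiteralPath $pfxFile).ProviderPath

Write-Host "Instantiating BssCfg object..."
$cfg = New-Object -ComObject "Bitvise.BssCfg"
Write-Host "BssCfg object instantiated."
Write-Host ""

# If there are multiple SSH Server instances installed, select the desired instance by name.
# NOTE(review): with -instance omitted this passes an empty name; presumably
# that selects the default instance - confirm against the BssCfg documentation.
$cfg.SetInstance($instance)

# Lock and load SSH Server certificates
Write-Host "Locking SSH Server certificates"
$cfg.certificates.Lock()

try {
    Write-Host "Loading SSH Server certificates"
    $cfg.certificates.Load()

    Write-Host "Importing new certificate from $pfxFile"
    $newCert = $cfg.certificates.ImportFromFileEx($pfxPath, $pw)

    Write-Host "Employing new certificate"
    $cfg.certificates.Employ($newCert.index)

    if ($removeDismissed -and $cfg.certificates.existsEmployed) {
        Write-Host "Removing dismissed certificates"
        $nrRemoved = 0

        # Walk the list from the last index down so that erasing an entry does
        # not shift the indices still to be visited. employedIndex is re-read on
        # every pass rather than cached.
        for ($i = $cfg.certificates.count - 1; $i -ge 0; $i--) {
            if ($i -ne $cfg.certificates.employedIndex) {
                $cfg.certificates.Erase($i)
                $nrRemoved++
            }
        }

        Write-Host "$nrRemoved certificate(s) removed"
    }

    # Save and unlock certificates
    Write-Host "Saving SSH Server certificates"
    $cfg.certificates.Save($true)   # $true to perform automatic backup, $false to not
}
finally {
    # Runs on success and on failure, so the certificate settings are never left locked.
    $cfg.certificates.Unlock()
}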