Comments (9)
There might be a possibility during pfx export, but I'm not sure.
Also, the CSPs you mention are apparently "legacy" and MS-centric. The module itself is (or at least should be) x-plat.
If you can provide a PR which allows setting the CSP, I'll probably merge it.
I personally will not implement it, and since you have a working solution with openssl, there's no real need to include it in the module.
It'd also be possible to add documentation about import / export needs.
from acme-ps.
The fact is that there were no such problems with the previous ACMESharp module.
Ok. And?
I do not quite understand what you need to provide so that you can turn on the provider.
So far I can identify two places, where the provider might be selectable.
The first is the creation of the RSA-Key; the second is the export of the certificate.
This is the RSAKey: https://github.com/PKISharp/ACMESharpCore-PowerShell/blob/master/ACME-PS/internal/classes/crypto/RSAKey.ps1
And this the Export-Certificate internals:
https://github.com/PKISharp/ACMESharpCore-PowerShell/blob/master/ACME-PS/internal/classes/crypto/Certificate.ps1
Just to be clear, about my interests: I'm willing to help on the "merge-into-the-module"-side of things and carry it around in the module until it's not possible anymore, but I have very little interest in digging into the CSP specifics in windows myself - especially when there's already a valid tool (openSSL) to use and solve the problem.
First, I don't mean to pile on because I think the work you've done here is terrific Tom. Thank you for making such a valuable contribution to the developer community. And please let me know if my next comments would be more appropriate elsewhere.
I have seen the same issue reported by Slamich, and I independently arrived at the same solution (i.e. "openssl.exe"). I am fine with leaving it at that.
"The fact is that there were no such problems with the previous ACMESharp module."
This is my real concern.
I am sure there are many others who migrated to "ACME-PS" from "ACMESharp" (who are also very grateful for your efforts Tom). With that migration in mind I have been wondering about something else.
One nice feature of "ACMESharp" was its "stateless" implementation (i.e. it saved 100% of its own state to disk). That approach allowed its various commands to be run independently in multiple (i.e. separate) PowerShell sessions (one after another) without concern for losing state.
"ACME-PS" does not allow this. While "ACME-PS" saves some of its state to disk, the balance requires the use of temporary in-memory PS variables. That means users must complete the entire process in a single PowerShell session.
Can you please explain that design choice Tom? Is there an easy way to arrive at a similar "stateless" approach (i.e. similar to how "ACMESharp" manages 100% of its own state itself)?
@GeorgeSchiro I moved your issue - thanks for pointing it out. Discussion is welcome.
@Slamich - I'm sorry if I was hostile, but I read your comment as "it was like that, and now I want you to implement it that way again" - I only assumed that, but since text is without tone, that might be a blatant misinterpretation of your intent.
If you have ideas how to tackle the problem or want to investigate the matter, I'll help if I can.
@glatzert to me it seems like it is an "issue" coming from how the Microsoft Crypto library processes the "ExportWithPrivateKey" or whatever the function is called.
It seems that it uses the Cryptography Next Generation (CNG) and that might be the issue. Not sure, though. Maybe you can have at it (https://referencesource.microsoft.com/#System.Core/System/Security/Cryptography/X509Certificates/RSACertificateExtensions.cs) and implement it yourself using the "old" crypto API (not CNG)?
thanks in advance :)
Currently ACME-PS is written as a module, running in Windows PowerShell as well as PowerShell Core - the latter one being "the future" on all systems - especially when .NET 5.0 will be around.
I don't think the old crypto API is compatible with .NET Core, meaning I'd probably have to build a special code path to support the legacy crypto provider on Windows PowerShell only. That seems like a lot of work, considering you can still use openSSL as a workaround.
Is there a prohibitive reason to not use openSSL?
openssl.exe pkcs12 -in certificate.pfx -out certificate.pem -nodes
openssl.exe pkcs12 -export -in certificate.pem -out new_certificate.pfx
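The two openssl commands above leave the choice of Windows provider to the defaults at import time, and the `-nodes` step writes the private key to disk unencrypted. The script below is an added example, not ACME-PS code and not the commenter's, showing the same round trip done the way a practitioner would want it: the intermediate PEM keeps the key encrypted, passwords reach openssl through the environment rather than the command line, the target provider is named explicitly with openssl's `-CSP` option, and the resulting PFX is read back to confirm the attribute. Assumptions: `openssl.exe` is on PATH, the provider name in `$CspName` is the one your consumer needs (any legacy CAPI provider name can be substituted), and the `Microsoft CSP Name:` line that `openssl pkcs12 -info` prints for the bag attribute is the check.

```powershell
# Added example (not part of ACME-PS): re-pack a PFX with an explicit legacy CSP name.
# Assumes openssl.exe is on PATH and $CspName is the provider you want (assumed default below).
[CmdletBinding()]
param(
    [string]$InPfx   = '.\certificate.pfx',
    [string]$OutPfx  = '.\new_certificate.pfx',
    [string]$CspName = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
)
$ErrorActionPreference = 'Stop'

function ConvertTo-PlainText([securestring]$Secure) {
    # NetworkCredential is the least clumsy way to unwrap a SecureString in both PS editions.
    [System.Net.NetworkCredential]::new('', $Secure).Password
}

# Hand passwords to openssl through the environment (-passin env:NAME), not on the
# command line, so they do not show up in process listings or shell history.
$env:PFX_IN_PASS  = ConvertTo-PlainText (Read-Host -AsSecureString 'Password of the input PFX')
$env:PFX_OUT_PASS = ConvertTo-PlainText (Read-Host -AsSecureString 'Password for the new PFX')
$pem = Join-Path ([System.IO.Path]::GetTempPath()) ("pfx-roundtrip-{0}.pem" -f [guid]::NewGuid())

try {
    # Step 1: PFX -> PEM. Instead of -nodes, keep the private key encrypted in the PEM (-passout).
    & openssl.exe pkcs12 -in $InPfx -out $pem -passin env:PFX_IN_PASS -passout env:PFX_OUT_PASS
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 (pfx -> pem) failed with exit code $LASTEXITCODE" }

    # Step 2: PEM -> PFX, writing a Microsoft CSP name bag attribute so Windows imports
    # the key into that provider rather than picking one itself.
    & openssl.exe pkcs12 -export -in $pem -out $OutPfx -CSP $CspName `
        -passin env:PFX_OUT_PASS -passout env:PFX_OUT_PASS
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 -export failed with exit code $LASTEXITCODE" }

    # Step 3: read the bag attributes back and verify the provider really was written.
    # openssl prints part of its -info output on stderr; capture both streams without
    # letting PowerShell turn stderr lines into terminating errors.
    $prevEap = $ErrorActionPreference
    $ErrorActionPreference = 'Continue'
    $info = (& openssl.exe pkcs12 -in $OutPfx -info -noout -passin env:PFX_OUT_PASS 2>&1 |
             ForEach-Object { "$_" }) -join "`n"
    $ErrorActionPreference = $prevEap

    $actual = [regex]::Match($info, 'Microsoft CSP Name:\s*(.+)').Groups[1].Value.Trim()
    if ($actual -ne $CspName) {
        throw "Expected CSP '$CspName' in $OutPfx but found '$actual'"
    }
    Write-Host "Wrote $OutPfx with CSP '$actual'"
}
finally {
    # The PEM still carries the (encrypted) private key; do not leave it behind,
    # and clear the passwords from the environment of this session.
    if (Test-Path $pem) { Remove-Item $pem -Force }
    Remove-Item Env:\PFX_IN_PASS, Env:\PFX_OUT_PASS -ErrorAction SilentlyContinue
}
```

Run it from the directory holding `certificate.pfx`, or pass `-InPfx`/`-OutPfx`/`-CspName` explicitly. The read-back in step 3 is the part worth keeping even if you stay with the two bare commands from the comment: it is the only way to know, before importing on the target machine, which provider the PFX will ask for.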