Comments (8)
I solved this with the following snippet, it does sometimes build it in the wrong order though...:

```powershell
# This certificate does not have the full chain, which might break some applications. Creating the full chain
$tmpPfx = Get-PfxData -FilePath "$env:TEMP\$domain.pfx" -Password $password
Export-PfxCertificate -PFXData $tmpPfx -FilePath "$env:TEMP\fullchain.pfx" -Password $password -ChainOption BuildChain
```

Not sure if it fits into this module, but it does fit into a script using it @glatzert
from acme-ps.
Version 1.2 will include the certificate chain during export.
from acme-ps.
LE will not include the chain automatically, so you have to download and combine it yourself (use openssl for that) - the link is in the README.md file.
If you have any idea how I might automatically download the chain and include it into the exported cert, I'll most likely implement it, but as of now I don't know how that would be done in .NET or PS.
from acme-ps.
As part of an example that might work.
It's important to mention that the export will only include the chain if it's present in the Windows certificate store.
Nevertheless - it might be possible to set the -ChainOption in Export-AcmeCertificate, so it will be picked up if available.
- Investigate -ChainOption in Export-AcmeCertificate
from acme-ps.
> I solved this with the following snippet, it does sometimes build it in the wrong order though...:
>
> ```powershell
> # This certificate does not have the full chain, which might break some applications. Creating the full chain
> $tmpPfx = Get-PfxData -FilePath "$env:TEMP\$domain.pfx" -Password $password
> Export-PfxCertificate -PFXData $tmpPfx -FilePath "$env:TEMP\fullchain.pfx" -Password $password -ChainOption BuildChain
> ```
>
> Not sure if it fits into this module, but it does fit into a script using it @glatzert

Thanks man!!! This helped me a lot!!
from acme-ps.
> LE will not include the chain automatically

Hi @glatzert, The Let's Encrypt ACME v2 server has always sent the full PEM-encoded certificate chain at the certificate URL.
This response should contain both the leaf and intermediate as an application/pem-certificate-chain:

e.g.

```text
PS /> [System.Text.Encoding]::UTF8.GetString((Invoke-ACMESignedWebRequest -Url https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa42055a6bacfc97958a0a0c7cfd8c2aeade -State $acmeStateDir).Content)
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
```

At the moment Export-PfxCertificate is only looking at the first (end-entity) certificate, but ideally it would pick up the full chain and include it in the PFX.
Some careful code that splits the string along the PEM encapsulation boundaries (-----BEGIN CERTIFICATE-----, -----BEGIN CERTIFICATE-----) could do the trick.
from acme-ps.
Hm - I was not aware of the chain being included.
I'll take a look if I can combine them into the PFX.
from acme-ps.
@glatzert : Is there any option to include the Root CA as well? That would be awesome...
Currently have a work-around. But would be great if it came out of the box =)

```text
Bag Attributes
    friendlyName: DST Root CA X3
subject=/O=Digital Signature Trust Co./CN=DST Root CA X3
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
```
from acme-ps.
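The thread above raises three things in turn: `Export-PfxCertificate -ChainOption BuildChain` sometimes emits the chain in the wrong order and only finds intermediates that already sit in the Windows store; the ACME certificate URL already returns the whole chain as `application/pem-certificate-chain`, which could be split along the PEM boundaries; and a root (such as DST Root CA X3 above) should ideally be bundled too. The following PowerShell is an added example written for this page, not acme-ps code. It splits a PEM chain into certificates, checks that each certificate is issued by the next one before touching anything, and merges the intermediates (and root, if the PEM contains one) into a PFX that already holds the leaf and its private key. The function names and the file paths are assumptions; the PFX password is read as a SecureString and only converted to plain text for the .NET export call.

```powershell
# Added example (not part of acme-ps): build a full-chain PFX from the
# PEM chain the ACME server returns, without relying on the Windows store.
using namespace System.Security.Cryptography.X509Certificates

function Split-PemChain {
    param([Parameter(Mandatory)][string]$PemText)
    # One match per BEGIN/END CERTIFICATE block; the base64 body spans lines.
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($PemText, $pattern, 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [X509Certificate2]::new($der)
    }
}

function Test-ChainOrder {
    param([Parameter(Mandatory)][X509Certificate2[]]$Chain)
    # Expected order is leaf first: Chain[i] must be issued by Chain[i+1].
    for ($i = 0; $i -lt $Chain.Count - 1; $i++) {
        if ($Chain[$i].Issuer -ne $Chain[$i + 1].Subject) {
            Write-Warning ("Chain out of order at position {0}: '{1}' is not issued by '{2}'" -f `
                $i, $Chain[$i].Subject, $Chain[$i + 1].Subject)
            return $false
        }
    }
    return $true
}

function Merge-ChainIntoPfx {
    param(
        [Parameter(Mandatory)][string]$LeafPfxPath,     # PFX holding leaf + private key
        [Parameter(Mandatory)][string]$ChainPemPath,    # PEM chain saved from the ACME cert URL
        [Parameter(Mandatory)][string]$OutPfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $chain = @(Split-PemChain -PemText (Get-Content -Raw $ChainPemPath))
    if ($chain.Count -eq 0) { throw "No certificates found in $ChainPemPath" }
    if (-not (Test-ChainOrder -Chain $chain)) { throw "Refusing to export a mis-ordered chain" }

    # Load the leaf with its key; Exportable is required so the key survives re-export.
    $leaf = [X509Certificate2]::new($LeafPfxPath, $Password, [X509KeyStorageFlags]::Exportable)
    if ($leaf.Thumbprint -ne $chain[0].Thumbprint) {
        throw "Leaf in $ChainPemPath does not match the certificate in $LeafPfxPath"
    }

    # Leaf (with key) first, then intermediates and, if the PEM carried one, the root.
    $collection = [X509Certificate2Collection]::new()
    [void]$collection.Add($leaf)
    foreach ($c in ($chain | Select-Object -Skip 1)) { [void]$collection.Add($c) }

    # X509Certificate2Collection.Export needs the password as a plain string.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    [IO.File]::WriteAllBytes($OutPfxPath, $collection.Export([X509ContentType]::Pfx, $plain))
    Write-Host ("Wrote {0} containing {1} certificate(s)" -f $OutPfxPath, $collection.Count)
}

# Usage (paths and $domain are placeholders for this example):
# $pw = Read-Host -AsSecureString 'PFX password'
# Merge-ChainIntoPfx -LeafPfxPath "$env:TEMP\$domain.pfx" -ChainPemPath "$env:TEMP\chain.pem" `
#                    -OutPfxPath "$env:TEMP\fullchain.pfx" -Password $pw
```

Because the intermediates come from the PEM the CA served rather than from the local store, the result does not depend on what happens to be installed on the exporting machine, and the order check fails closed instead of silently writing a chain that some TLS clients will reject. If the CA's PEM stops at the intermediate, append the root's PEM to the chain file before running this; the same order check then confirms the intermediate is really issued by that root.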
Related Issues (20)
- [Improvement] Allow DirectoryUrl to be passed to revocation, to omit the state object
- [Improvement] Add state reference to order
- [BUG]? Full chain export seems to be exporting in the wrong order HOT 4
- [BUG] Chain not included for specific instance.. HOT 1
- [Improvement] Exporting x509 certs/keys as PEM HOT 4
- Exception calling "GetResult" with "0" argument(s): "An error occurred while sending the request." HOT 6
- Certificate not working on older Android after 29.9.2021 HOT 2
- New-AcmePSKey invalid ValidateSet for RSAKeySize HOT 1
- DNS-01 HOT 10
- New Order / Old Account HOT 5
- Are SHA-1 self signatures being used to issue CSRs? HOT 1
- HTTP-01 Challenge File Not Getting Created HOT 3
- Authorizations does not seem to be parsing correctly HOT 12
- [BUG] The certificate chain seems to be out of order in 1.5.2. Versions 1.5.3-beta, and 1.5.4 Fails to run. HOT 4
- [BUG] Some of the *ToExport keys are missing from the module manifest HOT 2
- [BUG] v1.5.6 Export-Certificate "value cannot be null" HOT 10
- Cannot export non-exportable private key HOT 1
- [BUG] When using New-ACMEAccount with previous AccountKey it errors with Get-Account HOT 1
- [BUG] The exported PFX certificate doesn't have the full Let's Encrypt chain HOT 4
- Issue Export-ACMECertificate HOT 2