
Full chain certificate (acme-ps issue, 8 comments, closed)

pkisharp avatar pkisharp commented on July 22, 2024
Full chain certificate

from acme-ps.

Comments (8)

Gholie avatar Gholie commented on July 22, 2024 1

I solved this with the following snippet; it does sometimes build it in the wrong order though...:

# This certificate does not have the full chain, which might break some applications. Creating the full chain
$tmpPfx = Get-PfxData -FilePath "$env:TEMP\$domain.pfx" -Password $password
Export-PfxCertificate -PFXData $tmpPfx -FilePath "$env:TEMP\fullchain.pfx" -Password $password -ChainOption BuildChain

Not sure if it fits into this module, but it does fit into a script using it @glatzert

from acme-ps.

glatzert avatar glatzert commented on July 22, 2024 1

Version 1.2 will include the certificate chain during export.

from acme-ps.

glatzert avatar glatzert commented on July 22, 2024

LE will not include the chain automatically, so you have to download and combine it yourself (use openssl for that) - the link is in the README.md file.
If you have any idea how I might automatically download the chain and include it in the exported cert, I'll most likely implement it, but as of now I don't know how that would be done in .NET or PS.

from acme-ps.

glatzert avatar glatzert commented on July 22, 2024

As part of an example that might work.
It's important to mention that the export will only include the chain if it's present in the Windows certificate store.
Nevertheless, it might be possible to set the -ChainOption in Export-AcmeCertificate, so it will be picked up if available.

  • Investigate -ChainOption in Export-AcmeCertificate

from acme-ps.

asifma avatar asifma commented on July 22, 2024

I solved this with the following snippet; it does sometimes build it in the wrong order though...:

# This certificate does not have the full chain, which might break some applications. Creating the full chain
$tmpPfx = Get-PfxData -FilePath "$env:TEMP\$domain.pfx" -Password $password
Export-PfxCertificate -PFXData $tmpPfx -FilePath "$env:TEMP\fullchain.pfx" -Password $password -ChainOption BuildChain

Not sure if it fits into this module, but it does fit into a script using it @glatzert

Thanks man!!! This helped me a lot!!

from acme-ps.

alexzorin avatar alexzorin commented on July 22, 2024

LE will not include the chain automatically

Hi @glatzert, the Let's Encrypt ACME v2 server has always sent the full PEM-encoded certificate chain at the certificate URL.

This response should contain both the leaf and intermediate as an application/pem-certificate-chain:

https://github.com/PKISharp/ACMESharpCore-PowerShell/blob/f6896e46e45d76883a4eb278e54deb26f397d4e4/ACME-PS/functions/Certificate/Export-Certificate.ps1#L101

e.g.

PS /> [System.Text.Encoding]::UTF8.GetString((Invoke-ACMESignedWebRequest -Url https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa42055a6bacfc97958a0a0c7cfd8c2aeade -State $acmeStateDir).Content)

At the moment Export-PfxCertificate is only looking at the first (end-entity) certificate, but ideally it would pick up the full chain and include it in the PFX.

Some careful code that splits the string along the PEM encapsulation boundaries (-----BEGIN CERTIFICATE-----, -----BEGIN CERTIFICATE-----) could do the trick.

from acme-ps.
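An added example (not acme-ps code, not posted by anyone in this thread) of the approach alexzorin describes: split the application/pem-certificate-chain response on its encapsulation boundaries, sanity-check the leaf-to-issuer order (the ordering problem Gholie's -ChainOption BuildChain snippet runs into), and write a PFX that carries the intermediates without depending on the Windows certificate store. It assumes $pemChain holds the PEM text from the ACME certificate URL and $leafPfxPath / $pfxPassword / $fullChainPfxPath point at the single-certificate PFX acme-ps exported and the output file; all four names are placeholders.

```powershell
# Assumed inputs (placeholders): $pemChain, $leafPfxPath, $pfxPassword, $fullChainPfxPath
using namespace System.Security.Cryptography.X509Certificates

function Split-PemChain {
    param([Parameter(Mandatory)][string]$PemText)
    # One match per BEGIN/END CERTIFICATE block, kept in the order the server sent them.
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($PemText, $pattern, 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [X509Certificate2]::new($der)
    }
}

function Test-ChainOrder {
    param([Parameter(Mandatory)][X509Certificate2[]]$Certs)
    # Expect leaf first: certificate i must name certificate i+1 as its issuer.
    # Name comparison is a cheap ordering check only; it does not validate signatures.
    for ($i = 0; $i -lt $Certs.Count - 1; $i++) {
        if ($Certs[$i].Issuer -ne $Certs[$i + 1].Subject) { return $false }
    }
    return $true
}

$certs = @(Split-PemChain -PemText $pemChain)
if ($certs.Count -lt 2) { throw 'Response did not contain a leaf plus at least one issuer' }
if (-not (Test-ChainOrder -Certs $certs)) { throw 'PEM chain is not in leaf-to-issuer order' }

# Start from the PFX acme-ps wrote, because that is where the leaf's private key lives.
$collection = [X509Certificate2Collection]::new()
$collection.Import($leafPfxPath, $pfxPassword, 'Exportable')
$leaf = $collection | Where-Object HasPrivateKey | Select-Object -First 1
if ($null -eq $leaf -or $leaf.Thumbprint -ne $certs[0].Thumbprint) {
    throw 'Leaf in the PFX does not match the first certificate of the downloaded chain'
}

# Append the issuers (everything after the leaf) and export the whole set as one PKCS#12.
foreach ($issuer in ($certs | Select-Object -Skip 1)) { [void]$collection.Add($issuer) }
$pfxBytes = $collection.Export('Pkcs12', $pfxPassword)
[IO.File]::WriteAllBytes($fullChainPfxPath, $pfxBytes)
```

Whether the resulting PFX is accepted with the intermediates attached still needs checking on the consuming application, since some tools read only the first certificate of a PKCS#12 bag.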

glatzert avatar glatzert commented on July 22, 2024

Hm - I was not aware of the chain being included.
I'll take a look, if I can combine them into the PFX.

from acme-ps.

asifma avatar asifma commented on July 22, 2024

@glatzert: Is there any option to include the Root CA as well? That would be awesome...
I currently have a workaround, but it would be great if it came out of the box =)

Bag Attributes
friendlyName: DST Root CA X3
subject=/O=Digital Signature Trust Co./CN=DST Root CA X3
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3

from acme-ps.
