Keyfactor · fiddlermikey · Sep 19, 2023 · Sep 15, 2023 · Sep 15, 2023 · Sep 18, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+v1.4.5
+- Bug Fix: For F5-WS-REST store type, make sure certificate chain is ordered properly when installing to F5 - EE Cert => Issuing CA Cert => One-to-many Intermediate CA Certs => Root CA Cert.
+
 v1.4.4
 - Bug Fix: Allow PEM formats with # comments at top of file during inventory
 

diff --git a/F5Client.cs b/F5Client.cs
@@ -20,6 +20,7 @@
 using System.Text.RegularExpressions;
 
 using Newtonsoft.Json;
+using System.Collections;
 
 namespace Keyfactor.Extensions.Orchestrator.F5Orchestrator
 {
@@ -61,7 +62,7 @@ public F5Client(CertificateStore certificateStore, string serverUserName, string
             PFXPassword = pfxPassword;
             IgnoreSSLWarning = ignoreSSLWarning;
             Inventory = inventory;
-            
+
             if (logger == null)
             {
                 logger = Keyfactor.Logging.LogHandler.GetClassLogger(this.GetType());
@@ -246,14 +247,14 @@ private void AddPfx(byte[] entryContents, string partition, string name, string
                     AddPfx(entryContents, partition, name, password, GetKeyName(ex.message));
                 else
                     throw (name.Contains(".crt", StringComparison.OrdinalIgnoreCase) &&
-                           ex.Message.Contains("expected to exist", StringComparison.OrdinalIgnoreCase) ? 
-                                new Exception("Certificate and Key name may be different. If so, an F5 hotfix may be required to allow for the automatic renewal of this certificate.", ex) : 
+                           ex.Message.Contains("expected to exist", StringComparison.OrdinalIgnoreCase) ?
+                                new Exception("Certificate and Key name may be different. If so, an F5 hotfix may be required to allow for the automatic renewal of this certificate.", ex) :
                                 ex);
             }
 
             LogHandlerCommon.MethodExit(logger, CertificateStore, "AddPfx");
         }
-        
+
         // Method to parse error message from /pkcs12 API call that can occur when the certificate and key have different names.
         //  There is an F5 hotfix needed to be installed to produce the specific error message parsed by this method to get the
         //  separate key name.
@@ -585,12 +586,9 @@ public void ReplaceWebServerCrt(string b64Certificate)
 
             StringBuilder certPemBuilder = new StringBuilder();
 
-
-
-            //////// THE LIST MUST BE REVERSED SO THAT THE END-ENTITY CERT IS FIRST /////////
-            //////// CAN IT BE ASSUMED THE LAST ENTRY IS END-ENTIT? /////////////////////////
-            clist.Reverse();
-            /////////////////////////////////////////////////////////////////////////////////
+            //reordering of certificate chain necessary because of BouncyCastle bug.  Being fixed in a later release
+            if (clist.Count > 1)
+                clist = ReorderPEMLIst(clist);
 
             LogHandlerCommon.Trace(logger, CertificateStore, "Building certificate PEM");
             foreach (X509Certificate2 cert in clist)
@@ -634,6 +632,30 @@ public void ReplaceWebServerCrt(string b64Certificate)
             LogHandlerCommon.MethodExit(logger, CertificateStore, "ReplaceWebServerCrt");
         }
 
+        // Put certificate chain in proper order - EE => issuing => intermediate1 => ... => intermediateN => root
+        private List<X509Certificate2> ReorderPEMLIst(List<X509Certificate2> certList)
+        {
+            List<X509Certificate2> rtnList = new List<X509Certificate2>();
+            X509Certificate2 root = certList.FirstOrDefault(p => p.IssuerName.RawData.SequenceEqual(p.SubjectName.RawData));
+            if (root == null || string.IsNullOrEmpty(root.SerialNumber))
+                throw new Exception("Invalid certificate chain.  No root CA certificate found.");
+
+            rtnList.Add(root);
+
+            X509Certificate2 parentCert = root;
+            for (int i=1; i<certList.Count; i++)
+            {
+                X509Certificate2 childCert = certList.FirstOrDefault(p => p.IssuerName.RawData.SequenceEqual(parentCert.SubjectName.RawData) && !p.IssuerName.RawData.SequenceEqual(p.SubjectName.RawData));
+                if (root == null || string.IsNullOrEmpty(root.SerialNumber))
+                    throw new Exception("Invalid certificate chain.  End entity or issuing CA certificate not found.");
+
+                rtnList.Insert(0, childCert);
+                parentCert = childCert;
+            }
+
+            return rtnList;
+        }
+
         // WebServer
         #endregion
 

diff --git a/README.md b/README.md
@@ -14,16 +14,13 @@ The Universal Orchestrator is part of the Keyfactor software distribution and is
 The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
 
 
-
-
 ## Support for F5
 
 F5 is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative.
 
 ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
 
 
-
 ---