The certificate generated is not applicable for Exchange 2013 #45
Comments
There might be a possibility during pfx export, but I'm not sure. If you can provide a PR that allows setting the CSP, I'll probably merge it. It'd also be possible to add documentation about import / export needs.
The fact is that there were no such problems with the previous ACMESharp module.
Ok. And?
I do not quite understand what you need to provide so that you can turn on the provider.
So far I can identify two places where the provider might be selectable.
This is the RSAKey: https://github.com/PKISharp/ACMESharpCore-PowerShell/blob/master/ACME-PS/internal/classes/crypto/RSAKey.ps1
And this is the Export-Certificate internals:
Just to be clear about my interests: I'm willing to help on the "merge-into-the-module"-side of things and carry it around in the module until it's not possible anymore, but I have very little interest in digging into the CSP specifics in Windows myself - especially when there's already a valid tool (openSSL) to use and solve the problem.
@GeorgeSchiro I moved your issue - thanks for pointing it out. Discussion is welcome. If you have ideas how to tackle the problem or want to investigate the matter, I'll help if I can.
@glatzert to me it seems like it is an "issue" coming from how the Microsoft Crypto library processes the "ExportWithPrivateKey" or whatever the function is called. Thanks in advance :)
Currently ACME-PS is written as a module, running in Windows PowerShell as well as PowerShell Core - the latter one being "the future" on all systems - especially when .NET 5.0 will be around. I don't think the old crypto API is compatible with .NET Core, meaning I'd probably have to build a special code-path to support the legacy crypto provider on Windows PowerShell only. That seems like a lot of work, considering you can still use openSSL as a workaround. Is there a prohibitive reason to not use openSSL?
Hi.
Generated a certificate using this module.
I get a PFX file that I import in Exchange 2013.
It is imported with an invalid CSP provider:
"Microsoft Software Key Storage Provider"
And you need the provider to be:
"Microsoft Enhanced Cryptographic Provider v1.0"
or
"Microsoft RSA SChannel Cryptographic Provider"
Found a solution to work around this problem:
openssl.exe pkcs12 -in certificate.pfx -out certificate.pem -nodes
openssl.exe pkcs12 -export -in certificate.pem -out new_certificate.pfx
After that, the certificate is imported with the desired provider:
"Microsoft Enhanced Cryptographic Provider v1.0"
Can you fix it?
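
The workaround above as an added example, not part of the original post or of ACME-PS: a PowerShell wrapper around the same two openssl commands that always deletes the intermediate PEM (which holds the private key unencrypted because of -nodes) and uses openssl's -CSP option to record the provider name in the new PFX. The function name, parameter names and the temp-file location are assumptions made for illustration.

```powershell
# Added example; Convert-PfxKeyProvider and its parameters are hypothetical names.
function Convert-PfxKeyProvider {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $OutPath,
        # The two provider names the issue lists as accepted by Exchange 2013.
        [ValidateSet('Microsoft Enhanced Cryptographic Provider v1.0',
                     'Microsoft RSA SChannel Cryptographic Provider')]
        [string] $Provider = 'Microsoft Enhanced Cryptographic Provider v1.0',
        [string] $OpenSsl = 'openssl.exe'
    )

    $PfxPath = (Resolve-Path -LiteralPath $PfxPath).Path

    # The intermediate PEM contains the private key in the clear (-nodes),
    # so give it a random name in the per-user temp directory.
    $pem = Join-Path ([System.IO.Path]::GetTempPath()) `
                     ([System.IO.Path]::GetRandomFileName() + '.pem')

    try {
        # Step 1 of the workaround: unpack certificate and key.
        # openssl prompts for the import password; none is passed on the command line.
        & $OpenSsl pkcs12 -in $PfxPath -out $pem -nodes
        if ($LASTEXITCODE -ne 0) {
            throw "openssl pkcs12 (unpack) failed with exit code $LASTEXITCODE"
        }

        # Step 2 of the workaround: repack. -CSP writes the Microsoft CSP name
        # into the PFX so the import lands on that provider.
        & $OpenSsl pkcs12 -export -in $pem -out $OutPath -CSP $Provider
        if ($LASTEXITCODE -ne 0) {
            throw "openssl pkcs12 (export) failed with exit code $LASTEXITCODE"
        }
    }
    finally {
        # Runs on success and on failure. Remove-Item only unlinks the file;
        # it does not overwrite the key material on disk.
        if (Test-Path -LiteralPath $pem) {
            Remove-Item -LiteralPath $pem -Force
        }
    }

    Get-Item -LiteralPath $OutPath
}

# Convert-PfxKeyProvider -PfxPath .\certificate.pfx -OutPath .\new_certificate.pfx
```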