Allow certificate renewal without key reuse #264
Assignees
Labels
enhancement
New feature or request
Comments
|
Hi @NathanBowdish. Thanks for reporting and for posting your first issue :) Can you tell me a bit about your certificate in addition to how it was created, ask or csr? Is it current and active? You can confirm the status and version with Can you also run the command with |
|
Greg,
Thank you for the work you are doing on this.
The Cert was created in Venafi Cloud no CSR from the server if that’s what you mean.
This is piggybacking on what AprajitaPriya had posted - Invoke-VcCertificateAction -Renew not working #262
You fixed that issue and did PR to Main, I downloaded Main that is what I’m currently trying to use
Here is the Output
encryptionType : RSA
keyStrength : 2048
subjectKeyIdentifierHash : 8B27B27171BD99D1EE5EB906F26152472F917D5A
authorityKeyIdentifierHash : 3E14D0A517AA292F27288024AE39931E4189F9D1
serialNumber : 4B00000C1EEBE1B041484AE42B000000000C1E
subjectDN : cn= voyagerxxx.xxx.xxx,ou=Cybersecurity,o=xxx,c=US,st=Washington,l=XXXX
subjectCN : {voyagerxxx.xxx.xxx}
subjectO : XXXX
subjectOU : {Cybersecurity}
subjectST : Washington
subjectL : XXXX
subjectC : US
subjectAlternativeNamesByType : @{otherName=System.Object[]; rfc822Name=System.Object[]; dNSName=System.Object[];
x400Address=System.Object[]; directoryName=System.Object[];
ediPartyName=System.Object[]; uniformResourceIdentifier=System.Object[];
iPAddress=System.Object[]; registeredID=System.Object[]}
subjectAlternativeNameDns : { voyagerxxx.xxx.xxx }
issuerDN : cn=XXXXINTERNALCA03,0.9.2342.19200300.100.1.25=org,0.9.2342.19200300.100.1.25=XXXX,0.9.
2342.19200300.100.1.25=inside
issuerCN : {XXXXXXXXX}
keyUsage : {digitalSignature, keyEncipherment}
extendedKeyUsage : {1.3.6.1.5.5.7.3.1}
ocspNoCheck : False
versionType : CURRENT
serialNumber=390000002252DF3476DB729ABD000000000022; subjectDN=cn=XXXXINTERNALCA03,0.9.
2342.19200300.100.1.25=org,0.9.2342.19200300.100.1.25=XXXX,0.9.2342.19200300.100.1.25=i
nside; subjectCN=System.Object[]; subjectAlternativeNamesByType=;
issuerDN=cn=XXXXROOTCA; issuerCN=System.Object[]; keyUsage=System.Object[];
pathLength=0; ocspNoCheck=False; versionType=CURRENT; totalInstanceCount=1;
totalActiveInstanceCount=0; instances=System.Object[]; ownership=},
@{id=ab5f9110-a3f7-11ed-b8ed-2d0416e4af6b;
companyId=85d375a0-8038-11e5-bf87-317fe88bb23a;
managedCertificateId=ab7c67e0-a3f7-11ed-b373-f1e3707d3405;
fingerprint=F1B4E184462621F66F60A00FBE34CCD6A048DEB3; certificateName=XXXXX;
issuerCertificateIds=System.Object[]; certificateStatus=ACTIVE;
modificationDate=2024-02-29T16:44:34.519+00:00;
validityStart=2016-10-24T19:12:30.000+00:00;
validityEnd=2036-10-24T19:16:59.000+00:00; selfSigned=True;
signatureAlgorithm=SHA256_WITH_RSA_ENCRYPTION; signatureHashAlgorithm=SHA256;
encryptionType=RSA; keyStrength=2048;
subjectKeyIdentifierHash=FD7E9A4265AC381BC97F7F45EBB67ABF382AEAA7;
serialNumber=1582A981D841FFAD45B931214E952784; subjectDN=cn=XXXXROOTCA;
subjectCN=System.Object[]; subjectAlternativeNamesByType=; issuerDN=cn=XXXXROOTCA;
issuerCN=System.Object[]; keyUsage=System.Object[]; pathLength=1; ocspNoCheck=False;
versionType=CURRENT; totalInstanceCount=1; totalActiveInstanceCount=0;
instances=System.Object[]; ownership=}}
VERBOSE: Using script session
VERBOSE:
{"ContentType":"application/json","Method":"Get","Headers":{"tppl-api-key":"***hidden***"},"UseBasicParsing":true,"Uri"
:"https://api.venafi.cloud/outagedetection/v1/certificates/44491930-b60f-11ee-bf75-9798121d6e8d?ownershipTree=true"}<https://api.venafi.cloud/outagedetection/v1/certificates/44491930-b60f-11ee-bf75-9798121d6e8d?ownershipTree=true%22%7d>
VERBOSE: GET
https://api.venafi.cloud/outagedetection/v1/certificates/44491930-b60f-11ee-bf75-9798121d6e8d?ownershipTree=true with
0-byte payload
VERBOSE: received 5853-byte response of content type application/json
VERBOSE: Using script session
VERBOSE:
{"ContentType":"application/json","Method":"Get","Headers":{"tppl-api-key":"***hidden***"},"UseBasicParsing":true,"Uri"
:"https://api.venafi.cloud/outagedetection/v1/applications/90522f70-25a9-11ee-8e58-c9df4e72279d"}<https://api.venafi.cloud/outagedetection/v1/applications/90522f70-25a9-11ee-8e58-c9df4e72279d%22%7D>
VERBOSE: GET https://api.venafi.cloud/outagedetection/v1/applications/90522f70-25a9-11ee-8e58-c9df4e72279d with 0-byte
payload
VERBOSE: received 873-byte response of content type application/json
VERBOSE: Using script session
VERBOSE:
{"ContentType":"application/json","Method":"Get","Headers":{"tppl-api-key":"***hidden***"},"UseBasicParsing":true,"Uri"
:"https://api.venafi.cloud/outagedetection/v1/certificaterequests/428681a0-b60f-11ee-8d31-e1cabc53f9a0"}<https://api.venafi.cloud/outagedetection/v1/certificaterequests/428681a0-b60f-11ee-8d31-e1cabc53f9a0%22%7D>
VERBOSE: GET https://api.venafi.cloud/outagedetection/v1/certificaterequests/428681a0-b60f-11ee-8d31-e1cabc53f9a0 with
0-byte payload
VERBOSE: received 2156-byte response of content type application/json
VERBOSE: Using script session
VERBOSE:
{"UseBasicParsing":true,"Method":"Post","Uri":"https://api.venafi.cloud/outagedetection/v1/certificaterequests","Body"<https://api.venafi.cloud/outagedetection/v1/certificaterequests%22,%22Body%22>:
{"existingCertificateId":"44491930-b60f-11ee-bf75-9798121d6e8d","applicationId":"90522f70-25a9-11ee-8e58-c9df4e72279d",
"reuseCSR":true,"certificateIssuingTemplateId":"871a4960-20f4-11ee-a6ac-b3f7f9dc765a"},"ContentType":"application/json"
,"Headers":{"tppl-api-key":"***hidden***"}}
VERBOSE: Response status code 412
CertificateID : 44491930-b60f-11ee-bf75-9798121d6e8d
Success : False
Error : The remote server returned an error: (412) Precondition Failed.
From: Greg Brownstein ***@***.***>
Sent: Thursday, February 29, 2024 4:13 PM
To: Venafi/VenafiPS ***@***.***>
Cc: Nathan Bowdish ***@***.***>; Mention ***@***.***>
Subject: [EXTERNAL] Re: [Venafi/VenafiPS] Invoke-VcCertificateAction -Renew New Issue (Issue #264)
You don't often get email from ***@***.******@***.***>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>
EXTERNAL MESSAGE!
Caution: This message originated outside of XXXX. Please do not open attachments or click links from an unknown or suspicious source. Report suspicious emails by clicking on the Report Email button.
…________________________________
Hi @NathanBowdish<https://github.com/NathanBowdish>. Thanks for reporting and for posting your first issue :)
Can you tell me a bit about your certificate in addition to how it was created, ask or csr? Is it current and active? You can confirm the status and version with Get-VcCertificate -ID $certificateId.
Can you also run the command with -verbose and provide the (sanitized) output?
—
Reply to this email directly, view it on GitHub<#264 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BGSGCRE6EKRDQUKJV27VN3TYV7BYVAVCNFSM6AAAAABEAYYD5SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNZSGE4DSNRSGY>.
You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>
NOTICE: This communication and any attachments may contain privileged or otherwise confidential information. If you are not the intended recipient or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you received without printing, copying, re-transmitting, disseminating, or otherwise using the information. Thank you.
|
|
Assuming you didn't change any of the uuids, can you please try the following and let me know the output? |
|
Invoke-WebRequest : {"errors":[{"code":10746,"message":"Key reuse is not allowed","args":[]}]}
At C:\agent3\_work\35\s\NathanTest\Pipelines\Renew-CertVenafi.ps1:52 char:1
+ Invoke-WebRequest -Headers @{'tppl-api-key' = $VenafiSession.Key.GetN ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
From: Greg Brownstein ***@***.***>
Sent: Friday, March 1, 2024 6:40 AM
To: Venafi/VenafiPS ***@***.***>
Cc: Nathan Bowdish ***@***.***>; Mention ***@***.***>
Subject: [EXTERNAL] Re: [Venafi/VenafiPS] Invoke-VcCertificateAction -Renew New Issue (Issue #264)
You don't often get email from ***@***.******@***.***>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>
EXTERNAL MESSAGE!
Caution: This message originated outside of BECU. Please do not open attachments or click links from an unknown or suspicious source. Report suspicious emails by clicking on the Report Email button.
…________________________________
Assuming you didn't change any of the uuids, can you please try the following and let me know the output?
$body = @{
existingCertificateId = '44491930-b60f-11ee-bf75-9798121d6e8d'
certificateIssuingTemplateId = '871a4960-20f4-11ee-a6ac-b3f7f9dc765a'
applicationId = '90522f70-25a9-11ee-8e58-c9df4e72279d'
reuseCSR = $true
}
Invoke-WebRequest -Headers @{'tppl-api-key' = $VenafiSession.Key.GetNetworkCredential().password } -Uri 'https://api.venafi.cloud/outagedetection/v1/certificaterequests' -Method Post -Body ($body | ConvertTo-Json) -ContentType 'application/json'
—
Reply to this email directly, view it on GitHub<#264 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BGSGCRCIHAHLN4UOZSIGVIDYWCHNTAVCNFSM6AAAAABEAYYD5SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNZTGMZDANZZGU>.
You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>
NOTICE: This communication and any attachments may contain privileged or otherwise confidential information. If you are not the intended recipient or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you received without printing, copying, re-transmitting, disseminating, or otherwise using the information. Thank you.
|
|
Thanks! Looks like you haven't turned on key reuse with your issuing template. Go to your Issuing Template, scroll to the bottom, and turn this option on.
If you have any questions on this feature, please reach out to support. I will work on ensuring this additional information is captured in the error VenafiPS provides. |
|
How do we use VenafiPS to renew certificate with new private key because key reuse is not allowed
From: Greg Brownstein ***@***.***>
Sent: Friday, March 1, 2024 11:33 AM
To: Venafi/VenafiPS ***@***.***>
Cc: Nathan Bowdish ***@***.***>; Mention ***@***.***>
Subject: [EXTERNAL] Re: [Venafi/VenafiPS] Invoke-VcCertificateAction -Renew New Issue (Issue #264)
You don't often get email from ***@***.******@***.***>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>
EXTERNAL MESSAGE!
Caution: This message originated outside of BECU. Please do not open attachments or click links from an unknown or suspicious source. Report suspicious emails by clicking on the Report Email button.
…________________________________
Thanks! Looks like you haven't turned on key reuse with your issuing template. Go to your Issuing Template, scroll to the bottom, and turn this option on.
image.png (view on web)<https://github.com/Venafi/VenafiPS/assets/11862024/12d808d3-a6f8-493a-b08c-1cc1795f72b3>
If you have any questions on this feature, please reach out to support.
I will work on ensuring this additional information is captured in the error VenafiPS provides.
—
Reply to this email directly, view it on GitHub<#264 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BGSGCRHZJRQBUGURBWI4X4TYWDJXTAVCNFSM6AAAAABEAYYD5SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNZTG44TMOJWGY>.
You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>
NOTICE: This communication and any attachments may contain privileged or otherwise confidential information. If you are not the intended recipient or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you received without printing, copying, re-transmitting, disseminating, or otherwise using the information. Thank you.
|
gdbarron
changed the title
|
@NathanBowdish can you give this a go? https://github.com/Venafi/VenafiPS/tree/renew-without-key-reuse |
|
@gdbarron Hello Greg, im another Engineer from BECU that also is following this issue. I have tried your new branch and encountered an issue with it. in VenafiPS/Public/Invoke-VcCertificateAction.ps1 its missing a required csrAttribute 'SubjectCN' in the switch starting on line 176. You will also have to cast the SubjectCN to a string to make it work since the return object of SubjectCN in $thisCert = Get-VcCertificate -ID $ID is an array and the CertificateRequest Endpoint seems to only accept a string for the subjectCN CSR attributes. My local branch is currently working with this. |
|
Thanks Connor, I appreciate you pointing this out. I've added this, but instead of converting to string, I'm selecting the first item in the array since converting multiple items to string would be an issue. I've also added a check for multiple CNs and |
|
Great call on the |
|
Great, thanks for confirming. |
|
Hi @gdbarron I tried out the latest main branch. Cert Renewal works but I need to pass the applicationId to the Invoke-VcCertificateAction Command otherwise it throws below error. While the cert is tagged to single application. PS E:\Certs\VenafiPS-main\VenafiPS-main\VenafiPS> $result = Invoke-VcCertificateAction -ID $certificateId -Renew PS E:\Certs\VenafiPS-main\VenafiPS-main\VenafiPS> $result.Error |
|
Thanks @aprajitapriya. I see the issue and given both Connor and I tested, I'm not sure how it got past. Please use the workaround for now and I'll get a fix out shortly. |
|
@aprajitapriya v.6.2.1 has the fix. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Environment
Steps to reproduce
Invoke-VcCertificateAction -ID $certificateId -Renew
Expected behavior
Certificate successfully renewed
Actual behavior
The remote server returned an error: (412) Precondition Failed.
The text was updated successfully, but these errors were encountered: