v. 0.9.0.316 Get-ACMECertificate -ExportPkcs12 - pfx file ends up with "garbage" in CERT_FRIENDLY_NAME_PROP_ID(11) #283

Closed
LubomirH opened this issue Aug 13, 2017 · 2 comments

Comments

@LubomirH

Hi,
while exporting the certificate with v. 0.9.0.316 using the -ExportPkcs12 option, the CERT_FRIENDLY_NAME_PROP_ID(11) property of the end-entity certificate gets populated with some "garbage"; see the snip of the certutil -dump output below ;)
Also, the exported file is 16 KB due to this.
Exporting just the certificate in PEM or DER format behaves OK.

~
  CERT_KEY_CONTEXT_PROP_ID(5):
    hCryptProv = 000001D157151E00
    KeySpec = 1 -- AT_KEYEXCHANGE

  CERT_FRIENDLY_NAME_PROP_ID(11):
      [0]         Version: 3
         SerialNumber: 294597297531182112653731106124750001751979
             IssuerDN: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
           Start Date: 8/12/2017 6:16:00 PM
           Final Date: 11/10/2017 6:16:00 PM
            SubjectDN: CN=gallery.domain.tld
           Public Key: Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters
  Signature Algorithm: SHA-256withRSA
            Signature: 716b9018b1c350b517324da4854eda426147e11c
                       551769a794204657f6b643faf73901b394b10b56
                       a38becc399383b5e5ad063c88df3e9527eb12d3f
                       2072ce8e49d91b953888f8c28e5a5c28d6565a82
                       f094997e765c147efda521eebe3961e49bee96eb
                       bcba0f5042381400837c05780877329a12798260
                       2d7d3c1615c533712aed81c54b896688d3fd4dfc
                       3e3a3acbbb0d5bf77615a24949c37fa898d60b5c
                       1ca598fbd0583958cfdb722cd22e4cc8d48cfbd2
                       f725cb96fbb2bfe7e17e0951e5891d09afee95dd
                       be9b6cc9cb3dbc5b09b76d2a1a565be90ff1f167
                       b89d7cb801fe7164a9a63eb619e09e39f0481874
                       b4e994d64840d5a6eb6d2b91885fd130
       Extensions:
                       critical(True) KeyUsage: 0xA0
                       critical(False) 2.5.29.37 value = DER Sequence
    ObjectIdentifier(1.3.6.1.5.5.7.3.1)
    ObjectIdentifier(1.3.6.1.5.5.7.3.2)

                       critical(True) BasicConstraints: isCa(False)
                       critical(False) 2.5.29.14 value = DER Octet String[20]

                       critical(False) 2.5.29.35 value = DER Sequence
    Tagged [0] IMPLICIT
        DER Octet String[20]

                       critical(False) 1.3.6.1.5.5.7.1.1 value = DER Sequence
    DER Sequence
        ObjectIdentifier(1.3.6.1.5.5.7.48.1)
        Tagged [6] IMPLICIT
            DER Octet String[34]
    DER Sequence
        ObjectIdentifier(1.3.6.1.5.5.7.48.2)
        Tagged [6] IMPLICIT
            DER Octet String[35]

                       critical(False) 2.5.29.17 value = DER Sequence
    Tagged [2] IMPLICIT
        DER Octet String[17]

                       critical(False) 2.5.29.32 value = DER Sequence
    DER Sequence
        ObjectIdentifier(2.23.140.1.2.1)
    DER Sequence
        ObjectIdentifier(1.3.6.1.4.1.44947.1.1.1)
        DER Sequence
            DER Sequence
                ObjectIdentifier(1.3.6.1.5.5.7.2.1)
                IA5String(http://cps.letsencrypt.org)
            DER Sequence
                ObjectIdentifier(1.3.6.1.5.5.7.2.2)
                DER Sequence
                    UTF8String(This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/)



  CERT_ACCESS_STATE_PROP_ID(14):
  AccessState = 0
~
ebekker added a commit that referenced this issue Aug 16, 2017
The entry key used to generate the BC PFX export was passed along as the
friendly name, needed to pick a better key
@ebekker (Owner) commented Aug 16, 2017

Found the culprit: it was in the BouncyCastle provider for PKI functions. When exporting cert + key in PKCS12 (PFX) format, BC requires the use of an entry ID or alias, which translates into the FriendlyName of the cert when imported by .NET/Windows code.

I cleaned up the ID/alias that I used, which previously was a serialized version of the whole cert. Unfortunately, one of the issues still remaining is that now the cert friendly name will by default actually be a blank string instead of none; I tried various permutations to address this, but none of them worked.

You can still override the Friendly Name with something meaningful when using the installers (IIS, Win Cert Store), but if you don't override it, it will appear blank in the cert store instead of <None> like it's really supposed to.
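
As an added example (not ACMESharp's or BouncyCastle's code, and not part of the original thread), here is a small pure-Python DER walker that pulls the PKCS#9 friendlyName bag attribute (OID 1.2.840.113549.1.9.20) out of PKCS#12 bytes and flags a value that looks like a serialised certificate rather than a short alias. The BouncyCastle entry alias discussed above is carried in exactly this attribute, as a BMPString, and it is what Windows surfaces as CERT_FRIENDLY_NAME_PROP_ID. The sample input is constructed inline: it has the shape of the unencrypted key-bag ContentInfo of a PFX with an empty placeholder where the shrouded key would be, so it is not a loadable PFX; the 64-character threshold, the verdict labels and all function names are my own choices.

```python
"""Pull PKCS#9 friendlyName bag attributes out of PKCS#12 (PFX) bytes.
Added example for this thread, not ACMESharp/BouncyCastle code. Pure Python,
DER only; sees bags in unencrypted ContentInfo (decrypt EncryptedData first)."""
FRIENDLY_NAME_OID = "1.2.840.113549.1.9.20"   # PKCS#9 friendlyName (BMPString)
LOCAL_KEY_ID_OID = "1.2.840.113549.1.9.21"    # PKCS#9 localKeyId
PKCS7_DATA_OID = "1.2.840.113549.1.7.1"       # id-data ContentInfo
SHROUDED_KEY_BAG_OID = "1.2.840.113549.1.12.10.1.2"

def _read_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER TLV at pos; single-byte tags only."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated or multi-byte tag")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:                      # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, pos, pos + length

def _children(buf, start, end):
    # TLVs that exactly tile [start, end); raises if they do not.
    kids, pos = [], start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        if ve > end:
            raise ValueError("overrun")
        kids.append((tag, vs, ve))
        pos = ve
    return kids

def _decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("bad OID")
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _walk(buf, start, end, found):
    try:
        kids = _children(buf, start, end)
        # Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF ANY }
        if (len(kids) == 2 and kids[0][0] == 0x06 and kids[1][0] == 0x31
                and _decode_oid(buf[kids[0][1]:kids[0][2]]) == FRIENDLY_NAME_OID):
            for tag, vs, ve in _children(buf, kids[1][1], kids[1][2]):
                if tag == 0x1E:            # BMPString, UTF-16BE per PKCS#12
                    found.append(buf[vs:ve].decode("utf-16-be"))
            return
    except ValueError:
        return                             # not DER (raw key bytes etc.)
    for tag, vs, ve in kids:
        if tag & 0x20 or tag == 0x04:      # constructed, or OCTET STRING wrapping DER
            _walk(buf, vs, ve, found)

def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:                  # base-128 with continuation bits
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_pfx_fragment(friendly_name):
    """Constructed sample (not a loadable PFX): AuthenticatedSafe -> ContentInfo(data)
    -> SafeContents -> pkcs8ShroudedKeyBag, with an empty SEQUENCE in place of the
    encrypted key and the friendlyName/localKeyId attributes BC attaches."""
    attrs = _tlv(0x31,
        _tlv(0x30, _encode_oid(FRIENDLY_NAME_OID)
             + _tlv(0x31, _tlv(0x1E, friendly_name.encode("utf-16-be"))))
        + _tlv(0x30, _encode_oid(LOCAL_KEY_ID_OID) + _tlv(0x31, _tlv(0x04, b"\x01"))))
    bag = _tlv(0x30, _encode_oid(SHROUDED_KEY_BAG_OID) + _tlv(0xA0, _tlv(0x30, b"")) + attrs)
    content = _tlv(0x30, _encode_oid(PKCS7_DATA_OID) + _tlv(0xA0, _tlv(0x04, _tlv(0x30, bag))))
    return _tlv(0x30, content)

def find_friendly_names(der):
    found = []
    _walk(der, 0, len(der), found)
    return found

def audit_friendly_names(der, max_len=64):
    """(name, verdict) per friendlyName: a multi-line or over-long value is the
    symptom in this issue, an empty one is the post-fix state ebekker describes."""
    report = []
    for name in find_friendly_names(der):
        verdict = ("SUSPICIOUS" if "\n" in name or len(name) > max_len
                   else "EMPTY" if name == "" else "OK")
        report.append((name, verdict))
    return report
```

Against a real file, `audit_friendly_names(open("site.pfx", "rb").read())` reports the names of bags that sit in an unencrypted ContentInfo; bags inside an EncryptedData ContentInfo have to be decrypted first (`openssl pkcs12 -in site.pfx -info -nokeys -nodes` prints the friendlyName of each bag after asking for the password, and `certutil -dump site.pfx` shows the same value as the Windows property, as in the dump above). Feeding `build_pfx_fragment` a multi-line certificate dump as the alias reproduces both symptoms the report describes: the value is flagged and the fragment grows by roughly two bytes per character, since BMPString is UTF-16.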

@ebekker (Owner) commented Aug 16, 2017

The fixed version is available in the pre-release feed and will be pushed to the gallery soon.
