Is there a way to decode pfx file with the x509-certificate-exporter? #42

Closed
strossan opened this issue Aug 12, 2021 · 3 comments
Labels: question, wontfix, x509-certificate-exporter

@strossan

No description provided.

@npdgm npdgm self-assigned this Aug 13, 2021
@npdgm npdgm added question Further information is requested x509-certificate-exporter labels Aug 13, 2021
@npdgm
Member

npdgm commented Aug 13, 2021

Hi @strossan,
It is not possible to read PKCS#12 bundles with this exporter for now; only PEM-encoded X.509 certificates are supported.
I'm interested in new use cases and would like to evaluate whether this could be implemented.
Would you mind telling us more about the typical environment where you encounter these files? What platform and software stack, if they are commonly known tools? This is only out of curiosity, because as maintainers of this project we don't see many PKCS files these days, especially not on systems where the x509-certificate-exporter is deployed.
Thank you

@strossan
Author

We started to implement Kubernetes environments recently. For the moment, we use Azure Kubernetes Services (AKS). As part of our process, we create keyvaults in Azure so we can encrypt values for the various SaaS we use and pass the information to our microservices. It happens to be done with PKCS#12.
I put in the request because it could be something you support or may want to support down the road. Thanks for considering it.

@npdgm npdgm added the wontfix This will not be worked on label Aug 8, 2022
@npdgm npdgm transferred this issue from enix/helm-charts Aug 8, 2022
@npdgm
Member

npdgm commented Aug 8, 2022

Hi,
Implementing support for PKCS#12 has been evaluated a couple of times. When working on version 3 we investigated what libraries could be used, as the standard golang library barely provides interfaces for this format.
We ultimately decided not to support PKCS#12.

Friction points are:

  • unsatisfactory standard library and wish not to depend on large crypto packages
  • conflicts on how to handle both formats: probing files doesn't feel like a clean method, and the remaining choice is to significantly refactor code and command-line arguments
  • PKCS#12 bundles are more complex and raise problems we didn't have to handle with PEM blobs. We don't want to purposely ignore corner cases.
  • likely risk of having to alter metrics specifications

So eventually we will only support PEM for the time being. Design choices have been made on these premises and it keeps things simple and easier to maintain.

@npdgm npdgm closed this as completed Aug 8, 2022
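
The format-probing friction point from the last comment, as an added Go example using only the standard library (not the exporter's code). `ProbeFormat` and the sample byte strings are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

// pfxHead mirrors the start of the PKCS#12 PFX structure:
// SEQUENCE { version INTEGER (3), authSafe ContentInfo, ... }.
type pfxHead struct {
	Version  int
	AuthSafe struct {
		ContentType asn1.ObjectIdentifier
		Content     asn1.RawValue `asn1:"tag:0,explicit,optional"`
	}
}

var (
	oidData       = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1} // pkcs7-data
	oidSignedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2} // pkcs7-signedData
)

// ProbeFormat (hypothetical helper) guesses a container format from content alone.
func ProbeFormat(data []byte) string {
	if block, _ := pem.Decode(data); block != nil {
		return "pem"
	}
	var head pfxHead
	if _, err := asn1.Unmarshal(data, &head); err != nil || head.Version != 3 {
		return "unknown" // bare DER certificates and BER-encoded bundles end up here
	}
	if ct := head.AuthSafe.ContentType; ct.Equal(oidData) || ct.Equal(oidSignedData) {
		return "pkcs12"
	}
	return "unknown"
}

// Constructed samples: structural skeletons only, no real certificates or keys.
var (
	pfxBody = []byte{0x02, 0x01, 0x03, 0x30, 0x0f, 0x06, 0x09, 0x2a, 0x86, 0x48,
		0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x02, 0x04, 0x00}
	SampleDER = append([]byte{0x30, 0x14}, pfxBody...)                     // PFX, definite length
	SampleBER = append(append([]byte{0x30, 0x80}, pfxBody...), 0x00, 0x00) // PFX, indefinite length
	SampleCrt = []byte{0x30, 0x02, 0x30, 0x00}                             // DER whose first element is a SEQUENCE
	SamplePEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: SampleCrt})
)

func main() {
	for _, s := range [][]byte{SamplePEM, SampleDER, SampleBER, SampleCrt} {
		fmt.Println(ProbeFormat(s))
	}
}
```

The BER sample carries the same PFX content as the DER one but is reported as `unknown`, because `encoding/asn1` accepts DER only and rejects indefinite lengths.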