CZERTAINLY / CZERTAINLY-Core

CZERTAINLY - core of the platform managing certificate lifecycle management related tasks
https://www.czertainly.com
MIT License

Enable working with .pfx files in CZERTAINLY #814

Open doloban opened 1 month ago

doloban commented 1 month ago

At this moment I believe there is no support for .pfx files in CZERTAINLY.

It would be useful to add an option to import and export .pfx files from the Certificate Inventory.

3keyroman commented 3 weeks ago

The following draft issue was created for this feature: https://github.com/orgs/CZERTAINLY/projects/5/views/1?sliceBy%5Bvalue%5D=Certificates+%26+Requests&pane=issue&itemId=75318048

Basically, what we would like to do is use the already implemented cryptographic keys inventory feature to store the private key associated with the certificate in the keystore. Once the user uploads the keystore, the private key can be imported into a token, and we can then benefit from the key inside the inventory when it is needed to process some data.

We can forget the password for the keystore when it is successfully imported. The certificate will be visible in inventory with the associated key.

When the user (with appropriate permission) would like to download the certificate with such a key, there will be an option to download the certificate in PFX format. The user will provide their own password and the PFX file will be downloaded, secured by the chosen password (we do not need to remember the original password from when it was imported).

However, there are a few implementation challenges that must be solved, for example:

@doloban do you have any further suggestion or ideas on this feature?

doloban commented 3 weeks ago

Thanks for the response. Yes, I totally agree with the idea of using your already implemented Cryptographic Keys Component for this scenario, as the private key of the certificate could be stored in the Key Store during its import. After that, the user could see a key icon in the certificate list, in the row that holds the whole .pfx instead of just the certificate.

Also, in the past I have experimented with the Location and Entity Components. As I remember, they are supposed to provide a path for key stores and certificate stores. Could it be possible to create a Location with the full path to a certificate store containing all the .pfx files, and after that choose an option to import all .pfx files from that specific location straight into the CZERTAINLY inventory?

3keyroman commented 3 weeks ago

Yes, this is the idea of how to implement it; however, it will be available only for tokens with the capability to import and export a clear-text key, which will then be wrapped in the PFX. Typically it would be software based, because certified hardware devices would not allow it.

Entities and locations are independent of this; please create a new issue or discussion.
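The import-then-export flow sketched by 3keyroman above (upload a .pfx with its original password, keep the key in a token and the certificate in the inventory, discard the upload password, and later wrap key and certificate into a fresh PFX under a password the user chooses), as an added example that is not part of the CZERTAINLY code base. It uses the `openssl` command line only; the "token" is a plain directory of PEM files standing in for a software token, which is the case 3keyroman describes as being able to hand out the clear-text key. The sample certificate, the file names and the passwords `upload-secret` and `user-chosen` are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not CZERTAINLY code: .pfx import into a software "token" and
# re-export under a new password, mirroring the flow proposed in the issue.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a throwaway self-signed key pair bundled into the .pfx a
# user would upload. Only the .pfx survives; the loose key is deleted.
make_sample_pfx() {  # $1 = password the uploader protected the file with
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example-import" \
    -keyout "$WORK/orig.key" -out "$WORK/orig.crt" -days 1 >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/orig.crt" -inkey "$WORK/orig.key" \
    -passout "pass:$1" -out "$WORK/upload.pfx"
  rm -f "$WORK/orig.key" "$WORK/orig.crt"
}

# "Import": open the keystore with the upload password, store the certificate
# for the inventory and the clear-text key in the token. The upload password is
# not written anywhere, so it is forgotten as soon as this function returns.
import_pfx() {  # $1 = pfx path, $2 = upload password, $3 = token directory
  mkdir -p "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -out "$3/cert.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | openssl pkey -out "$3/key.pem"
  chmod 600 "$3/key.pem"
}

# "Export": wrap the token's clear-text key and the certificate into a new PFX
# protected by the password the downloading user just chose. A token that cannot
# release the key (the hardware case in the thread) fails the guard and exports
# nothing.
export_pfx() {  # $1 = token directory, $2 = user-chosen password, $3 = output pfx
  [ -f "$1/key.pem" ] || { echo "token cannot export the private key" >&2; return 1; }
  openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
    -passout "pass:$2" -out "$3"
}

# Report whether a PFX opens with the given password ("ok" or "fail"): the MAC
# check fails for any password other than the one used at export time.
pfx_opens_with() {  # $1 = pfx path, $2 = password to try
  if openssl pkcs12 -in "$1" -passin "pass:$2" -noout -nokeys >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Run the whole flow: the downloaded file opens only with the new password.
demo() {
  make_sample_pfx "upload-secret"
  import_pfx "$WORK/upload.pfx" "upload-secret" "$WORK/token"
  export_pfx "$WORK/token" "user-chosen" "$WORK/download.pfx"
  echo "new password:      $(pfx_opens_with "$WORK/download.pfx" user-chosen)"
  echo "original password: $(pfx_opens_with "$WORK/download.pfx" upload-secret)"
}

demo
```

The two `openssl pkcs12` reads in `import_pfx` are piped through `openssl x509` and `openssl pkey` to strip the "Bag Attributes" preamble, so the token holds clean PEM objects. Because `export_pfx` only ever needs `key.pem` and `cert.pem`, nothing about the original keystore (its password, its friendly names, its encryption scheme) has to be retained, which is exactly the property the thread relies on.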