Venafi / VenafiPS

Powershell module to fully automate your Venafi TLS Protect Datacenter and Cloud platforms!
https://venafips.readthedocs.io/
Apache License 2.0

Allow certificate renewal without key reuse #264

Closed NathanBowdish closed 4 months ago

NathanBowdish commented 4 months ago

Environment

Full Operating System:
VenafiPS version: Downloaded Main
PowerShell version:  5.1.14393.6343
TLSPDC version (if applicable):

Steps to reproduce

Invoke-VcCertificateAction -ID $certificateId -Renew

Expected behavior

Certificate successfully renewed

Actual behavior

The remote server returned an error: (412) Precondition Failed.

gdbarron commented 4 months ago

Hi @NathanBowdish. Thanks for reporting and for posting your first issue :)

Can you tell me a bit about your certificate in addition to how it was created, ask or csr? Is it current and active? You can confirm the status and version with Get-VcCertificate -ID $certificateId.

Can you also run the command with -verbose and provide the (sanitized) output?

NathanBowdish commented 4 months ago

Greg,

Thank you for the work you are doing on this.

The cert was created in Venafi Cloud, no CSR from the server, if that's what you mean.

This is piggybacking on what AprajitaPriya had posted: Invoke-VcCertificateAction -Renew not working #262. You fixed that issue and did a PR to Main; I downloaded Main and that is what I'm currently trying to use.

Here is the Output

encryptionType : RSA
keyStrength : 2048
subjectKeyIdentifierHash : 8B27B27171BD99D1EE5EB906F26152472F917D5A
authorityKeyIdentifierHash : 3E14D0A517AA292F27288024AE39931E4189F9D1
serialNumber : 4B00000C1EEBE1B041484AE42B000000000C1E
subjectDN : cn= voyagerxxx.xxx.xxx,ou=Cybersecurity,o=xxx,c=US,st=Washington,l=XXXX
subjectCN : {voyagerxxx.xxx.xxx}
subjectO : XXXX
subjectOU : {Cybersecurity}
subjectST : Washington
subjectL : XXXX
subjectC : US
subjectAlternativeNamesByType : @{otherName=System.Object[]; rfc822Name=System.Object[]; dNSName=System.Object[]; x400Address=System.Object[]; directoryName=System.Object[]; ediPartyName=System.Object[]; uniformResourceIdentifier=System.Object[]; iPAddress=System.Object[]; registeredID=System.Object[]}
subjectAlternativeNameDns : { voyagerxxx.xxx.xxx }
issuerDN : cn=XXXXINTERNALCA03,0.9.2342.19200300.100.1.25=org,0.9.2342.19200300.100.1.25=XXXX,0.9.2342.19200300.100.1.25=inside
issuerCN : {XXXXXXXXX}
keyUsage : {digitalSignature, keyEncipherment}
extendedKeyUsage : {1.3.6.1.5.5.7.3.1}
ocspNoCheck : False
versionType : CURRENT
serialNumber=390000002252DF3476DB729ABD000000000022; subjectDN=cn=XXXXINTERNALCA03,0.9.2342.19200300.100.1.25=org,0.9.2342.19200300.100.1.25=XXXX,0.9.2342.19200300.100.1.25=inside; subjectCN=System.Object[]; subjectAlternativeNamesByType=; issuerDN=cn=XXXXROOTCA; issuerCN=System.Object[]; keyUsage=System.Object[]; pathLength=0; ocspNoCheck=False; versionType=CURRENT; totalInstanceCount=1; totalActiveInstanceCount=0; instances=System.Object[]; ownership=}, @{id=ab5f9110-a3f7-11ed-b8ed-2d0416e4af6b; companyId=85d375a0-8038-11e5-bf87-317fe88bb23a; managedCertificateId=ab7c67e0-a3f7-11ed-b373-f1e3707d3405; fingerprint=F1B4E184462621F66F60A00FBE34CCD6A048DEB3; certificateName=XXXXX; issuerCertificateIds=System.Object[]; certificateStatus=ACTIVE; modificationDate=2024-02-29T16:44:34.519+00:00; validityStart=2016-10-24T19:12:30.000+00:00; validityEnd=2036-10-24T19:16:59.000+00:00; selfSigned=True; signatureAlgorithm=SHA256_WITH_RSA_ENCRYPTION; signatureHashAlgorithm=SHA256; encryptionType=RSA; keyStrength=2048; subjectKeyIdentifierHash=FD7E9A4265AC381BC97F7F45EBB67ABF382AEAA7; serialNumber=1582A981D841FFAD45B931214E952784; subjectDN=cn=XXXXROOTCA; subjectCN=System.Object[]; subjectAlternativeNamesByType=; issuerDN=cn=XXXXROOTCA; issuerCN=System.Object[]; keyUsage=System.Object[]; pathLength=1; ocspNoCheck=False; versionType=CURRENT; totalInstanceCount=1; totalActiveInstanceCount=0; instances=System.Object[]; ownership=}}

VERBOSE: Using script session
VERBOSE: {"ContentType":"application/json","Method":"Get","Headers":{"tppl-api-key":"hidden"},"UseBasicParsing":true,"Uri":"https://api.venafi.cloud/outagedetection/v1/certificates/44491930-b60f-11ee-bf75-9798121d6e8d?ownershipTree=true"}
VERBOSE: GET https://api.venafi.cloud/outagedetection/v1/certificates/44491930-b60f-11ee-bf75-9798121d6e8d?ownershipTree=true with 0-byte payload
VERBOSE: received 5853-byte response of content type application/json
VERBOSE: Using script session
VERBOSE: {"ContentType":"application/json","Method":"Get","Headers":{"tppl-api-key":"hidden"},"UseBasicParsing":true,"Uri":"https://api.venafi.cloud/outagedetection/v1/applications/90522f70-25a9-11ee-8e58-c9df4e72279d"}
VERBOSE: GET https://api.venafi.cloud/outagedetection/v1/applications/90522f70-25a9-11ee-8e58-c9df4e72279d with 0-byte payload
VERBOSE: received 873-byte response of content type application/json
VERBOSE: Using script session
VERBOSE: {"ContentType":"application/json","Method":"Get","Headers":{"tppl-api-key":"hidden"},"UseBasicParsing":true,"Uri":"https://api.venafi.cloud/outagedetection/v1/certificaterequests/428681a0-b60f-11ee-8d31-e1cabc53f9a0"}
VERBOSE: GET https://api.venafi.cloud/outagedetection/v1/certificaterequests/428681a0-b60f-11ee-8d31-e1cabc53f9a0 with 0-byte payload
VERBOSE: received 2156-byte response of content type application/json
VERBOSE: Using script session
VERBOSE: {"UseBasicParsing":true,"Method":"Post","Uri":"https://api.venafi.cloud/outagedetection/v1/certificaterequests","Body":{"existingCertificateId":"44491930-b60f-11ee-bf75-9798121d6e8d","applicationId":"90522f70-25a9-11ee-8e58-c9df4e72279d","reuseCSR":true,"certificateIssuingTemplateId":"871a4960-20f4-11ee-a6ac-b3f7f9dc765a"},"ContentType":"application/json","Headers":{"tppl-api-key":"hidden"}}
VERBOSE: Response status code 412

CertificateID : 44491930-b60f-11ee-bf75-9798121d6e8d
Success       : False
Error         : The remote server returned an error: (412) Precondition Failed.


gdbarron commented 4 months ago

Assuming you didn't change any of the uuids, can you please try the following and let me know the output?

$body = @{
    existingCertificateId        = '44491930-b60f-11ee-bf75-9798121d6e8d'
    certificateIssuingTemplateId = '871a4960-20f4-11ee-a6ac-b3f7f9dc765a'
    applicationId                = '90522f70-25a9-11ee-8e58-c9df4e72279d'
    reuseCSR                     = $true
}
Invoke-WebRequest -Headers @{'tppl-api-key' = $VenafiSession.Key.GetNetworkCredential().password } -Uri 'https://api.venafi.cloud/outagedetection/v1/certificaterequests' -Method Post -Body ($body | ConvertTo-Json) -ContentType 'application/json'

NathanBowdish commented 4 months ago

Invoke-WebRequest : {"errors":[{"code":10746,"message":"Key reuse is not allowed","args":[]}]}
At C:\agent3_work\35\s\NathanTest\Pipelines\Renew-CertVenafi.ps1:52 char:1


gdbarron commented 4 months ago

Thanks! Looks like you haven't turned on key reuse with your issuing template. Go to your Issuing Template, scroll to the bottom, and turn this option on.

image

If you have any questions on this feature, please reach out to support.

I will work on ensuring this additional information is captured in the error VenafiPS provides.
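As an added example (not VenafiPS code and not gdbarron's), here is a wrapper around the raw request posted above that reads the body of a failed response and raises the API's own error code and message, so a 412 comes back as "[10746] Key reuse is not allowed" rather than only "Precondition Failed". It assumes an existing $VenafiSession created by the module's New-VenafiSession; the function name and parameters are hypothetical.

```powershell
# Added example, not part of VenafiPS: post a renewal request and surface the
# API error detail on failure. Written for Windows PowerShell 5.1, where a
# non-2xx response is raised as System.Net.WebException and the error body is
# only reachable through the response stream.
function Invoke-VcRenewalRequest {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $ExistingCertificateId,
        [Parameter(Mandatory)] [string] $CertificateIssuingTemplateId,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [bool] $ReuseCSR = $true
    )

    # Same body shape as the request posted in this thread
    $body = @{
        existingCertificateId        = $ExistingCertificateId
        certificateIssuingTemplateId = $CertificateIssuingTemplateId
        applicationId                = $ApplicationId
        reuseCSR                     = $ReuseCSR
    }
    $params = @{
        Uri             = 'https://api.venafi.cloud/outagedetection/v1/certificaterequests'
        Method          = 'Post'
        Headers         = @{ 'tppl-api-key' = $VenafiSession.Key.GetNetworkCredential().password }  # assumes New-VenafiSession ran
        Body            = ($body | ConvertTo-Json)
        ContentType     = 'application/json'
        UseBasicParsing = $true
    }

    try {
        $response = Invoke-WebRequest @params
        return ($response.Content | ConvertFrom-Json)
    }
    catch [System.Net.WebException] {
        $webResponse = $_.Exception.Response
        if (-not $webResponse) { throw }   # DNS/TLS/connect failure: nothing more to add

        $status = [int]$webResponse.StatusCode
        $reader = New-Object System.IO.StreamReader($webResponse.GetResponseStream())
        $raw    = $reader.ReadToEnd()
        $reader.Dispose()

        # The API returns {"errors":[{"code":...,"message":...,"args":[]}]}; fall back to the raw body
        $detail = $null
        try { $detail = ($raw | ConvertFrom-Json).errors } catch { }

        if ($detail) {
            $msg = ($detail | ForEach-Object { "[$($_.code)] $($_.message)" }) -join '; '
        }
        else {
            $msg = $raw
        }
        throw "Renewal request failed with HTTP $status for certificate ${ExistingCertificateId}: $msg"
    }
}

# Usage (ids are placeholders, substitute your own):
# Invoke-VcRenewalRequest -ExistingCertificateId '<certificate id>' `
#     -CertificateIssuingTemplateId '<issuing template id>' -ApplicationId '<application id>'
```

On PowerShell 7 the failure is raised as HttpResponseException instead, and its body is already available on the ErrorRecord, so the catch clause would need a second branch there; the 5.1 path above matches the version reported at the top of this issue.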

NathanBowdish commented 4 months ago

How do we use VenafiPS to renew a certificate with a new private key, because key reuse is not allowed?


gdbarron commented 4 months ago

@NathanBowdish can you give this a go? https://github.com/Venafi/VenafiPS/tree/renew-without-key-reuse

STOTTCO commented 4 months ago

@gdbarron Hello Greg, I'm another engineer from BECU who is also following this issue. I have tried your new branch and encountered an issue with it. In VenafiPS/Public/Invoke-VcCertificateAction.ps1 it's missing a required csrAttribute 'SubjectCN' in the switch starting on line 176. You will also have to cast the SubjectCN to a string to make it work, since the return object of SubjectCN in $thisCert = Get-VcCertificate -ID $ID is an array and the CertificateRequest endpoint seems to only accept a string for the subjectCN CSR attribute. My local branch is currently working with this.

                switch ($thisCert.PSObject.Properties.Name) {
                    'subjectCN' { $renewParams.csrAttributes.commonName = [string]$thisCert.subjectCN }
...
gdbarron commented 4 months ago

Thanks Connor, I appreciate you pointing this out. I've added this, but instead of converting to string, I'm selecting the first item in the array since converting multiple items to string would be an issue. I've also added a check for multiple CNs and -Force switch to override default behavior.
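An added example, not the module's own implementation, of the csrAttributes mapping this exchange settles on: subjectCN comes back from Get-VcCertificate as an array, the request endpoint wants one string, so the function takes the first CN and refuses a certificate with several CNs unless -Force is given. Only subjectCN and csrAttributes.commonName are named in the thread; the other attribute names (organization, organizationalUnits, locality, state, country, subjectAlternativeNamesByType.dnsNames), the function name and the sample object are assumptions.

```powershell
# Added example, not VenafiPS code: build csrAttributes for a renewal that
# generates a new key, from the object Get-VcCertificate -ID $ID returns.
function New-RenewalCsrAttribute {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [psobject] $Certificate,   # output of Get-VcCertificate
        [switch] $Force                                    # allow a multi-CN cert, using its first CN
    )

    $csr = @{}
    # Mirrors the switch over property names from the branch discussed above;
    # attribute names other than commonName are assumed
    foreach ($name in $Certificate.PSObject.Properties.Name) {
        switch ($name) {
            'subjectCN' {
                $cn = @($Certificate.subjectCN)          # always treat as array, even for one value
                if ($cn.Count -gt 1 -and -not $Force) {
                    throw "Certificate has $($cn.Count) common names ($($cn -join ', ')); only one can be sent. Rerun with -Force to use the first."
                }
                $csr.commonName = [string]$cn[0]         # first item, not the array joined into one string
            }
            'subjectO'  { $csr.organization        = [string]$Certificate.subjectO }
            'subjectOU' { $csr.organizationalUnits = @($Certificate.subjectOU) }
            'subjectL'  { $csr.locality            = [string]$Certificate.subjectL }
            'subjectST' { $csr.state               = [string]$Certificate.subjectST }
            'subjectC'  { $csr.country             = [string]$Certificate.subjectC }
            'subjectAlternativeNameDns' {
                $csr.subjectAlternativeNamesByType = @{ dnsNames = @($Certificate.subjectAlternativeNameDns) }
            }
        }
    }

    if (-not $csr.ContainsKey('commonName')) {
        throw 'subjectCN is required to build the CSR attributes'
    }
    return $csr
}

# Constructed sample shaped like the Get-VcCertificate output earlier in this
# issue (values are placeholders); it deliberately carries two CNs.
$sampleCert = [pscustomobject]@{
    subjectCN                 = @('voyagerxxx.xxx.xxx', 'alias.xxx.xxx')
    subjectO                  = 'XXXX'
    subjectOU                 = @('Cybersecurity')
    subjectST                 = 'Washington'
    subjectL                  = 'XXXX'
    subjectC                  = 'US'
    subjectAlternativeNameDns = @('voyagerxxx.xxx.xxx')
}

try { New-RenewalCsrAttribute -Certificate $sampleCert } catch { Write-Warning $_ }   # throws: two CNs, no -Force
$csrAttributes = New-RenewalCsrAttribute -Certificate $sampleCert -Force            # uses the first CN

# Request body for a renewal with a fresh key (ids are placeholders); that
# reuseCSR = $false is paired with csrAttributes this way is an assumption.
$renewParams = @{
    existingCertificateId        = '<certificate id>'
    certificateIssuingTemplateId = '<issuing template id>'
    applicationId                = '<application id>'
    reuseCSR                     = $false
    csrAttributes                = $csrAttributes
}
```

Taking the first CN silently would change the subject of the renewed certificate without anyone noticing, which is why the multi-CN case throws by default and -Force is an explicit opt-in.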

STOTTCO commented 4 months ago

Great call on the -force, much cleaner than my suggestion. Your update works for me, at least for a basic SSL certificate.

gdbarron commented 4 months ago

Great, thanks for confirming.

gdbarron commented 4 months ago

#266

aprajitapriya commented 4 months ago

Hi @gdbarron, I tried out the latest main branch. Cert renewal works, but I need to pass the applicationId to the Invoke-VcCertificateAction command, otherwise it throws the error below, even though the cert is tagged to a single application.

PS E:\Certs\VenafiPS-main\VenafiPS-main\VenafiPS> $result = Invoke-VcCertificateAction -ID $certificateId -Renew

PS E:\Certs\VenafiPS-main\VenafiPS-main\VenafiPS> $result.Error
Multiple applications associated, APP-ITBSR (90522f70-25a9-11ee-8e58-c9df4e72279d). Only 1 application can be renewed at a time. Rerun Invoke-VcCertificateAction and add '-AdditionalParameter @{'Application'='application id'}' and provide the actual id you would like to renew.

gdbarron commented 4 months ago

Thanks @aprajitapriya. I see the issue and given both Connor and I tested, I'm not sure how it got past. Please use the workaround for now and I'll get a fix out shortly.

gdbarron commented 4 months ago

@aprajitapriya v.6.2.1 has the fix.