Venafi / VenafiPS

Powershell module to fully automate your Venafi TLS Protect Datacenter and Cloud platforms!
https://venafips.readthedocs.io/
Apache License 2.0

Export-VdcCertificate "PEM (OpenSSL)" with key #298

Closed jidelaf closed 1 month ago

jidelaf commented 1 month ago

Can you please let me know what flags/options I should use in the cmdlet Export-VdcCertificate to download a certificate with the following settings, which I would do from the Venafi web GUI:

Download:
Format "PEM (OpenSSL)"
Also Include:
   Root Chain -> NO
   Private key: -> YES
Password / Repeat Password: -> YES
Extract PEM content into separate files (.crt .key) yes

Our goal is to do an automation to download the certificate in PEM (OpenSSL) format and its private key. We can do that successfully from the web GUI with the previous settings.

I have tried using Export-VdcCertificate with the -Base64 flag, but when I add -PrivateKeyPassword I get an error like:

Export-VdcCertificate: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.

Our version is: Venafi Trust Protection Platform version 21.4.5.4454

Module version

Get-InstalledModule venafips 
Version              Name                                Repository           Description
-------              ----                                ----------           -----------
6.4.2                VenafiPS                            PSGallery            Automate your Venafi TLS Protect Datacenter and Cloud platforms!
jidelaf commented 1 month ago

By the way, those are the Cert requirements of the Vendor:

gdbarron commented 1 month ago

Only pkcs8 and pkcs12 support private keys. The error you received is due to an invalid set of params


What you want to use is Export-VdcCertificate -Path $certPath -Pkcs8 -PrivateKeyPassword 'mySecretPass!' -OutPath $out

Also, just a heads up that v21.4 is no longer supported and I would recommend upgrading.

gdbarron commented 1 month ago

@jidelaf did this work for you?

jidelaf commented 1 month ago

Hello @gdbarron YES! Your example did the trick and I now have the three files .key .crt .pem in the same folder :)

Export-VdcCertificate -Path $venafiCertID -Pkcs8 -OutPath $outpath -PrivateKeyPassword $KeyPWEncrypted -verbose

The vendor only accepts unencrypted key files, so I then managed to decrypt the key file using OpenSSL binaries locally:

.\openssl-1.0.2u-x64_86-win64\openssl.exe pkcs8 -passin pass:$KeyPW -in $encryptedkeyfile -out $unencryptedkeyfile

I had to use a very old version of OpenSSL, "openssl-1.0.2u-x64_86-win64", because if I use the newest OpenSSL version 3.x I get an error about legacy providers not being available.

Thank you!
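The two steps discussed in this thread, the -Pkcs8 export gdbarron pointed to and the OpenSSL passphrase removal jidelaf needed afterwards, put together in one script. This is an added example, not code from the thread or from the VenafiPS project. It assumes Export-VdcCertificate -Pkcs8 writes a .key file next to the .crt in -OutPath (as jidelaf reports), that -PrivateKeyPassword accepts a SecureString (jidelaf passes $KeyPWEncrypted), and that the "legacy providers not available" error from OpenSSL 3.x is resolved by loading the legacy provider alongside the default one with the standard -provider option, which avoids falling back to the unsupported 1.0.2 build. $CertPath, $OutDir and the OpenSSL path are placeholders.

```powershell
# Added example (not from the issue or the VenafiPS project).
# Exports a certificate plus PKCS#8 private key from TLS Protect Datacenter,
# then strips the passphrase with OpenSSL 3.x for a vendor that only accepts
# unencrypted key files, verifying the key matches the certificate before use.
param(
    [Parameter(Mandatory)] [string] $CertPath,   # hypothetical, e.g. '\VED\Policy\Certificates\host.example.com'
    [Parameter(Mandatory)] [string] $OutDir,     # directory that will receive .crt/.key/.pem
    [string] $OpenSsl = 'openssl'                # path to an OpenSSL 3.x binary
)

# 1. Random transport passphrase. It only protects the key for the moment it sits
#    on disk in encrypted PKCS#8 form, so it never needs to be known to a human.
$rngBytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rngBytes)
$transportPass = [Convert]::ToBase64String($rngBytes)
$securePass = ConvertTo-SecureString $transportPass -AsPlainText -Force

# 2. The parameter set from the thread: -Pkcs8 is one of the two formats that can carry a key.
Export-VdcCertificate -Path $CertPath -Pkcs8 -PrivateKeyPassword $securePass -OutPath $OutDir

$encKey = Get-ChildItem -Path $OutDir -Filter '*.key' | Select-Object -First 1
$cert   = Get-ChildItem -Path $OutDir -Filter '*.crt' | Select-Object -First 1
if (-not $encKey -or -not $cert) { throw "Expected .key and .crt files in $OutDir" }
$plainKey = Join-Path $OutDir ($encKey.BaseName + '.unencrypted.key')

# 3. Decrypt with OpenSSL 3.x. The passphrase is handed over through an environment
#    variable (-passin env:) rather than the command line, so it does not show up in
#    process listings. Assumption: the PBE used by the export lives in the legacy
#    provider, which is what the "legacy providers not available" error refers to.
$env:VENAFI_KEYPASS = $transportPass
try {
    & $OpenSsl pkcs8 -provider legacy -provider default `
        -passin env:VENAFI_KEYPASS -in $encKey.FullName -out $plainKey
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs8 failed with exit code $LASTEXITCODE" }
}
finally {
    Remove-Item Env:\VENAFI_KEYPASS -ErrorAction SilentlyContinue
}

# 4. Sanity check: the public key derived from the decrypted private key must equal
#    the one in the certificate, otherwise the wrong file was exported or decrypted.
$pubFromKey  = & $OpenSsl pkey -in $plainKey -pubout 2>$null
$pubFromCert = & $OpenSsl x509 -in $cert.FullName -pubkey -noout 2>$null
if (($pubFromKey -join "`n") -ne ($pubFromCert -join "`n")) {
    Remove-Item $plainKey -Force
    throw 'Decrypted key does not match the certificate; plaintext key discarded'
}

# 5. The plaintext key is now the sensitive artefact: restrict it to the current user only.
icacls $plainKey /inheritance:r /grant:r "$($env:USERNAME):R" | Out-Null
Write-Output "Unencrypted key written to $plainKey (matches $($cert.Name))"
```

Run it as `.\Export-UnencryptedKey.ps1 -CertPath $venafiCertID -OutDir C:\certs` after New-VenafiSession. The encrypted .key from step 2 can be left in place; the file produced in step 5 is the one to hand to the vendor, and deleting it as soon as it has been delivered keeps the window in which an unencrypted key exists on the build host as short as possible.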

gdbarron commented 1 month ago

Great, glad to hear it!