Venafi / vcert

Go client SDK and command line utility designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
https://support.venafi.com/hc/en-us/articles/217991528
Apache License 2.0

VCert CLI format pkcs12 retrieves certificate and private key separately instead of as keystore #135

Open tr1ck3r opened 3 years ago

tr1ck3r commented 3 years ago

PROBLEM SUMMARY

VCert CLI format pkcs12 retrieves certificate and private key separately instead of as keystore

STEPS TO REPRODUCE

  1. Log into WebAdmin
  2. Grant a user WebSDK access and view/read/write/create permission to a policy folder (zone)
  3. For the folder from the previous step, set the 'Private Key PBE Algorithm' policy to 'High security but low system compatibility (SHA256 AES256)'
  4. Execute the following command (note this uses Windows syntax):
    
    vcert enroll -u https://tpp.venafi.example --tpp-user local:carla --tpp-password newPassw0rd! --csr service -z VCert\P12 --cn case1.vcert.io --format pkcs12 --file case1.p12 --key-password newPassw0rd!

    vCert: 2019/06/26 08:48:18 Successfully connected to TPP
    vCert: 2019/06/26 08:48:18 Successfully read zone configuration for VCert\P12
    vCert: 2019/06/26 08:48:18 Successfully created request for case1.vcert.io
    vCert: 2019/06/26 08:48:18 Successfully posted request for case1.vcert.io, will pick up by \VED\Policy\VCert\P12\case1.vcert.io
    vCert: 2019/06/26 08:48:18 Issuance of certificate is pending...
    vCert: 2019/06/26 08:48:23 unable to retrieve: Unexpected status code on TPP Certificate Retrieval. Status: 400 Private key not found, please modify your selection.

  5. Back in WebAdmin, navigate to the VCert\P12\case1.vcert.io certificate, change the 'CSR Generation' setting to 'Service Generated CSR', then click 'Renew Now' to enroll a new certificate where the key/CSR are centrally generated by TPP.
  6. Execute the following command:

    vcert pickup -u https://tpp.venafi.example --tpp-user local:carla --tpp-password newPassw0rd! --pickup-id \VED\Policy\VCert\P12\case1.vcert.io --format pkcs12 --file case1.p12 --key-password newPassw0rd!

    vCert: 2019/06/26 08:50:41 Successfully connected to TPP
    vCert: 2019/06/26 08:50:41 Failed to retrieve certificate: unable to retrieve: Unexpected status code on TPP Certificate Retrieval. Status: 400 OpenSSL format is not allowed because a higher PBE algorithm is required in policy.


**EXPECTED RESULTS**
The `enroll --csr service --format pkcs12` command should be setting the "Manual Csr" attribute in TPP to a value of 0 so that the key/CSR are centrally generated.

For enroll `--csr service --format pkcs12` and `pickup --format pkcs12`, VCert should be calling **POST certificates/retrieve** with the Format parameter set to a value of "PKCS #12" to download the keystore rather than constructing it locally from the individual certificate, private key, and chain certificates. This will make the "Private Key PBE Algorithm" policy irrelevant since that only applies to PEM formatted private keys.

**ACTUAL RESULTS**
As shown in the command output from the repro steps.

**COMMENTS/WORKAROUNDS**
Enrolling with local CSR generation (default) and the pkcs12 format works as expected:

    vcert enroll -u https://tpp.venafi.example --tpp-user local:carla --tpp-password newPassw0rd! -z VCert\P12 --cn case2.vcert.io --format pkcs12 --file case2.p12 --key-password newPassw0rd!

    vCert: 2019/06/26 09:12:42 Successfully connected to TPP
    vCert: 2019/06/26 09:12:42 Successfully read zone configuration for VCert\P12
    vCert: 2019/06/26 09:12:42 Successfully created request for case2.vcert.io
    vCert: 2019/06/26 09:12:42 Successfully posted request for case2.vcert.io, will pick up by \VED\Policy\VCert\P12\case2.vcert.io
    vCert: 2019/06/26 09:12:42 Issuance of certificate is pending...
    vCert: 2019/06/26 09:12:47 Successfully retrieved request for \VED\Policy\VCert\P12\case1.vcert.io PickupID="\VED\Policy\VCert\P12\case2.vcert.io"


Users will still encounter the PBE algorithm error if they attempt `--csr service` with `--format pem` or `json` but that should be dealt with in a separate issue because that's an enhancement rather than a bug (i.e. adding support for PKCS#8 private keys).
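As an added illustration, not code from this issue or from the vcert project: a small Go program that makes the `certificates/retrieve` call the report asks for, against a mock TPP that reproduces the two 400 replies quoted in the repro steps. It shows why asking the server for "PKCS #12" sidesteps the "Private Key PBE Algorithm" policy, which only governs PEM-encoded keys, and why a locally generated key can never be picked up from TPP at all. Only the Format parameter and the value "PKCS #12" come from the issue; the other JSON field names, the `/vedsdk/certificates/retrieve` path and the `X-Venafi-Api-Key` header are assumed from the TPP WebSDK, and the keystore bytes are a constructed placeholder, not a real PKCS#12 file.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// retrieveRequest is the body for POST certificates/retrieve. Only Format and the
// value "PKCS #12" come from the issue; the other names are assumed (TPP WebSDK).
type retrieveRequest struct {
	CertificateDN string `json:"CertificateDN"`
	Format        string `json:"Format"`
	Password      string `json:"Password,omitempty"`
	IncludeChain  bool   `json:"IncludeChain"`
}

// retrieveResponse carries the returned file, base64-encoded (field name assumed).
type retrieveResponse struct {
	CertificateData string `json:"CertificateData"`
}

// Error texts quoted from the command output in the issue.
const (
	errNoKey = "Private key not found, please modify your selection."
	errPBE   = "OpenSSL format is not allowed because a higher PBE algorithm is required in policy."
)

// keystoreBytes is a constructed placeholder for the PKCS#12 file TPP would build.
var keystoreBytes = []byte("CONSTRUCTED-PKCS12-PLACEHOLDER")

// newMockTPP imitates a folder with the high-security PBE policy: a locally generated
// key is not on the server (step 4), a PEM-style "Base64" pickup of a service-generated
// key is refused by policy (step 6), and "PKCS #12" returns the server-built keystore.
func newMockTPP(serviceGeneratedKey bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req retrieveRequest
		if r.URL.Path != "/vedsdk/certificates/retrieve" || json.NewDecoder(r.Body).Decode(&req) != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		switch {
		case !serviceGeneratedKey:
			http.Error(w, errNoKey, http.StatusBadRequest)
		case req.Format == "PKCS #12":
			json.NewEncoder(w).Encode(retrieveResponse{
				CertificateData: base64.StdEncoding.EncodeToString(keystoreBytes),
			})
		default:
			http.Error(w, errPBE, http.StatusBadRequest)
		}
	}))
}

// retrieveKeystore calls certificates/retrieve and returns the decoded file, or an
// error carrying the HTTP status and the server's message on a non-200 reply.
func retrieveKeystore(baseURL, apiKey, dn, format, password string) ([]byte, error) {
	body, _ := json.Marshal(retrieveRequest{CertificateDN: dn, Format: format, Password: password, IncludeChain: true})
	req, err := http.NewRequest(http.MethodPost, baseURL+"/vedsdk/certificates/retrieve", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("X-Venafi-Api-Key", apiKey) // header name assumed from the TPP WebSDK
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("Unexpected status code on TPP Certificate Retrieval. Status: %d %s",
			resp.StatusCode, strings.TrimSpace(string(raw)))
	}
	var out retrieveResponse
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(out.CertificateData)
}

func main() {
	srv := newMockTPP(true) // the renewed, service-generated certificate from step 5
	defer srv.Close()
	dn := `\VED\Policy\VCert\P12\case1.vcert.io`
	if _, err := retrieveKeystore(srv.URL, "constructed-api-key", dn, "Base64", "newPassw0rd!"); err != nil {
		fmt.Println("PEM-style pickup:", err) // the policy error from step 6
	}
	p12, err := retrieveKeystore(srv.URL, "constructed-api-key", dn, "PKCS #12", "newPassw0rd!")
	if err != nil {
		panic(err)
	}
	fmt.Printf("PKCS #12 pickup: %d bytes of keystore\n", len(p12))
}
```

The decisive design point is where the keystore is assembled: when the client asks for "PKCS #12", TPP wraps key, certificate and chain itself and the PEM-only PBE policy never enters the picture, whereas fetching the pieces in "Base64" and building the PKCS#12 locally forces a PEM private-key export that the policy forbids.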

tr1ck3r commented 3 years ago

Believe this would require significant refactoring. May only be worthwhile in the context of adding support for Java Keystore (jks) format.

This issue is related to https://github.com/Venafi/vcert/issues/41.

rvelaVenafi commented 5 months ago

@tr1ck3r is this issue addressed for you?