Venafi / vcert

Go client SDK and command line utility designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
https://support.venafi.com/hc/en-us/articles/217991528
Apache License 2.0

Cannot pickup certs in any format other than PEM #281

Open bohrasaurabh opened 1 year ago

bohrasaurabh commented 1 year ago

PROBLEM SUMMARY I am unable to pick up the certs in any format other than PEM. The workaround provided by the Venafi team to our organization didn't work. I was told to use the 4.16.x release to use any format other than PEM.

STEPS TO REPRODUCE

./vcert pickup -u https://myfqdn.host.com/ -t MY_TOKEN \
--pickup-id \\VED\\Policy\\Certificates\\PATH_TO\\CERT.com \
--format jks --file CERT.com.jks --jks-alias CERT.com \
--key-password TestPassw0rd#123 --jks-password TestPassw0rd#123

vCert: 2023/03/16 14:05:47 Successfully connected to Trust Protection Platform
vCert: 2023/03/16 14:05:50 Successfully retrieved request for \VED\Policy\Certificates\PATH_TO\CERT.com
vCert: 2023/03/16 14:05:50 ERROR: To continue, you must select either the SHA1 3DES or SHA256 AES256 private key PBE algorithm. In a web browser, log in to TLS Protect and go to Configuration > Folders, select your zone, then click Certificate Policy and expand Show Advanced Options to make the change.

COMMENTS/WORKAROUNDS The workaround is to use the 4.16.x release.

luispresuelVenafi commented 1 year ago

Hi @bohrasaurabh, thank you for reaching out.

The error you are seeing does not match what you say. As the error message suggests, in VCert 4.17.x and above we dropped support for MD5 encryption, so you must select one of the other two algorithms for your policies; otherwise, pickup won't work.

That said, I did a test on my own, and indeed, there's a bug:

$ vcert pickup -u https:/******* -t *******  --pickup-id \path\to\test.example.com --format jks --file CERT.com --jks-alias CERT.com --key-password TestPassw0rd#123 --jks-password TestPassw0rd#123
vCert: 2023/03/16 15:34:13 Successfully connected to Trust Protection Platform
vCert: 2023/03/16 15:34:13 Failed to retrieve certificate: unable to retrieve: Unexpected status code on TPP Certificate Retrieval. Status: 400 Failed to lookup private key, error: Failed to lookup private key vault id

It does work if you remove the JKS part:

$ vcert pickup -u https:/******* -t *******  --pickup-id \path\to\test.example.com
vCert: 2023/03/16 15:32:54 Successfully connected to Trust Protection Platform
vCert: 2023/03/16 15:32:54 Successfully retrieved request for \path\to\test.example.com
-----BEGIN CERTIFICATE-----
MIIH3zCCBcegAwIBAgITbQCxYPZLYx2yaw6VIwAAALFg9jANBgkqhkiG9w0BAQsF

bohrasaurabh commented 1 year ago

@luispresuelVenafi - It does work without the format option.