Venafi / vcert

Go client SDK and command line utility designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
https://support.venafi.com/hc/en-us/articles/217991528
Apache License 2.0

[VCert 5.0-rc1] No way to specify a PKCS12 specific password #322

Closed luispresuelVenafi closed 1 year ago

luispresuelVenafi commented 1 year ago

BUSINESS PROBLEM Currently, the only way to set a password on the generated PKCS12 file is through setting the private key password. This leads to them sharing the same password all the time, and there's no way to specify a different password for the PKCS12 file.

PROPOSED SOLUTION In the stable version of VCert we have a P12 password flag, as follows:

    --p12-password value    Use to specify the password for a client PKCS#12 archive. Use in combination with --p12-file option.

I propose that we have a p12 password field as p12Password and it would be used as follows:

- type: PKCS12
  location: "/path/to/my/certificate/cert.p12"
  p12Password: myP12password
  afterInstallAction: "echo Success!!!"

This makes it possible to set a password for the P12 file that overrides taking the same password as the private key.

Behavior should be as follows:

1) private key password and p12 password are set: p12 password is taken for p12 file
2) private key password is not set but p12 password is set: p12 password is taken for p12 file
3) private key password is set but p12 password is not set: private key is taken for p12 file
4) private key password and p12 are not set: p12 is left with no password

CURRENT ALTERNATIVES None for this use case
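The four cases proposed in the comment above, as an added shell example (not vcert code and not written by either commenter): it resolves the archive password with the proposed precedence, then checks with the openssl CLI which password actually opens the resulting PKCS#12 file. The function names `resolve_p12_password` and `p12_opens_with`, the passwords and the certificate subject are constructed for illustration, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added illustration, not vcert code. Assumes the openssl CLI is on PATH.
# Function names, passwords and the certificate subject are constructed.
# "pass:" arguments are visible in the process list; prefer file: or env:
# password sources outside a throwaway demo.

# Precedence proposed in the issue: the P12 password wins; otherwise fall
# back to the private key password; if both are empty, no password is used.
resolve_p12_password() {   # $1 = private key password, $2 = P12 password
    if [ -n "$2" ]; then printf '%s' "$2"; else printf '%s' "$1"; fi
}

# Create a throwaway self-signed certificate, export it to PKCS#12 with the
# resolved password, then return 0 only if candidate password $3 opens it.
# Returns 2 if the setup steps themselves fail.
p12_opens_with() {         # $1 = key password, $2 = P12 password, $3 = candidate
    dir=$(mktemp -d) || return 2
    archive_pw=$(resolve_p12_password "$1" "$2")

    # Leave the key unencrypted only when no key password was given.
    nodes=
    [ -n "$1" ] || nodes=-nodes

    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=constructed.example" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -passout "pass:$1" $nodes 2>/dev/null || { rm -rf "$dir"; return 2; }

    # -passin unlocks the private key; -passout protects the archive.
    # The two are independent, which is what the proposal relies on.
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passin "pass:$1" -passout "pass:$archive_pw" \
        -out "$dir/cert.p12" 2>/dev/null || { rm -rf "$dir"; return 2; }

    # -noout only verifies the archive MAC with the candidate password.
    openssl pkcs12 -in "$dir/cert.p12" -passin "pass:$3" -noout 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

For example, `p12_opens_with key-secret p12-secret key-secret` returns non-zero, because in case 1 the archive no longer shares the private key's password.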

rvelaVenafi commented 1 year ago

After investigation, I found the following:

Given these reasons, I consider this task not necessary, as no changes are required in the current logic of vcert playbook