Open ruckc opened 1 year ago
The problem is that you specify no private key. The interface with OpenSSL that cryptography and PyOpenSSL use to handle PKCS12 files is very limited and will extract the main certificate (the one with the friendly name) as an 'other' certificate if there is no private key present. Thus the module sees that you provided a main certificate, but the PKCS12 file has no main certificate, and treats this as a mismatch.
So we have basically two choices (when a main certificate is provided, but no private key):
Right now we do 2., which causes the file to be regenerated in your case.
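The mechanism described above can be reproduced directly with the `cryptography` PKCS#12 API. The following is an added example (not code from community.crypto or from this issue): it builds a key-less "truststore" holding one certificate, shows that `load_key_and_certificates` returns no main certificate and reports the entry under the additional certificates instead, and contrasts a naive "main certificate must match" comparison with one that tolerates the key-less case. The self-signed certificate is throwaway test data generated at runtime; the function names are assumptions for illustration only.

```python
"""Why a PKCS#12 file with a certificate but no private key looks like a
'mismatch' to a naive idempotency check, and one way to account for it.

Added example, not community.crypto code. Requires the `cryptography` package.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def make_self_signed_cert(common_name: str) -> x509.Certificate:
    """Generate a throwaway self-signed certificate (constructed test data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )


def build_truststore(cert: x509.Certificate, friendly_name: bytes = b"trust-entry") -> bytes:
    """Serialize a PKCS#12 'truststore': one certificate and no private key,
    which is exactly the situation described in the issue."""
    return pkcs12.serialize_key_and_certificates(
        name=friendly_name,
        key=None,  # no private key on purpose
        cert=cert,
        cas=None,
        encryption_algorithm=serialization.NoEncryption(),
    )


def parse_truststore(data: bytes):
    """Return (private_key, main_cert, other_certs) as the library reports them.
    With no private key present, main_cert comes back as None and the
    certificate appears in other_certs."""
    key, main_cert, others = pkcs12.load_key_and_certificates(data, None)
    return key, main_cert, list(others or [])


def naive_needs_regeneration(data: bytes, wanted: x509.Certificate) -> bool:
    """The 'mismatch' logic: only the main-certificate slot is compared, so a
    key-less file always looks wrong and would be regenerated on every run."""
    _, main_cert, _ = parse_truststore(data)
    return main_cert != wanted


def keyless_aware_needs_regeneration(data: bytes, wanted: x509.Certificate) -> bool:
    """Same comparison, but when the file carries no private key the wanted
    certificate is accepted anywhere in the extracted set, since the parser
    cannot tell which entry was meant to be 'main'."""
    key, main_cert, others = parse_truststore(data)
    if key is None:
        return not (main_cert == wanted or wanted in others)
    return main_cert != wanted


if __name__ == "__main__":
    cert = make_self_signed_cert("truststore.example")
    p12 = build_truststore(cert)
    key, main_cert, others = parse_truststore(p12)
    print("key:", key, "main cert:", main_cert, "other certs:", len(others))
    print("naive check says regenerate:", naive_needs_regeneration(p12, cert))
    print("key-aware check says regenerate:", keyless_aware_needs_regeneration(p12, cert))
```

Running the script shows the main-certificate slot empty and the single entry reported as an "other" certificate, so the naive check reports a change on every run while the key-aware check reports none once the wanted certificate is present.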
In my use case, I'm trying to build a PKCS12 truststore for a Java application. While using keytool would work, it's much slower, and it would require us to install and maintain/patch a JRE outside of a container... just to insert a certificate into a PKCS12 store.
This issue also seems to appear if other_certificates is used :/
EDIT: I can't reproduce my issue with a generic playbook like used in this issue. Thus forget my comment here, I will check what is wrong on my target system.
EDIT2:
ok it is related to other_certificates, but only with the old cryptography==3.2.1 version.
SUMMARY
openssl_pkcs12 always changed when only importing a certificate
ISSUE TYPE
COMPONENT NAME
openssl_pkcs12
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
Ubuntu 22.04, local apply
STEPS TO REPRODUCE
EXPECTED RESULTS
On the 2nd run, I expect changed=0.
ACTUAL RESULTS
changed=1, the truststore.p12 is changed every time.