Open taliesins opened 7 years ago
I think the way around this problem is to make use of the PowerShell cmdlets for certificates. When I used the cmdlet instead of the PowerShell generated by Chef I was able to access the certificate's private key.
cmdlet:
Import-PfxCertificate -FilePath C:\chef\cache\test.pfx -CertStoreLocation Cert:\LocalMachine\My
chef powershell:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "C:\chef\cache\test.pfx", "", ([System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeyset)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "MY", ([System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()
I can only think it was implemented this way because perhaps PowerShell 3 did not have this cmdlet. Perhaps Get-Command could be used so that systems that support the cmdlet will use it.
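An added example of the Get-Command approach suggested in the comment above (this is not code from the comment or from the cookbook): import the PFX with Import-PfxCertificate when the PKI module provides it, otherwise fall back to the X509Certificate2/X509Store path with PersistKeySet and MachineKeySet. The parameter names, the empty default password and the store defaults are assumptions made for the example.

```powershell
# Added example, not code from the original post or the cookbook.
# Imports a PFX into a certificate store, preferring Import-PfxCertificate
# (PKI module, Windows 8 / Server 2012 and later) and falling back to the
# .NET X509Certificate2 / X509Store classes on hosts that lack the cmdlet.
param(
    [Parameter(Mandatory)] [string] $PfxPath,
    [string] $Password      = '',             # assumption: empty password, as in the original snippet
    [string] $StoreLocation = 'LocalMachine',
    [string] $StoreName     = 'My'
)

$ErrorActionPreference = 'Stop'

if (Get-Command -Name Import-PfxCertificate -ErrorAction SilentlyContinue) {
    # The cmdlet persists the private key in the machine key store itself.
    $importParams = @{
        FilePath          = $PfxPath
        CertStoreLocation = "Cert:\$StoreLocation\$StoreName"
    }
    if ($Password) {
        # ConvertTo-SecureString rejects an empty string, so only pass -Password when one is set.
        $importParams['Password'] = ConvertTo-SecureString -String $Password -AsPlainText -Force
    }
    $cert = Import-PfxCertificate @importParams
}
else {
    # Older hosts: PersistKeySet keeps the key container after the object is disposed,
    # MachineKeySet places it in the machine key store instead of the caller's profile.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'PersistKeySet, MachineKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($PfxPath, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store ($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()
}

# Sanity check: a PFX without a key would import "successfully" but be useless for TLS/signing.
if (-not $cert.HasPrivateKey) {
    throw "Imported $($cert.Thumbprint) but no private key is attached"
}
"Imported {0} ({1})" -f $cert.Thumbprint, $cert.Subject
```

Run it as the account that will own the key (under Chef that is normally LocalSystem), e.g. `.\Import-Pfx.ps1 -PfxPath C:\chef\cache\test.pfx`. Note that HasPrivateKey being true does not by itself prove the key is reachable by other accounts; the ACL on the key file still has to be set separately.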
@taliesins Thanks for reporting and the extra information. This has been brought up to the team to review.
I experience the reported issue when using Import-PfxCertificate. The issue is that a user imports a certificate and private key from a PKCS package (*.pfx), and the certificate appears to have a private key according to the HasPrivateKey data member, but the PrivateKey data member is null.
The actual problem, as I see it, is with the guard script (at least with Win 2016). When the guard script runs a second time as LocalSystem (Chef configured as a Task) it deletes the private key from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. When the System.Security.Cryptography.X509Certificates.X509Certificate2 class is instantiated it creates a temporary PrivateKey container (with the actual container name), and deletes it when disposed.
@sergeydeg Do you know any way around this?
@sergeydeg and @ilovemysillybanana have a look at #483 and vote for it. This problem exists in .NET 4.6.1 and below. PowerShell leverages .NET so the problem bubbles up.
@ilovemysillybanana I implemented the whole PFX import and ACL in pure PowerShell. It is not out-of-the-box usage, and is strictly tied to my task. I can share the code block if someone can make it more usable to implement in this cookbook. My solution only works with Server 2012 / Windows 8 and up.
@taliesins a comment on your solution: it does not remove the problem with subsequent guard script runs.
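An added example, not from any participant in the thread or from the cookbook, of a guard that avoids the failure mode @sergeydeg describes (the temporary key container created and deleted by instantiating X509Certificate2 from the .pfx file) and the repeated-run problem noted in the comment above. It never touches the .pfx file: it looks the certificate up in the store by thumbprint and checks that the key is actually reachable. It assumes the recipe already knows the expected thumbprint (for instance from a node attribute interpolated into the guard string); the thumbprint value below is a constructed placeholder.

```powershell
# Added example, not code from the thread or the cookbook.
# Guard body for a Chef powershell_script resource: exit 0 means "already installed
# with a usable private key", so with not_if the import resource is skipped.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder; assumed to be supplied by the recipe
$StorePath  = 'Cert:\LocalMachine\My'

function Test-CertificateWithKey {
    param([string] $Thumbprint, [string] $StorePath)

    # Enumerating the store yields X509Certificate2 objects bound to the persisted
    # key container. Unlike 'New-Object X509Certificate2 file.pfx', this creates no
    # temporary container, so nothing is deleted when the objects are disposed.
    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() }

    if ($null -eq $cert)          { return $false }   # not imported yet
    if (-not $cert.HasPrivateKey) { return $false }   # imported, but key missing: re-import

    # HasPrivateKey only reflects the key-provider property on the certificate;
    # opening the key proves the key file still exists. GetRSAPrivateKey (.NET 4.6+)
    # handles both CSP and CNG keys; fall back to PrivateKey on older frameworks,
    # where CNG keys will show as $null and trigger a re-import.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        return ($null -ne $rsa)
    }
    catch {
        return ($null -ne $cert.PrivateKey)
    }
}

if (Test-CertificateWithKey -Thumbprint $Thumbprint -StorePath $StorePath) { exit 0 } else { exit 1 }
```

In a recipe this body would go in the `not_if` guard of the `powershell_script` resource that performs the import, with the thumbprint interpolated from Ruby. Because the guard reads only from the store, it is safe to run on every chef-client run, including under LocalSystem as a scheduled task.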
@sergeydeg I've actually just started working with powershell, but if I could adapt the solution to my own needs I'd be happy to do so and create a pull request after. I'm using windows 2k16 so that would be great.
@taliesins I am new to developing on Windows; my version of Windows is using .NET 4.7, shouldn't I be immune from this problem?
@ilovemysillybanana take a look: chef pfx import acl
@sergeydeg will do! I don't know if it matters but I'm doing this through vagrant when I bake my images. If you guys know of anyone who's done it that way, that'd be great to see.
Cookbook version
Latest version
Chef-client version
Latest version
Platform Details
Windows Server 2012 R2 with the latest patches applied. I have tried to install the latest WMF 5.1 and it did not help.
Scenario:
Trying to set ACL permissions on certificate
Steps to Reproduce:
Expected Result:
Private key permissions to be set for certificate.
Actual Result:
When not setting certificate permissions and loading MMC, you can see that certificate does have a private key.
This does not occur with all certificates. Only when CSP is CNG.
I think the error is related to the following (TL;DR: .NET has problems getting the private key when the CSP is CNG): https://blogs.technet.microsoft.com/vishalagarwal/2010/03/30/verifying-the-private-key-property-for-a-certificate-in-the-store/
And we might be able to fix it using the following: https://stackoverflow.com/questions/17185429/how-to-grant-permission-to-private-key-from-powershell/22146915#22146915
Exception occurs with the following error message:
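An added example, not code from the cookbook or from the linked blog and Stack Overflow posts, of granting an account access to a certificate's private key for both CSP and CNG keys. It avoids $cert.PrivateKey (null for CNG keys, the symptom reported above) and instead resolves the key through RSACertificateExtensions::GetRSAPrivateKey, then locates the key file in the default machine key store directories and adds a file ACL entry. The thumbprint, account and rights are assumed inputs; the two directory paths are the default Windows locations for machine keys and would differ for a third-party key storage provider.

```powershell
# Added example, not code from the cookbook or the linked posts.
# Grants $Account the given file-system rights on the private key file behind a
# machine-store certificate, handling both CSP (CryptoAPI) and CNG keys.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [string] $Account,      # e.g. 'NT AUTHORITY\NETWORK SERVICE' (assumed)
    [string] $StorePath = 'Cert:\LocalMachine\My',
    [System.Security.AccessControl.FileSystemRights] $Rights = 'Read'
)

$ErrorActionPreference = 'Stop'

$cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() }
if ($null -eq $cert)          { throw "Certificate $Thumbprint not found in $StorePath" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# $cert.PrivateKey is $null for CNG keys. GetRSAPrivateKey (.NET 4.6+) returns
# RSACryptoServiceProvider for CSP keys and RSACng for CNG keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

if ($rsa -is [System.Security.Cryptography.RSACng]) {
    # CNG machine keys (Microsoft Software Key Storage Provider) are files named by the
    # CngKey UniqueName under ProgramData\Microsoft\Crypto\Keys.
    $keyFile = Join-Path $env:ProgramData ("Microsoft\Crypto\Keys\" + $rsa.Key.UniqueName)
}
elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    # CSP machine keys are files named by the unique container name under
    # ProgramData\Microsoft\Crypto\RSA\MachineKeys (the directory mentioned in the thread).
    $keyFile = Join-Path $env:ProgramData ("Microsoft\Crypto\RSA\MachineKeys\" + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
}
else {
    # ECDSA or hardware-backed keys are out of scope for this example.
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

if (-not (Test-Path -Path $keyFile)) { throw "Key file not found: $keyFile" }

# Add an Allow ACE for the account; existing entries are left untouched.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($Account, $Rights, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

"Granted {0} {1} on {2} ({3})" -f $Account, $Rights, $keyFile, $rsa.GetType().Name
```

Run it elevated, e.g. `.\Grant-PrivateKeyAccess.ps1 -Thumbprint <thumbprint> -Account 'NT AUTHORITY\NETWORK SERVICE'`. Granting Read is enough for a service to use the key; avoid FullControl, which would let the account delete or re-ACL the key file. On hosts older than .NET 4.6, RSACertificateExtensions is unavailable and only the CSP branch can be taken via $cert.PrivateKey.CspKeyContainerInfo.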