convertersystems / opc-ua-client

Visualize and control your enterprise using OPC Unified Architecture (OPC UA) and Visual Studio.
MIT License
403 stars 119 forks

Private key of the certificate is not encrypted #225

Open FieryPhoenix100 opened 2 years ago

FieryPhoenix100 commented 2 years ago

When creating certificates via DirectoryStore, it is not possible to encrypt the private key of the certificate. There is also no way to read the encrypted private key.

quinmars commented 2 years ago

May I ask what you are trying to accomplish? The DirectoryStore can be used by the channel to retrieve the local certificate and the corresponding key parameters. Usually, you do not have to call the DirectoryStore methods yourself. There are cases where you might want to implement IDirectoryStore, for example when you want to add some user interface interactions. But even there I'd make it a wrapper around the existing DirectoryStore.

FieryPhoenix100 commented 2 years ago

I would like to be able to store private keys in encrypted form. I see that the keys are written to a file using PemWriter. PemWriter can encrypt keys. Unfortunately this feature is not available when using DirectoryStore. I think it's not safe to store private keys unencrypted.

awcullen commented 2 years ago

I believe the suggestion is to add algorithm and password arguments (strings) to the DirectoryStore constructor (or have reasonable defaults). Then use these parameters when reading and writing the private key files (pem encoded).

Anyone wish to contribute?
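As an added example (not code from the opc-ua-client project), the read/write path the suggestion above describes, done with Bouncy Castle's PemWriter and PemReader in C#: the private key is written under a password with a named algorithm and read back through an IPasswordFinder. The file path, the password value and the BouncyCastle.Cryptography NuGet package are assumptions.

```csharp
using System;
using System.IO;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Security;

// Hands the passphrase to PemReader when it meets an encrypted PEM block.
sealed class PasswordFinder : IPasswordFinder
{
    private readonly char[] _password;
    public PasswordFinder(string password) => _password = password.ToCharArray();
    public char[] GetPassword() => (char[])_password.Clone();
}

static class EncryptedKeyStore
{
    // Writes the key pair as an encrypted PEM block (header "Proc-Type: 4,ENCRYPTED").
    public static void WritePrivateKey(string path, AsymmetricCipherKeyPair keyPair,
                                       string algorithm, string password)
    {
        using var writer = new StreamWriter(path);
        new PemWriter(writer).WriteObject(keyPair, algorithm, password.ToCharArray(), new SecureRandom());
    }

    // Reads it back; a wrong password surfaces as an exception, not as a key.
    public static AsymmetricCipherKeyPair ReadPrivateKey(string path, string password)
    {
        using var reader = new StreamReader(path);
        return (AsymmetricCipherKeyPair)new PemReader(reader, new PasswordFinder(password)).ReadObject();
    }

    public static void Main()
    {
        // Throw-away 2048-bit RSA key for the demonstration.
        var gen = new RsaKeyPairGenerator();
        gen.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
        var keyPair = gen.GenerateKeyPair();

        const string path = "client.key.pem";  // assumed location
        const string password = "change-me";   // assumed; load from config/env in practice
        WritePrivateKey(path, keyPair, "AES-256-CBC", password);

        var restored = ReadPrivateKey(path, password);
        bool sameKey = ((RsaKeyParameters)keyPair.Public).Modulus
            .Equals(((RsaKeyParameters)restored.Public).Modulus);
        bool markedEncrypted = File.ReadAllText(path).Contains("Proc-Type: 4,ENCRYPTED");
        Console.WriteLine(sameKey && markedEncrypted ? "Encrypted PEM round-trip OK" : "Round-trip failed");
    }
}
```

The same two parameters (algorithm and password) are what the DirectoryStore constructor would need to pass through to these calls; the on-disk check for the "Proc-Type" header is a quick way to confirm a key file is not stored in the clear.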