pspete / CredentialRetriever

Retrieve Credentials from CyberArk Central Credential Provider Web Service, or Local Credential Provider using CLIPasswordSDK
MIT License

Enhancement Request - Add the -certificate parameter as an option to Get-CCPCredential #9

Closed jduban closed 4 years ago

jduban commented 4 years ago

This is an enhancement request.

Expected Behaviour

Would it be possible to add support for the -Certificate parameter, which is supported by PowerShell's Invoke-RestMethod, to Get-CCPCredential? e.g.

    Get-CCPCredential -AppID $AppName -Certificate $CertThumbPrint -URL $Url -Object $Object

When calling Get-CCPCredential, the -Certificate and -CertificateThumbPrint parameters would be mutually exclusive. 

Current Behaviour

Get-CCPCredential currently supports the -certificatethumbprint parameter when passing parameters to the Invoke-RestMethod function.   It appears that there's a limitation with that approach in that the certificate must reside within a user's certificate store.  Invoking Get-CCPCredential using -certificatethumbprint and passing it a thumbprint of a certificate stored within the localmachine cert store will result in the "Unable to retrieve certificates..." error message.  The same restriction does not exist when utilizing the -Certificate parameter when calling Invoke-RestMethod.

Sample Output

1 . When the client certificate exists within the local user's cert store, the get-ccpcredential call completes

    1a) Verify that the cert is within the local user's cert store
            PS C:\Users\someuser> Get-ChildItem -path Cert:\CurrentUser\My | Where-Object {$_.Subject -eq "CN=xxxushc2cy31vp.xxxco.com"}

            PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
            Thumbprint                                Subject                                                                                                                               
            ----------                                -------                                                                                                                               
            5468AE4DF0F0FE23690191DB64B70F0CCD4DA4AC  CN=xxxushc2cy31vp.xxxco.com                                                                                                           

    1b) Check for the existence of the cert in the localmachine cert store
            PS C:\Users\someuser> Get-ChildItem -path Cert:\LocalMachine\My | Where-Object {$_.Subject -eq "CN=xxxushc2cy31vp.xxxco.com"}

    1c) invoke get-ccpcredential
            PS C:\Users\someuser> Get-CCPCredential -AppID AAM-la_wsrv-auto_us -CertificateThumbPrint "54 68 ae 4d f0 f0 fe 23 69 01 91 db 64 b7 0f 0c cd 4d a4 ac" -URL "https://cyberarkccp.xxxco.com" -Object "Operating System-xxx-AD_generic-xxxco.com-s-cyberark-lawsrv-us"

            Content                 : ********************
            PolicyID                : xxx-AD_generic
            Name                    : Operating System-xxx-AD_generic-xxxco.com-s-cyberark-lawsrv-us
            [...snip...]

2 . When the certificate is moved from the local user's cert store into the local machine cert store, the same get-ccpcredential call fails

    2a) Verify that the cert is no longer within the local user's cert store
            PS C:\Users\someuser> Get-ChildItem -path Cert:\CurrentUser\My | Where-Object {$_.Subject -eq "CN=xxxushc2cy31vp.xxxco.com"}

    2b) Check for the existence of the cert in the localmachine cert store
            PS C:\Users\someuser> Get-ChildItem -path Cert:\LocalMachine\My | Where-Object {$_.Subject -eq "CN=xxxushc2cy31vp.xxxco.com"}

            PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
            Thumbprint                                Subject                                                                                                                               
            ----------                                -------                                                                                                                               
            5468AE4DF0F0FE23690191DB64B70F0CCD4DA4AC  CN=xxxushc2cy31vp.xxxco.com                                                                                                           

    2c) invoke get-ccpcredential
            PS C:\Users\someuser> Get-CCPCredential -AppID AAM-la_wsrv-auto_us -CertificateThumbPrint "54 68 ae 4d f0 f0 fe 23 69 01 91 db 64 b7 0f 0c cd 4d a4 ac" -URL "https://cyberarkccp.xxxco.com" -Object "Operating System-xxx-AD_generic-xxxco.com-s-cyberark-lawsrv-us"

            Get-CCPCredential : System.Security.Cryptography.CryptographicException: Unable to retrieve certificates because the thumbprint is not valid. Verify the thumbprint and retry. 
               at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.PrepareSession()
               at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()
            At line:1 char:1
            + Get-CCPCredential -AppID AAM-la_wsrv-auto_us -CertificateThumbPrint " ...
            + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
                + FullyQualifiedErrorId : WebCmdletCertificateException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand,Get-CCPCredential

3 . Call Invoke-RestMethod directly using all of the same parameters but replacing -certificatethumbprint with -certificate

    PS C:\Users\someuser> 
    $CertThumbPrint = "54 68 ae 4d f0 f0 fe 23 69 01 91 db 64 b7 0f 0c cd 4d a4 ac"
    $CertThumbPrint = $CertThumbPrint.replace(' ','')
    $ClientCertificate = Get-ChildItem -Path Cert:\LocalMachine\My\$CertThumbPrint

    Invoke-RestMethod -Method Get -Uri  "https://cyberarkccp.xxxco.com/AIMWebService/api/Accounts?AppID=AAM-la_wsrv-auto_us&Object=Operating%20System-xxx-AD_generic-xxxco.com-s-cyberark-lawsrv-us"  -ContentType application/json -Certificate $ClientCertificate

            Content                 : ********************
            PolicyID                : xxx-AD_generic
            Name                    : Operating System-xxx-AD_generic-xxxco.com-s-cyberark-lawsrv-us
            [...snip...]

Context

Allow client certificates stored within the localmachine cert store to be used for authentication when calling get-ccpcredential. One of our company's IT staff members developed a PowerShell script that leverages Get-CCPCredential & the -certificatethumbprint parameter. He'd added the client certificate to his cert store and encountered no issues when testing interactively. He next created a scheduled job that launched the PowerShell script using the system account. The scheduled job failed to complete when the script was unable to retrieve the certificate. Adding the certificate to the localmachine cert store made no difference. Once the PowerShell script was modified to call Invoke-RestMethod directly using the -Certificate parameter, the scheduled job was able to complete successfully.

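
A helper covering the scenario described in this issue (added example, not code from the CredentialRetriever module or from the reporter): it resolves the thumbprint in CurrentUser\My first and LocalMachine\My second, normalises the spaced thumbprint form shown above, and hands the resulting X509Certificate2 to Invoke-RestMethod -Certificate so the same call works when a scheduled task runs it as SYSTEM. The function names, hostname and AppID/Object values are placeholders.

```powershell
# Added example, not part of the CredentialRetriever module. Resolves a client
# certificate by thumbprint from either the CurrentUser or LocalMachine store
# and passes it to Invoke-RestMethod -Certificate, so the call also works when
# run as SYSTEM from a scheduled task. Hostname/AppID values are placeholders.
function Get-ClientCertificate {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Normalise: a thumbprint copied from the certificate MMC often has spaces
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Thumbprint must be 40 hex characters after removing separators (got $($hex.Length))."
    }
    # CurrentUser first (interactive use), then LocalMachine (services, SYSTEM)
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $hex } | Select-Object -First 1
        if ($null -eq $cert) { continue }
        # Added checks: a cert without a private key or an expired cert fails
        # here with a clear message instead of a TLS handshake error later
        if (-not $cert.HasPrivateKey) {
            throw "Certificate $hex found in $store but no private key is associated with it."
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            throw "Certificate $hex found in $store but expired on $($cert.NotAfter)."
        }
        Write-Verbose "Using client certificate $hex from $store"
        return $cert
    }
    throw "No certificate with thumbprint $hex in CurrentUser\My or LocalMachine\My."
}

function Get-CCPAccountWithCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Url,        # e.g. https://ccp.example.com (placeholder)
        [Parameter(Mandatory)][string]$AppID,
        [Parameter(Mandatory)][string]$Object,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $cert = Get-ClientCertificate -Thumbprint $Thumbprint
    # Escape the query values so spaces or '&' in the Object name cannot break the URL
    $query = "AppID=$([uri]::EscapeDataString($AppID))&Object=$([uri]::EscapeDataString($Object))"
    $uri   = "$($Url.TrimEnd('/'))/AIMWebService/api/Accounts?$query"
    Invoke-RestMethod -Method Get -Uri $uri -ContentType 'application/json' -Certificate $cert
}

# Usage (placeholder values), e.g. from a scheduled task running as SYSTEM:
# Get-CCPAccountWithCertificate -Url 'https://ccp.example.com' -AppID 'MyApp' `
#     -Object 'Operating System-Example' -Thumbprint '54 68 ae 4d ...' -Verbose
```

Run with -Verbose to see which store the certificate was taken from; when the SYSTEM account still cannot authenticate, the private key ACL on the LocalMachine certificate is the next thing to check.
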
pspete commented 4 years ago

Thanks for reporting this @jduban. Certificate parameter now available in Get-CCPCredential. Published to the PowerShell Gallery, and the master branch.

jduban commented 4 years ago

My pleasure. Thanks for turning it around so quickly.
