webprofusion / certify

Professional ACME Client for Windows. Certificate Management UI, powered by Let's Encrypt and compatible with all ACME v2 CAs. Download from certifytheweb.com
https://certifytheweb.com

Export does not export whole chain #653

Closed Thijs5 closed 11 months ago

Thijs5 commented 11 months ago

When exporting a certificate using a task, not the whole chain of issuers gets exported.

Inspecting the exported certificate using KeyStore Explorer

Inspecting the same certificate exported using mmc

This is also impacting the export to Azure Key Vault plugin, since Azure Key Vault does not accept the certificate exported using CTW, both when using the plugin and as a manual upload.

webprofusion-chrisc commented 11 months ago

Hi, the Azure Key Vault export definitely does work currently, we have a task doing exactly that. Can you review your managed certificate log to see if more error detail is logged? Key Vault requires specific naming rules. Are you setting a password or leaving the default (blank)?

Generally a certificate export would not export the root certificate because the root is for the client to trust, it is not something you serve. We do have a PEM export option for the chain that does include the root if you want it, but our PFX does not.
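A quick way to see exactly which certificates a PFX carries, which one is the leaf, and where the issuer links stop, as an added diagnostic for this thread that is not part of Certify The Web (it assumes Python with the `cryptography` package; the demo CA names and the three sample bundles are constructed, not real certificates):

```python
"""Report what a PFX (PKCS#12) bundle really carries: the leaf (the domain cert
Azure calls the 'leaf certificate'), intermediates, roots, and issuers that are
referenced but absent. Added diagnostic, not Certify The Web code; assumes the
`cryptography` package is installed."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def classify(certs):
    """Roots are self-issued, intermediates issue another cert in the bundle,
    the leaf issues nothing; an issuer not present in the bundle is a gap."""
    subjects = {c.subject.rfc4514_string() for c in certs}
    issuers = {c.issuer.rfc4514_string() for c in certs if c.subject != c.issuer}
    out = {"leaf": [], "intermediates": [], "roots": [], "missing_issuers": []}
    for c in certs:
        s, i = c.subject.rfc4514_string(), c.issuer.rfc4514_string()
        out["roots" if s == i else "intermediates" if s in issuers else "leaf"].append(s)
        if i not in subjects and i not in out["missing_issuers"]:
            out["missing_issuers"].append(i)  # chain cannot be walked past here
    return out


def inspect_pfx(data, password=None):
    """Parse the PFX as a consumer would (cryptography/OpenSSL) and classify
    every certificate in it, the private-key holder first."""
    _key, cert, extra = pkcs12.load_key_and_certificates(data, password)
    return classify(([cert] if cert else []) + list(extra or []))


def build_demo_bundles():
    """Constructed sample, not a real CA: root -> intermediate -> leaf, packed as
    full chain (like a PEM export), intermediate only (usual PFX), and leaf only."""
    def make(cn, issuer_cn, signer_key, key):
        now = datetime.datetime.now(datetime.timezone.utc)
        name = lambda n: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, n)])
        return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
                .public_key(key.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
                .sign(signer_key, hashes.SHA256()))
    rk, ik, lk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root, inter = make("Demo Root", "Demo Root", rk, rk), make("Demo R3", "Demo Root", rk, ik)
    leaf = make("www.example.com", "Demo R3", ik, lk)
    pack = lambda cas: pkcs12.serialize_key_and_certificates(
        b"demo", lk, leaf, cas, serialization.NoEncryption())
    return pack([inter, root]), pack([inter]), pack(None)
```

Run it on a real export with `inspect_pfx(open("cert.pfx", "rb").read(), b"password")`; a root listed under `missing_issuers` is expected for a PFX export, since the root is there for the client to trust rather than to be served, whereas a missing intermediate means the chain really is incomplete.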

Thijs5 commented 11 months ago

Hey Chris, thanks for getting back to me so quickly. When trying to upload the exported certificate to Azure Key Vault (either using a normal export task and with the Azure Portal, or directly with the Azure Key Vault upload task), we get this exception:

```
2023-10-27 16:21:47.962 +02:00 [INF] ---- Performing Task [On-Demand or Manual Execution] :: devdomaincom----
2023-10-27 16:21:47.965 +02:00 [INF] Task [devdomaincom] :: Task is enabled and primary request was successful.
2023-10-27 16:21:48.349 +02:00 [ERR] Failed to deploy certificate [devdomaincom] to Azure Key Vault :Azure.RequestFailedException: Unable to parse X5c certificate chain and locate leaf certificate
Status: 400 (Bad Request)
ErrorCode: BadParameter

Content:
{"error":{"code":"BadParameter","message":"Unable to parse X5c certificate chain and locate leaf certificate"}}

Headers:
Pragma: no-cache
x-ms-keyvault-region: westeurope
x-ms-client-request-id: a125bbd3-273a-4a85-9b6c-c27b0a9fd216
x-ms-request-id: 598eda67-57ae-44aa-bf95-8cdcf538478c
x-ms-keyvault-service-version: 1.9.1036.1
x-ms-keyvault-network-info: conn_type=Ipv4;addr=212.3.231.129;act_addr_fam=InterNetwork;
x-ms-keyvault-rbac-assignment-id: REDACTED
x-ms-keyvault-rbac-cache: REDACTED
X-Content-Type-Options: REDACTED
Strict-Transport-Security: REDACTED
Content-Length: 111
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Fri, 27 Oct 2023 14:21:48 GMT
Expires: -1

   at Azure.Security.KeyVault.KeyVaultPipeline.<SendRequestAsync>d__29.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Security.KeyVault.KeyVaultPipeline.<SendRequestAsync>d__19`2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Security.KeyVault.Certificates.CertificateClient.<ImportCertificateAsync>d__35.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Plugin.DeploymentTasks.Azure.AzureKeyVault.<Execute>d__6.MoveNext()
2023-10-27 16:21:48.349 +02:00 [ERR] Key Vault Deployment Failed
```

webprofusion-chrisc commented 11 months ago

Thanks @Thijs5, sorry I missed your reply.

Just for info, for actual support tickets it's best to log a ticket with support {at} certifytheweb.com as GitHub isn't our ticketing system.

We have not been able to reproduce this issue yet; in all our tests the certs are uploading to Key Vault OK. Is the task trying to replace an existing certificate in Key Vault? There's a possibility that's causing some kind of conflict on their side if so. You could try uploading the cert with a different cert name so it doesn't try to upload over an existing cert.

Otherwise you would need Microsoft to tell you why their system is rejecting the PFX in this case.

webprofusion-chrisc commented 11 months ago

It's also worth adding that the "leaf certificate" is your actual domain certificate, not the root/issuer.

webprofusion-chrisc commented 11 months ago

I'm also assuming that you're not using a custom CSR: https://learn.microsoft.com/en-us/answers/questions/1314131/unable-to-parse-x5c-certificate-chain-and-locate-l

Thijs5 commented 11 months ago

Hi @webprofusion-chrisc,

Good to know, I'd better use the email address for the helpdesk in the future.

We tried both. Both as a new certificate and as an update to the existing certificate. Neither one works in our case. It's a good suggestion to take this up with Microsoft. I'm going to try that route. Thanks for the responses and thank you for the work you did on the product. It's a great product!

Thijs

webprofusion-chrisc commented 11 months ago

Thanks @Thijs5, if you don't get anywhere with Microsoft we can investigate this further via support {at} certifytheweb.com - we would need to examine the PFX the app generates etc.