PEM is one of the most widely used formats for certificate files. PEM files are Base64-encoded ASCII files and contain the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". The PEM format can store server certificates, intermediate certificates and private keys, and certificates in PEM format are used by many servers, including Apache. DER is the binary form of a certificate. In some cases the PEM certificate and private key can be combined into a single file, but on most platforms the certificate and private key must be kept in separate files.

The problem happens when we load a PFX from KV but ask the CSI driver to convert it to PEM. Other libs/tools honor the PFX order by default, but they give workarounds so the users can re-order their certs if they want. I quote what the openssl pkcs12 command (converting from PFX to PEM) says about it in the doc:

"If none of the -clcerts, -cacerts or -nocerts options are present then all certificates will be output in the order they appear in the input PKCS#12 files. There is no guarantee that the first certificate present is the one corresponding to the private key. Certain software which requires a private key and certificate and assumes the first certificate in the file is the one corresponding to the private key: this may not always be the case. Using the -clcerts option will solve this problem by only outputting the certificate corresponding to the private key. If the CA certificates are required then they can be output to a separate file using the -nokeys -cacerts options to just output CA certificates."

Currently we just cannot use the PFX cert in many cases, such as the ingress controller, which reports that the MD5 of the public key and private key don't match. We have to use scripts or manually update the secrets on the cluster. With that being said, I wonder if the CSI KV driver could at least provide an option to re-order the cert?

Checking some similar issues under the repo, I found the solution is to propose to the KV team to ensure the order on the download secret API. I also understand it's because of the safe bag order in the PKCS12 file and the CSI KV driver just honors it by default. However, I still feel the scope is under the CSI KV driver rather than the KV team, and below are my reasons. In some cases we don't have control over the original PFX certs in KV: either they are signed by the integrated CA or they are provided by the customer. Ensuring the safe bag order in the original PKCS12 certs is not always possible.

The Azure Key Vault provider for Secrets Store CSI Driver aligns closely with the current Key Vault behavior (az keyvault secret download), which returns the exact content uploaded by the user. It just grabs the data from the PFX and writes it out in the
Constructing the chain in the right order is definitely a great enhancement to have, so the PEM format is usable out of the box for a chain of certs not uploaded in the right order. Write out the cert and key as separate files. This aligns with the current Key Vault design and was recommended by the Key Vault team.

Rita, we have to come up with routing issues to us. CSI Driver should have "no logic" and reflect Key Vault functionality; if there is an issue in Vault it should be routed to us.
Jack Lichwa

From: Rita Zhang
Sent: Monday, Aug6:29 PM
To: Azure/secrets-store-csi-driver-provider-azure
Cc: Jack Lichwa; Mention
Subject: Re: PEM certificate extracted from PFX is in the wrong order (#156)

Hi, we also ran into the issue recently. We deploy the CSI driver for our customers to sync certificates from Key Vault. The format expected in the environment is PEM, and a lot of customers have PFX certificates stored in their Key Vault. There is no way we could ask them to recreate certificates in PEM. Some of the cert chain orders are wrong (wrong means the client cert is not the first one, and some software assumes that). With the Key Vault API we could easily manipulate the content to generate PEM from PFX, but this is not possible today with CSI.

We have recently merged a PR to add support for writing the base64-encoded PFX data instead of encoding in PEM format. This solution does the same, as many applications migrating to Kubernetes rely on this behavior. Running az keyvault secret download writes all the contents to a single file.

I'm going to use the x509 chain functionality in Go to construct the chain and write it out to a PEM file.
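The reordering the thread asks for, as an added example that is not the provider's own code and not taken from the issue: using only Go's standard crypto/x509 package, it finds the certificate whose public key belongs to the private key (the certificate openssl's -clcerts would select), puts it first, follows the issuers present in the bundle up to the root, and writes the result back out as PEM. A bundle that matches no certificate is rejected, which is the same condition an ingress controller reports as a public/private key mismatch. The CA, the leaf name ingress.example.invalid and all function names are constructed for this demo.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ParseCertsPEM decodes every CERTIFICATE block of a PEM bundle in file order
// (the PKCS#12 safe bag order when the bundle came from a PFX conversion).
func ParseCertsPEM(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// EncodePEM writes certs back out as consecutive PEM CERTIFICATE blocks.
func EncodePEM(certs []*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// OrderChain puts the certificate whose public key matches priv first and
// follows it with its issuers as found in the bundle, so the first block always
// belongs to the key. It fails when no certificate matches the key.
func OrderChain(certs []*x509.Certificate, priv crypto.Signer) ([]*x509.Certificate, error) {
	pub, ok := priv.Public().(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return nil, fmt.Errorf("unsupported key type %T", priv)
	}
	var chain []*x509.Certificate
	for _, c := range certs {
		if pub.Equal(c.PublicKey) {
			chain = append(chain, c)
			break
		}
	}
	if chain == nil {
		return nil, fmt.Errorf("no certificate in the bundle matches the private key")
	}
	used := map[*x509.Certificate]bool{chain[0]: true}
	for cur := chain[0]; cur.CheckSignatureFrom(cur) != nil; { // stop at a self-signed root
		var issuer *x509.Certificate
		for _, c := range certs {
			if !used[c] && cur.CheckSignatureFrom(c) == nil {
				issuer = c
				break
			}
		}
		if issuer == nil {
			break // issuer not in the bundle: the leaf is still first, the chain is partial
		}
		chain = append(chain, issuer)
		used[issuer] = true
		cur = issuer
	}
	return chain, nil
}

// issue signs tmpl with parentKey (self-signed when parent == tmpl); fixture helper.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, parentKey crypto.Signer) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// ConstructedBundle builds a constructed CA plus a leaf it signs and returns the
// PEM bundle with the CA first (the mis-ordered case) together with the leaf key.
func ConstructedBundle() ([]byte, *ecdsa.PrivateKey) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails on a broken RNG
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "ingress.example.invalid"},
		NotBefore: now, NotAfter: now.Add(time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	leaf := issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return EncodePEM([]*x509.Certificate{ca, leaf}), leafKey
}

func main() {
	bundle, key := ConstructedBundle()
	certs, _ := ParseCertsPEM(bundle)
	ordered, err := OrderChain(certs, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("first cert before: %s, after: %s\n", certs[0].Subject.CommonName, ordered[0].Subject.CommonName)
	fmt.Print(string(EncodePEM(ordered)))
}
```

OrderChain deliberately drops certificates that are neither the key's certificate nor on its issuer path, so a bundle that mixes in unrelated CA bags (the -nokeys -cacerts output in openssl terms) still yields a PEM file whose first block pairs with the key. Replacing the constructed CA and leaf with the certificates parsed from a real PFX is the only change needed to use it on vault content.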