Support CNG certificates #483

Closed (1 commit)

Conversation

taliesins

Description

Anything below .NET 4.6.1 does not have the ability to deal with CNG certificates correctly. This means PowerShell does not have the ability either. Places with strict security set this as the default, so when the cert is created and added it will default to CNG. When trying to set permissions on the certificate, PowerShell can't access the private key, so it can't set permissions.

  • When installing a certificate, you can now choose to use the PFX default provider or override it with the CNG provider, so you are not at the mercy of AD policies.
  • Can read the private key of CNG certificates, which allows ACL permissions on the private key to be set.
  • The rewrite of applying ACL permissions will allow things like acl_delete, so ACL permissions can be turned into their own resource.

Issues Resolved

#481

Check List

README has been updated to include new features

Works-on-my-machine badge, but I haven't run all the tests. Hoping for the pull request to flesh out any issues.

… specify if CNG should be used when importing pfx.

Expose the following extra options:
* pfx_exportable - mark private key as exportable
* pfx_prefer_cng_ksp - use ksp if preference is not specified
* pfx_always_cng_ksp - force ksp certificate

Signed-off-by: Taliesin Sisson <[email protected]>
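The failure described in this PR (PowerShell cannot reach the private key of a CNG-stored certificate, so no ACL can be set on it) comes down to where the key file lives and which .NET API can name it. The following is an added PowerShell example written for this page; it is not code from the windows cookbook or from this PR. It assumes an elevated PowerShell 5.x session, .NET Framework 4.6.1 or later for the CNG branch, the LocalMachine\My store, and the default machine-key directories under %ProgramData%. The certutil-based import helper and the placeholder thumbprint in the usage line are assumptions as well.

```powershell
# Added example, not the cookbook's or this PR's code.
# Locates the file that backs a certificate's private key, whether the key sits in a
# legacy CSP container or in the CNG key storage provider (KSP), and grants an account
# read access to it. Assumes: elevated PowerShell 5.x, .NET Framework 4.6.1+ for the
# CNG branch, and the default machine-key directories under %ProgramData%.

Set-StrictMode -Version Latest

function Get-PrivateKeyFilePath {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $($Cert.Thumbprint) has no private key"
    }

    # Legacy CSP key: X509Certificate2.PrivateKey works on every .NET Framework version,
    # and the container's unique name is the file name under Crypto\RSA\MachineKeys.
    $csp = $null
    try { $csp = $Cert.PrivateKey } catch { $csp = $null }   # throws or is $null for CNG keys
    if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info = $csp.CspKeyContainerInfo
        if (-not $info.MachineKeyStore) { throw 'Only machine-store keys are handled here' }
        $dir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
        return Join-Path $dir $info.UniqueKeyContainerName
    }

    # CNG key: this is the case the PR describes, where PrivateKey is unusable. On
    # .NET 4.6.1+ RSACertificateExtensions.GetRSAPrivateKey returns an RSACng whose
    # CngKey.UniqueName is the file name under Crypto\Keys (assumed default directory).
    $ext = 'System.Security.Cryptography.X509Certificates.RSACertificateExtensions' -as [type]
    if ($null -eq $ext) {
        throw "CNG key on $($Cert.Thumbprint) but this .NET Framework lacks RSACertificateExtensions (4.6.1+ needed)"
    }
    $rsa = $ext::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        if (-not $rsa.Key.IsMachineKey) { throw 'Only machine-store keys are handled here' }
        $dir = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
        return Join-Path $dir $rsa.Key.UniqueName
    }
    throw "Unsupported private key type $($rsa.GetType().FullName)"
}

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$Account   # e.g. 'NT AUTHORITY\NETWORK SERVICE'
    )
    # The certificate provider returns an X509Certificate2 for the store path.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $path = Get-PrivateKeyFilePath -Cert $cert

    # Read on the key file is what a service needs to use the key; avoid FullControl.
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    return $path
}

function Import-PfxWithProvider {
    # Counterpart of the PR's pfx_prefer_cng_ksp / pfx_always_cng_ksp options.
    # Import-PfxCertificate has no provider switch, so this shells out to certutil,
    # whose -csp option selects the provider the key is stored under. The option
    # syntax is an assumption; check 'certutil -importPFX -?' on the target host.
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][string]$Password,
        # CNG KSP by default; pass a CSP name such as
        # 'Microsoft Enhanced RSA and AES Cryptographic Provider' to force legacy storage.
        [string]$Provider = 'Microsoft Software Key Storage Provider'
    )
    & certutil.exe -p $Password -csp $Provider -importPFX My $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed with exit code $LASTEXITCODE" }
}

# Usage (placeholder thumbprint, replace with a real one from Cert:\LocalMachine\My):
# Grant-PrivateKeyRead -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -Account 'NT AUTHORITY\NETWORK SERVICE'
```

To see which provider a certificate's key was stored under without touching the file, `certutil -store My <thumbprint>` prints a `Provider =` line for the key; a KSP name there means the CNG branch above is the one that will run, and on a .NET Framework older than 4.6.1 that branch has no supported way to name the key file, which is exactly the limitation the description refers to.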
sergeydeg

As I see it, the def cert_script(persist) implementation hasn't changed, and it deletes the private key on the second run.

tas50 (Contributor) commented May 29, 2018

We're in the process of converting the certificate resources to use the win32-certstore gem, which will allow us to add a lot of the functionality here without having to get crazy complex in the resources themselves. That first bit of work landed in #558. Take a look and please let us know if there's anything you need that we can add.

tas50 closed this May 29, 2018
3 participants