Rita, we have to come up with routing issues to us. CSI Driver should have "no logic" and reflect Key Vault functionality; if there is an issue in Vault it should be routed to us.

Jack Lichwa

From: Rita Zhang
Sent: Monday, Aug 6:29 PM
To: Azure/secrets-store-csi-driver-provider-azure
Cc: Jack Lichwa; Mention
Subject: Re: PEM certificate extracted from PFX is in the wrong order (#156)

We deploy CSI driver for our customers to sync certificates from key vault. The format expected in the environment is PEM and a lot of customers have PFX certificates stored in their key vault. There is no way we could ask them to recreate certificates in PEM.

Hi, we also ran into the issue recently. With key vault api, we could easily manipulate the content to generate PEM from PFX but this is not possible today with CSI. Some of the cert chain order is wrong (wrong means the client cert is not the first one and some software assumes that). Checking some similar issues under the repo, I found the solution is to propose to the KV team to ensure the order on the download secret API. I also understand it's because of the safebag order in the PKCS12 file and the CSI KV driver just honors it by default. However, I still feel the scope is under the CSI KV driver rather than the KV team and below are my reasons:

1. In some cases we don't have the control over the original PFX certs in KV. Either they are signed by the integrated CA or they are provided by the customer. Ensuring the safe bag order in the original PKCS12 certs is not always possible. The problem happens when we load PFX from KV but ask the CSI driver to convert it to PEM.

2. Other libs/tools honor the PFX order by default but they give workarounds so the users can re-order their certs if they want. I quote what the openssl pkcs12 command (converting from PFX to PEM) says about it in the doc:
The Azure Key Vault provider for Secrets Store CSI Driver aligns closely with the current Key Vault behavior (az keyvault secret download) which returns the exact content uploaded by the user. It just grabs the data from the PFX and writes it out in the

Constructing the chain in the order is definitely a great enhancement to have so the PEM format is usable ootb for a chain of certs not uploaded in the right order. I'm going to use the x509 chain functionality in go to construct the chain and write it out to a pem file.

We have recently merged a PR to add support for writing the base64 encoded PFX data instead of encoding in PEM format.

1. Write out the cert and key as separate files. This aligns with the current Key Vault design and was recommended by the Key Vault team.

2. Running az keyvault secret download writes all the contents to a single file. This solution does the same, as many applications migrating to Kubernetes rely on this behavior.
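What the proposed x509-based fix amounts to, as an added example that is not the driver's own code: the program below builds a three-certificate chain with constructed names (Example Root CA, Example Issuing CA, service.example.internal), hands it over in root, leaf, issuing-CA order to stand in for a PFX whose safe bags are not leaf-first, then OrderChain (a name assumed here, not a driver API) walks the chain by verifying each signature with crypto/x509's CheckSignatureFrom and ChainToPEM writes the result leaf-first, which is the order the "client cert must be first" software in the thread expects. Certificates that do not belong to the chain produce an error instead of being dropped, so a mispackaged PFX fails at sync time rather than as an opaque TLS handshake failure later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustCert issues a certificate for cn signed by parent/parentKey, or self-signed
// when parent is nil. Test fixture only: the driver would get these from the PFX.
func mustCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a fixture
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// ScrambledBundle builds root -> issuing CA -> leaf and returns it as root, leaf,
// issuing CA: a constructed stand-in for a PFX whose safe bags are not leaf-first.
func ScrambledBundle() []*x509.Certificate {
	root, rootKey := mustCert("Example Root CA", true, nil, nil)
	issuing, issuingKey := mustCert("Example Issuing CA", true, root, rootKey)
	leaf, _ := mustCert("service.example.internal", false, issuing, issuingKey)
	return []*x509.Certificate{root, leaf, issuing}
}

// OrderChain reorders certs leaf-first with each issuer following, whatever the
// safe-bag order was. Links are found by verifying signatures, not by comparing
// names, and certificates that do not chain are an error, not silently dropped.
func OrderChain(certs []*x509.Certificate) ([]*x509.Certificate, error) {
	issuerOf := map[*x509.Certificate]*x509.Certificate{} // child -> its signer in the bundle
	isIssuer := map[*x509.Certificate]bool{}
	for _, child := range certs {
		for _, parent := range certs {
			if child != parent && child.CheckSignatureFrom(parent) == nil {
				issuerOf[child], isIssuer[parent] = parent, true
			}
		}
	}
	var ordered []*x509.Certificate // the leaf is the one cert that signed nothing else
	for _, c := range certs {
		if !isIssuer[c] {
			if ordered != nil {
				return nil, errors.New("bundle holds more than one end-entity certificate")
			}
			ordered = []*x509.Certificate{c}
		}
	}
	if ordered == nil {
		return nil, errors.New("no end-entity certificate in bundle")
	}
	// Walk upward; the length bound stops a cross-signed loop from running forever.
	for cur := ordered[0]; issuerOf[cur] != nil && len(ordered) <= len(certs); cur = issuerOf[cur] {
		ordered = append(ordered, issuerOf[cur])
	}
	if len(ordered) != len(certs) {
		return nil, fmt.Errorf("%d certificate(s) do not chain to %q", len(certs)-len(ordered), ordered[0].Subject.CommonName)
	}
	return ordered, nil
}

// ChainToPEM writes the ordered chain as concatenated CERTIFICATE blocks.
func ChainToPEM(certs []*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

func main() {
	ordered, err := OrderChain(ScrambledBundle())
	check(err)
	fmt.Print(string(ChainToPEM(ordered)))
}
```

Decoding the PFX itself is left out because the standard library has no PKCS#12 parser; golang.org/x/crypto/pkcs12's ToPEM returns the certificate blocks in safe-bag order, which is exactly the input OrderChain is written to take. Matching by signature rather than by issuer and subject names is deliberate: a bundle that happens to contain two certificates with the same subject name (an old and a renewed issuing CA, for instance) still resolves to the one that actually signed the leaf.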