-
Notifications
You must be signed in to change notification settings - Fork 188
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GDS Client] Fix Certificate Request when private Key of existing Certificate is not exportable #607
base: master
Are you sure you want to change the base?
[GDS Client] Fix Certificate Request when private Key of existing Certificate is not exportable #607
Conversation
If the configuration file specifies the store for the ApplicationCertificate to be StoreType=Directory, then the public and private key are stored in the certs and private folder. If I recreate an existing certificate with this configuration the public and private key will be added to theses folders. Would it not be better that the existing public and private key are replaced with the new ones? |
@mregen i am not shure about replacing existing certs, what is your opinion? |
It depends, it could be that the cert was signed. Then it should not be updated. But we should definitely consider the option to delete the old certificate. Problem for self signed certs is that the client/server may loose trust with our applications. |
The preference is always to use a CSR to avoid that a private key must be sent over the wire. |
@mregen @sveinfolkeson please see my updated PR that now creates a tempoary cert in memory to create a csr from that. I still need to test if a certificate update is handled correctly, but this will take some more time. |
Proposed changes
The GDS Client uses a Certificate Signing Request (CSR) when a new CA signed Certificate is requested from the GDS and an older cert exists.
The CSR can be executed however applying the existing private key to the new Certificate fails when the old Certificates private Key is not exportable. This is the case e.g. for many certs in the Windows X509 Certificate Store.
With this fix the GDS Client uses a KeyPair Request instead of a Certificate Signing Request to request a new CA signed Cert from the GDS, when the private key of the existing cert is not exportable.
Related Issues
Types of changes
Checklist
Further comments