Description
Hey!
I ran into some issues following the documentation around parsing pkcs12 into TLS Kubernetes secrets.
Following the pkcs12 example under the TLS Cert example under Guides, I wasn't able to make it work.
(The common-k8s-secret-types Guide also mentions removed functions pemCertificate and pemPrivateKey, which should be fixed).
This seems to be the same issue faced by other Go projects:
- Support for PKCS12 certificates that use SHA256 HMAC hashicorp/terraform-provider-azurerm#19374
- * the Client Certificate Path is not a valid pfx file: pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1 hashicorp/terraform-provider-azurerm#16228
- Error converting PKCS#12 archive file to PEM blocks: pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1 Venafi/vcert#272
And a bunch of other similar issues.
Some fixes (seem to) include moving to a different package, since apparently the crypto/pkcs12 package is not maintained: hashicorp/go-azure-sdk#328
Personally I ran the example script from the templating document and got the following error initially:
Warning UpdateFailed 2s external-secrets could not apply template: could not execute template: could not execute template: unable to execute template at key tls.crt: unable to execute template at key tls.crt: template: tls.crt:1:9: executing "tls.crt" at <pkcs12cert>: error calling pkcs12cert: unable to decode pkcs12 certificate with password: pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1
I am running OpenSSL version 3.0.2:
$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
After trying the suggested fixes in the other issues found after searching for the error message, I first tried generating it without a password and with -legacy added, separately. Got vague errors with both options.
openssl pkcs12 -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -legacy -export -macalg sha1 -keypbe NONE -certpbe NONE -nomaciter -out certificate.p12 -inkey certkey.pem -in ca.pem
Gave me:
Warning UpdateFailed 5s (x10 over 11s) external-secrets could not apply template: could not execute template: could not execute template: unable to execute template at key tls.crt: unable to execute template at key tls.crt: template: tls.crt:1:9: executing "tls.crt" at <pkcs12cert>: error calling pkcs12cert: unable to decode pkcs12 certificate with password: don't know how to convert a safe bag of type 1.2.840.113549.1.12.10.1.1
Finally, using the options described in https://discuss.hashicorp.com/t/azure-service-principal-client-certificate-error/32037/2 linked from one of the Azure issues, PLUS making sure to set a blank password with either just pressing enter when prompted, or adding -passout "pass:", I got it to work.
So, final working command on OpenSSL 3.0.2:
openssl pkcs12 -passout "pass:" -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 -out certificate.p12 -inkey certkey.pem -in ca.pem
External Secrets should probably either make sure that the more recent versions of OpenSSL works out-of-the-box, or to make it very clear in the two places where this is mainly discussed:
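A small inspector for the first error above, added here as an example; it is not code from external-secrets or from golang.org/x/crypto/pkcs12. It is written in Go because the template function and the projects linked in the post are Go, and it uses only the standard library: the `pfxPdu`/`macData`/`digestInfo` structs follow the outer PFX layout of RFC 7292 section 4, and the check parses just that outer layer to read the MAC digest OID, so it never needs the password and does not verify the MAC value. The "SHA-1 only" criterion is an assumption taken from the error message quoted above (the Go parser rejected 2.16.840.1.101.3.4.2.1, which is id-sha256). `BuildSamplePFX` creates constructed test input with an empty authSafe and a dummy MAC value; it is not a usable keystore.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// Outer PKCS#12 structures from RFC 7292 section 4 (PFX, ContentInfo, MacData, DigestInfo).
// Only the outer layers are modelled; that is enough to read the MAC digest algorithm.
type pfxPdu struct {
	Version  int
	AuthSafe contentInfo
	MacData  macData `asn1:"optional"`
}

type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"tag:0,explicit,optional"`
}

type macData struct {
	Mac        digestInfo
	MacSalt    []byte
	Iterations int `asn1:"optional,default:1"`
}

type digestInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	Digest    []byte
}

var (
	OIDDataContentType = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}
	OIDSHA1            = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}             // id-sha1
	OIDSHA256          = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1} // id-sha256, the OID in the error
)

// Report is what Inspect learns from the outer PFX without the password.
type Report struct {
	Version       int
	MacDigest     asn1.ObjectIdentifier
	MacIterations int
	// SHA1Mac is true when the MAC digest is SHA-1. Assumption: that is the only
	// digest the Go parser accepts, based on the "unknown digest algorithm" error above.
	SHA1Mac bool
}

// Inspect parses the outer PFX and reports the MAC digest OID. It does not open
// the authSafe and does not check the MAC value itself.
func Inspect(der []byte) (Report, error) {
	var pfx pfxPdu
	rest, err := asn1.Unmarshal(der, &pfx)
	if err != nil {
		return Report{}, fmt.Errorf("not a PKCS#12 PFX: %w", err)
	}
	if len(rest) != 0 {
		return Report{}, errors.New("trailing bytes after PFX")
	}
	if pfx.Version != 3 {
		return Report{}, fmt.Errorf("unsupported PFX version %d", pfx.Version)
	}
	if !pfx.AuthSafe.ContentType.Equal(OIDDataContentType) {
		return Report{}, fmt.Errorf("authSafe content type %v is not id-data", pfx.AuthSafe.ContentType)
	}
	alg := pfx.MacData.Mac.Algorithm.Algorithm
	if len(alg) == 0 {
		return Report{}, errors.New("PFX carries no macData (password integrity mode expected)")
	}
	return Report{
		Version:       pfx.Version,
		MacDigest:     alg,
		MacIterations: pfx.MacData.Iterations,
		SHA1Mac:       alg.Equal(OIDSHA1),
	}, nil
}

// BuildSamplePFX returns constructed test input: a minimal PFX whose MAC uses the
// given digest OID. The authSafe is an empty OCTET STRING and the MAC value is a
// dummy, so a real parser would fail MAC verification on it.
func BuildSamplePFX(macDigest asn1.ObjectIdentifier) ([]byte, error) {
	inner, err := asn1.Marshal([]byte{}) // placeholder AuthenticatedSafe, wrapped as OCTET STRING
	if err != nil {
		return nil, err
	}
	pfx := pfxPdu{
		Version: 3,
		AuthSafe: contentInfo{
			ContentType: OIDDataContentType,
			Content:     asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: inner},
		},
		MacData: macData{
			Mac: digestInfo{
				Algorithm: pkix.AlgorithmIdentifier{Algorithm: macDigest, Parameters: asn1.NullRawValue},
				Digest:    make([]byte, 20), // dummy MAC value (constructed)
			},
			MacSalt:    []byte("saltsalt"), // constructed salt
			Iterations: 2048,
		},
	}
	return asn1.Marshal(pfx)
}

func main() {
	for _, tc := range []struct {
		name string
		oid  asn1.ObjectIdentifier
	}{{"sha256 MAC (OpenSSL 3 default)", OIDSHA256}, {"sha1 MAC (-macalg sha1)", OIDSHA1}} {
		der, err := BuildSamplePFX(tc.oid)
		if err != nil {
			panic(err)
		}
		r, err := Inspect(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-32s digest=%v iterations=%d sha1-mac=%t\n", tc.name, r.MacDigest, r.MacIterations, r.SHA1Mac)
	}
}
```

On a real file the same information is shown by `openssl pkcs12 -info -noout -in certificate.p12 -passin pass:`, which prints the MAC algorithm and iteration count before the encrypted-data algorithms. The inspector only covers the MAC digest: the second error in the post, the safe bag of type 1.2.840.113549.1.12.10.1.1, is the unencrypted keyBag that `-keypbe NONE` writes inside the authSafe, which this code deliberately does not open.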