Import Existing Certificates

[smokey7722]

Is it possible to use your module to import existing certificates? Looks like from the SDK that would be "POST Certificates/Import" and/or "POST Discovery/Import". I am looking to import existing Base64 certificates (no private keys available), followed by manually setting them as User Certificate type (this part I haven't found in the SDK on how to manually set).

Before I go down the rabbit hole of coding this without using your module, I figured it would be worth posting and asking.

Thanks in advance for all your great work!

[gdbarron]

Hey there @smokey7722. Sorry for the delay, holidays and such :)

Is this still a need? If so, just let me know and I can start looking into it. As of today, this functionality doesn't exist.

[smokey7722]

Yup still needed. I've been working on doing it manually but haven't gotten it working entirely yet so would love to see if it could be added to your module if not too difficult!

[gdbarron]

Here's an initial cut at the code. Could you test this out a bit and see what's missing/not working?

[smokey7722]

I feel extremely stupid asking this but I don't see a change in that branch? I downloaded the code and looked through but am not seeing an update in it?

[gdbarron]

Sorry about that, it wasn't you. Not sure what happened with vscode, but it was unhappy about something and supposedly uploaded the files, but didn't. Should be good now. Here are the updates.

[smokey7722]

Thanks! I'll try to take a look at this today.

[smokey7722]

I was able to get some testing in today and it looks like the creation does work perfectly! I'm going to run some tests to see how updating a cert functions but so far this all looks great.

Update: I ran a few tests for updating/replacing a certificate and it looks to work exactly as expected. So far I have not found any issues at all.

[smokey7722]

Some further testing I think I am running into an issue. This is the process I followed:

Expected behavior:
Import two certificates into two uniquely named Venafi objects

Steps:

1. Import-TppCertificate using a specific certificatepath, unique name and unique certificatedata passed to the cmdlet. Creates successfully
2. Import-TppCertificate using the same certificatepath, a new unique name and and new unique certificatedata passed to the cmdlet.

Result: This is putting this new certificatedata into step 1's Venafi object and does not create a second object as expected based on the unique name and certificatedata.

Initially I ran steps 1 and 2 immediately after each other and saw the issue. I then went back and ran Step 1, then opened a new powershell prompt and tppsession and ran Step 2. The result is the same though.

[gdbarron]

Can you please run the command with -verbose and send me those details and errors received?

[smokey7722]

I'll have the output to you later today, thanks!

[smokey7722]

Below are the two imports. Unfortunately to me they don't seem to include any useful data but maybe they do to you.

FYI I did have to sanitize the cert data (corp security team requirements even though its a public cert) in the log entries below.

[smokey7722]

I'm trying to troubleshoot this on my side but haven't found any leads yet. Let me know if you haven't been able to reproduce or if could use any additional info.

There aren't any errors, its just the multiple certs are being added to the same Venafi object rather than creating individual objects.

[gdbarron]

One thing I would try is to use the -Overwrite option and see if that makes a difference. Outside of that, I'm not seeing anything wrong with the code so we might be best served by logging a ticket on the venafi forum and ensure this isn't expected behavior or perhaps their documentation needs updating.

[smokey7722]

I just tried it with -Overwrite and it seems to actually have worked this time.

[smokey7722]

Playing with it more, I am guessing this may be due to the Common Name matching between these certificates. These are all Azure application certificates so the Common Name will always be "Microsoft Azure Federated SSO Certificate". By adding -Overwrite it does create the individual tppobjects. Let me know if you think the solution to this use case would be to just always use -Overwrite or if, due to the Common Name's matching, there is something else that can be done?

[gdbarron]

What's interesting is that Venafi has the default as overwrite/replace, but that didn't make sense to me as it's more destructive. I'm inclined to keep it as is, but let me know your thoughts. Here is the description of the parameter as they document it...

The setting to control certificate and corresponding private key replacement:

false: Default. Import and replace. Import the certificate into the PolicyDN regardless of whether a past, future, or same version of the certificate exists in Trust Protection Platform.
true: Import, but use newest. Only import the certificate into the PolicyDN when no Certificate object exists with a past, present, or current version of the imported certificate. If a match is found between the Certificate object and imported certificate, activate the certificate with the most current 'Valid From' date. Archive the unused certificate, even if it is the imported certificate, to the History tab.

[smokey7722]

The interesting thing is that when I have it set to -Overwrite it will not add any updated certificates to an existing tppobject. I was able to import any single certificate object but if one had 2 certificates (one active and one inactive, being prepared to go active), then using -Overwrite actually causes this to fail which I would have assumed would be the opposite.

[gdbarron]

Yeah, that is odd, overwrite should "import and replace". I'm thinking my parameter name of overwrite should change even though that's how the documentation reads. Let me give this some thought as to how to approach. Sounds like a ticket should be opened with them to confirm either way.

@tr1ck3r or @BeardedPrincess, can you see the last couple of messages and provide your thoughts please?

[BeardedPrincess]

@gdbarron and @smokey7722

Sorry it took me so long to notice this! Your parameter -Overwrite is engaging the reconcile parameter in the TPP function by setting it to false. This parameter was added specifically to force TPP to not try and reconcile certificates into history (so each cert imported would be a unique object).

I've attached the reconciliation logic from the TPP docs, hopefully that will help understand how it's doing that logic.

I think the issue is that if you tell the system not to reconcile certs, you get the ability to tell which object they get imported into. If you allow TPP to reconcile, then a new object will only get created if the cert being imported is not already "related" to some other cert in the system.

[gdbarron]

@smokey7722, it's been a while, but I have added this functionality, https://www.powershellgallery.com/packages/VenafiTppPS/2.0.1. I've decided to go with the approach Venafi took and provide a -Reconcile option which follows the defaults of the api; the -Overwrite option has been removed. I've tried to document as much as I can in the hopes that people learn from our experience here :) Thanks for working through this!

@BeardedPrincess, thanks as always for the great info.

[smokey7722]

Thanks, I'll take a look, modify my usage accordingly and let you know if I run into any issues!