Release 2.4 to main

CHANGELOG.md

@@ -1,3 +1,17 @@
+2.4.1
+* Modified the CertUtil logic to use the -addstore argument when no password is sent with the certificate information.
+* Added additional error trapping and trace logs
+
+2.4.0
+* Changed the way certificates are added to cert stores.  CertUtil is now used to import the PFX certificate into the associated store.  The CSP is now considered when maintaining certificates, empty CSP values will result in using the machines default CSP.
+* Added the Crypto Service Provider and SAN Entry Parameters to be used on Inventory queries, Adding and ReEnrollments for the WinCert, WinSQL and IISU extensions.
+* Changed how Client Machine Names are handled when a 'localhost' connection is desiered.  The new naming convention is:  {machineName}|localmachine.  This will eliminate the issue of unqiue naming conflicts.
+* Updated the manifest.json to now include WinSQL ReEnrollment.
+* Updated the integration-manifest.json file for new fields in cert store types.
+
+2.3.2
+* Changed the Open Cert Store access level from a '5' to 'MaxAllowed'
+
 2.3.1
 * Added additional error trapping for WinRM connections to allow actual error on failure.
 

IISU/Certificate.cs

@@ -13,6 +13,8 @@
 // limitations under the License.
 
 using System;
+using System.Linq;
+using System.Text.RegularExpressions;
 
 namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore
 {
@@ -22,5 +24,35 @@ public class Certificate
         public byte[] RawData { get; set; }
         public bool HasPrivateKey { get; set; }
         public string CertificateData => Convert.ToBase64String(RawData);
+        public string CryptoServiceProvider { get; set; }
+        public string SAN { get; set; }
+
+        public class Utilities
+        {
+            public static string FormatSAN(string san)
+            {
+                // Use regular expression to extract key-value pairs
+                var regex = new Regex(@"(?<key>DNS Name|Email|IP Address)=(?<value>[^=,\s]+)");
+                var matches = regex.Matches(san);
+
+                // Format matches into the desired format  
+                string result = string.Join("&", matches.Cast<Match>()
+                    .Select(m => $"{NormalizeKey(m.Groups["key"].Value)}={m.Groups["value"].Value}"));
+
+                return result;
+            }
+
+            private static string NormalizeKey(string key)
+            {
+                return key.ToLower() switch
+                {
+                    "dns name" => "dns",
+                    "email" => "email",
+                    "ip address" => "ip",
+                    _ => key.ToLower() // For other types, keep them as-is
+                };
+            }
+
+        }
     }
 }

IISU/CertificateStore.cs

@@ -41,10 +41,12 @@ public void RemoveCertificate(string thumbprint)
         {
             using var ps = PowerShell.Create();
             ps.Runspace = RunSpace;
+
+            // Open with value of 5 means:  Open existing only (4) + Open ReadWrite (1)
             var removeScript = $@"
                         $ErrorActionPreference = 'Stop'
                         $certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('{StorePath}','LocalMachine')
-                        $certStore.Open('MaxAllowed')
+                        $certStore.Open(5)
                         $certToRemove = $certStore.Certificates.Find(0,'{thumbprint}',$false)
                         if($certToRemove.Count -gt 0) {{
                             $certStore.Remove($certToRemove[0])

IISU/ClientPSCertStoreInventory.cs

@@ -46,21 +46,37 @@ public List<Certificate> GetCertificatesFromStore(Runspace runSpace, string stor
                                 $certs = $certStore.Certificates
                                 $certStore.Close()
                                 $certStore.Dispose()
-                                foreach ( $cert in $certs){{ 
-                                    $cert | Select-Object -Property Thumbprint, RawData, HasPrivateKey
+                                    $certs | ForEach-Object {{
+                                        $certDetails = @{{
+                                            Subject = $_.Subject
+                                            Thumbprint = $_.Thumbprint
+                                            HasPrivateKey = $_.HasPrivateKey
+                                            RawData = $_.RawData
+                                            san = $_.Extensions | Where-Object {{ $_.Oid.FriendlyName -eq ""Subject Alternative Name"" }} | ForEach-Object {{ $_.Format($false) }}
+                                        }}
+
+                                        if ($_.HasPrivateKey) {{
+                                            $certDetails.CSP = $_.PrivateKey.CspKeyContainerInfo.ProviderName
+                                        }}
+
+                                        New-Object PSObject -Property $certDetails
                                 }}";
 
                 ps.AddScript(certStoreScript);
 
                 var certs = ps.Invoke();
 
                 foreach (var c in certs)
+                {
                     myCertificates.Add(new Certificate
                     {
                         Thumbprint = $"{c.Properties["Thumbprint"]?.Value}",
                         HasPrivateKey = bool.Parse($"{c.Properties["HasPrivateKey"]?.Value}"),
-                        RawData = (byte[])c.Properties["RawData"]?.Value
+                        RawData = (byte[])c.Properties["RawData"]?.Value,
+                        CryptoServiceProvider = $"{c.Properties["CSP"]?.Value }",
+                        SAN = Certificate.Utilities.FormatSAN($"{c.Properties["san"]?.Value}")  
                     });
+                }
 
                 return myCertificates;
             }