Request for Improvement in read-certificate-data command

[tinsep19]

Description:

We propose the following improvements for the read-certificate-data or --cert-selector option.

Request Details

Background

OS: Windows 10
Certificate Store: OS-specific secure stores.

Consider the following certificate in the certificate store:

PS C:\> Get-Item Cert:\CurrentUser\My\2C8972C2DDEB93E22633CDC46E52396D1B41EF0C | fl Subject, Issuer, SerialNumber, Thumbprint
Subject      : E=who@example.com, CN=xxxxxxxx, OU=Employees, DC=example, DC=com
Issuer       : CN=EXAMPLE-CA, DC=example, DC=com
SerialNumber : 2B0004984811E47C4DFCD2C63E000000049848
Thumbprint   : 2C8972C2DDEB93E22633CDC46E52396D1B41EF0C

The selector obtained by executing read-certificate-data is as follows:

2c8972c2ddeb93e22633cdc46e52396d1b41ef0c "CN=xxxxxxxx,OU=Employees,1.2.840.113549.1.9.1=#<HEX([email protected])>,0.9.2342.19200300.100.1.25=#<HEX(example)>,0.9.2342.19200300.100.1.25=#<HEX(com)>"

1.2.840.113549.1.9.1 represents E (emailAddress), and 0.9.2342.19200300.100.1.25 represents DC (domainComponent).
#<HEX(some string)> represents the hexadecimal representation of the UTF-8 string.

I believe this output follows RFC2253, but it may be difficult to understand without familiarity with ASN.1 or RFC2253. Moreover, the Issuer's selector cannot be confirmed using read-certificate-data.

Proposed Improvements

We would like to request either or both of the following improvements:

1. Modify the read-certificate-data command to also output the Issuer's value, making it easier to specify selectors.
2. Improve the current matching process for selectors, which currently selects based on matching Subject, Issuer, and SerialNumber, to allow users to specify selectors more intuitively.

We believe these improvements will make it easier for users to select the correct certificate. Thank you for your consideration.