PSPKI
Improvement: Add ECDSA support into Convert-PemToPfx
When talking about PKI, for decades RSA was the de-facto algorithm. Since it is no more, adding support for EC-algorithms would be advised.
Suggestions for implementation can be taken from my tool https://github.com/HQJaTu/RDP-cert-tools/blob/main/update-RDP-cert.ps1. It has readily implemented functions __composeEcDsaPrivateKeyBlob and __attachECPrivateKey. Also there exists enough logic for guessing if RSA or ECDSA material should be imported from a set of PEM-files.
It should be relatively easy to implement something similar into PSPKI.
Fair enough. However, this in most cases is kind of tricky, because the private key must have the NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG flag enabled, which is not always set for an exportable key. That is, you can export the key in a PFX bag, but cannot extract the raw key material. This happens when you import a certificate from PFX. For some reason this flag is not enabled and the function fails, and even NCryptSetProperty doesn't help.
Yes, I agree on what you said about PKCS #12 and #7 -import. However, the code is generic and can import EC-certificate and key from a set of PEM-files too. All of these sources can be supported with relative ease, as I've implemented them into my RDP-tooling.
My suggestion is: Being the popular option, PSPKI should have this support also for everybody in The Net to enjoy.
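The export-flag limitation raised in the reply above can be checked before attempting any raw key extraction. The following is an added example, not code from PSPKI or from the linked RDP-cert-tools script; `Get-EcKeyExportPolicy` is a hypothetical helper name, and it assumes Windows, where .NET's `CngExportPolicies.AllowPlaintextExport` corresponds to NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG.

```powershell
# Added example (not PSPKI code): report the CNG export policy of EC private keys.
# Get-EcKeyExportPolicy is a hypothetical helper name. Assumes Windows.
function Get-EcKeyExportPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        if (-not $Certificate.HasPrivateKey) { return }   # nothing to inspect

        $ecdsa = $null
        try {
            # Returns $null when the certificate's key is not EC (for example RSA).
            $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Certificate)
            if ($null -eq $ecdsa) { return }

            # The export policy is only readable from a CNG-backed key object.
            if ($ecdsa -isnot [System.Security.Cryptography.ECDsaCng]) {
                Write-Warning "$($Certificate.Thumbprint): key is not CNG-backed, policy unknown."
                return
            }

            $policy = $ecdsa.Key.ExportPolicy
            $flags  = [System.Security.Cryptography.CngExportPolicies]
            [pscustomobject]@{
                Thumbprint           = $Certificate.Thumbprint
                Subject              = $Certificate.Subject
                Algorithm            = $ecdsa.Key.Algorithm.Algorithm
                # Exportable at all (for example inside a PFX).
                AllowExport          = $policy.HasFlag($flags::AllowExport)
                # Raw key material can be extracted only when this flag is set.
                AllowPlaintextExport = $policy.HasFlag($flags::AllowPlaintextExport)
            }
        }
        catch [System.Security.Cryptography.CryptographicException] {
            Write-Warning "$($Certificate.Thumbprint): cannot open private key: $($_.Exception.Message)"
        }
        finally {
            if ($null -ne $ecdsa) { $ecdsa.Dispose() }
        }
    }
}

# Inspect every EC certificate with a private key in the current user's store.
Get-ChildItem Cert:\CurrentUser\My | Get-EcKeyExportPolicy | Format-Table -AutoSize
```

A row with `AllowExport` true and `AllowPlaintextExport` false is the case described in the reply: the key can leave in a PFX but its raw material cannot be read directly.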