ACMESharp
Cannot export PKCS12; Issuer certificate hasn't been resolved
Hi,
I successfully issued two certificates using 2 different manual methods (http and dns) but when I'm trying to export the certificate in PKCS#12 I'm getting an error:
```
PS C:\inetpub\wwwroot> Get-ACMECertificate myalias -ExportPkcs12 test.p12
Get-ACMECertificate : Cannot export PKCS12; Issuer certificate hasn't been resolved
At line:1 char:1
+ Get-ACMECertificate myalias -ExportPkcs12 test.p12
    + CategoryInfo          : NotSpecified: (:) [Get-ACMECertificate], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,ACMESharp.POSH.GetCertificat
```
I also experienced this problem. The issue for me was that the LE intermediate certificate (Let's Encrypt Authority X1) was not in my intermediate certificates store. So I downloaded this and imported it. For me, doing so also added the certificate 'DST Root CA X3' into the Trusted Root CA store.
After adding these certificates I was able to export the PKCS12 file.
@bseddon how did you do it? Having same problem here.
Make sure you have issued the Update-ACMECertificate command.
When you issue the command Get-ACMEVault what do you see?
My guess is that that output will show a blank where the issuer certificates are shown. One of the actions of the update command is to fill in this blank.
Thank you, that actually did the trick. My steps were:
- save 'DST Root CA X3' certificate from Let's Encrypt site and install it.
- Update-ACMECertificate myCert
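The steps from the comments above as one PowerShell script, added here as an example; it is not part of the original thread or of the ACMESharp project. It assumes the certificates were installed in the LocalMachine stores and that the export is written without a password; `myalias` and `test.p12` are the values from the original post.

```powershell
# Added example. Alias and file name are the ones used in the original post.
$alias   = 'myalias'
$outFile = 'test.p12'

# Certificates the thread says had to be present, and the store each belongs in.
# Assumption: they were installed machine-wide (LocalMachine), not per user.
$expected = @(
    @{ Subject = "Let's Encrypt Authority X1"; Store = 'Cert:\LocalMachine\CA'   },  # Intermediate CAs
    @{ Subject = 'DST Root CA X3';             Store = 'Cert:\LocalMachine\Root' }   # Trusted Root CAs
)

function Test-CertInStore {
    param([string]$Subject, [string]$Store)
    # Match on the CN component of the subject distinguished name.
    $hits = Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -like "*CN=$Subject*" }
    return [bool]$hits
}

# Stop before touching the vault if either certificate is absent.
$missing = $expected |
    Where-Object { -not (Test-CertInStore -Subject $_.Subject -Store $_.Store) }
if ($missing) {
    $missing | ForEach-Object {
        Write-Warning "Not found: $($_.Subject) in $($_.Store)"
    }
    return
}

# Refresh the vault entry, then export, as described in the comments above.
Update-ACMECertificate $alias
Get-ACMECertificate $alias -ExportPkcs12 $outFile

# List what the PKCS#12 file contains, so a missing issuer certificate
# is visible immediately rather than at deployment time.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import((Resolve-Path $outFile).Path)
$bundle | Select-Object Subject, Issuer, NotAfter, HasPrivateKey
```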
Same here, @skfd steps fixed the issue. Thanks
It's all a bit hit and miss for me. After installing CAX3 and calling update, the export works. Trying to then create another one fails with invalid data if that cert is installed, for some reason. Shouldn't the code pull the latest certs from their site?
P.S. I'm using the route53 provider. It would also be nice if it removed the TXT after itself, as I could end up with a lot left behind. Almost all the time (98% of it) I seem to be stuck in an "invalid" loop. Is there a bug perhaps somewhere in the validation logic? In my code I let this go on for 300 seconds and then call it quits.