
Use modern PBES2 for private keys in PFX (fixes #446)

Open ChlorideCull opened this issue 1 year ago • 2 comments

Fixes #446

This raises security a bit, allows OpenSSL 3.x to read it without legacy mode, and in general is just a good idea.

As for compatibility, it should be well supported. OpenSSL, as far as I know, supports it since 1.1.1, and all earlier versions are out of support upstream. Windows also has no issues with it.

ChlorideCull avatar Aug 05 '22 10:08 ChlorideCull

My fear with making this the new default is that it will unintentionally break folks who might still be using OpenSSL 1.0.x for some reason. Might need to add support behind a flag associated with the order at least until the next major module version (at which point it can become the new default and the flag can revert to legacy mode).

rmbolger avatar Aug 05 '22 20:08 rmbolger

My fear with making this the new default is that it will unintentionally break folks who might still be using OpenSSL 1.0.x for some reason.

Debian buster was the last version of Debian to ship 1.0.x, and the LTS support for that ended in June. I think the only major Linux distro still shipping 1.0.x is RHEL 7, which is two major versions behind. Given that 1.0.x is EOL from upstream as well, whoever is still relying on it might deserve a bit of a wake up call 😉

That being said, it's your call to decide :)

ChlorideCull avatar Aug 06 '22 21:08 ChlorideCull

I really do appreciate the work on figuring this out, @ChlorideCull. But out of an abundance of caution, I'm going to gate it behind a per-order opt-in flag until the next major version of the module. With the changes I just pushed, you can do any of the following:

# Enable on new cert
New-PACertificate 'example.com' -UseModernPfxEncryption

# Enable on new order
New-PAOrder 'example.com' -UseModernPfxEncryption

# Enable on existing order. This will also re-write existing PFX files.
Set-PAOrder -UseModernPfxEncryption

# Disable on an existing order. This will also re-write existing PFX files.
Set-PAOrder -UseModernPfxEncryption:$false

Like most other order properties, Submit-Renewal will carry the flag over to renewals as well.

Let me know how this works for you and I'll get it merged.

rmbolger avatar Aug 14 '22 21:08 rmbolger
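Both the OpenSSL 3.x point in the opening comment (legacy PKCS#12 PBES1 schemes versus PBES2) and the PFX files that Set-PAOrder re-writes can be checked offline without OpenSSL. The block below is an added example and not Posh-ACME code: a small pure-Python DER walker that reports which password-based-encryption OIDs a PFX names anywhere in its structure. The names classify_pfx, collect_oids, parse_tlvs and the sample_* builders are this example's own; the sample_* data is constructed here and is not a real PFX.

```python
"""Heuristic check of which password-based encryption a PKCS#12 (PFX) file uses.

PKCS#12 nests DER inside OCTET STRINGs and names each encryption scheme by an
AlgorithmIdentifier OID, so walking the DER and collecting OIDs shows whether a PFX
uses PKCS#12 PBES1 (SHA-1 with RC2-40 or 3DES) or PKCS#5 PBES2 (PBKDF2 + AES).
Everything named sample_* is constructed test data, not a real PFX.
"""


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER content bytes (first two arcs merged, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)


PBES2 = encode_oid("1.2.840.113549.1.5.13")
PBKDF2 = encode_oid("1.2.840.113549.1.5.12")
HMAC_SHA256 = encode_oid("1.2.840.113549.2.9")
AES256_CBC = encode_oid("2.16.840.1.101.3.4.1.42")
RC2_40 = encode_oid("1.2.840.113549.1.12.1.6")
RC2_128 = encode_oid("1.2.840.113549.1.12.1.5")
PBE_OIDS = {
    PBES2: "PBES2 (PKCS#5 v2; modern)",
    encode_oid("1.2.840.113549.1.12.1.3"): "pbeWithSHA1And3-KeyTripleDES-CBC (PKCS#12 legacy)",
    RC2_128: "pbeWithSHA1And128BitRC2-CBC (PKCS#12 legacy)",
    RC2_40: "pbeWithSHA1And40BitRC2-CBC (PKCS#12 legacy)",
}
# RC2 lives in OpenSSL 3.x's legacy provider (3DES does not), so either RC2 scheme
# makes "openssl pkcs12" fail unless the legacy provider is loaded ("-legacy").
RC2_OIDS = {RC2_128, RC2_40}
PRF_OIDS = {encode_oid("1.2.840.113549.2.7"): "hmacWithSHA1", HMAC_SHA256: "hmacWithSHA256"}


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV (short-form length; enough for the samples below)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def parse_tlvs(buf: bytes) -> list:
    """Split buf into (tag, body) pairs; ValueError unless it is clean definite-length DER."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i] & 0x1F == 0x1F:
            raise ValueError("bad header")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            if not 1 <= k <= 4 or i + k > len(buf):
                raise ValueError("bad length")
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("length overruns buffer")
        out.append((tag, buf[i:i + n]))
        i += n
    return out


def collect_oids(buf: bytes, found: list) -> None:
    """Gather every OBJECT IDENTIFIER body, descending into constructed types and,
    speculatively, into OCTET STRING / [0] IMPLICIT bodies (where PKCS#12 nests DER).
    Ciphertext, salts and IVs fail to parse as DER and are skipped."""
    for tag, body in parse_tlvs(buf):
        if tag == 0x06:
            found.append(body)
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [n] EXPLICIT
            collect_oids(body, found)
        elif tag in (0x04, 0x80):
            inner: list = []
            try:
                collect_oids(body, inner)
            except ValueError:
                continue  # opaque bytes, nothing to learn
            found.extend(inner)


def classify_pfx(pfx: bytes) -> dict:
    """Report which PBE schemes (and PBKDF2 PRFs) a DER-encoded PFX names anywhere."""
    found: list = []
    collect_oids(pfx, found)
    used = {o for o in found if o in PBE_OIDS}
    return {
        "pbe_schemes": sorted(PBE_OIDS[o] for o in used),
        "pbkdf2_prfs": sorted({PRF_OIDS[o] for o in found if o in PRF_OIDS}),
        "all_pbes2": used == {PBES2},
        "needs_openssl3_legacy_provider": bool(used & RC2_OIDS),
    }


SALT, ITER_2048 = bytes.fromhex("0123456789abcdef"), der(0x02, b"\x08\x00")  # constructed


def sample_pbes2_algid() -> bytes:
    """Constructed: PBES2 { PBKDF2(salt, 2048, hmacWithSHA256), aes256-CBC(iv) }."""
    prf = der(0x30, der(0x06, HMAC_SHA256) + der(0x05, b""))
    kdf = der(0x30, der(0x06, PBKDF2) + der(0x30, der(0x04, SALT) + ITER_2048 + prf))
    enc = der(0x30, der(0x06, AES256_CBC) + der(0x04, bytes(16)))
    return der(0x30, der(0x06, PBES2) + der(0x30, kdf + enc))


def sample_legacy_algid() -> bytes:
    """Constructed: pbeWithSHA1And40BitRC2-CBC { salt, 2048 } (PKCS#12 PBES1 params)."""
    return der(0x30, der(0x06, RC2_40) + der(0x30, der(0x04, SALT) + ITER_2048))


def sample_container(algid: bytes) -> bytes:
    """Constructed toy wrapper, not a full PFX, mirroring PKCS#12 nesting:
    OCTET STRING { SEQUENCE { algid, [0] IMPLICIT OCTET STRING ciphertext } }."""
    ciphertext = der(0x80, bytes(range(16)))  # stands in for random ciphertext
    return der(0x30, der(0x04, der(0x30, algid + ciphertext)))
```

On a real file, `classify_pfx(open("cert.pfx", "rb").read())` is the whole check: a PFX written with -UseModernPfxEncryption should come back with all_pbes2 True and pbkdf2_prfs naming the PRF, while a PFX using the old PKCS#12 schemes lists RC2 and/or 3DES and, if RC2 is present, needs_openssl3_legacy_provider True. It is a heuristic: it reports every PBE OID it can find, including inside nested OCTET STRINGs, so a PFX that names an algorithm it does not actually use for encryption would still be flagged.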

Can confirm this works with your changes!

ChlorideCull avatar Aug 24 '22 11:08 ChlorideCull