Skip to content

Commit

Permalink
link to intermediate certificate
Browse files Browse the repository at this point in the history
  • Loading branch information
leefine02 authored and leefine02 committed Jan 18, 2024
1 parent 2df89ce commit 460ae06
Show file tree
Hide file tree
Showing 3 changed files with 53 additions and 43 deletions.
54 changes: 20 additions & 34 deletions CitrixAdcOrchestratorJobExtension/CitrixAdcStore.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
using System;
using System.IO;
using System.Linq;
using System.Collections.Generic;
using System.Runtime.ConstrainedExecution;
using System.Security.Cryptography.X509Certificates;
using System.Text;
Expand Down Expand Up @@ -551,43 +552,23 @@ public void UpdateBindings(string keyPairName, string virtualServerName, string

public void LinkToIssuer(string cert, string privateKeyPassword, string keyPairName)
{
int pageSize = 50;
sslcertkey certKey = sslcertkey.get(_nss, keyPairName);

filtervalue[] filters = new filtervalue[0];
filters[0] = new filtervalue("certificatetype", "ROOT_CERT|INTM_CERT");
int caTotal = Convert.ToInt32(sslcertkey.count_filtered(_nss, filters));
if (caTotal == 0)
throw new Exception("No CA certificates were found in Netscaler instance. Certificate successfully added but not linked to its issuer.");

int pageCount = (caTotal / pageSize) + 1;
options o = new options();
o.set_pagesize(50);

X509Certificate2 x509Cert = new X509Certificate2(Encoding.ASCII.GetBytes(cert));
bool certFound = false;
for (int i = 1; i <= pageCount; i++)
sslcertificatechain chain = sslcertificatechain.get(_nss, keyPairName);
if (chain.chaincomplete == 1)
{
if (certFound)
break;
o.set_pageno(i);
sslcertkey[] caCerts = sslcertkey.get_filtered(_nss, filters);

foreach(sslcertkey caCert in caCerts)
{
if (caCert.subject == x509Cert.Issuer)
{
certKey.linkcertkeyname = caCert.certkey;
certFound = true;
break;
}
}
Logger.LogDebug($"Certificate {keyPairName} already linked to {chain.chainlinked}");
return;
}

if (certFound)
sslcertkey.link(_nss, certKey);
else
throw new Exception("No issuing CA certificate was found for the added certificate. Certificate successfully added but not linked to its issuer.")
if (chain.chainpossiblelinks == null || string.IsNullOrEmpty(chain.chainpossiblelinks[0]) || chain.chainpossiblelinks.Length == 0)
{
string msg = $"Certificate added, but link not performed. No Issuing CA Certificate exists for {keyPairName}.";
Logger.LogWarning(msg);
throw new LinkException(msg);
}

sslcertkey certKey = sslcertkey.get(_nss, keyPairName);
certKey.linkcertkeyname = chain.chainpossiblelinks[0];
sslcertkey.link(_nss, certKey);
}

private (byte[], byte[]) GetPemFromPfx(byte[] pfxBytes, char[] pfxPassword)
Expand Down Expand Up @@ -893,4 +874,9 @@ public void SaveConfiguration()
}
}
}

public class LinkException : Exception
{
public LinkException(string message) : base(message) { }
}
}
4 changes: 2 additions & 2 deletions CitrixAdcOrchestratorJobExtension/Inventory.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -85,12 +85,12 @@ private JobResult ProcessJob(CitrixAdcStore store, InventoryJobConfiguration job
_logger.LogDebug("Getting file list...");
var files = store.ListFiles();

Dictionary<string, string> existing = jobConfiguration.LastInventory.ToDictionary(i => i.Alias, i => i.Thumbprints.First());
///////Dictionary<string, string> existing = jobConfiguration.LastInventory.ToDictionary(i => i.Alias, i => i.Thumbprints.First());
// ReSharper disable once CollectionNeverQueried.Local
HashSet<string> processedAliases = new HashSet<string>();

//union the remote keys + last Inventory
List<String> contentsToCheck = files?.Select(x => x.filename).Union(existing.Keys).ToList() ?? new List<string>();
List<String> contentsToCheck = files?.Select(x => x.filename).ToList() ?? new List<string>();

_logger.LogDebug("Getting KeyPair list...");
var keyPairList = store.ListKeyPairs();
Expand Down
38 changes: 31 additions & 7 deletions CitrixAdcOrchestratorJobExtension/Management.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;
using System.IO;
using static Org.BouncyCastle.Math.EC.ECCurve;
using com.citrix.netscaler.nitro.resource.config.pq;

namespace Keyfactor.Extensions.Orchestrator.CitricAdc
{
Expand Down Expand Up @@ -141,9 +143,9 @@ private JobResult ProcessJob(CitrixAdcStore store, ManagementJobConfiguration jo
_logger.LogDebug("Begin Add...");
var virtualServerName = (string)jobConfiguration.JobProperties["virtualServerName"];
var sniCert = (string)jobConfiguration.JobProperties["sniCert"];
var linkToIssuer = false;
if (jobConfiguration.JobProperties.ContainsKey("linkToIssuer"))
linkToIssuer = (bool)jobConfiguration.JobProperties["linkToIssuer"];

dynamic properties = JsonConvert.DeserializeObject(jobConfiguration.CertificateStoreDetails.Properties.ToString());
var linkToIssuer = properties.linkToIssuer == null || string.IsNullOrEmpty(properties.linkToIssuer.Value) ? false : Convert.ToBoolean(properties.linkToIssuer.Value);

//Check if Keypair name exists, if so, we need to append something to it so we don't get downtime
var keyPairName = jobConfiguration.JobCertificate.Alias;
Expand Down Expand Up @@ -186,14 +188,26 @@ private JobResult ProcessJob(CitrixAdcStore store, ManagementJobConfiguration jo
if (x?.Thumbprint == _thumbprint)
{
_logger.LogTrace($"Thumbprint Match: {_thumbprint}");
foreach (var sBinding in binding.sslcertkey_sslvserver_binding)
if (binding.sslcertkey_sslvserver_binding == null)
{
_logger.LogTrace(
$"Starting PerformAdd Binding Name: {sBinding.servername} kp.certkey: {kp.certkey}");
$"Starting PerformAdd Binding kp.certkey: {kp.certkey}");
PerformAdd(store, jobConfiguration.JobCertificate, kp.certkey,
sBinding.servername, true,sniCert, linkToIssuer);
virtualServerName, true, sniCert, linkToIssuer);
_logger.LogTrace(
$"Finished PerformAdd Binding Name: {sBinding.servername} kp.certkey: {kp.certkey}");
$"Finished PerformAdd kp.certkey: {kp.certkey}");
}
else
{
foreach (var sBinding in binding.sslcertkey_sslvserver_binding)
{
_logger.LogTrace(
$"Starting PerformAdd Binding Name: {sBinding.servername} kp.certkey: {kp.certkey}");
PerformAdd(store, jobConfiguration.JobCertificate, kp.certkey,
sBinding.servername, true, sniCert, linkToIssuer);
_logger.LogTrace(
$"Finished PerformAdd Binding Name: {sBinding.servername} kp.certkey: {kp.certkey}");
}
}
}
}
Expand Down Expand Up @@ -231,6 +245,16 @@ private JobResult ProcessJob(CitrixAdcStore store, ManagementJobConfiguration jo
};
}
}
catch (LinkException ex)
{
//Status: 2=Success, 3=Warning, 4=Error
return new JobResult
{
Result = OrchestratorJobStatusJobResult.Warning,
JobHistoryId = jobConfiguration.JobHistoryId,
FailureMessage = ex.Message
};
}
catch (Exception ex)
{
//Status: 2=Success, 3=Warning, 4=Error
Expand Down

0 comments on commit 460ae06

Please sign in to comment.