Invoke-RestMethod and Invoke-WebRequest don't support client certificate authentication with certificate files #4544
Comments
|
Just verifying. When this is attempted with |
|
Thanks for asking. Yes, once with and once without a password. The same cert is successfully used within the browser.
…On Do., Aug. 10, 2017 at 3:47 PM, Mark Kraus ***@***.***> wrote:
Just verifying. When this is attempted with Get-PfxCertificate the .pfx file that is imported included the both the private key and certificate?
|
|
Ok. I see a |
|
I was able to use a certificate on Windows without having the cert imported in the cert store. BUT the exact same command on Ubuntu fails. The certificate is valid and used within the browser but is not working with Could someone confirm having the same issues on Linux/Ubuntu with a valid certificate? Otherwise its probably no PowerShell issue at all. |
|
@Karneades Yes, it is currently not possible in 6.0.0-beta.5 on Linux. I was saying that I was able to locate the issue in the source code and implement code changes to make it work. I'm working on everything that is needed to make a proper Pull Request. This will likely be available in future versions (whether it is from my pull request or some other work). |
|
Our comments just overlapped before.
Thanks a lot for digging into the code, your feedback and your engagement to solve this open issue! It would be awesome to have it working in the OpenSource version of PowerShell.
…On Do., Aug. 10, 2017 at 7:51 PM, Mark Kraus ***@***.***> wrote:
***@***.***(https://github.com/karneades) Yes, it is currently not possible in 6.0.0-beta.5 on Linux.
I was saying that I was able to locate the issue in the source code and implement code changes to make it work. I'm working on everything that is needed to make a proper Pull Request. This will likely be available in future versions (whether it is from my pull request or some other work).
|
|
@Karneades No problem! If you want. you can clone from my fork, build it and test it. mkdir ~/gittest
cd ~/gittest/
git clone --recursive https://github.com/markekraus/PowerShell.git
cd PowerShell/
git checkout WebClientCerts
git remote add upstream https://github.com/powershell/powershell.git
powershell -noprofile -ExecutionPolicy bypass -command 'Import-Module ./build.psm1; Sync-PSTags; Start-PSBootstrap; Start-PSBuild'The last line of output will give you the binary path of the newly built powershell. Run that and then try to use |
|
Awesome! What a nice small change to make that important feature work! Tested successfully both on Windows 10 and Ubuntu 16.04 with your fork. Hope your PR will make it into the next beta. Thanks so much! |
* [Feature] Add Certificate Authentication Support for WebCmdlets #4544 * Add Certificate Comments * Set Certificate Options * [feature] Post-rebase White-space correction * [feature] mark certauth tests pending
Invoke-RestMethodandInvoke-WebRequestrequires the certificate specified by -Certificate to be imported in the certificate store. Both methods do not allow using certificates from files. This breaks client certificate authentication on non-Windows platforms.Proposal: Support the use of certificate files for the client authentication by adding a new parameter -CertificateFile or by using the x509 object from
Get-PfxCertificatedirectly.This was tested on Ubuntu 16.04 with PowerShell 6.0.0-beta.5 and on Windows with PowerShell 5.0.
Ref: #473 and #1865
The text was updated successfully, but these errors were encountered: