[Windows] Fix access denied issue in OVS cert import #6529
Conversation
|
/test-windows-all |
wenyingd
force-pushed
the
cert_access_denied
branch
from
2af0434
to
e8e90db
Compare
| # performed on a fresh Windows 2022 Node. | ||
| $CertStore = Get-Item cert:\LocalMachine\TrustedPublisher | ||
| $CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite") | ||
| $CertStore.Add($(Get-Item $CertificateFile).FullName) |
There was a problem hiding this comment.
Import the certificate from the file into an X509Certificate2 object and then adds that object to the store !
| $CertStore.Add($(Get-Item $CertificateFile).FullName) | |
| # Load the certificate from the file into an X509Certificate2 object | |
| $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 | |
| $certificate.Import($certificateFilePath) | |
| # Add the certificate to the store | |
| $certStore.Add($certificate) | |
There was a problem hiding this comment.
@rajnkamr , I have verified that my solution does work. I don't think it is necessary to explicitly create a new object for the certificate, instead, when we use a file path to add into the cert store, Windows OS would load the cert automatically. My current solution (using a file path as parameter) is supported by Windows.
|
/test-windows-all |
|
/test-all |
tnqn
added
the
action/release-note
hack/windows/Install-OVS.ps1
Outdated
| # (issue #6530) is possibly hit when the import-certificate to trusted publisher store is firstly | ||
| # performed on a fresh Windows 2022 Node. |
There was a problem hiding this comment.
| # (issue #6530) is possibly hit when the import-certificate to trusted publisher store is firstly | |
| # performed on a fresh Windows 2022 Node. | |
| # may occur when `Import-Certificate` is used to import a certificate to the trusted publisher | |
| # store for the first time on a fresh Windows 2022 Node. See issue #6530. |
|
Does this need to be backported? |
I don't think so, the changes to import cert into both trusted store and root store for all versions (including both signed and unsigned cert) is introduced in this version (v2.1), and the "Access is denied" is seen on Windows Server 2022 which is firstly supported in v2.1 too. So it shall be OK to keep the change in this version. |
An "Access is denied" error is possibly returned when importing certificate into the trusted publishers store at the first time on a fresh Windows 2022 Node. To resolve the issue, this change uses the "Add" method provided by certificate stre as an alternative when importing to trusted publishers. Signed-off-by: Wenying Dong <wenyingd@vmware.com>
wenyingd
force-pushed
the
cert_access_denied
branch
from
e8e90db
to
1ecdba0
Compare
|
/test-windows-all |
Got it, then I will remove |
tnqn
removed
the
action/release-note
|
All windows tests are passed in our CI testbed (I tried 3 rounds of test, and all passed), and the change is also verified on a setup with fresh Windows 2022 Nodes. Can we move it forward? @tnqn |
An "Access is denied" error is possibly returned when importing certificate into the trusted publishers store at the first time on a fresh Windows 2022 Node.
To resolve the issue, this change uses the "Add" method provided by certificate stre as an alternative when importing to trusted publishers.
Fix: #6530