Rationale
Based on a different method of extracting pfx files, I have found it useful to focus on all the certificates that support Server Authentication with keys at once. I can then use all of these to support Server Name Identification (SNI).
Alternative
- Add a function to query which stores are available at runtime.
- Add an option to exportSystemCertificates to only export X509 certificates if they have a private key.
- Add an example to the readme.
The first allows for programmatically querying all stores. The second is needed because X509 certificates in Node do not contain information about whether a private key exists. It avoids attempting to export all the certificates which do not have private keys.
Alternatives Which Do Not Work
tls.getCACertificates("system")
This is limited to a hard-coded list of stores, and provides no indication of which store a certificate came from, or if it has a private key.
Function To Export All Certificates And Private Keys
Smart cards have private keys, and attempting to export them, even when they are not exportable, triggers a user popup. This is undesirable, especially when the key cannot be used for my intended use case.
My Approach
This is not directly relevant, but may be useful/interesting.
node-powershell and the following extract all exportable certs and private keys.
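# $pw is the PFX password; it is assumed to be set by the caller before this runs.
$serverAuth = [Microsoft.PowerShell.Commands.EnhancedKeyUsageRepresentation]::new('Server Authentication', '1.3.6.1.5.5.7.3.1')
# Keep certificates in any store that have a private key, the Server Authentication EKU, and pass Verify().
$certs = $(Get-ChildItem -Path 'Cert:\\' -Recurse).Where({$_.HasPrivateKey -and $_.EnhancedKeyUsageList.contains($serverAuth) -and $_.Verify()})
# Export each as base64 PFX; a failed export becomes '' and is filtered out.
$certs.ForEach({try{[System.Convert]::ToBase64String($_.Export('Pfx', $pw))} catch{''}}).Where({$_.length -gt 0})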
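One way to use several exported PFX blobs for SNI in Node, as an added example that is not part of the original issue or of the package's code. The entry shape (`dnsNames`, `pfx`, `passphrase`) and the names `matchesDnsName`, `buildSniCallback` and `selectContext` are assumptions; the DNS names are expected to be supplied alongside each PFX by whatever exports it.

```javascript
const tls = require('node:tls');

// Assumed entry shape (constructed for this example):
//   { dnsNames: ['www.example.test', '*.example.test'], pfx: Buffer, passphrase: string }
// A base64 PFX string should be decoded first: Buffer.from(b64, 'base64').

// Match an SNI servername against one certificate DNS name.
// A wildcard covers exactly one left-most label and never the bare domain.
function matchesDnsName(servername, dnsName) {
  const host = servername.toLowerCase().replace(/\.$/, '');
  const name = dnsName.toLowerCase();
  if (!name.startsWith('*.')) return host === name;
  const dot = host.indexOf('.');
  return dot > 0 && host.slice(dot) === name.slice(1);
}

// Build an SNICallback for tls.createServer / https.createServer.
// createContext is injectable so the selection logic can be tested without real keys.
function buildSniCallback(entries, createContext = tls.createSecureContext) {
  const table = entries.map((e) => ({
    dnsNames: e.dnsNames,
    context: createContext({ pfx: e.pfx, passphrase: e.passphrase }),
  }));
  const find = (servername) => {
    // Exact names win over wildcards so a dedicated certificate is preferred.
    const exact = table.find((t) =>
      t.dnsNames.some((n) => !n.startsWith('*.') && matchesDnsName(servername, n)));
    return exact || table.find((t) => t.dnsNames.some((n) => matchesDnsName(servername, n)));
  };
  return function sniCallback(servername, cb) {
    const hit = find(servername);
    // Fail the handshake instead of falling back to an unrelated certificate.
    if (!hit) return cb(new Error(`no certificate for ${servername}`));
    cb(null, hit.context);
  };
}

// Helper that turns the callback result into a return value (null on error).
function selectContext(sniCallback, servername) {
  let result = null;
  sniCallback(servername, (err, ctx) => { result = err ? null : ctx; });
  return result;
}
```

Pass the result as the `SNICallback` option of `tls.createServer`; each secure context is created once at startup, so the private keys are loaded a single time rather than per connection.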