Supplied PFX Password Not Cached

[rick-bennett]

For certain instances, we have to supply a specific password to be used when creating the PFX cert. The overall cert request process seems to work just fine, and we can successfully use the specific password to view the contents of the obtained PFX cert (we just use an OpenSSL .exe command against the .pfx file to quick verify things).

However, we cannot find the specific password within the cache on the device after it was originally obtained. When we explore using the GUI all we see is what we assume is the built-in random password:

1. Launch wacs.exe GUI on the device
2. Pick menu option A
3. Pick menu option D
4. The listed ".pfx password: HUhipXXXXXXXFatO9SkUEMwk+NzW13OXXXXXXb98FbM=" field is NOT our specific password (I replaced some characters in the line here of course)

This was on 64-bit Windows Server 2022 using version 2.2.5.1541 of the WACS client.

Our assumption is that the ".pfx password:" field would contain our specific password so that we could retrieve it at a later date if needed. Is this a bug where the incorrect password is getting cached...?

[WouterTinus]

Look for the password at the store section, not at the top, which is the cache password.

[rick-bennett]

Maybe my coffee hasn't kicked in yet, but I don't see anything within the "Show details for renewal" section that lists the specific PFX password we supplied:

`- -----------------------------------------------------------------

Id: mXG-UsExxxxxxxxxxxxRgA
File: mXG-UsExxxxxxxxxxxxRgA.renewal.json
Account: Default account
FriendlyName: xxxxxxxx
.pfx password: HxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxbM=
Expires: Unknown
Renewal due: 2025/2/26 19:32:20
Renewed: 9 times
Command: wacs.exe --source manual --host
xxxxxxxx.company.com,zzzzzzz.company.com
--friendlyname xxxxxxxx

Plugins -----------------------------------------------------------------

Source: Manual
- Description: Manual input
Validation: SelfHosting
- Description: Serve verification files from memory
Order: Single
- Description: Single certificate
Csr: RSA
- Description: RSA key
Store: PemFiles
- Description: PEM encoded files (Apache, nginx, etc.)
Installation: None
- Description: No (additional) installation steps

Orders -----------------------------------------------------------------`

Is there something we're missing? The specific supplied pfx password should be cached and accessible, right? Or is there a method to get the renewal process to pass the specific password to a post-renewal script? When we try things that way, all we seem to get is the random password when using {CachePassword}.

Thanks!

[WouterTinus]

So from this information that you've shown, it doesn't seem that you've actually chosen a password. To get a .pfx with a chosen password you have to use the PfxFile store plugin: https://www.win-acme.com/reference/plugins/store/pfxfile

[rick-bennett]

This is the manual command I tried:
"C:\ProgramData\win-acme\wacs.exe" --closeonfinish --source Manual --installation Script --commonname device01.company.com --friendlyname device01 --host device01.company.com,mve.company.com --store pfxfile --pfxfilepath "E:\Certs\Test" --pfxpassword "OurPasswordGoesHere" --script "E:\Programs\ABC\XYZ\our-post-cert-renewal-script.ps1" --scriptparameters "-certCred '{CachePassword}'"

And this is the output from WACS after the process completed:
`- -----------------------------------------------------------------
Renewal 1/1 -----------------------------------------------------------------

---

Id: mXG-xxxxxxxxxxxxxxxxxxx
File: mXG-xxxxxxxxxxxxxxxxxxx.renewal.json
Account: Default account
FriendlyName: device01
.pfx password: YYYYYYYYYYYYYYYYYYYYYYYYYY
Expires: Unknown
Renewal due: 2025/3/2 18:24:08
Renewed: 10 times
Command: wacs.exe --source manual --host
device01.company.com,mve.company.com --store
pfxfile --pfxfilepath E:\Certs\Test
--pfxpassword ******* --installation script --script
E:\Programs\ABC\XYZ\our-post-cert-renewal-script.ps1
--scriptparameters "-certCred '{CachePassword}'"
--friendlyname device01

Plugins -----------------------------------------------------------------

Source: Manual
- Description: Manual input
Validation: SelfHosting
- Description: Serve verification files from memory
Order: Single
- Description: Single certificate
Csr: RSA
- Description: RSA key
Store: PfxFile
- Description: PFX archive
Installation: Script
- Description: Start external script or program

Orders -----------------------------------------------------------------`

The password that is passed to the post-renewal PS1 script file is the one from the ".pfx password:" field. And we don't see any listing of the specific password we supplied in the command within the output from the WACS GUI. Are we missing something obvious? Is it not caching the specific password, but only the random one...?

Thanks!