-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS Auth supports accessing windows certificate store for the private key with the id of the private key #2434
Comments
This likely will need an outside PR as I don't think any of the core developers is using Windows which will make working on this a lot harder. I have also close to zero experience with certificate stores and can't even tell you if this is only a windows feature or should we be supporting other stores as well. Additionally, |
In grafana/k6-docs#616 I am exploring some workaround using outside tools. Can you maybe try to figure out if this is viable alternative for your case as well 🙇 ? |
Hi @mstoykov , thank you very much for spending time for finding alternative solutions for me! However, I would assume if we pass certificate as environment variables, we would still need to have access to clear text certificate, and load them into terminal environment variables. However, for our production system, it's simply forbidden to export clear text private certificate once it's imported into the system certificate store. So this still won't work for us. Again, much appreciated for your effort for researching this! In my opinion, this will be a very useful feature if implemented. Similar to windows, I believe MacOS also has keychain which stores certs. If K6 can support making TLS https requests by accessing system-wide cert store, it will improve K6's security drastically. |
Hi, this was a long standing bug/gap in java, fixed recently. from the Java code commit :
The following keystore types were also added, allowing developers to make it clear they map to the current user:
|
After an internal discussion, k6 core decided to close this issue for now since we are unlikely to work on this shortly. |
Feature Description
Currently, the TLS Auth section of the Options inside the javascript only supports clear text private key. This is generally considered insecure in a production environment.
For the Windows platform, usually, the certificate is installed into the windows local certificate store. I would like to request that K6 supports accessing the Windows certificate store for accessing the private key instead of providing a cleartext private key.
For example, something like below:
On a Windows machine, this Powershell command can be used to list all the certs installed in the local machine's certificate store:
Get-ChildItem -path cert:\LocalMachine\My
And the thumbprint string from above output for a specific cert would be the string to use in the configuration.
A library I have found online implemented in GO seems to have this functionality already: https://github.com/google/certtostore/blob/master/certtostore_windows.go
Suggested Solution (optional)
No response
Already existing or connected issues / PRs (optional)
No response
The text was updated successfully, but these errors were encountered: