
Install Intermediate Certificates when calling Install-PACertificate #397

Closed
FISHMANPET opened this issue Oct 12, 2021 · 4 comments
Labels: enhancement (New feature or request)

Comments

@FISHMANPET

This request is somewhat related to #396, in that I think it's only a problem in the case where a server does not have access to the internet. The Install-PACertificate command will install the web server certificate itself, but it won't install any intermediate certificates. On a system with internet access, the cert manager and IIS seem to be smart enough to just figure it out and get the intermediate certs from the information in the server certificate itself. In the case of a system without internet access, it's not able to do this. In my case at least, with our commercial certificate vendor, the intermediate certificates are created and downloaded along with the server certificate itself. The GUI is smart enough to place all the certificates in their correct places, but the command line doesn't, so even if you import the full chain into the My cert store (as the command currently does) it will only get the server certificate itself, and not do anything with the intermediates.

I would propose (and again I would work on this change as well) adding an "Intermediate" flag to Install-PACertificate, and if that is specified, it would load the chain certificates into the Intermediate store, in addition to adding the web server certificate itself to the My or otherwise specified store.

If there's a better way to implement this, or a way to accomplish this without modifying the module I'm open to that as well.

@rmbolger
Owner

Hi @FISHMANPET. I definitely like this idea and had been contemplating similar ideas particularly after all of the DST root expiration and chain wrangling stuff that happened with Let's Encrypt recently. There are a couple things I haven't fully fleshed out in my head yet though.

Part of me wonders whether an explicit switch is even necessary. As we know, the intermediates are pulled down automatically on an internet-connected machine by default anyway. The code that would be installing the intermediates would undoubtedly check to see if they exist first and only install if necessary. But do we think there's a case where a user would not want the intermediates installed (knowing they don't really have a choice on a normally connected machine)?

If we add this functionality to Install-PACertificate, should we also add it to the code that runs if the Order has the Install flag set to $true? I'm thinking yes if Install-PACertificate is doing it without an explicit switch.

The other thing I mildly worry about is that since these intermediates are installed system-wide (or per-user), by adding this functionality to Install-PACertificate we may give users the mistaken impression that they can control them on a per-certificate basis.

The other thing is that due to the way the current LE chains work, simply adding the intermediates to the Intermediate store doesn't actually force Windows to use that chain. Even if you add R3 and the cross-signed ISRG Root X1 cert to Intermediate certs, Windows will still only serve R3 as the only intermediate. So the entire concept sort of muddies the water in terms of what Posh-ACME can affect.

@rmbolger rmbolger self-assigned this Oct 12, 2021
@rmbolger rmbolger added the enhancement New feature or request label Oct 12, 2021
@FISHMANPET
Author

I'm not sure there is a case where you wouldn't want the intermediate certificates installed. My case is, I suspect, a comparatively rare one, where I'm not using LE or any of the other "free" vendors but a paid vendor, InCommon in our case. For our certs, there are two intermediates between the issued certificate and the trusted root (Sectigo) and the certificate isn't functional without those intermediates.

I've read about the alternate chains for LE but don't really understand it much, certainly not well enough to say how importing the provided intermediates would impact it (maybe not at all).

My initial thought was that adding Intermediate certs would be an "advanced" option, so it would be a flag on Install-PACertificate but not done when using the -Install parameter in New-PACertificate because that command looks like it's meant to be "easy mode" and installing Intermediate certs wouldn't be part of easy mode. Maybe the inverse is true, maybe Install-PACertificate should install the intermediates by default, unless there's a -NoIntermediates parameter or something. Then using the -Install flag in New-PACertificate would install the Intermediates, and if you didn't want to install the Intermediates, you wouldn't use the -Install parameter and instead explicitly call Install-PACertificate with the -NoIntermediates parameter.

But ultimately I think we're both stuck on the question of "is there a case where you wouldn't want the intermediates installed?".

As for the "mistaken impression" part I'd say I don't have enough experience to know what people's expectations are (and caring about specific trust chains seems to only be a concern with LE and is treated as an "advanced" concept). The GUI appears to already import the intermediate certificates somewhat automatically and silently, so at the very least it's a mistaken impression that the Cert Manager GUI is already spreading, so maybe it's not a concern regardless.

rmbolger added a commit that referenced this issue Oct 25, 2021
…mediate cert store if they don't already exist (#397)
@rmbolger
Owner

rmbolger commented Oct 25, 2021

I've got a preliminary version of this feature in the main branch now if you want to test it out. It works for explicit calls to Install-PACertificate as well as orders that have the Install flag set. The code also respects the StoreLocation parameter so the chain certs will go into LocalMachine\CA or CurrentUser\CA depending on the value of that param.
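The following is an added example and not Posh-ACME's own implementation. It illustrates the two points raised in this thread: installing only the intermediates that are missing from the CA store of the chosen StoreLocation (LocalMachine\CA or CurrentUser\CA), skipping self-signed roots, and then asking Windows which chain it actually builds for the leaf, which is how you would observe the "Windows still only serves R3" behaviour described above on a machine without internet access. Assumptions: the input is a PEM file with the leaf certificate first followed by its intermediates (the layout of an ACME fullchain file); the function names Install-ChainIntermediate, Get-PemCertificates and Test-ServedChain and the sample path C:\certs\fullchain.cer are mine, not the module's.

```powershell
# Added example, not Posh-ACME code. Requires PowerShell 5.1+ on Windows;
# run elevated when targeting LocalMachine.

function Get-PemCertificates {
    # Split a PEM bundle into X509Certificate2 objects, in file order.
    param([Parameter(Mandatory)][string]$Path)
    $pem = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($pem, $pattern, 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

function Install-ChainIntermediate {
    # Install intermediates from a leaf-first PEM chain into <StoreLocation>\CA,
    # only if a cert with the same thumbprint is not already there. Returns the leaf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$FullChainPath,
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$StoreLocation = 'LocalMachine'
    )
    $certs = @(Get-PemCertificates -Path $FullChainPath)
    if ($certs.Count -lt 2) {
        Write-Warning "No intermediates found in $FullChainPath"
        return $certs[0]
    }
    $leaf = $certs[0]
    $intermediates = @($certs[1..($certs.Count - 1)])

    # 'CA' is the store name behind "Intermediate Certification Authorities".
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('CA', $StoreLocation)
    $store.Open('ReadWrite')
    try {
        foreach ($ca in $intermediates) {
            # A self-signed cert is a root; it belongs in Root and must not be
            # silently trusted by a chain-install routine. Cross-signed roots
            # (issuer differs from subject) are intermediates and are installed.
            if ($ca.Subject -eq $ca.Issuer) {
                Write-Verbose "Skipping self-signed root: $($ca.Subject)"
                continue
            }
            $existing = $store.Certificates.Find('FindByThumbprint', $ca.Thumbprint, $false)
            if ($existing.Count -gt 0) {
                Write-Verbose "Already present in $StoreLocation\CA: $($ca.Subject)"
                continue
            }
            if ($PSCmdlet.ShouldProcess("$StoreLocation\CA", "Add $($ca.Subject)")) {
                $store.Add($ca)
            }
        }
    }
    finally {
        $store.Close()
    }
    $leaf
}

function Test-ServedChain {
    # Build the chain the Windows chain engine would use for this leaf and
    # report each element, so you can see which intermediate it really picks.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Offline host: do not fail the build just because CRL/OCSP is unreachable.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($Leaf)
    Write-Verbose "Chain built successfully: $built"
    foreach ($el in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $el.Certificate.Subject
            Issuer     = $el.Certificate.Issuer
            Thumbprint = $el.Certificate.Thumbprint
            Status     = (($el.ChainElementStatus | ForEach-Object Status) -join ',')
        }
    }
}

# Usage (path is a placeholder for this example):
$leaf = Install-ChainIntermediate -FullChainPath 'C:\certs\fullchain.cer' -StoreLocation LocalMachine -Verbose
Test-ServedChain -Leaf $leaf | Format-Table -AutoSize
```

Running Test-ServedChain before and after the install on an offline host shows the effect directly: with the intermediates missing the chain stops at the leaf with a PartialChain status, and after the install it reaches the root. If the CA store holds more than one valid path (for example both R3 chains), the second call shows which one the chain engine prefers, regardless of what you imported, which is the point made above about what Posh-ACME can and cannot control.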

@rmbolger
Owner

This is now live in 4.11.0
