kubernetes-client · k8s-ci-robot · Jul 19, 2023 · Jul 19, 2023
diff --git a/src/KubernetesClient/CertUtils.cs b/src/KubernetesClient/CertUtils.cs
@@ -36,7 +36,10 @@ public static X509Certificate2Collection LoadPemFileCert(string file)
                 //
                 foreach (Org.BouncyCastle.X509.X509Certificate cert in certs)
                 {
-                    certCollection.Add(new X509Certificate2(cert.GetEncoded()));
+                    // This null password is to change the constructor to fix this KB:
+                    // https://support.microsoft.com/en-us/topic/kb5025823-change-in-how-net-applications-import-x-509-certificates-bf81c936-af2b-446e-9f7a-016f4713b46b
+                    string nullPassword = null;
+                    certCollection.Add(new X509Certificate2(cert.GetEncoded(), nullPassword));
                 }
 #endif
             }
@@ -96,13 +99,17 @@ public static X509Certificate2 GeneratePfx(KubernetesClientConfiguration config)
             // see https://github.com/kubernetes-client/csharp/issues/737
             if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
             {
+                // This null password is to change the constructor to fix this KB:
+                // https://support.microsoft.com/en-us/topic/kb5025823-change-in-how-net-applications-import-x-509-certificates-bf81c936-af2b-446e-9f7a-016f4713b46b
+                string nullPassword = null;
+
                 if (config.ClientCertificateKeyStoreFlags.HasValue)
                 {
-                    cert = new X509Certificate2(cert.Export(X509ContentType.Pkcs12), "", config.ClientCertificateKeyStoreFlags.Value);
+                    cert = new X509Certificate2(cert.Export(X509ContentType.Pkcs12), nullPassword, config.ClientCertificateKeyStoreFlags.Value);
                 }
                 else
                 {
-                    cert = new X509Certificate2(cert.Export(X509ContentType.Pkcs12));
+                    cert = new X509Certificate2(cert.Export(X509ContentType.Pkcs12), nullPassword);
                 }
             }
 
@@ -172,13 +179,17 @@ public static X509Certificate2 GeneratePfx(KubernetesClientConfiguration config)
 
             store.Save(pkcs, new char[0], new SecureRandom());
 
+            // This null password is to change the constructor to fix this KB:
+            // https://support.microsoft.com/en-us/topic/kb5025823-change-in-how-net-applications-import-x-509-certificates-bf81c936-af2b-446e-9f7a-016f4713b46b
+            string nullPassword = null;
+
             if (config.ClientCertificateKeyStoreFlags.HasValue)
             {
-                return new X509Certificate2(pkcs.ToArray(), "", config.ClientCertificateKeyStoreFlags.Value);
+                return new X509Certificate2(pkcs.ToArray(), nullPassword, config.ClientCertificateKeyStoreFlags.Value);
             }
             else
             {
-                return new X509Certificate2(pkcs.ToArray());
+                return new X509Certificate2(pkcs.ToArray(), nullPassword);
             }
 #endif
         }

diff --git a/src/KubernetesClient/KubernetesClientConfiguration.ConfigFile.cs b/src/KubernetesClient/KubernetesClientConfiguration.ConfigFile.cs
@@ -308,8 +308,11 @@ private void SetClusterDetails(K8SConfiguration k8SConfig, Context activeContext
             {
                 if (!string.IsNullOrEmpty(clusterDetails.ClusterEndpoint.CertificateAuthorityData))
                 {
+                    // This null password is to change the constructor to fix this KB:
+                    // https://support.microsoft.com/en-us/topic/kb5025823-change-in-how-net-applications-import-x-509-certificates-bf81c936-af2b-446e-9f7a-016f4713b46b
+                    string nullPassword = null;
                     var data = clusterDetails.ClusterEndpoint.CertificateAuthorityData;
-                    SslCaCerts = new X509Certificate2Collection(new X509Certificate2(Convert.FromBase64String(data)));
+                    SslCaCerts = new X509Certificate2Collection(new X509Certificate2(Convert.FromBase64String(data), nullPassword));
                 }
                 else if (!string.IsNullOrEmpty(clusterDetails.ClusterEndpoint.CertificateAuthority))
                 {