aspnet / KestrelHttpServer

[Archived] A cross platform web server for ASP.NET Core. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Kestrel Server HTTPS using Certificate Pulled from KeyVault #3065

Closed OnamChilwan closed 5 years ago

OnamChilwan commented 5 years ago

I want to secure my API with a PFX cert which I have stored in my Key Vault and want to secure my API with it; however, for some reason this doesn't seem to work the way I expect.

If I have the cert installed on my machine it works perfectly. I was wondering if it's possible to store the cert in Key Vault and then secure my API with it, as opposed to looking it up in the certificate store on my machine?

Scenario

The scenario is I have a .NET Core Web API which talks to Key Vault. This Key Vault contains my PFX certificate, which prompted for my password when I uploaded it. So everything seems fine at this point.

Implementation

Secure the API using the PFX certificate I pull down from Key Vault using the following code:

            using System.Net;
            using System.Security.Cryptography.X509Certificates;
            using Microsoft.AspNetCore.Hosting;
            using Microsoft.Azure.KeyVault;

            // GetToken is the poster's KeyVaultClient.AuthenticationCallback,
            // (authority, resource, scope) => Task<string>; its body is not shown in the issue.
            var client = new KeyVaultClient(new KeyVaultCredential(GetToken));
            var cert = client.GetCertificateAsync("https://somekeyvaultsomewhere.vault.azure.net/", "my_tls_cert").Result;

            // CertificateBundle.Cer is the DER-encoded public certificate from the
            // certificate endpoint. The PFX with the private key is only exposed through
            // the secret of the same name, so this X509Certificate2 has HasPrivateKey == false
            // and Kestrel cannot terminate TLS with it.
            var certificate = new X509Certificate2(cert.Cer);

            var host = new WebHostBuilder()
                .UseKestrel(options =>
                {
                    const int PortNumber = 5001;
                    options.Listen(
                        new IPEndPoint(IPAddress.Any, PortNumber),
                        listenOptions =>
                        {
                            listenOptions.KestrelServerOptions.AddServerHeader = false;
                            listenOptions.UseHttps(certificate);
                        });
                })
                .CaptureStartupErrors(true)
                .UseStartup<Startup>()
                .Build();

            host.Run();

[screenshot: running app]

Expected Behaviour

When I browse to https://localhost:5001/ I am expecting the browser to prompt me to accept the certificate and continue (Chrome).

Actual Behaviour

I get no response and no prompt to accept the certificate. In fact I get "content is not reachable".

Tratcher commented 5 years ago

Does the cert work when you load it from a local file?

What shows up in the logs when you try to connect?
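
The two questions above (does the same cert work from a local file, and what do the logs say) can be answered with one small console program. The following is an added example written for this thread; it is not code from the issue, from Kestrel or from Azure SDK samples. It assumes ASP.NET Core 2.x with the Microsoft.Azure.KeyVault, Microsoft.Azure.Services.AppAuthentication and Microsoft.Extensions.Logging.Console packages; the class and method names (CertDiagnostics, Report, LoadFromKeyVault, BuildHost), the command-line argument layout and the vault URL placeholder are all choices made here. It loads the certificate both ways, reports whether each copy carries a private key and a server-authentication EKU (the two things Kestrel checks before it will terminate TLS), pulls the Key Vault copy from the secret endpoint rather than CertificateBundle.Cer so that the private key is included, and then starts Kestrel with console logging so a failed listener is visible instead of a silent "not reachable".

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Logging;

// Added diagnostic, not code from the issue or from Kestrel. It loads the same PFX from a
// local file and from Key Vault, reports what each copy actually contains, and then starts
// Kestrel with console logging so a failed listener produces an error instead of silence.
public static class CertDiagnostics
{
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth

    // Prints the properties Kestrel cares about and returns false if Kestrel would refuse the cert.
    public static bool Report(string label, X509Certificate2 cert)
    {
        var hasEku = false;
        var serverAuth = false;
        foreach (var ext in cert.Extensions)
        {
            if (!(ext is X509EnhancedKeyUsageExtension eku)) continue;
            hasEku = true;
            foreach (var oid in eku.EnhancedKeyUsages)
                if (oid.Value == ServerAuthOid) serverAuth = true;
        }
        // Kestrel accepts a cert with no EKU extension; one with an EKU list must include serverAuth.
        var ekuOk = !hasEku || serverAuth;
        var usable = cert.HasPrivateKey && ekuOk && cert.NotAfter > DateTime.Now;

        Console.WriteLine($"[{label}] subject={cert.Subject} thumbprint={cert.Thumbprint}");
        Console.WriteLine($"[{label}] dns={cert.GetNameInfo(X509NameType.DnsName, false)} expires={cert.NotAfter:u}");
        Console.WriteLine($"[{label}] HasPrivateKey={cert.HasPrivateKey} serverAuthEku={ekuOk} usable={usable}");
        if (!cert.HasPrivateKey)
            Console.WriteLine($"[{label}] no private key: CertificateBundle.Cer gives exactly this; read the secret instead");
        return usable;
    }

    // The PFX with its private key is exposed through the secret endpoint of the same name,
    // base64 encoded and without a password (Key Vault drops the one given at upload).
    public static async Task<X509Certificate2> LoadFromKeyVault(string vaultUrl, string certName)
    {
        // AzureServiceTokenProvider picks up az login / Visual Studio / managed identity credentials,
        // standing in for the GetToken callback the issue does not show.
        var tokenProvider = new AzureServiceTokenProvider();
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
        var secret = await client.GetSecretAsync(vaultUrl, certName);
        return new X509Certificate2(Convert.FromBase64String(secret.Value), string.Empty);
    }

    public static IWebHost BuildHost(X509Certificate2 cert, int port)
    {
        return new WebHostBuilder()
            .ConfigureLogging(logging =>
            {
                logging.AddConsole();                    // Kestrel writes bind and TLS errors here
                logging.SetMinimumLevel(LogLevel.Debug); // Debug also shows each failed handshake
            })
            .UseKestrel(options =>
            {
                options.AddServerHeader = false;
                options.Listen(new IPEndPoint(IPAddress.Any, port), listen => listen.UseHttps(cert));
            })
            .Configure(app => app.Run(ctx => ctx.Response.WriteAsync("tls ok")))
            .Build();
    }

    // Usage: dotnet run -- <local.pfx> <pfx-password> <https://yourvault.vault.azure.net/> <cert-name>
    public static void Main(string[] args)
    {
        var local = new X509Certificate2(args[0], args[1]);
        var remote = LoadFromKeyVault(args[2], args[3]).GetAwaiter().GetResult();

        var localOk = Report("local file", local);
        var remoteOk = Report("key vault", remote);
        if (local.Thumbprint != remote.Thumbprint)
            Console.WriteLine("local file and Key Vault hold different certificates");
        if (!localOk && !remoteOk)
        {
            Console.WriteLine("neither copy is usable for TLS; fix the certificate before looking at Kestrel");
            return;
        }

        // Start with the Key Vault copy when it is usable, otherwise fall back to the file so the
        // log output shows whether the problem is the certificate or the listener.
        BuildHost(remoteOk ? remote : local, 5001).Run();
    }
}
```

If the local copy reports HasPrivateKey=true and the Key Vault copy reports HasPrivateKey=false with the same thumbprint, the certificate itself is fine and the problem is which Key Vault endpoint was read. Whatever the outcome, the Debug-level console output from Kestrel is what the second question above is asking for.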

muratg commented 5 years ago

I'm assuming the cert was bad since we did not receive any response on this issue. Closing.