damienbod / AspNetCoreCertificateAuth

ASP.NET Core 3.1 Certificate Authentication Self Signed and Chained
https://damienbod.com/2019/06/13/certificate-authentication-in-asp-net-core-3-0/
MIT License

Can't get client certificate authentication working #1

Open sourishkrout opened 4 years ago

sourishkrout commented 4 years ago

It appears the certs in the repo are inconsistent, both in the Certs folder and in the respective projects' folders. Initially I tried to get it running on macOS but have since switched to Windows, with the same results.

I've slightly modified the certificate generation PowerShell steps to be able to fully execute them without manual intervention here: https://github.com/sourishkrout/AspNetCoreCertificateAuth/blob/master/Certs/README.md

Here are more concrete problems/questions:

Overall I found the implementation of TLS in .NET Core to be incompatible with established best practices including the inability to use intermediate certs for server auth in Kestrel.

Any help and pointers would be much appreciated. We'd love to add .NET Core to the Hello mTLS documentation: https://smallstep.com/hello-mtls

Thanks @damienbod!

damienbod commented 4 years ago

Hi @sourishkrout

Thanks for your feedback. I'll try to answer as best I can and understand.

• In the chained example, why is the root ca cert being used as the server's cert?

This is just an example, you could use the intermediate or a self signed directly.

• Why is the root cert not set to CA=1 and define a pathlength=1 which would allow an intermediate cert to be used?

Need to check this, not sure why

• Is it generally required to install the generated root/intermediate cert into the local trust store? I couldn't find an option to specify a root cert pool for private CA usage, which is a common use case.

If you’re using self-signed certs, yes. If you create your certs from a cert which is trusted, i.e. from a CA, then this should just work. A lot of these configurations are there because we use self-signed certs.

• Following code appears to have no effect... any idea why? https://github.com/damienbod/AspNetCoreCertificateAuth/blob/master/AspNetCoreCertificateAuthApiChained/Startup.cs#L53-L75

This is the code used for custom validation. If the cert is accepted, then this code will execute.

• When a server cert is specified it appears IIS Express/Kestrel serves the auto-provisioned self-signed dev-cert irrespective of the cert in Program.cs?

This does not make sense to me, or I don’t understand it, or I don’t have this problem. I need to check this.

‘It appears the certs in the repo are inconsistent, both in the Certs folder, and in the respective projects' folders. Initially I've tried to get it running on macOS but have switched to Windows with the same results.’

Should not be, but I need to clean this up and reuse the same instance of the cert. Thanks for the pointer.

‘Overall I found the implementation of TLS in .NET Core to be incompatible with established best practices including the inability to use intermediate certs for server auth in Kestrel.’

Could you help me here? I would like to understand this better. Thanks

After testing again and validating, the git repo should work as it is. All certs are trusted on my operating system.

I have added 3 examples which work as expected.

https://github.com/damienbod/AspNetCoreCertificateAuth/blob/master/AspNetCoreCertificateAuth/Pages/Index.cshtml.cs#L65-L72

When the example doesn’t work for you, some of the runtime logs give extra info why the cert validation failed. If the certs fail, the validation part never runs.

Hope this helps, looking forward to your feedback.

Greetings Damien
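The chain questions raised above (a root with CA=true and pathLength=1 so that an intermediate can sit below it, and a private root pool instead of importing into the OS trust store) can be exercised without a web server. The following is an added example written for this thread; it is not code from the AspNetCoreCertificateAuth repo or from damienbod. It builds root → intermediate → client certificates in memory with CertificateRequest, then runs the same X509Chain check the server performs before any OnCertificateValidated code executes. The subject names are made up for the demo. It assumes .NET 5 or later, because X509ChainTrustMode.CustomRootTrust does not exist on .NET Core 3.1; on 3.1 the only way to trust a private root is the OS store, which is why the repo's setup installs its certs there.

```csharp
// Added example (not from the AspNetCoreCertificateAuth repo): private CA chain built
// in memory and validated against a caller-supplied root pool (no OS trust store).
// Assumes .NET 5+ (X509ChainTrustMode.CustomRootTrust); subject names are placeholders.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PrivateCaDemo
{
    // Creates a CA certificate. issuer == null produces a self-signed root.
    static X509Certificate2 NewCa(string subject, X509Certificate2 issuer, int pathLength, byte serial)
    {
        var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256);
        // CA=true with an explicit pathLength: a root needs >= 1 to allow one intermediate CA below it.
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, pathLength, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));

        var notBefore = DateTimeOffset.UtcNow.AddMinutes(-5);
        var notAfter = notBefore.AddYears(2);
        if (issuer is null)
            return req.CreateSelfSigned(notBefore, notAfter);
        // Create() returns a certificate without its private key; attach it so this CA can sign leaves.
        return req.Create(issuer, notBefore, notAfter, new[] { serial }).CopyWithPrivateKey(key);
    }

    // Creates an end-entity client certificate signed by `issuer`.
    static X509Certificate2 NewClientCert(string subject, X509Certificate2 issuer, byte serial)
    {
        var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        // clientAuth EKU (1.3.6.1.5.5.7.3.2): the certificate auth middleware checks for it by default.
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false));
        var notBefore = DateTimeOffset.UtcNow.AddMinutes(-5);
        return req.Create(issuer, notBefore, notBefore.AddYears(1), new[] { serial }).CopyWithPrivateKey(key);
    }

    // The chain check that runs before any custom validation event: trust only `root`,
    // supply the intermediate out of band, and skip revocation (this demo has no CRL/OCSP).
    static bool ValidateAgainstPrivateRoot(X509Certificate2 leaf, X509Certificate2 intermediate,
                                           X509Certificate2 root, out string detail)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        chain.ChainPolicy.ExtraStore.Add(intermediate);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool ok = chain.Build(leaf);
        detail = ok
            ? "chain OK, " + chain.ChainElements.Count + " elements"
            : string.Join("; ", Array.ConvertAll(chain.ChainStatus,
                  s => s.Status + ": " + s.StatusInformation?.Trim()));
        return ok;
    }

    static void Main()
    {
        // Root with pathLength=1 -> intermediate (pathLength=0) -> client leaf: builds and validates.
        var root = NewCa("CN=Demo Private Root", null, pathLength: 1, serial: 1);
        var inter = NewCa("CN=Demo Intermediate", root, pathLength: 0, serial: 2);
        var client = NewClientCert("CN=demo-client", inter, serial: 3);
        Console.WriteLine("pathLength=1 root: " + ValidateAgainstPrivateRoot(client, inter, root, out var d1) + " (" + d1 + ")");

        // Same shape with a pathLength=0 root: the intermediate is one level too deep, so the
        // chain is rejected at build time and a server would never reach OnCertificateValidated.
        var shortRoot = NewCa("CN=Demo Short Root", null, pathLength: 0, serial: 1);
        var badInter = NewCa("CN=Demo Intermediate", shortRoot, pathLength: 0, serial: 2);
        var badClient = NewClientCert("CN=demo-client", badInter, serial: 3);
        Console.WriteLine("pathLength=0 root: " + ValidateAgainstPrivateRoot(badClient, badInter, shortRoot, out var d2) + " (" + d2 + ")");

        // Wrong root pool: a valid leaf checked against a root that did not issue its chain
        // fails with a partial/untrusted chain, the same failure an un-imported root produces.
        Console.WriteLine("wrong root: " + ValidateAgainstPrivateRoot(client, inter, shortRoot, out var d3) + " (" + d3 + ")");
    }
}
```

The first run prints a successful build; the other two fail, and the ChainStatus text is the kind of detail that appears in the runtime logs when the middleware rejects a certificate before custom validation runs. In ASP.NET Core 5.0 and later the same mechanism is exposed on the middleware itself through CertificateAuthenticationOptions.ChainTrustValidationMode and CustomTrustStore, so a private root can be pinned without touching the OS store; on 3.1 that option is absent. A separate caveat for the "wrong server cert" symptom: when a project is launched under the IIS Express profile, IIS Express terminates TLS with its own certificate binding, so a ServerCertificate configured for Kestrel in Program.cs is only used when the Kestrel profile is run.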