dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Option to get Certificate directly from Azure Key Vault #4134

Open clairernovotny opened 6 years ago

clairernovotny commented 6 years ago

Moved from https://github.com/aspnet/KestrelHttpServer/issues/2288 as per @davidfowl

With the new certificate capabilities in 2.1, it would be very useful if Kestrel could get certificates directly from Azure Key Vault. This is especially true because Key Vault can auto-renew certificates from providers already.

If done with Managed Service Identities, this can be transparent as well.

davidfowl commented 6 years ago

@onovotny This is for self hosting Kestrel on Azure running in a VM?

/cc @javiercn @pakrym

clairernovotny commented 6 years ago

It should be anywhere Kestrel runs that needs HTTPS. Web Apps already front-ends this, but other places don't.

Even without running on Azure, it could still authenticate to azure and get a cert from Key Vault.

javiercn commented 6 years ago

This is probably possible if you write your own kestrel configuration options.

The interesting part comes with the renewal (which I actually thought of) but that requires Kestrel being able to update its configuration/options without shutting down.

Specifically for the certs part, I can see Kestrel getting its options updated with a new certificate, draining the existing TLS connections using the old existing certificate and moving to use the updated certificate for new connections.

Another cool scenario for this would be that updating the cert at runtime without downtime would allow creating and renewing certificates through ACME (letsencrypt) without having to reboot the server.

The question is how much value does this work add, what the cost of it is, and what the priority is compared to other improvements we can do to Kestrel?

What is the percentage of people running Kestrel on the edge vs running it behind IIS/nginx or some other reverse proxy and doing HTTPS termination at the proxy level?

davidfowl commented 6 years ago

I think minimally kestrel can add a callback for getting a cert for a connection. We've held off on that because we're waiting to see what SNI Support looks like on SSLStream but maybe it doesn't matter yet

pherbel commented 6 years ago

We also would like to use this feature. Would be great when you want to host a Kestrel-based service without a proxy inside or outside Azure.

e.g. Kestrel service in Service Fabric hosting

muratg commented 6 years ago

@glennc @danroth27 please triage.

danroth27 commented 6 years ago

@DamianEdwards Sounds like something worth doing, but I don't think this is required for 2.1.

DamianEdwards commented 6 years ago

Now that we're revisiting SNI support for 2.1.0, maybe we can do what @davidfowl suggests above and just add a callback for getting the cert from wherever.

analogrelay commented 5 years ago

We have a callback now (HttpsConnectionAdapterOptions.ServerCertificateSelector). The docs for Kestrel endpoint configuration show how to use it (you have to scroll down to "Kestrel support for SNI" unfortunately, I can't deep link it).

The delegate isn't async (intentionally, since it would block connections), so what you'd probably want to do for something like Key Vault is to fetch the certificate during your startup process (in Program.Main, etc.) and store it in a thread-safe global of some kind, then pull it out in your callback. You can use a background task to keep it up-to-date as well.

I'm moving this issue to the Backlog milestone. We can reassess in future releases.

guardrex commented 5 years ago

I'm updating the docs so that at least it doesn't recommend/show keeping the cert physically in the app. The updates on Update AKV config provider for new Azure process (aspnet/AspNetCore.Docs #12396) have the dev keep the cert in the cert store. We did show that approach, but it was in a section further down the topic. Now, it will be THE recommended approach.

@anurse remarked on the review:

Might be worth filing a bug to have us update the provider to support reading the certificate out of the store ourselves rather than forcing the user to do it.

Since this issue deals with how the provider handles the cert storage generally (and perhaps not having the cert on the local machine at all), I'll leave his remark here.

Side note: Currently, only a PFX (or a cert store-loaded cert) works on the app-side while Azure AD only allows CER, CRT, and PEM uploads. They used to allow PFX uploads. The doc updates address this now. It just seems a bit hard to reason on.

jkotalik commented 3 years ago

@davidfowl has this been resolved in our work with certs for 5.0?

davidfowl commented 3 years ago

No this is asking for something that is coupled to key vault. That would need to be another package

davidfowl commented 3 years ago

This might make sense as an Azure SDK package @Petermarcu @pakrym ?

davidfowl commented 3 years ago

cc @blowdart

blowdart commented 3 years ago

Yea this should firmly fall under the azure sdk now like everything else

adityamandaleeka commented 2 years ago

Triage: we should document how to set things up such that there's an async retrieval of cert from Key Vault as part of startup, and only if it succeeds do we proceed with host building.

As for the Key Vault interaction itself, that should already exist: https://docs.microsoft.com/en-us/dotnet/api/overview/azure/security.keyvault.certificates-readme#retrieve-a-certificate
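The pattern described in the two comments above (fetch the certificate from Key Vault asynchronously before the host is built, keep it in a thread-safe holder that the synchronous ServerCertificateSelector reads per connection, and refresh it from a background task) put together as an added example. This is not aspnetcore's code, the Azure SDK's code, or code from anyone in this thread. It assumes a .NET 6+ minimal-hosting app with the Azure.Identity and Azure.Security.KeyVault.Certificates packages; the configuration keys KeyVault:Url and KeyVault:CertificateName, the port 8443, the one-hour refresh interval and the type names CertificateHolder and CertificateRefresher are all made up for the example.

```csharp
// Program.cs (added example, not project code). Assumed packages:
// Azure.Identity, Azure.Security.KeyVault.Certificates.
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical configuration keys for the vault URL and certificate name.
var vaultUri = new Uri(builder.Configuration["KeyVault:Url"]
    ?? throw new InvalidOperationException("KeyVault:Url is not configured"));
var certName = builder.Configuration["KeyVault:CertificateName"]
    ?? throw new InvalidOperationException("KeyVault:CertificateName is not configured");

// DefaultAzureCredential resolves to a managed identity on Azure and to
// developer credentials (Azure CLI, Visual Studio, ...) elsewhere, so no
// secret has to live in the app or its config.
var client = new CertificateClient(vaultUri, new DefaultAzureCredential());

// Step 1: fetch the certificate asynchronously *before* building the host.
// DownloadCertificateAsync returns an X509Certificate2 with the private key
// (GetCertificateAsync returns only the public part). If this throws, the
// process exits instead of starting an HTTPS listener without a certificate.
var holder = new CertificateHolder((await client.DownloadCertificateAsync(certName)).Value);

builder.Services.AddSingleton(holder);
builder.Services.AddSingleton(client);
builder.Services.AddHostedService<CertificateRefresher>();

// Step 2: the selector is synchronous and runs once per connection, so it
// only reads the cached certificate and never talks to Key Vault. The second
// parameter is the SNI host name; this example ignores it (one cert for all).
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ListenAnyIP(8443, listen =>
        listen.UseHttps(https => https.ServerCertificateSelector = (_, _) => holder.Current));
});

var app = builder.Build();
app.MapGet("/", () => "hello over TLS");
app.Run();

// Thread-safe holder: swapping a reference is atomic; Volatile keeps the
// hot path from reading a stale value after a swap.
public sealed class CertificateHolder
{
    private X509Certificate2 _current;
    public CertificateHolder(X509Certificate2 initial) => _current = initial;
    public X509Certificate2 Current => Volatile.Read(ref _current);
    public void Swap(X509Certificate2 next) => Volatile.Write(ref _current, next);
}

// Step 3: background refresh. New connections pick up the new certificate on
// the next handshake; already-open TLS sessions keep using the old one until
// they close, which is why the old object is deliberately not disposed here.
public sealed class CertificateRefresher : BackgroundService
{
    private readonly CertificateClient _client;
    private readonly CertificateHolder _holder;
    private readonly string _name;
    private readonly ILogger<CertificateRefresher> _log;

    public CertificateRefresher(CertificateClient client, CertificateHolder holder,
        IConfiguration config, ILogger<CertificateRefresher> log)
    {
        _client = client;
        _holder = holder;
        _log = log;
        _name = config["KeyVault:CertificateName"]!;
    }

    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
    {
        using var timer = new PeriodicTimer(TimeSpan.FromHours(1)); // assumed interval
        while (await timer.WaitForNextTickAsync(stoppingToken))
        {
            try
            {
                var fresh = (await _client.DownloadCertificateAsync(_name, cancellationToken: stoppingToken)).Value;
                if (fresh.Thumbprint != _holder.Current.Thumbprint)
                {
                    _holder.Swap(fresh);
                    _log.LogInformation("Rotated TLS certificate to {Thumbprint}", fresh.Thumbprint);
                }
                else
                {
                    fresh.Dispose(); // same cert as cached; nothing to do
                }
            }
            catch (Exception ex) when (ex is not OperationCanceledException)
            {
                // Keep serving with the cached certificate and retry on the next tick.
                _log.LogWarning(ex, "Key Vault refresh failed; keeping the current certificate");
            }
        }
    }
}
```

Two things worth checking when adapting this: the identity the app runs as needs the Key Vault "get" permission on both certificates and secrets (the private key is exposed through the secret behind the certificate), and the refresh interval should be short relative to the certificate's lifetime so an auto-renewed certificate in Key Vault is picked up well before the old one expires.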