Add support for PEM format SSL certificates #4706
Comments
Which APIs does core have for this? Do you end up with one or two X509Certificate2 instances? Note Kestrel uses SslStream for all of it's TLS negotiation, we're constrained by what it can do. |
|
SslStream doesn't care how you get your x509Certificate2 generally. As for the PEM issue not sure if you can construct the instance from two separate files but you can in theory (eg I modified core tondo it with openssl). If it can't be done today it's most likely an ask for an API extension in .net corefx that is needed. |
|
I will test it tonight because I had an example for Linux of this working. |
|
@Drawaes Any updates ?? |
|
@Praveen-Rai I recommend filing a bug on dotnet/corefx repo to track SSL format support ask. It's on their side to implement this. |
|
@muratg , @Tratcher I already created an issue earlier dotnet/corefx#32367 . The comments on the issue seems to convey that there's already some ground work done in Core and Kestrel needs to implement the changes to be able to support the PEM format. CopyWithPrivateKey() was cited in one of the comments. Request you to please review the issue once and correct me if i got it wrong and i will raise another issue specific to PEM format Support. For your reference the API doc for CopyWithPrivateKey() : |
|
Ah, since the X509Certificates2 APIs already exists then you can already load the certificates, combine them, and pass them to Kestrel. What kind of additional Kestrel API do you anticipate is needed here? An overload of UseHttps that accepted two certificate paths? Additional config file parameters for specifying the second cert? Show us how you want to use it. |
|
@Tratcher Referring to Kestrel Listen Options
` ` Quoting the statement below the sample :
All i am looking forward is something as example below : ` "HttpsPEMCertificate": { ` Presently most of the certificate providers issue a pair of *.crt and *.key file ( as far as my knowledge goes ). But as Kestrel configuration needs *.pfx file, one needs to combine *.crt & *.key using OpenSSL to generate *.pfx file. |
|
@Tratcher do we need to add a sample/doc or are we missing a necessary API? |
|
Both. Anything Kestrel can do with certs can also be done in app code (needs a sample), but Kestrel could also provide more first class APIs and config for this scenario. |
|
@Tratcher Any timelines for this issue ?? |
|
@Praveen-Rai no, we're just starting our 3.0 planning so that's the earliest release that could include something like this. Putting together a sample of how devs would do this in Program.Main would be a good place to start. Kestrel's wouldn't be doing anything special here, only integrating and simplifying what devs can already do themselves. https://github.com/dotnet/corefx/issues/32367#issuecomment-423671246 mentions the functionality being available in the corefx master branch. That also corresponds to the 3.0 release. That might be challenging to work with prior to the first preview release, you might need to revisit this issue after that. |
@guardrex , @shirhatti Can we please have a document on how to read and load CRT format certificates using X509Certificates2 APIs and pass them to Kestrel ? |
aspnet-hello
added
area-servers
feature-kestrel
help wanted
|
@Tratcher Now that we have .Net Core 3.0 preview 1 released, can you please re-look into this issue ? |
|
This is on our backlog, we don't plan to investigate it for 3.0. It's marked as up-for-grabs as a likely candidate for community involvement. |
|
@Tratcher So as an alternative we'll have to put up a sample in the Docs. Can you please help on the same ? |
|
That would be almost the same work and is triaged with the same result. We'll review anything the community comes up with here but don't plan to investigate it ourselves right now. |
|
For future readers who might need something similar, this PR (Soluto/kamus#307) shows an example of loading a pem file for HTTPS handling in Kestrel. It was a bit ugly, but not that hard - once you collect all the different parts of information :) a documentation PR will be appreciated? |
|
Any plans for this available in .net core 2.2 and below? |
No, as a rule we do not backport new features or API. We haven't even scheduled this for a future release yet. That said, you should already be able to write app code for this in 3.0. If somebody works out a sample we'd be happy to add it to the docs. |
|
I have a question about using pem as is. |
|
@brzezinol $ sudo certbot certonly \
-d <DOMAIN NAME> \
--deploy-hook cert-renew-hookWhere #!/usr/bin/env bash
openssl pkcs12 \
-inkey /path/to/privkey.pem \
-in /path/to/cert.pem \
-export -out /etc/letsencrypt/live/<DOMAIN NAME>/cert_pfx.pfx \
-passout pass:Then in my Kestrel config I reference the new pfx at the above directory. This may be a bit naive as pfx requires a password but this example sets a blank string. |
|
@Tratcher - based on where we are now - what's the right fix for this look like? Is this something we'd want an API from CoreFx for? An API in ASP.NET? It seems like the approach that's obvious is a way to load a |
|
Would really like to see support for this - since Let's Encrypt is quickly gaining traction, it is becoming increasingly common to have a And a Kestrel should support these formats natively, especially if it just means concatenating the files or something trivial like that. |
|
Some updates on the status here. dotnet/runtime is tracking an issue for .NET 5.0 to expose a simple API for creating a cert from these file kinds - dotnet/runtime#31944 Feedback is definitely encouraged from the community on whether that meets the goals. This would allow you to pass in a certificate to the overloads of Additionally, we want to make it possible to pass in a certificate via configuration. Straw man proposal from @Tratcher "Kestrel": {
"Endpoints": {
"HttpsPemCertFile": {
"Url": "https://localhost:5002",
"Certificate": {
"Path": "<path to .pem file>",
"PemKey": "<path to key file>"
}
},
}
Personal note: I like the better the idea of |
If you're already doing code based config then you can call the new CreateFromPemFile API and pass in the cert. I'm not concerned about one extra line. |
Right, but we still have to think about how |
|
I'd like to think people are smarter than passing actual certificate data into a parameter called |
I meant for people passing the filePath of |
|
Ah, hmm... would it be too difficult to auto-detect the file type and use it (given some list of known supported types), or create an overload that takes an enum that specifies the type (e.g. |
|
Any ideas on when a solution would happen here? PEM cert reads would be ideal. Thank you! |
|
Moving this out of backlog into 5.0.0 |
|
Dependent on dotnet/runtime#31944 |
|
This is now merged into master and will be available in preview8 |
ghost
locked as resolved and limited conversation to collaborators
amcasey
added
area-networking
Presently, Kestrel configuration supports only the PKCS12 ( *.pfx ) format certificates. Whereas, PEM seems to be much more widely used format ( Public and Private keys are stored in two different files ) and most often one needs to convert the certificate format using OpenSSL before they can be used with Kestrel.
Referring to : https://github.com/dotnet/corefx/issues/32367#issuecomment-423671246
It looks like that the core already has api's to load public and private keys from two different files. Can we leverage them and add the support for the PEM certificate formats ?
The text was updated successfully, but these errors were encountered: