Vaultsharp & Pki : how to generate certificat on-the-fly for Kestrel

[theazyfa]

Hi,
I try to combine Vault's Pki and .net5.
My goal is to generate a new certificat each time my app (.net 5) start.

So I confiture Pki secret engin on Vault (https://learn.hashicorp.com/tutorials/vault/pki-engine).
And now I'm stuck on the .net part.
I can call my vault's instance and I get a CredentialSecret (maybe not a good idea.... don't know)

Now.... I don't know how to convert all this to a X509Certificate2....
Any ideas?

Mike.

[theazyfa]

Hi,
i find it.
If someone want to do it (c# 6.0 / Kestrel /SSL on-the-fly)
/!\ Warning : it's a poc, not a clean code ;)

Vault part

https://learn.hashicorp.com/tutorials/vault/pki-engine

.Net part

Somewhere in your starter files , you give SSL Certificat to kestrel :

...
webBuilder
    .UseConfiguration(Program.Configuration)
    .UseStartup<Startup>()
    .UseKestrel(options =>
    {
        options.Listen(IPAddress.Loopback, 44327, listenOptions =>
        {
            var serverCertificate = LoadCertificate();
            listenOptions.UseHttps(serverCertificate);
        });
    })
...

and the method call to generate the certificat.

        private static X509Certificate2 LoadCertificate()
        {
            try
            {
                //Get Certificate from Vault
                VaultHelper.Instance.Initialize(Configuration["Vault:Url"], Configuration["Vault:RoleId"], Configuration["Vault:SecretId"], Configuration["Vault:MountPoint"], Configuration["Vault:Path"]);
                var data = VaultHelper.Instance.GetCertificate().Result;

                //Create X509Certificate2 with Public Key
                byte[] publicPemBytes = Encoding.ASCII.GetBytes(data.Data.CertificateContent);
                using var publicX509 = new X509Certificate2(publicPemBytes);

                //Get private Key, parse it and attach it to the X509Certificate2
                var privateKeyText = data.Data.PrivateKeyContent;
                var privateKeyBlocks = privateKeyText.Split("-", StringSplitOptions.RemoveEmptyEntries);
                var privateKeyBytes = Convert.FromBase64String(privateKeyBlocks[1]);

                using RSA rsa = RSA.Create();
                if (privateKeyBlocks[0] == "BEGIN PRIVATE KEY")
                {
                    rsa.ImportPkcs8PrivateKey(privateKeyBytes, out _);
                }
                else if (privateKeyBlocks[0] == "BEGIN RSA PRIVATE KEY")
                {
                    rsa.ImportRSAPrivateKey(privateKeyBytes, out _);
                }
                X509Certificate2 keyPair = publicX509.CopyWithPrivateKey(rsa);


                //Bug : https://github.com/dotnet/runtime/issues/45680#issuecomment-739912495
                // Force Certificate format with a Export/Import
                return new System.Security.Cryptography.X509Certificates.X509Certificate2(
                            keyPair.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12));

            }
            catch (Exception ex)
            {
                throw ex;
            }
        }