Kestrel Secure HTTPS X509 Cert from KeyVault
I want to secure my API with a pfx cert which I have stored in my KeyVault however for some reason this doesn't seem to work the way I expected. If I have the cert installed on my machine it works perfectly. I was wondering if its possible to store the cert in KeyVault and then secure it this way as opposed to looking it up in the certificate store.
The scenario is I have a .NET Core Web API which talks to KeyVault. This KeyVault contains my PFX certificate, which when I uploaded prompted for my password. So everything seems fine at this point.
I have the following code to retrieve and apply the cert:
var client = new KeyVaultClient(new KeyVaultCredential(GetToken));
var cert = client.GetCertificateAsync("https://somekeyvaultsomewhere.vault.azure.net/", "my_tls_cert").Result;
var certificate = new X509Certificate2(cert.Cer);
var host = new WebHostBuilder()
.UseKestrel(options =>
{
const int PortNumber = 5001;
options.Listen(
new IPEndPoint(IPAddress.Any, PortNumber),
listenOptions =>
{
listenOptions.KestrelServerOptions.AddServerHeader = false;
listenOptions.UseHttps(certificate);
});
})
.CaptureStartupErrors(true)
.UseStartup<Startup>()
.Build();
host.Run();
I am expecting to be able to hit my API via https and on port 5001. Instead I get no response (site cannot be reached).
Seems like everything is running but can't hit anything.
Is this possible to do?
Packages consumed:
<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.6" />
<PackageReference Include="Microsoft.AspNetCore.Server.Kestrel" Version="2.1.3" />
<PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Https" Version="2.1.3" />
<PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions" Version="2.1.3" />
</ItemGroup>
I think this is because the certificate that you have downloaded is not the complete certificate, but only the public key. The lack of a private key will prevent the SSL handshake from completing. You can download the entire certificate as a secret and then convert the secret to an X509Certificate2 object. I've explained in this blog post:
https://azidentity.azurewebsites.net/post/2018/07/03/azure-key-vault-certificates-are-secrets
- Could not establish trust relationship for SSL/TLS secure channel -- SOAP
- SET SSL_VERIFY as NO to download CSV file from KDB
- nifi 3 node docker + ssl getting Untrusted proxy CN=localhost, OU=NIFI
- TLS 1.2 set cipher list
- How to properly create a secure web server with Dart?
- Nginx redirect http://www and naked http/https to https://www
- How do I fix "Certificate verify failed self signed certificate" when trying to connect to an API?
- LetsEncrypt SSL on IP Address
- PHP ignoring curl.cainfo setting in php.ini (apparently)
- Convert .crt file to .cer and .key
- whatsapp sniffing ssl traffic with wireshark
- MongoDB Atlas ServerSelectionTimeoutError: SSL handshake failed
- CERTIFICATE_VERIFY_FAILED with jenkins API
- Not able to connect to outlook.com SMTP using Nodemailer
- List specific information of all LEAF certificates from java store JKS
- cURL error 60: SSL certificate: unable to get local issuer certificate
- How to import self-signed certificate.ca with private keys in android phone?
- How to make Python use CA certificates from Mac OS TrustStore?
- IIS10 SSL Configuration for Multiple Sites and more than one SSL Cert
- Forget which client certificate is used by Chrome for an URL
- Accessing Certificate from within a C# Azure function
- What's the best Node.js mysql module for connecting to mysql over ssl?
- Tomcat server AND HTTP Client accepting expired self-signed certificate
- How to pin the Public key of a certificate on iOS
- Cannot connect Apache Spark to MongoDB with SSL
- Google Managed SSL Certificate Stuck on FAILED_NOT_VISIBLE
- How to connect securely to Elasticsearch with existing certificates?
- Apache HttpClient - SSL failures
- Setting up SSL certificate in Visual Studio
- Using JavaMail with SSL and TLS