Search code examples
dockerubuntusslpem.net-core-3.1

How to use PEM passphrase/TrustedRoot/TLS Mutual Auth Cert/Private Key in a .netCore 3.1 Ubuntu container


I am trying to write .netCore 3.1 API in an Ubuntu Linux container that runs the equivalent of this Curl command.

WORKING LINUX CONTAINER CURL COMMAND:

 curl --cacert /etc/root/trustedroot.crt --cert /etc/mutualauth/tls.crt --key /etc/mutualauth/tls.key
--header "SOAPAction:actionName" --data @test.xml https://this.is.the/instance --verbose

 Enter PEM pass phrase: *****

 <Success...>

We use Windows development laptops so everything starts with Windows.

So far, I have the following HttpClientHandler that my HttpClient is using on a Windows development machine. This code works on Windows with the cert in my local machine and current user personal stores and does not work in Linux:

WORKING WINDOWS HTTPCLIENTHANDLER CODE:

 X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
 store.Open(OpenFlags.ReadOnly);
 try
 {
      var cert = store.Certificates.Find(X509FindType.FindByThumbprint, "<<cert thumbprint here>>", true);

      var handler = new HttpClientHandler
      {
          ClientCertificateOptions = ClientCertificateOption.Manual,
          SslProtocols = SslProtocols.Tls12,
          AllowAutoRedirect = false,
          AutomaticDecompression = DecompressionMethods.Deflate | DecompressionMethods.GZip
      };
      handler.ClientCertificates.Add(cert[0]);
 }
 catch (Exception e)
 {
      //Handle errors
 }
 finally
 {
      store.Close();
 }

The cert I imported was .PFX format so as I understand it, the password went in at the time of import and the code for Windows doesn't need to be concerned with it.

The Curl command mentioned above works from the container. So by that logic, if coded or configured properly, the code should be able to do the same thing. As I see it, the Curl command shown above contains four elements that I need to account for in my HttpClientHandler somehow:

  • The Trusted Root(CA) Certificate: /etc/root/trustedroot.crt
  • The TLS Certificate: /etc/mutualauth/tls.crt
  • The Private Key - /etc/mutualauth/tls.key
  • The PEM Passphrase

I have been reading into this for a couple of months now and have seen various articles and stack overflow posts but there is a staggering amount of variables and details involved with SSL and I cant find anything that directly addresses this in a way that makes sense to me with my limited understanding.

I also have the option of running a Linux script at the time of deployment to add different/other formats of certs/keys to the stores/filesystem in the container. This is how I get the certs and keys into the container in the first place, so I have some control over what I can make happen here as well:

LINUX CONFIG SCRIPT:

 cp /etc/root/trustedroot.crt /usr/share/ca-certificates
 cp /etc/mutualauth/tls.crt /usr/share/ca-certificates

 cp /etc/mutualauth/tls.key /etc/ssl/private

 echo "trustedroot.crt" >> /etc/ca-certificates.conf
 echo "tls.crt" >> /etc/ca-certificates.conf

 update-ca-certificates

 dotnet wsdltest.dll --environment=Production --server.urls http://*:80

I do not believe I can get the binary .PFX file into the container due to security policies and limitations, but I definitely can get its string encoded cert and key formats into the container.

...so if there is a way of using different styles of certs that I can extract from the .PFX or specifying password and cert when the server 'spins up' to make my code not require a password, that would work too - I might just be missing something basic in the Linux config.

Would anyone be so kind as to point me in the proper direction to find out how I can uplift my HttpClientHandler code OR Linux config to be able to make this API call? Any ideas are welcome at this point, this has been a thorn in my side for a long time now... Thank you so much!


Solution

  • This was not the right approach.

    The correct approach was an NGINX reverse proxy terminating mutual auth TLS so that Dotnetcore doesn't have to.

    Save yourself some time and go NGINX!. :D