Support for SSL
doggy8088 opened this issue · 10 comments
Are you going to support SSL with custom certificate & private key?
Wasn't planning on it, but it wouldn't be hard to add. Why do you ask?
It's because I have my own Test Root CA in my dev box and it's been installed into my Trusted Root CA. I normally generate my testing certificate for local development usage. Some of the HTML5 features need a valid certificate to do the testing.
Ok. This seems reasonable. What format is your cert stored in? On disk in a .pfx, .pem, or .cer file? In the Windows cert store? Something else?
I run node.js for local server most of the time. It usually accepts .cer for certificate, .key for private key. All in PEM format. For cross platform consideration, I think .pem/.cer is much better than .pfx or Windows cert store.
Ok, I looked into this more. I think the big challenge here is providing a sensible default for configuring TLS. There are a handful of cert formats and storage mechanisms. I'm not totally sure what users will expect, but here is what I'm thinking.
Find a cert for me (ideal usage)
dotnet serve -S
When specifying -S|--tls, dotnet-serve will try to find an appropriate certificate using the following heuristic.
- Config file: If a dotnet-serve config file exists and has certificate config, use those settings.
- PKCS#1: If a file named "cert.{cer,crt,pem}" exists in the current directory and a file named "private.{key,pem}" exists, load those. [1]
- PKCS#12: If a file named "cert.{pfx,p12}" exists in the current directory, load that (no password)
- Cert store: If the host == 'localhost' and the ASP.NET Core developer cert exists (a cert with extension 1.3.6.1.4.1.311.84.1.1), use that
Specify a cert in config
TBD See #10
Specify a cert/key in a PKCS#1 files
dotnet serve --cert mycert.pem --key mykey.pem
[1] Unfortunately, .NET Core still has pretty limited API for loading private keys from PEM encoded PKCS#1 files. They may add it in the future: https://github.com/dotnet/corefx/issues/20414. I'll have to hunt for a way to read private keys. I think there are some open source APIs.
Specify a cert in a PKCS#12 file
No password
dotnet serve --cert mycert.pfx
With password
dotnet serve --cert mycert.pfx --cert-pwd <password>
Specify a cert from the store
dotnet serve --cert-thumbprint BABD9E4752AE8C159967C18814357D61A40BEE85 --cert-store <CurrentUser|LocalMachine>
Not supported
For now, no plans to support loading a cert from PKCS#8, or cert chains from PKCS#7 files (.p7b)
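The "find a cert for me" heuristic proposed above, written out as an added example against the .NET X509 APIs (this is not dotnet-serve's own code). It assumes .NET 5 or later for X509Certificate2.CreateFromPemFile, skips the config-file step (still TBD in the thread), and uses a constructed directory path and host for the lookup.

```csharp
// Added example, not dotnet-serve's own code: the cert-discovery heuristic
// from the proposal, in the same order (PEM pair, then PFX, then dev cert).
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class CertFinder
{
    // OID of the ASP.NET Core HTTPS development certificate extension.
    const string DevCertOid = "1.3.6.1.4.1.311.84.1.1";

    // First "<stem>.<ext>" in dir that exists on disk, or null.
    static string? FirstExisting(string dir, string stem, params string[] exts) =>
        exts.Select(e => Path.Combine(dir, $"{stem}.{e}")).FirstOrDefault(File.Exists);

    public static X509Certificate2? Find(string dir, string host)
    {
        // 1. PKCS#1/PEM pair: cert.{cer,crt,pem} + private.{key,pem}.
        //    CreateFromPemFile needs .NET 5+; an encrypted (PKCS#8) key throws.
        var pem = FirstExisting(dir, "cert", "cer", "crt", "pem");
        var key = FirstExisting(dir, "private", "key", "pem");
        if (pem != null && key != null)
            return X509Certificate2.CreateFromPemFile(pem, key);

        // 2. PKCS#12: cert.{pfx,p12}, loaded without a password.
        var pfx = FirstExisting(dir, "cert", "pfx", "p12");
        if (pfx != null)
            return new X509Certificate2(pfx);

        // 3. Developer cert from the CurrentUser/My store, only for localhost.
        if (!string.Equals(host, "localhost", StringComparison.OrdinalIgnoreCase))
            return null;
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        return store.Certificates
            .Cast<X509Certificate2>()
            .Where(c => c.HasPrivateKey && c.Extensions.Cast<X509Extension>()
                              .Any(e => e.Oid?.Value == DevCertOid))
            .OrderByDescending(c => c.NotAfter)   // prefer the longest-lived one
            .FirstOrDefault();
    }

    static void Main()
    {
        // Constructed inputs: the directory being served and the bound host name.
        var cert = Find(Directory.GetCurrentDirectory(), "localhost");
        Console.WriteLine(cert?.Subject ?? "no certificate found");
    }
}
```

Steps 1 and 2 read key material from the directory that is about to be served, so a server using this lookup also needs the filter the thread mentions later, one that refuses to serve those cert/key files as static content.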
The Find a cert for me is good. No config is a trend.
For the Specify a cert/key in a PKCS#1 files, I think it can add a --pwd PASSWORD or --key-pwd PASSWORD to specify the private key's password because the private key could be in an encrypted format.
For the Specify a cert in a PKCS#12 file, I think use --pfx mycert.pfx might be more readable because PFX contains both key and certificates.
Are you planning to support all the above usage? Or choose one?
For the Specify a cert/key in a PKCS#1 files, I think it can add a --pwd PASSWORD or --key-pwd PASSWORD to specify the private key's password
If I recall correctly, a PEM encoded key with a passphrase is actually the PKCS#8 format. .NET Core doesn't have native API for reading this. We might have to look for a third-party to parse these, or wait until https://github.com/dotnet/corefx/issues/20414
Are you planning to support all the above usage? Or choose one?
I'm thinking let's start with pfx and the developer cert. These two are built-in to .NET Core. Separate PEM files for the cert/key and PKCS#8 are not supported by .NET Core. Those can come later if demand warrants it and we find a suitable way to implement reading those formats.
FYI I started work here ce31cc0. It definitely needs more work, like tests, good error messages, docs, and middleware that filters the raw certificate/key files from being served.
Ok, I tried to make .PEM cert parsing work. I got it almost all the way done but ran into https://github.com/dotnet/corefx/issues/24454. It appears PKCS#12 is really the only way to use file-based certificates in .NET Core, even with 3rd party APIs like BouncyCastle.
Closing this as done in 0.4.0, which I will publish soon.
Was able to workaround https://github.com/dotnet/corefx/issues/24454. I've added support for loading PEM encoded cert/key files, in addition to pfx files.