I want to secure my API with a pfx cert which I have stored in my KeyVault however for some reason this doesn't seem to work the way I expected. If I have the cert installed on my machine it works perfectly. I was wondering if its possible to store the cert in KeyVault and then secure it this way as opposed to looking it up in the certificate store.
The scenario is I have a .NET Core Web API which talks to KeyVault. This KeyVault contains my PFX certificate, which when I uploaded prompted for my password. So everything seems fine at this point.
I have the following code to retrieve and apply the cert:
var client = new KeyVaultClient(new KeyVaultCredential(GetToken));
var cert = client.GetCertificateAsync("https://somekeyvaultsomewhere.vault.azure.net/", "my_tls_cert").Result;
var certificate = new X509Certificate2(cert.Cer);
var host = new WebHostBuilder()
.UseKestrel(options =>
{
const int PortNumber = 5001;
options.Listen(
new IPEndPoint(IPAddress.Any, PortNumber),
listenOptions =>
{
listenOptions.KestrelServerOptions.AddServerHeader = false;
listenOptions.UseHttps(certificate);
});
})
.CaptureStartupErrors(true)
.UseStartup<Startup>()
.Build();
host.Run();
I am expecting to be able to hit my API via https and on port 5001. Instead I get no response (site cannot be reached).
Seems like everything is running but can't hit anything.
Is this possible to do?
Packages consumed:
<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.6" />
<PackageReference Include="Microsoft.AspNetCore.Server.Kestrel" Version="2.1.3" />
<PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Https" Version="2.1.3" />
<PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions" Version="2.1.3" />
</ItemGroup>
I think this is because the certificate that you have downloaded is not the complete certificate, but only the public key. The lack of a private key will prevent the SSL handshake from completing. You can download the entire certificate as a secret and then convert the secret to an X509Certificate2 object. I've explained in this blog post:
https://azidentity.azurewebsites.net/post/2018/07/03/azure-key-vault-certificates-are-secrets
Related
After deploy asp.net core mvc 6 to iis server the user in case submit a true login not redirected to the controller and not authenticated, when I tracked the cookie in developer tools there is a ! mark on .AspNetCore.Identity.Application and when hover on it there is a message show (This cookie was blocked because it had the "Secure" attribute and the connection was not secure).
What I tried Before
Changing the cookie configuration
Exchange return LocalRedirect(returnUrl) To return RedirectionToAction("Index","Home")
Add [AllowAnonymous] attribute on LoginModel in Areas.Identity.Pages.Account
Remove Use.HttpsRedirection(); from program.cs
Because there are many apps host in the server so the browser blocked the cookie cause the other apps have the same cookie name which .AspNetCore.Identity.Application. So simply the issue can be solved by changing the name of the cookie:
builder.Services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = IdentityConstants.ApplicationScheme;
options.DefaultChallengeScheme = IdentityConstants.ApplicationScheme;
});
builder.Services.ConfigureApplicationCookie(options => options.Cookie.Name = "AppNameForExample");
Your cookies are configured to require an HTTPS connection. When you try to set them on a non-secure connection, they will be rejected. You can try these steps:
Obtain a valid SSL certificate: You'll need a certificate that is trusted by the browsers you're targeting. Check your web.config file settings for:
<httpCookies requireSSL="true" />
Configure IIS to use HTTPS: This involves binding the SSL certificate to the IIS website and enabling HTTPS.
Update your ASP.NET Core application to use HTTPS: In the Startup.cs file, you can use the following code to redirect all HTTP traffic to HTTPS:
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Rewrite;
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
var options = new RewriteOptions().AddRedirectToHttps();
app.UseRewriter(options);
// rest of the code...
}
I'm trying to send a request to a web api in Xamarin.Forms. The api requires a client certificate. I attempted to add the client certificate in the core project and in the native project as e.g. described here xamarin.android adding client certificate. However, I always get the response "400 No required SSL certificate was sent". If I send the request via e.g. Postman or openSSL, everything works fine. I've tested the request on Android and on iOS, but I always get the 400. Can anyone help?
Note: For Android, I am using the HttpClient implementation 'Android' and the TLS implementation 'Native TLS 1.2+'
The code I am using in the core project:
var handler = new HttpClientHandler
{
ClientCertificateOptions = ClientCertificateOption.Manual,
SslProtocols = System.Security.Authentication.SslProtocols.Tls12,
ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => true
};
//clientCertificateFileName is the location where the certificate is saved
var clientCertificate = new X509Certificate2(clientCertificateFileName, "password");
handler.ClientCertificates.Add(clientCertificate);
client = new HttpClient(handler);
var response = await client.GetAsync(targetUrl);
I am developing a web api and a web app locally. I am having trouble calling the web api from the web app.
When I call it I keep getting the error: "The remote certificate is invalid according to the validation procedure."
Both apps are built with ASP.Net Core and are running on kestrel. The webapp is callable as https://mylibrary.com:5003 and the Web API is callable as https://api.mylibrary.com:5001.
How can I get them working together with valid certificates?
Edit: Come to realise that the issue is that the apps are using localhost certs by default. I want to be able to use my own self signed cert.
If someone can point me to somewhere that explains how to set up two apps to use a self-signed certificate in .net core web projects please do :)
If you need to work around the cert validation using HttpClient, you could do it by creating a HttpClientHandler and passing it to HttpClient as per Rohit Jangid's answer to The SSL connection could not be established
HttpClientHandler clientHandler = new HttpClientHandler();
clientHandler.ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => { return true; };
// Pass the handler to httpclient(from you are calling api)
HttpClient client = new HttpClient(clientHandler)
Avoid accidentally circumventing certificate validation in production by checking if it is in development environment:
HttpClient httpClient = new HttpClient();
if (env.IsDevelopment())
{
HttpClientHandler clientHandler = new HttpClientHandler();
clientHandler.ServerCertificateCustomValidationCallback = (sender, cert, chain, ssl) => { return true; };
httpClient = new HttpClient(clientHandler);
}
Inject information about webhostenvironment by injecting it in the handler/action:
public async Task OnGet([FromServices] IWebHostEnvironment env)
Please try to use RestSharp library to make the webapi request and set the cert validation to true. see here
or you can install the dotnet dev certs by executing dotnet dev-certs https --trust in a command promt or powershell
I got a Xamarin Forms project and inside the MainPage.xaml.cs file i want to perform a request to my server. The server is written in ASP.NET Core 2 and is running with a self-signed certificate.
To buy a certificate isn't a solution for my problem, because customers don't want it and application only running in LAN.
In my MainPage.xaml.cs file the Http-request looks like this:
HttpClient m_Client = new HttpClient();
var uri = new Uri(myURL);
var response = await m_Client.GetAsync(uri);
if (response.IsSuccessStatusCode)
{
...
}
So far so good. If I bring the app on Android and try to perform the request, Android throws a SSL Exception for not finding a CA for my certificate.
How can I communicate with my server using a self-signed certificate?
I looked up the problem and find a lot of solutions like:
ServicePointManager
.ServerCertificateValidationCallback +=
(sender, cert, chain, sslPolicyErrors) => true;
If you add this code to your MainActivity.cs file in your Android project, it should accept all certificates. But that is not working for me. It seems like this method never gets called.
Any suggestions how to make the communication happen?
Regards
One option is to work on the certificate, which has been discussed in the comments above.
However, I think an option to ignore the certificate validation in code is always faster, and you just need this,
var handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
HttpClient client = new HttpClient(handler);
For some unknown reasons, you cannot use the global event handler of ServicePointManager.ServerCertificateValidationCallback like you discovered, but HttpClient has its own handler.
I would like to something like this:
<microsoft.identityModel>
<service>
<serviceCertificate>
<certificateReference filename="App_Data/my.domain.com.crt" />
</serviceCertificate>
</service>
</microsoft.identityModel>
According to the Documentation, no. To decrypt a SAML token, WIF needs access to a certificate's private key. By placing the certificate and it's private key on the filesystem (especially under a folder managed by IIS - regardless of the protections offered) is generally a Bad Idea(tm). By placing the cert in the certificate store, you can much more tightly control and manage access to the certificate.
You can, but as Bobby suggests you are better off with the cert being installed on the mahcine store. In fact, this was a workaround when deploying applications using WIF on Windows Azure when it didn't support uploding certificates. That limitation is long gone.
I figured it out. Comment out this part in web.config
<!--<serviceCertificate>
<certificateReference x509FindType="FindByThumbprint" findValue="" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>-->
Add this code to global.asax
protected void Application_Start()
{
Microsoft.IdentityModel.Web.FederatedAuthentication.ServiceConfigurationCreated += new EventHandler
<Microsoft.IdentityModel.Web.Configuration.ServiceConfigurationCreatedEventArgs>(AttachCert);
}
protected void AttachCert(object sender, Microsoft.IdentityModel.Web.Configuration.ServiceConfigurationCreatedEventArgs e)
{
var filename = string.Format("{0}\\{1}\\{2}", System.Web.Hosting.HostingEnvironment.ApplicationPhysicalPath, "App_Data\\certificates", "CERTNAME.pfx");
var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(filename, "YOURPASSWORD");
var _configuration = e.ServiceConfiguration;
_configuration.ServiceCertificate = cert;
var certificates = new List<System.IdentityModel.Tokens.SecurityToken> { new System.IdentityModel.Tokens.X509SecurityToken(
_configuration.ServiceCertificate) };
var encryptedSecurityTokenHandler =
(from handler in _configuration.SecurityTokenHandlers
where handler is Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler
select handler).First() as Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler;
_configuration.ServiceTokenResolver = encryptedSecurityTokenHandler.Configuration.ServiceTokenResolver =
System.IdentityModel.Selectors.SecurityTokenResolver.CreateDefaultSecurityTokenResolver(certificates.AsReadOnly(), false);
}