Aspnetcore: [EPIC]: HTTPS and Certificate Handling in Kestrel

Created on 5 May 2020 · 8 Comments · Source: dotnet/aspnetcore

This epic tracks all the work required in Kestrel to improve certificate management.

Epic area-servers

All 8 comments

cc @wfurt @karelz @bartonjs @vcsjones

Do you want to add caching of certificate validation for certificate auth? https://github.com/dotnet/aspnetcore/issues/12324

Yea let me add that

I added it because you didn't :p

HItY

I don't know if it's already tracked (or considered out of scope) but a common pattern for certificate use is to fetch them from a broker such as a central cert service or secrets store (using any method - http api, ACME etc - but this may be a very long async wait) then re-fetch and re-apply them as expiry looms. The local X509Store (if any) may just be considered a local cache.

It would be ideal if a standard interface for cert request & renewal could be provided (with custom providers for specific scenarios/implementations).

All domain/host certs have expiry (which can be hours away or weeks away, but will happen during app uptime); users may wish to start to request renewal after a fixed time period (e.g. every 30 days) or a set period before cert expiry (e.g. 48 hrs before expiry). Initial renewal failures may be transient but repeated failures require escalation.

Fetching may fail if the client no longer has permission to request the cert for that domain or other validation has failed, therefore the service would continue to use the expiring/expired certificate and retry etc.

As a service may have multiple domain/port bindings, the state of a certificate will vary per binding (some may be closer to expiry than others, may be refreshed using other means). Certs may be issued by public CAs or internal CAs (per binding). This is somewhat related to #21300 and #20981 but not completely and is really just a question of whether this scenario should be a concern for the core framework or left entirely to third-party middleware.

That's pretty much why we leave policy out of the framework and push users to a callback model. That will be what we enable before doing anything more advanced. We may be able to integrate more as we get a feel for what customers do with it and if it's common enough and difficult, we could bake something in.
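The two comments above describe the pattern (fetch from a broker asynchronously, renew a set period before expiry, keep serving the old cert and retry on failure, escalate after repeated failures) and the framework's answer (a per-handshake callback, leaving the policy to the app). The following is an added example of how that policy can be layered on Kestrel's `ServerCertificateSelector` callback; it is not code from the issue or from the aspnetcore repository. `ICertificateSource` and `SelfSignedDevSource` are hypothetical names: the latter mints short-lived self-signed certificates locally so the loop can be observed offline, and would be replaced by a secrets-store or ACME client in practice.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

// Hypothetical broker abstraction (cert service, secrets store, ACME client, ...).
// Fetching may be slow and may fail, so it is async and never runs inside a handshake.
public interface ICertificateSource
{
    Task<X509Certificate2> FetchAsync(string host, CancellationToken ct);
}

// Constructed stand-in so the sample runs offline: a self-signed cert valid for 5 minutes.
public sealed class SelfSignedDevSource : ICertificateSource
{
    public Task<X509Certificate2> FetchAsync(string host, CancellationToken ct)
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest($"CN={host}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-1), DateTimeOffset.UtcNow.AddMinutes(5));
        // Re-import so the private key is usable by SslStream on all platforms.
        return Task.FromResult(new X509Certificate2(cert.Export(X509ContentType.Pfx)));
    }
}

// One current certificate per host; renewed in the background before NotAfter.
// On failure the existing (possibly expired) cert keeps being served and the fetch is
// retried; after `escalateAfter` consecutive failures an escalation hook fires once.
public sealed class RenewingCertificateCache
{
    private readonly ICertificateSource _source;
    private readonly ILogger _log;
    private readonly TimeSpan _renewBefore, _retryInterval;
    private readonly int _escalateAfter;
    private readonly Action<string, Exception> _escalate;
    private readonly ConcurrentDictionary<string, X509Certificate2> _current = new(StringComparer.OrdinalIgnoreCase);

    public RenewingCertificateCache(ICertificateSource source, ILogger log, TimeSpan renewBefore,
        TimeSpan retryInterval, int escalateAfter, Action<string, Exception> escalate)
        => (_source, _log, _renewBefore, _retryInterval, _escalateAfter, _escalate)
         = (source, log, renewBefore, retryInterval, escalateAfter, escalate);

    // Runs on every TLS handshake, so it only reads the cache. `host` is the SNI name and may be
    // null; returning null lets Kestrel fall back to its default certificate (or fail the handshake).
    public X509Certificate2? Select(string? host)
        => host is not null && _current.TryGetValue(host, out var cert) ? cert : null;

    // One loop per host binding, so bindings renew independently of each other.
    public async Task RunAsync(string host, CancellationToken ct)
    {
        var failures = 0;
        while (!ct.IsCancellationRequested)
        {
            TimeSpan wait;
            if (_current.TryGetValue(host, out var cert) && cert.NotAfter - DateTime.Now > _renewBefore)
            {
                wait = cert.NotAfter - DateTime.Now - _renewBefore;   // sleep until the renewal window
            }
            else
            {
                try
                {
                    var fresh = await _source.FetchAsync(host, ct);
                    _current[host] = fresh;   // atomic swap; in-flight handshakes finish with the old cert
                    failures = 0;
                    _log.LogInformation("Renewed {Host}; expires {NotAfter}", host, fresh.NotAfter);
                    continue;
                }
                catch (OperationCanceledException) when (ct.IsCancellationRequested) { return; }
                catch (Exception ex)
                {
                    failures++;
                    _log.LogWarning(ex, "Renewal of {Host} failed ({Count} in a row); keeping current cert", host, failures);
                    if (failures == _escalateAfter) _escalate(host, ex);
                    wait = _retryInterval;
                }
            }
            // Task.Delay rejects very long intervals, so cap the sleep and re-evaluate daily.
            if (wait > TimeSpan.FromDays(1)) wait = TimeSpan.FromDays(1);
            try { await Task.Delay(wait, ct); } catch (OperationCanceledException) { return; }
        }
    }
}

public static class Program
{
    public static async Task Main(string[] args)
    {
        var log = LoggerFactory.Create(b => b.AddConsole()).CreateLogger("certs");
        var cache = new RenewingCertificateCache(new SelfSignedDevSource(), log,
            renewBefore: TimeSpan.FromMinutes(2), retryInterval: TimeSpan.FromSeconds(30),
            escalateAfter: 5, escalate: (h, ex) => log.LogError(ex, "ESCALATE: {Host} renewal keeps failing", h));

        using var cts = new CancellationTokenSource();
        var renewal = cache.RunAsync("example.test", cts.Token);   // constructed host name

        var host = Host.CreateDefaultBuilder(args).ConfigureWebHostDefaults(web =>
        {
            web.ConfigureKestrel(k => k.ListenAnyIP(8443, l => l.UseHttps(h =>
                h.ServerCertificateSelector = (ctx, name) => cache.Select(name))));
            web.Configure(app => app.Run(c => c.Response.WriteAsync("ok")));
        }).Build();

        await host.RunAsync();
        cts.Cancel();
        await renewal;
    }
}
```

The selector stays synchronous and allocation-free on the handshake path; all the waiting, retrying and escalation happens in `RunAsync`. Because a failed renewal leaves the old entry in place rather than removing it, a client that pins the host name keeps getting the expiring certificate (and a clear expiry error once it lapses) instead of a handshake failure with no explanation, which is the behaviour the comment above asks for.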

Done for 5.0
