What is the best way to store a token signing certificate for an AWS web application?

I am using IdentityServer4 with .NET Core 2.0 on AWS ElasticBeanstalk. I have a certificate for signing tokens. What is the best way to save this certificate and get it from the application? Should I just attach it to application files? Throw it into an environment variable somehow?

Edit: just to be clear, this is a token signing certificate, not an SSL certificate.

+4
2 answers

I don’t really like the term “token signing certificate” because it sounds so soft. You have a private key (as part of the certificate), and everyone knows that you must protect your private keys!

I would not save this in your application files. If someone receives the source code, they should also not receive the keys to your confidential data (if someone has your signature certificate, they can generate any token that they like and pretend to be one of your users).

AWS. , . AWS, - Devs ! .

. /.

. Stu.

Two AWS NuGet packages:

  • AWSSDK.Extensions.NETCORE.Setup
  • AWSSDK.SimpleSystemsManagement

Two parameters in the AWS SSM Parameter Store:

  • /MyApp/Staging/SigningCertificate, the .pfx file encoded as Base64.
  • /MyApp/Staging/SigningCertificateSecret, the password of the .pfx

:

// In Startup class
// using System;
// using System.Security.Cryptography.X509Certificates;
// using Amazon.Extensions.NETCore.Setup;
// using Amazon.SimpleSystemsManagement;
// using Amazon.SimpleSystemsManagement.Model;
// using Microsoft.Extensions.Configuration;
// using Microsoft.Extensions.DependencyInjection;
private X509Certificate2 GetSigningCertificate()
{
    // Configuration is the IConfiguration built by the WebHost in my Program.cs and injected into the Startup constructor
    var awsOptions = Configuration.GetAWSOptions();
    var ssmClient = awsOptions.CreateServiceClient<IAmazonSimpleSystemsManagement>();

    // This is blocking because this is called during synchronous startup operations of the WebHost-- Startup.ConfigureServices()
    var res = ssmClient.GetParametersByPathAsync(new GetParametersByPathRequest()
    {
        Path = "/MyApp/Staging",
        WithDecryption = true
    }).GetAwaiter().GetResult();

    // Decode the certificate
    var base64EncodedCert = res.Parameters.Find(p => p.Name == "/MyApp/Staging/SigningCertificate")?.Value;
    var certificatePassword = res.Parameters.Find(p => p.Name == "/MyApp/Staging/SigningCertificateSecret")?.Value;
    if (base64EncodedCert == null || certificatePassword == null)
    {
        // Fail fast with a clear message instead of a NullReferenceException deep inside Convert/X509Certificate2
        throw new InvalidOperationException("Signing certificate parameters not found under /MyApp/Staging");
    }
    byte[] decodedPfxBytes = Convert.FromBase64String(base64EncodedCert);
    return new X509Certificate2(decodedPfxBytes, certificatePassword);
}

public void ConfigureServices(IServiceCollection services)
{
    // ...
    var identityServerBuilder = services.AddIdentityServer();
    var signingCertificate = GetSigningCertificate();
    identityServerBuilder.AddSigningCredential(signingCertificate);
    //...
}

The IAM role / instance profile of the EC2 instances must be allowed to read from SSM.

: - SSL- beanstalk . S3. AWS : Amazon S3

+3
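The answer above shows only the read side at application startup. The following is an added example, not code from the answer or from IdentityServer, of the matching deploy-side tool that puts the .pfx and its password into SSM Parameter Store as SecureString parameters under the same path, then reads them back with decryption to confirm the application will get a usable certificate with a private key. The parameter path, region, file name and the class/method names are assumptions.

```csharp
// Added example: store the token signing certificate in SSM Parameter Store
// the way the application above reads it back. Not part of the original answer.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Amazon;
using Amazon.SimpleSystemsManagement;
using Amazon.SimpleSystemsManagement.Model;

public static class StoreSigningCertificate
{
    // Assumed parameter path; must match what Startup.GetSigningCertificate() reads.
    private const string ParameterPath = "/MyApp/Staging";

    public static void Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: StoreSigningCertificate <path-to.pfx> <pfx-password>");
            Environment.Exit(2);
        }
        RunAsync(args[0], args[1]).GetAwaiter().GetResult();
    }

    private static async Task RunAsync(string pfxPath, string pfxPassword)
    {
        byte[] pfxBytes = File.ReadAllBytes(pfxPath);

        // Sanity check before uploading: the PFX must open with the password and
        // must actually contain a private key, otherwise tokens cannot be signed.
        var local = new X509Certificate2(pfxBytes, pfxPassword);
        if (!local.HasPrivateKey)
            throw new InvalidOperationException("PFX contains no private key");

        string base64Pfx = Convert.ToBase64String(pfxBytes);

        // Credentials come from the normal SDK chain (profile, env vars, instance role).
        // Region is an assumption; use the region the Beanstalk environment runs in.
        using (var ssm = new AmazonSimpleSystemsManagementClient(RegionEndpoint.EUWest1))
        {
            await PutSecureStringAsync(ssm, ParameterPath + "/SigningCertificate", base64Pfx);
            await PutSecureStringAsync(ssm, ParameterPath + "/SigningCertificateSecret", pfxPassword);

            // Read back with decryption, exactly as the application does, and verify
            // the round trip produces the same certificate.
            var check = await ssm.GetParametersByPathAsync(new GetParametersByPathRequest
            {
                Path = ParameterPath,
                WithDecryption = true
            });
            string storedPfx = check.Parameters.Find(p => p.Name == ParameterPath + "/SigningCertificate")?.Value;
            string storedSecret = check.Parameters.Find(p => p.Name == ParameterPath + "/SigningCertificateSecret")?.Value;
            if (storedPfx == null || storedSecret == null)
                throw new InvalidOperationException("parameters not readable after upload");

            var roundTrip = new X509Certificate2(Convert.FromBase64String(storedPfx), storedSecret);
            if (roundTrip.Thumbprint != local.Thumbprint || !roundTrip.HasPrivateKey)
                throw new InvalidOperationException("stored certificate does not match the local PFX");

            Console.WriteLine($"Stored {local.Subject} ({local.Thumbprint}) under {ParameterPath}");
        }
    }

    private static Task PutSecureStringAsync(IAmazonSimpleSystemsManagement ssm, string name, string value)
    {
        return ssm.PutParameterAsync(new PutParameterRequest
        {
            Name = name,
            Value = value,
            // SecureString: encrypted at rest with the account's default SSM KMS key,
            // so reading it requires both ssm:GetParameter* and kms:Decrypt.
            Type = ParameterType.SecureString,
            Overwrite = true,
            // A Base64-encoded PFX is often larger than the 4 KB standard-parameter
            // limit; the Advanced tier allows up to 8 KB.
            Tier = value.Length > 4096 ? ParameterTier.Advanced : ParameterTier.Standard
        });
    }
}
```

Run it once per environment from a workstation or CI principal that holds ssm:PutParameter on the path; the EC2 instance profile only needs ssm:GetParametersByPath on the /MyApp/Staging/* ARNs plus kms:Decrypt on the key used for SecureString parameters, which keeps the private key out of the repository and out of the Beanstalk bundle while still being readable without any long-lived credentials on the instances.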

AWS Certificate Manager (ACM) SSL. , AWS, .

Amazon:

ACM - , . ACM ACM AWS. ACM, . ACM . ACM . " AWS".

.

0

Source: https://habr.com/ru/post/1692282/
