
We have an ASP.NET MVC5 application that requires two certificates:

  1. An X509 elliptic curve certificate and its corresponding private key (*.PFX)
  2. An X509 elliptic curve certificate (*.CER)

to be available in the Windows Server 2012 R2's Certificate Store ("Local Machine" account, "Personal" store). To clarify, these certificates are used by the MVC5 app's code and have nothing to do with SSL/TLS/HTTPS.

Question: How can I configure AWS Elastic Beanstalk, so that after deploying the MVC5 app, it already has those certificates and private keys in the certificate store? AWS has configured the EC2 Windows Servers auto-provisioned via Elastic Beanstalk such that the ASP.NET apps run in IIS under the IIS_IUSR user permission, so we also would need to give IIS_IUSR permission to access the certificate private key. I'm not clear if IIS_IUSR actually follows the principle of least privilege or if I'm granting the wrong account the permission, but it does work (see below). We are currently deploying via AWS Toolkit for Visual Studio 2013 but are open to other deployment techniques if that helps the main problem.


Currently, we have an ugly, manual workaround which is

  • remote into each instance, and in each instance do the following
  • upload the certificate files (*cer and *pfx)
  • manually run a batch file to load them into the cert stores (also have to add them to the Root store since they are self-signed certificates). The batch file looks like
certutil -f -addstore Root OurCert-SS.cer // just a CER version of the PFX below 
certutil -f -addstore Root RemoteCert-SS.cer 
certutil -f -p test -importPFX MY OurCert-SS.pfx 
certutil -f -addstore MY RemoteCert-SS.cer
  • Manually Open MMC => Certificates (Local Machine) => Give IIS_IUSRS the Full control permission for the certificate's private key (otherwise the ASP.NET app can't get the private key). Details in this post

Obviously this vastly kills the abstraction PaaS is supposed to provide because anytime instances scale or get recycled, we have to do the above :( ... so would appreciate any help on this.

DeepSpace101

1 Answer


Did you get this resolved?

Could you do something like what is described here https://forums.aws.amazon.com/thread.jspa?messageID=591375, ignoring the web binding pieces and adding the permissions for the IIS_IUSR.

I thought I'd update with what we ended up doing.

We set up an ebextension to load the cert from s3 and then assign the required permissions. I realize we did not have the .cer file to deal with so this may not work for you.

---
files:
  "c:\\init_scripts\\install_cert.ps1":
   content: |
    # Arguments: environment name and PFX password, passed in from container_commands below.
    $envName = $args[0]
    $pfxPassword = $args[1]   # not $pwd, which is PowerShell's built-in current-directory variable
    $ErrorActionPreference = 'Stop'   # any failing cmdlet aborts the script, and so the deployment
    $securePwd = ConvertTo-SecureString -String $pfxPassword -Force -AsPlainText
    $certName = "$($envName).auth.cert.pfx"
    $certFilePath = "C:\$($certName)"
    # Read-S3Object is part of the AWS Tools for PowerShell on the EB Windows AMIs and uses the instance profile credentials
    Read-S3Object -BucketName ourcertsbucket -Key $certName -File $certFilePath
    $cert = Import-PfxCertificate -FilePath $certFilePath -CertStoreLocation Cert:\LocalMachine\My -Password $securePwd
    Remove-Item -Path $certFilePath -Force   # do not leave the PFX lying on disk once it is in the store
    # Now that we have the cert we need to grant access to the IIS user for the cert
    Try
    {
      $WorkingCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $envName } | Sort-Object NotAfter -Descending | Select-Object -First 1
      if (-not $WorkingCert) { throw "no certificate in LocalMachine\My matches $envName" }
      $TPrint = $WorkingCert.Thumbprint
      # CspKeyContainerInfo only exists for CSP (RSA) keys, which live under RSA\MachineKeys;
      # a CNG key (e.g. an elliptic curve cert) has no .PrivateKey here and is stored under Crypto\Keys instead
      $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
      if (-not $rsaFile) { throw "certificate $TPrint has no CSP key container" }
    }
    Catch
    {
      "        Error: unable to locate certificate for $($envName): $_"
      Exit 1   # non-zero so Elastic Beanstalk reports the deployment as failed
    }
    $keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\"
    $fullPath = $keyPath + $rsaFile
    $acl = Get-Acl -Path $fullPath
    $permission = "IIS_IUSRS", "Read", "Allow"   # Read is enough for the app to use the key; Full Control is not needed
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.AddAccessRule($accessRule)
    Try
    {
      Set-Acl -Path $fullPath -AclObject $acl
      "        Success: ACL set on certificate"
    }
    Catch
    {
      "        Error: unable to set ACL on certificate: $_"
      Exit 1
    }
container_commands:
  01_install_cert:
   command: powershell -ExecutionPolicy RemoteSigned -File .\\install_cert.ps1 %Environment% %CertPassword%
   cwd: c:\\init_scripts
   waitAfterCompletion: 0

Thanks to this link for the PowerShell permissions script

RobRolls
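The script in the answer above resolves the private key through CspKeyContainerInfo and the RSA\MachineKeys folder, which only works for legacy CSP (RSA) keys; the question is about elliptic curve certificates, whose keys are held by CNG and stored under Crypto\Keys. The following is an added example, not code from the question or the answer, that covers both cases and also handles the second, public-only .cer: it imports the PFX and CER into LocalMachine\My (plus Root, since they are self-signed), finds the key file for either storage type, grants IIS_IUSRS Read only, and verifies the ACE is present. It assumes an elevated session on Windows Server 2012 R2 or later with .NET Framework 4.6.1+ (for the RSACertificateExtensions/ECDsaCertificateExtensions methods); the parameter names, file paths and the $KeyReader identity are placeholders. It could be dropped into the files: section of the ebextension above and invoked from container_commands in place of install_cert.ps1.

```powershell
# Added example (not from the original question or answer). Installs a PFX and an
# optional CER into the LocalMachine stores and grants the IIS worker identity Read
# on the PFX's private key file, for both CSP (RSA) and CNG (EC, or RSA via a KSP) keys.
# Assumes: elevated session, Windows Server 2012 R2+, .NET Framework 4.6.1+.
param(
    [Parameter(Mandatory)] [string] $PfxPath,          # e.g. C:\init_scripts\OurCert-SS.pfx (assumed path)
    [Parameter(Mandatory)] [SecureString] $PfxPassword,
    [string] $CerPath,                                 # e.g. C:\init_scripts\RemoteCert-SS.cer (assumed, optional)
    [string] $KeyReader = 'IIS_IUSRS'                  # app-pool identity group named in the question
)
$ErrorActionPreference = 'Stop'

function Add-PublicCertToStore {
    # Adds only the public part of $Cert to a LocalMachine store (used to trust self-signed certs in Root).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert, [string] $StoreName)
    $publicOnly = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Cert.Export('Cert'))
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($publicOnly) } finally { $store.Close() }
}

function Get-PrivateKeyFilePath {
    # Returns the on-disk key file of a machine certificate, whichever provider holds the key.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $programData = [Environment]::GetFolderPath('CommonApplicationData')   # normally C:\ProgramData
    # Legacy CSP key: X509Certificate2.PrivateKey is populated. For a CNG-only key this getter
    # throws ("Invalid provider type specified") on .NET Framework, so swallow that and fall through.
    $csp = $null
    try { $csp = $Cert.PrivateKey } catch { $csp = $null }
    if ($csp -and $csp.CspKeyContainerInfo) {
        return Join-Path $programData ("Microsoft\Crypto\RSA\MachineKeys\" + $csp.CspKeyContainerInfo.UniqueKeyContainerName)
    }
    # CNG key: always the case for ECDSA certs, and for RSA certs whose PFX was created with a KSP.
    $cng = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
    if (-not $cng) { $cng = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert) }
    if ($cng -and $cng.Key -and $cng.Key.UniqueName) {
        return Join-Path $programData ("Microsoft\Crypto\Keys\" + $cng.Key.UniqueName)
    }
    throw "No private key file found for certificate $($Cert.Thumbprint)"
}

function Grant-PrivateKeyRead {
    # Adds an Allow:Read ACE for $Identity; Read is all the app needs to sign or decrypt with the key.
    param([string] $KeyFile, [string] $Identity)
    $acl = Get-Acl -Path $KeyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyFile -AclObject $acl
}

function Test-PrivateKeyRead {
    # Check: true if an Allow ACE granting at least Read exists for $Identity (e.g. BUILTIN\IIS_IUSRS).
    param([string] $KeyFile, [string] $Identity)
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $aces = (Get-Acl -Path $KeyFile).Access | Where-Object {
        ($_.IdentityReference.Value -eq $Identity -or $_.IdentityReference.Value -like "*\$Identity") -and
        $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $read) -eq $read)
    }
    return [bool] $aces
}

# 1. PFX with private key -> LocalMachine\My; its public part -> Root because it is self-signed.
$pfx = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
Add-PublicCertToStore -Cert $pfx -StoreName 'Root'
Remove-Item -Path $PfxPath -Force        # do not leave the PFX on disk after import

# 2. Optional second certificate (public only) -> My and Root, mirroring the question's certutil steps.
if ($CerPath) {
    $cer = Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\My'
    Add-PublicCertToStore -Cert $cer -StoreName 'Root'
}

# 3. Least privilege on the key file: Read for the worker identity only, then verify it took.
$keyFile = Get-PrivateKeyFilePath -Cert $pfx
Grant-PrivateKeyRead -KeyFile $keyFile -Identity $KeyReader
if (-not (Test-PrivateKeyRead -KeyFile $keyFile -Identity $KeyReader)) {
    throw "ACL on $keyFile does not grant Read to $KeyReader"
}
"Installed $($pfx.Thumbprint); $KeyReader can read $keyFile"
```

The private key file path differs by provider: CSP keys are named by CspKeyContainerInfo.UniqueKeyContainerName under Crypto\RSA\MachineKeys, CNG keys by CngKey.UniqueName under Crypto\Keys, and a CNG-backed certificate makes the .PrivateKey getter throw rather than return null, which is why the CSP probe is wrapped in try/catch. Granting Read rather than Full Control is sufficient for the application to use the key and keeps the worker identity from replacing or deleting it.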