
I am trying to deploy an ASP.NET Core 2 web application to AWS Elastic Beanstalk.

The application is actually IdentityServer4, for which I need to have access to a certificate to sign and validate tokens.

There is a tutorial on how to configure the use of certificates for Azure web applications HERE, but I haven't found anything similar for AWS.

Whatever I search about AWS and its certificates, I always find articles and documentation about SSL/TLS connections for HTTPS. I am aware of how to do that and will do it separately; I already have a cert available in AWS Certificate Manager and I can set it in Elastic Beanstalk for the Load Balancer, but the ACM documentation states that:

  • ACM does not provide certificates for anything other than the SSL/TLS protocols.
  • You cannot use ACM Certificates for code signing or email encryption.

So if I want to use a cert in my code, it seems an ACM cert is not meant for that.

I can create a self-signed certificate with OpenSSL, but I don't know the best way to access it from my ASP.NET Core 2 web application inside the Elastic Beanstalk instance. I can't put the certificate file in my code repository; I want to inject it into the environment through AWS somehow, but I don't know where or how I can access it in my application.

V. Samma
  • You can use the local cert store if the hosting machine is running Windows. Otherwise you'd have to write a custom token creation service. Inheriting from this class can definitely help: https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/Services/DefaultTokenCreationService.cs . Also, while talking about Azure vault, this could help you: https://github.com/IdentityServer/IdentityServer4/issues/1537 – cheesemacfly Nov 15 '17 at 18:08
  • @cheesemacfly Yeah, I am using a Windows instance for my Elastic Beanstalk environment, so I already tried just transferring the cert with remote desktop to the instance's local cert store and it worked. But although it's easy to do, it's manual work and I would like to inject it automatically somehow, because I am not sure if this is the correct and secure approach, especially as I am using a load balancer and I don't know yet if the cert will be available in added instances as well. – V. Samma Nov 16 '17 at 07:46
  • I see. I know in azure you can install the cert from the vault to the instance when it's created so you won't have to manually do it. I'm not familiar enough with aws to know but there's probably a way to do the same. It's probably an easier and better solution than creating a new token creation service. – cheesemacfly Nov 16 '17 at 16:28
  • @cheesemacfly That's exactly what I've been searching for on Google, SO, AWS docs etc. for the better part of the last week. Everything regarding "aws" and "certs" points to SSL/TLS and HTTPS certs and configuration, or AWS certifications and courses etc. It is possible to import your own certs to AWS Certificate Manager or to IAM, and I think these can be accessed through the AWS SDK, but I don't know if they are correct. As I mentioned in my question, ACM certs are not meant for anything other than SSL/TLS. – V. Samma Nov 20 '17 at 11:30

1 Answer

I lost some time searching for that too.

What I ended up doing was to store a base64 encoding of the certificate and the certificate password in Secrets Manager and read them in the app at Startup with Kralizek's AWSSecretsManagerConfigurationExtensions.

// Namespaces this method relies on (they belong at the top of the Startup file):
// using System;
// using System.Security.Cryptography.X509Certificates;
// using Microsoft.Extensions.Configuration;

// Cached so the PFX is only decoded once per process.
private X509Certificate2 _signingCertificate;

private X509Certificate2 CreateSigningCredential()
{
    if (_signingCertificate != null)
        return _signingCertificate;

    // Base64-encoded PFX bytes, surfaced by the Secrets Manager configuration provider
    // under the key "Auth:Certificate".
    var certBase64 = Configuration.GetValue<string>("Auth:Certificate");
    if (string.IsNullOrEmpty(certBase64))
    {
        return null;
    }

    // Password protecting the private key inside the PFX, stored as a separate secret value.
    var password = Configuration.GetValue<string>("Auth:CertificatePassword");
    if (string.IsNullOrEmpty(password))
    {
        return null;
    }

    var pfxBytes = Convert.FromBase64String(certBase64);
    _signingCertificate = new X509Certificate2(pfxBytes, password);

    return _signingCertificate;
}
Sérgio Azevedo
  • Hmm, this certainly seems like a smart solution, but it's been so long since my post that there is no way for me to validate it. At the time, I think, I just copied the cert to the AWS EB machine manually and then used it this way. Not the best solution, but it worked at the time. Of course there would be issues when you need to start a new machine or renew the cert, but unfortunately I didn't work on it long enough to reach those problems. – V. Samma Mar 17 '20 at 14:02
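The following is an added example, not code from the question or the answer, that carries the answer's Secrets Manager approach a step further and addresses the asker's worry about new instances behind the load balancer. It keeps the answer's two configuration keys (Auth:Certificate holding a base64-encoded PFX, Auth:CertificatePassword holding its password) but fails fast at startup with a readable error instead of returning null, loads the key into the machine key store so it works under an IIS app-pool identity, checks that the PFX actually carries a private RSA key of usable size and is within its validity period, and hands the result to IdentityServer4. The class and method names, the 2048-bit threshold, and the secret layout described in the usage note are assumptions.

```csharp
// Added example, not code from the question or the answer. Key names Auth:Certificate and
// Auth:CertificatePassword come from the answer; class names and thresholds are assumptions.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class SigningCertificateLoader
{
    private const int MinRsaKeyBits = 2048; // assumed policy minimum for an RS256 signing key

    public static X509Certificate2 Load(IConfiguration configuration)
    {
        var certBase64 = configuration["Auth:Certificate"];
        if (string.IsNullOrWhiteSpace(certBase64))
            throw new InvalidOperationException(
                "Auth:Certificate is missing; the Secrets Manager secret was not loaded or is misnamed.");

        var password = configuration["Auth:CertificatePassword"];
        if (string.IsNullOrWhiteSpace(password))
            throw new InvalidOperationException("Auth:CertificatePassword is missing.");

        byte[] pfxBytes;
        try
        {
            pfxBytes = Convert.FromBase64String(certBase64);
        }
        catch (FormatException ex)
        {
            throw new InvalidOperationException("Auth:Certificate is not valid base64.", ex);
        }

        X509Certificate2 certificate;
        try
        {
            // MachineKeySet: the IIS app-pool identity on a Windows EB instance usually runs without
            // a loaded user profile, so importing the key into the per-user store fails
            // ("Keyset does not exist"). The machine key store avoids that.
            certificate = new X509Certificate2(pfxBytes, password, X509KeyStorageFlags.MachineKeySet);
        }
        catch (CryptographicException ex)
        {
            // Wrong password and corrupt PFX both land here; never echo the password.
            throw new InvalidOperationException("Auth:Certificate could not be opened as a PFX.", ex);
        }
        finally
        {
            Array.Clear(pfxBytes, 0, pfxBytes.Length); // drop our copy of the key material
        }

        if (!certificate.HasPrivateKey)
            throw new InvalidOperationException(
                "Signing certificate has no private key; export the OpenSSL key pair as a PKCS#12 bundle.");

        var now = DateTime.UtcNow;
        if (now < certificate.NotBefore.ToUniversalTime() || now > certificate.NotAfter.ToUniversalTime())
            throw new InvalidOperationException(
                $"Signing certificate is outside its validity period ({certificate.NotBefore:u} to {certificate.NotAfter:u}).");

        using (var rsa = certificate.GetRSAPublicKey())
        {
            if (rsa == null)
                throw new InvalidOperationException("Signing certificate does not hold an RSA key.");
            if (rsa.KeySize < MinRsaKeyBits)
                throw new InvalidOperationException($"Signing key is {rsa.KeySize} bits; at least {MinRsaKeyBits} are required.");
        }

        return certificate;
    }
}

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Fail at startup with a readable message rather than handing IdentityServer a null.
        var signingCert = SigningCertificateLoader.Load(Configuration);
        services.AddIdentityServer()
            .AddSigningCredential(signingCert);
        // Clients, resources and stores are registered here as usual.
    }

    public void Configure(IApplicationBuilder app) => app.UseIdentityServer();
}
```

The configuration itself is populated the way the answer describes: Kralizek's provider is added in Program.cs with `.ConfigureAppConfiguration((ctx, cfg) => cfg.AddSecretsManager())`, and the assumed layout is one secret named `Auth` whose value is the JSON `{"Certificate":"<base64 PFX>","CertificatePassword":"<pw>"}`, which the provider flattens to `Auth:Certificate` and `Auth:CertificatePassword` (verify the flattening rule against the provider's README for the version you use). The Elastic Beanstalk instance profile needs `secretsmanager:GetSecretValue` on that secret and nothing more, so every instance the load balancer adds pulls the same certificate at startup with no remote-desktop step, and renewing the certificate is a secret update plus an environment restart rather than a per-machine copy.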