
I have an ASP.NET Core 2.2 web app running on Ubuntu. The web app is served by Kestrel, configured as an Ubuntu service and running as the www-data user.

The web app uses a PFX certificate for signing custom responses. So, obviously, I need to give www-data full read access to the PFX certificate+key pair. This does not seem safe enough.

I like how nginx does it (I have nginx running as a reverse proxy for the web app). Nginx reads private keys and their passwords as the root user when the nginx process starts up, so it is possible to set the strictest permissions on the private key of my HTTPS cert+key pair, leaving only the public .crt part accessible to www-data, and it works just fine.

I'm wondering if there is some way to achieve a similar mechanism with the ASP.NET Core app, so I don't have to give the www-data user read access to the PFX private key?

JustAMartin
  • I think you are mixing up web application and web proxy. They are rather different things. If you need to sign data within your app at runtime, you need to have access to the private key. The only reliable way to protect the private key in the case of a web app compromise is to use an HSM. – Crypt32 Aug 25 '19 at 19:35
  • @Crypt32 I know they are different, I was just wondering if there's some way to store private keys in some kind of special key storage where only the root user has physical access to the files. The closest thing I could find is the `Data Protection system` https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-2.2 but I'm not sure how it might help with PFX use. – JustAMartin Aug 25 '19 at 20:07
  • You can break up your PFX file into a key file and a certificate, just like the files consumed by nginx, and then ASP.NET Core 3.0/Kestrel can consume them https://stackoverflow.com/questions/48077748/how-to-use-pem-certificate-in-kestrel-directly – Lex Li Aug 26 '19 at 04:16
  • @LexLi thanks, so I'll have to wait for Core 3 then. – JustAMartin Aug 26 '19 at 08:04

0 Answers
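The file layout the question describes for nginx (private key readable by root only, certificate readable by the service user), applied to the PFX split that Lex Li's comment suggests, as an added example that is not part of the original question, its comments, or any answer. It assumes the openssl command-line tool and a Linux `stat -c` (GNU coreutils or busybox); the file names app.key and app.crt and the service account www-data are illustrative choices. The script only produces and checks the files; whether the application then reads the key as root at startup (as nginx does) or as the service user is up to the server consuming them, which per the comment above is a PEM-capable Kestrel (3.0+) rather than Core 2.2.

```shell
#!/bin/sh
# Added example, not code from the original post. Splits a PFX into a root-only
# private key and a world-readable certificate, mirroring the nginx layout the
# question describes. Assumes: openssl CLI, Linux `stat -c`; app.key/app.crt and
# www-data are illustrative names.
set -u

# split_pfx PFX PASSWORD OUTDIR [SERVICE_USER]
# Writes OUTDIR/app.key (mode 0600) and OUTDIR/app.crt (mode 0644). When run as
# root and SERVICE_USER exists, the key becomes root:root and the cert
# root:SERVICE_USER, so the service account can read only the public half.
split_pfx() {
  pfx=$1; pass=$2; outdir=$3; svc=${4:-www-data}
  mkdir -p "$outdir" || return 1
  # Create both files with no group/other bits from the start, so the key is
  # never readable by others even between creation and the explicit chmod.
  old_umask=$(umask); umask 077
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
    -out "$outdir/app.key" >/dev/null 2>&1 || { umask "$old_umask"; return 1; }
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
    -out "$outdir/app.crt" >/dev/null 2>&1 || { umask "$old_umask"; return 1; }
  umask "$old_umask"
  chmod 0600 "$outdir/app.key" || return 1
  chmod 0644 "$outdir/app.crt" || return 1
  # Ownership can only be set by root; skip it silently otherwise.
  if [ "$(id -u)" -eq 0 ] && id "$svc" >/dev/null 2>&1; then
    chown root:root "$outdir/app.key" || return 1
    chown "root:$svc" "$outdir/app.crt" || return 1
  fi
  return 0
}

# file_mode FILE: prints the octal permission bits of FILE, e.g. 600.
file_mode() { stat -c '%a' "$1"; }

# check_layout OUTDIR: succeeds only if the key is owner-only, the cert is
# group/world readable, and no private key material leaked into the cert file.
check_layout() {
  outdir=$1
  [ "$(file_mode "$outdir/app.key")" = "600" ] || return 1
  [ "$(file_mode "$outdir/app.crt")" = "644" ] || return 1
  grep -q 'BEGIN CERTIFICATE' "$outdir/app.crt" || return 1
  grep -q 'PRIVATE KEY' "$outdir/app.key" || return 1
  # The public file must not carry the private key.
  if grep -q 'PRIVATE KEY' "$outdir/app.crt"; then return 1; fi
  return 0
}

# Usage: sh split_pfx.sh app.pfx 'pfx-password' /etc/myapp [www-data]
if [ $# -ge 3 ]; then
  split_pfx "$@" && check_layout "$3" && echo "ok: $3/app.key is root-only, $3/app.crt is readable"
fi
```

Run it as root so the chown step applies; `check_layout` verifies the mode bits and that the certificate file contains no `PRIVATE KEY` block, which is the property the question cares about: the service user can read the certificate but not the key.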