[EPIC]: HTTPS and Certificate Handling in Kestrel #21512
Comments
Do you want to add caching of certificate validation for certificate auth? #12324
Yea let me add that
I added it because you didn't :p
I don't know if it's already tracked (or considered out of scope), but a common pattern for certificate use is to fetch them from a broker such as a central cert service or secrets store (using any method - HTTP API, ACME etc. - but this may be a very long async wait), then re-fetch and re-apply them as expiry looms. The local X509Store (if any) may just be considered a local cache. It would be ideal if a standard interface for cert request & renewal could be provided (with custom providers for specific scenarios/implementations). All domain/host certs have expiry (which can be hours away or weeks away, but will happen during app uptime); users may wish to start to request renewal after a fixed time period (e.g. every 30 days, or a set period before cert expiry, e.g. 48 hrs before expiry). Initial renewal failures may be transient, but repeated failures require escalation. Fetching may fail if the client no longer has permission to request the cert for that domain or other validation has failed, therefore the service would continue to use the expiring/expired certificate and retry etc. As a service may have multiple domain/port bindings, the state of a certificate will vary per binding (some may be closer to expiry than others, or may be refreshed using other means). Certs may be issued by public CAs or internal CAs (per binding). This is somewhat related to #21300 and #20981 but not completely, and is really just a question of whether this scenario should be a concern for the core framework or left entirely to third-party middleware.
That’s pretty much why we leave policy out of the framework and push users to a callback model. That will be what we enable before doing anything more advanced. We may be able to integrate more as we get a feel for what customers do with it, and if it’s common enough and difficult, we could bake something in.
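The renewal pattern described in the previous comment, built on the callback model the maintainers point to, as an added example that is not part of this thread or of Kestrel itself. It assumes a hypothetical `fetch` delegate standing in for whatever cert service or secrets store a deployment uses; the Kestrel hooks used (`KestrelServerOptions.ConfigureHttpsDefaults`, `HttpsConnectionAdapterOptions.ServerCertificateSelector`) are real.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;

// Serves the current certificate and kicks off a background refresh once
// expiry is within `renewBefore`. A failed fetch keeps the old cert in place,
// so the listener degrades to "expiring cert" rather than "no cert".
public sealed class RenewingCertificateProvider
{
    private readonly Func<CancellationToken, Task<X509Certificate2>> _fetch; // hypothetical broker call
    private readonly TimeSpan _renewBefore;
    private X509Certificate2 _current;
    private int _refreshing; // 0 = idle, 1 = a refresh is already in flight

    public RenewingCertificateProvider(X509Certificate2 initial,
        Func<CancellationToken, Task<X509Certificate2>> fetch, TimeSpan renewBefore)
    { _current = initial; _fetch = fetch; _renewBefore = renewBefore; }

    // Runs on every TLS handshake, so it must be cheap and must never block.
    public X509Certificate2 Select()
    {
        var cert = Volatile.Read(ref _current);
        bool nearExpiry = DateTime.UtcNow >= cert.NotAfter.ToUniversalTime() - _renewBefore;
        if (nearExpiry && Interlocked.CompareExchange(ref _refreshing, 1, 0) == 0)
            _ = RefreshAsync(); // fire and forget; this handshake still uses `cert`
        return cert;
    }

    private async Task RefreshAsync()
    {
        try
        {
            var fresh = await _fetch(CancellationToken.None);
            // Only swap in a certificate that actually extends the validity window.
            if (fresh.NotAfter > Volatile.Read(ref _current).NotAfter)
                Volatile.Write(ref _current, fresh);
        }
        catch (Exception)
        {
            // Transient failure: keep serving the current cert; the next handshake
            // past the threshold retries. Repeated failures belong in logs/alerts.
        }
        finally { Volatile.Write(ref _refreshing, 0); }
    }

    // Wires the provider into Kestrel through the per-handshake selector callback.
    public static void Configure(KestrelServerOptions kestrel, RenewingCertificateProvider provider) =>
        kestrel.ConfigureHttpsDefaults(https =>
            https.ServerCertificateSelector = (connection, hostName) => provider.Select());
}
```

Per-binding state (different expiry per listener) falls out naturally by creating one provider per `ListenOptions.UseHttps` call instead of using the defaults.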
Done for 5.0
This epic tracks all the work required in Kestrel to improve certificate management.
Configure certificate by thumbprint #4385