Core

✅ Can .NET handle SSL certificates at runtime?

Hello, I need to issue/handle SSL certificates for every domain that points to my own domain (users can add their domains through a Web API at runtime). Is it possible to provide certificates when requests come in from different domains?
21 Replies
canton7 · 4mo ago
I'm assuming you're planning to use something like LetsEncrypt to issue the certificates? (as opposed to self-signing or something)
Core (OP) · 4mo ago
Yes, that is what I am planning to use.
canton7 · 4mo ago
ACME Client Implementations
Last updated: Jul 2, 2024 | See all Documentation Let’s Encrypt uses the ACME protocol to verify that you control a given domain name and to issue you a certificate. To get a Let’s Encrypt certificate, you’ll need to choose a piece of ACME client software to use. The ACME clients below are offered by third parties. Let’s Encrypt does not control...
canton7 · 4mo ago
There are also some more options if you google for ".net acme". Hmm, looks like some of the C# implementations on that page are tagged as "C#", some as ".net", and some are just in the "Windows" section.
Core (OP) · 4mo ago
This is double, thanks. What is not yet clear to me: an HTTPS request is made towards the API to return certain entities from the database, but the API is also the one handling the certificates. Before the request even reaches the API, the secure connection (handshake) should be established between the client and server. It is only after that that the endpoint is reached. Isn't that how it works?
canton7 · 4mo ago
If you're making an HTTPS / TLS connection, yes, the certificate exchange and validation is done before anything else. When you talk about "the API", is that an API accessed using your domain, or one of the domains which a user has added?
Core (OP) · 4mo ago
One of the domains which a user has added
canton7 · 4mo ago
And what do you mean by "the one handling certificates"? "handling" in what sense?
Core (OP) · 4mo ago
It should obtain an SSL certificate for a domain added by a user, and also present it to a client (e.g. a browser) when the domain is reached. Since their domain points to mine, the API is reached through their domain.
canton7 · 4mo ago
Why would you need a dedicated API to give the certificate to the user? Certificate exchange happens on any HTTPS connection.

LetsEncrypt's HTTP-01 challenge (where you put a token in a special file, and they request that file and read the token) happens over HTTP, not HTTPS. They will follow a redirect (e.g. to an HTTPS URL), but they don't care if the certificate you give is invalid. So you don't need to worry about needing HTTPS set up (with a valid certificate) in order for the certificate issuance process with LetsEncrypt to work. Otherwise it would be impossible to ever get a certificate from them!

https://letsencrypt.org/docs/challenge-types/#http-01-challenge
Core (OP) · 4mo ago
Thank you so much, I will need to inform myself a bit more on this topic.
canton7 · 4mo ago
$close
MODiX · 4mo ago
If you have no further questions, please use /close to mark the forum thread as answered
Core (OP) · 4mo ago
Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. Does this mean the process of obtaining SSL certificates can happen on multiple threads simultaneously, since the URL has a dynamic parameter TOKEN?
canton7 · 4mo ago
I think threads are irrelevant, but yes, you can get certificates for multiple domains at the same time. The TOKEN is there so that the verification for one domain isn't confused with the verification for another domain.
Core (OP) · 4mo ago
The certificate exchange is unclear to me. I understand that I can obtain a certificate for the domains, but what then? Shouldn't it be stored? How does the protocol know where to pull the certificate from in order to have secure communication?
canton7 · 4mo ago
The client makes a TLS connection, and says "Hello, I would like to connect to xyz.com", and your server says "Hello, I am the server for xyz.com, and this is my certificate to prove it". They then do some crypto stuff which lets the server prove that it is the machine named in the certificate, and the client does some crypto stuff to verify that the certificate was issued by someone that it trusts, like LetsEncrypt.

In a server such as Apache / Nginx, you can set up "virtual hosts", which map a domain name onto a set of configuration, including the certificate (and key) to use for that domain.

If asp.net is the thing handling HTTPS, I'm honestly not sure how you could dynamically configure it to use different certificates for different domains. If you're using Kestrel, this looks relevant: https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.server.kestrel.https.httpsconnectionadapteroptions.servercertificateselector?view=aspnetcore-8.0

You could also have a single certificate which has all of the domains you want to secure as Subject Alternate Names, and you re-issue the entire certificate whenever anyone adds/removes a domain, but 1) this means that anyone can see all of the domains which you support, 2) you might be re-issuing it a lot, and 3) there is a limit to the total number of Subject Alternate Names.
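Putting the two answers above together (the HTTP-01 challenge served over plain HTTP, and a per-domain certificate chosen from the TLS server name via Kestrel's ServerCertificateSelector), here is an added example of how a single ASP.NET Core process could do both. This is not code from the thread, from Let's Encrypt or from the ASP.NET Core project; the `TenantTls` helper, the `certs/...` paths and the tenant host name are constructed for illustration, and a real ACME client library would be what calls `PublishChallenge` and `InstallCertificate`.

```csharp
// Added example: one Kestrel process that (1) answers HTTP-01 challenges on port 80 and
// (2) picks a certificate per connection from the SNI host name on port 443.
// Paths, host names and the TenantTls helper are constructed for this example.
using System.Collections.Concurrent;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

builder.WebHost.ConfigureKestrel(kestrel =>
{
    // Port 80, plain HTTP: the CA fetches the HTTP-01 token here, so this listener must
    // work before any valid certificate exists for the domain.
    kestrel.ListenAnyIP(80);

    // Port 443: the selector runs during each handshake with the host name from the
    // client's SNI extension (null when the client sent none).
    kestrel.ListenAnyIP(443, listen => listen.UseHttps(https =>
    {
        https.ServerCertificateSelector = (connectionContext, sniHost) =>
            TenantTls.SelectCertificate(sniHost);
    }));
});

var app = builder.Build();

// HTTP-01: GET http://<domain>/.well-known/acme-challenge/<TOKEN> must return the key
// authorization the ACME client registered for that token, as text/plain.
app.MapGet("/.well-known/acme-challenge/{token}", (string token) =>
    TenantTls.GetChallenge(token) is { } keyAuthorization
        ? Results.Text(keyAuthorization, "text/plain")
        : Results.NotFound());

// Constructed bootstrap data: a fallback certificate for unknown SNI names, and one tenant
// certificate that was issued earlier and persisted to disk.
TenantTls.UseFallback("certs/fallback.pem", "certs/fallback.key");
TenantTls.InstallCertificate("shop.example-tenant.com",
    "certs/shop.example-tenant.com.pem", "certs/shop.example-tenant.com.key");

app.Run();

// Hypothetical helper (not an ASP.NET Core or ACME-library type). An ACME client in the
// same process calls PublishChallenge before asking the CA to validate, RemoveChallenge
// afterwards, and InstallCertificate once the certificate has been issued.
static class TenantTls
{
    // token -> key authorization; tokens are single-use.
    private static readonly ConcurrentDictionary<string, string> Challenges =
        new(StringComparer.Ordinal);

    // host -> certificate, case-insensitive because host names are.
    private static readonly ConcurrentDictionary<string, X509Certificate2> Certificates =
        new(StringComparer.OrdinalIgnoreCase);

    private static X509Certificate2? _fallback;

    public static void PublishChallenge(string token, string keyAuthorization) =>
        Challenges[token] = keyAuthorization;

    public static void RemoveChallenge(string token) => Challenges.TryRemove(token, out _);

    public static string? GetChallenge(string token) =>
        Challenges.TryGetValue(token, out var keyAuthorization) ? keyAuthorization : null;

    public static void UseFallback(string certPemPath, string keyPemPath) =>
        _fallback = LoadCertificate(certPemPath, keyPemPath);

    public static void InstallCertificate(string host, string certPemPath, string keyPemPath) =>
        Certificates[host] = LoadCertificate(certPemPath, keyPemPath);

    // The SNI value is client-controlled input. It is used only as a dictionary key and
    // never to build a file path, so a crafted name cannot make the server read other files.
    public static X509Certificate2? SelectCertificate(string? sniHost) =>
        sniHost is not null && Certificates.TryGetValue(sniHost, out var cert) ? cert : _fallback;

    private static X509Certificate2 LoadCertificate(string certPemPath, string keyPemPath)
    {
        var cert = X509Certificate2.CreateFromPemFile(certPemPath, keyPemPath);
        // On Windows a PEM-loaded private key is ephemeral and SChannel cannot use it for
        // the handshake; round-tripping through PKCS#12 gives SslStream a usable key.
        return OperatingSystem.IsWindows()
            ? new X509Certificate2(cert.Export(X509ContentType.Pkcs12))
            : cert;
    }
}
```

Two design points follow from the thread: certificates are loaded into memory when a domain is registered, not looked up on disk by the name the client sent, so the selector never turns untrusted SNI input into a path; and an unknown host gets the fallback certificate, so the client sees an ordinary name-mismatch failure rather than another tenant's certificate. The in-memory dictionaries stand in for whatever durable store holds issued certificates and pending challenges.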
Core (OP) · 4mo ago
I needed to go away from home; I will look into the Kestrel one once I get home. A single certificate is not the right solution. As far as I know I can configure many domain/certificate pairs in an Nginx config, but that would be a static file.
canton7 · 4mo ago
It really depends on what is doing your TLS termination, whether that's nginx, apache, kestrel, IIS, cloudflare, AWS, etc. They'll all have their own ways of letting you specify the cert to use for a domain. Apparently something like this exists for nginx: https://diarmuid.ie/blog/setup-mass-dynamic-virtual-hosts-on-nginx
Core (OP) · 4mo ago
Yeah, I have already tried out Cloudflare, but since they are already a reverse proxy I can't manage certificates individually, only if big bucks are paid. You helped me a lot, thank you very much.
$close
MODiX · 4mo ago
If you have no further questions, please use /close to mark the forum thread as answered