Reputation: 235
This is a general question about the best strategy and technology for certificate (like the X509) retention.
In a development environment I usually keep my .pfx files in a project folder. But in a real scenario this is not recommended, of course.
How can I store these files securely? Suppose I have many Docker containers with ASP.NET Web API applications running on them.
These applications have to securely share a private key and/or a certificate file.
Upvotes: 1
Views: 453
Reputation: 1856
First, you don't need to worry about keeping your certificate secure; you do need to worry about keeping the key secure, though.
Second, you should be aware of the shortcomings of the PKCS#12 / PFX format, I documented some of them here: http://unmitigatedrisk.com/?p=543
As for how to keep the private key secure, if you have resigned yourself to using a file vs. keeping the key in the CryptoAPI managed store you want to make sure the "password" is really a solid cryptographic key and not some random string.
Next, you should move the PFX into a folder, maybe named "keys", that you would change the ACLs on. You want the owner to be able to read and write, and the user your application runs as to be able to read. In Linux this would look like:
chown root:keys and chmod 640
In Windows it would look something like:
icacls "c:\keys" /grant root:(OI)(CI)F /T
icacls "c:\keys" /grant app:(OI)(CI)R /T
Ideally, the part of the code that accesses the key runs as its own user.
This leaves you the question of how you protect the "password"; the answer to that is largely "it's turtles all the way down", but take a look at HashiCorp Vault. You can (and probably should) store the PFX in there also.
Upvotes: 1
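The Linux layout from the answer above, as an added example that is not part of the original answer: it applies the 640 / root:keys permissions, audits a key folder for anything looser, and generates a PFX passphrase from the kernel CSPRNG. The function names, the 750 directory mode, the 256-bit hex passphrase and the use of `stat -c` (GNU coreutils or BusyBox) are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and the sample layout are hypothetical.

# Generate a 256-bit passphrase (64 hex characters) from /dev/urandom,
# one reading of "a solid cryptographic key" for the PFX password.
gen_pfx_passphrase() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Apply the answer's permissions: files 640, directory 750 (assumed).
# chown root:keys needs root and an existing "keys" group, so it is
# only attempted when both hold.
lock_down_keys() {
    dir=$1
    chmod 750 "$dir" || return 1
    find "$dir" -type f -exec chmod 640 {} + || return 1
    if [ "$(id -u)" -eq 0 ] && getent group keys >/dev/null 2>&1; then
        chown -R root:keys "$dir"
    fi
}

# Report every regular file whose mode has any bit set outside 0640
# (world access, group write, execute, setuid/setgid/sticky).
# Returns 1 if at least one such file exists. Dotfiles are not scanned.
audit_keys() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ $(( 0$mode & ~0640 & 07777 )) -ne 0 ]; then
            echo "too permissive: $f (mode $mode)" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (paths are placeholders):
#   lock_down_keys /keys && audit_keys /keys
```

Running `audit_keys` as a container start-up check catches a key file that was copied into the image or volume with default 644 permissions.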