Richard Holland

Reputation: 2683

(IdentityServer4) How Do I Load an X509 Certificate Inside an ASP.NET Core Application Running in a Docker Container

I need to load a signing certificate for IdentityServer4 in the Startup() class of an ASP.NET Core application.

I'm deploying as a docker container to an existing Kubernetes cluster on GKE.

I'm unsure of the best way to generate (cert-manager?), store and access the certificate via the IdentityServer asp.net startup class.

If I can figure out the basics I can then learn how to deploy and rotate/expire the keys.

Upvotes: 0

Views: 979

Answers (1)

Jonathan Tiritilli

Reputation: 61

You can do this several ways I think. Personally, I chose to store this credential in a Secret. I'm using a .pfx file, which I did not generate, so you'll have to sort that part out.

Once you have generated the certificate and loaded it into a secret using:

kubectl create secret generic <secret name> --from-file=<path to file>

In your deployment.yaml, configure a volume for your container:

spec:
  volumes:
  - name: secrets-volume
    secret:
      secretName: <secret name>
  containers:
  - name: <container name>
    image: <image>
    volumeMounts:
    - name: secrets-volume
      # mountPath must be absolute; /app is assumed to be the app's content root
      mountPath: /app/secrets
      readOnly: true

Lastly, in your Startup.cs you can add something similar to this:

// Assumes `Environment` is the IWebHostEnvironment injected into Startup and
// `builder` is the result of services.AddIdentityServer(). Needs:
// using System.IO;
// using System.Security.Cryptography.X509Certificates;
// using Microsoft.Extensions.Hosting;
X509Certificate2 rsaCertificate = null;
try
{
    rsaCertificate = new X509Certificate2(
        // Resolves to <content root>/secrets/certificate.pfx, i.e. the mounted Secret
        Path.Combine(Environment.ContentRootPath, "secrets/certificate.pfx"),
        // Take the PFX password from the environment (variable name is illustrative,
        // e.g. populated from the same Secret) rather than hard-coding it in source
        System.Environment.GetEnvironmentVariable("SIGNING_CERT_PASSWORD")
        );
}
catch (System.Exception ex)
{
    // log ex: a wrong path, wrong password or unreadable file all end up here
}

if (Environment.IsDevelopment())
{
    // Development only: IdentityServer generates a temporary key on disk
    builder.AddDeveloperSigningCredential();
}
else
{
    if (rsaCertificate == null)
    {
        throw new System.Exception("Signing Credential not found");
    }

    builder.AddSigningCredential(rsaCertificate);
}

Upvotes: 3
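Added example (not part of the answer above, and not IdentityServer4's own code) that carries the same Secret-and-volume approach through to the rotation the question asks about. It assumes a Secret mounted read-only at /app/secrets containing three hypothetical keys: `signing.pfx` (current signing certificate plus private key), `signing.password` (the PFX password, kept in the Secret rather than in source or the image) and, optionally, `previous.pfx` (the key being rotated out, assumed to use the same password). Such a Secret can be built with `kubectl create secret generic idsrv-signing --from-file=signing.pfx --from-file=signing.password --from-file=previous.pfx` (secret name hypothetical). The loader validates the certificate before registering it and publishes the previous key as a validation key so tokens signed with it keep validating until they expire.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;

// Added example, not code from the answer above or from IdentityServer4 itself.
// Assumed Secret layout (hypothetical key names), mounted read-only at /app/secrets:
//   signing.pfx       current signing certificate with its private key
//   signing.password  the PFX password, kept in the Secret instead of in source
//   previous.pfx      optional: the key being rotated out (same password assumed)
public static class KubernetesSigningKeys
{
    public static IIdentityServerBuilder AddKubernetesSigningKeys(
        this IIdentityServerBuilder builder, string secretsDir = "/app/secrets")
    {
        var password = File.ReadAllText(Path.Combine(secretsDir, "signing.password")).Trim();

        // New tokens are signed with the current key...
        var current = LoadSigningCertificate(Path.Combine(secretsDir, "signing.pfx"), password);
        builder.AddSigningCredential(current);

        // ...while the previous key stays published in the discovery document as a
        // validation key, so tokens it signed keep validating until they expire.
        // Rotation: generate a new signing.pfx, move the old one to previous.pfx,
        // update the Secret, then roll the pods.
        var previousPath = Path.Combine(secretsDir, "previous.pfx");
        if (File.Exists(previousPath))
        {
            builder.AddValidationKey(LoadSigningCertificate(previousPath, password));
        }
        return builder;
    }

    public static X509Certificate2 LoadSigningCertificate(string path, string password)
    {
        // EphemeralKeySet keeps the private key in process memory only. The default
        // UserKeySet tries to persist it under the container user's home directory,
        // which fails in a read-only or non-root container.
        var cert = new X509Certificate2(path, password, X509KeyStorageFlags.EphemeralKeySet);

        if (!cert.HasPrivateKey)
            throw new InvalidOperationException($"{path}: certificate has no private key");
        if (DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException($"{path}: certificate expired on {cert.NotAfter:u}");
        if (DateTime.Now < cert.NotBefore)
            throw new InvalidOperationException($"{path}: certificate not valid until {cert.NotBefore:u}");
        if (cert.NotAfter - DateTime.Now < TimeSpan.FromDays(30))
            Console.Error.WriteLine($"warning: {path} expires on {cert.NotAfter:u}; rotate it");

        // IdentityServer4 signs with RS256 by default; refuse weak or non-RSA keys at
        // startup instead of discovering the problem on the first token request.
        using (var rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null)
                throw new InvalidOperationException($"{path}: private key is not RSA");
            if (rsa.KeySize < 2048)
                throw new InvalidOperationException($"{path}: RSA key is only {rsa.KeySize} bits");
        }
        return cert;
    }
}

// Wiring in Startup.ConfigureServices (Environment is the injected IWebHostEnvironment):
//
//   var builder = services.AddIdentityServer();
//   if (Environment.IsDevelopment())
//       builder.AddDeveloperSigningCredential();
//   else
//       builder.AddKubernetesSigningKeys();
```

Because the Secret is mounted as a volume and the certificate is read once at startup, a rotation takes effect on the next pod restart; failing fast on an expired or weak key means a bad Secret shows up as a crash-looping pod rather than as tokens nobody can validate.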
