2

I implemented an internal REST service which consumes another (external) REST service. The external service is secured with HTTPS with a client certificate (and tokens).

In the first implementation it was a service based on .NET Framework (4.6.2, of course on Windows) and the code looked like this:

        var certificate = new X509Certificate2("./ExternalCert.pfx", "supersecurepassword764689");
        var httpClientHandler = new HttpClientHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual,
            ClientCertificates =
            {
                certificate
            },
            CookieContainer = this.cookieContainer,
        };
        this.httpClient = new HttpClient(httpClientHandler)
        {
            BaseAddress = new Uri(url)
        };

And it worked quite well. Now we are switching to ASP.NET Core 2 (based on .NET Core) and Docker. During development on my Windows machine the code above worked as well with .NET Core.

But now if I execute it inside of the Docker container (of course Linux) it doesn't work anymore (SSL error). (For now the certificate is copied into the container image, but it's planned to store it with Docker secrets.)

I did some research and it seems *.pfx files don't work on Linux and you have to generate a *.pem file based on the pfx. So I generated it with this command:

    openssl pkcs12 -in ExternalCertificate.pfx -out ExternalCertificate.pem -nodes

Afterwards I replaced the following line:

    var certificate = new X509Certificate2("./NewExternalCert.pem", "supersecurepassword764689");

and also tried:

    var certificate = new X509Certificate2(File.ReadAllBytes("./NewExternalCert.pem"), "supersecurepassword764689");

Now I still get an error from the external service that the client certificate is missing, but there is no exception in my application.

So what am I doing wrong? How can I send the certificate on Linux? Is there a possibility to do it on both OSes the same way?

Thank you in advance for any advice!

4
  • Sounds like that part has many issues, github.com/dotnet/corefx/… You might dig further to see which you hit and if there is already a solution. Open a new one if none matches yours. Commented Dec 13, 2017 at 19:51
  • Yeah, read a lot of them and tried some "solutions". I spent a lot of time trying different things and now I'm not sure if I miss something too obvious. Commented Dec 13, 2017 at 19:56
  • A quick way is to dig Microsoft unit test cases for that part, and see if they work on Linux. Then you get an idea whether Microsoft has already implemented it. Commented Dec 13, 2017 at 19:58
  • Thank you, I will give it a try with a clear head Commented Dec 13, 2017 at 20:31

1 Answer

5

I figured it out. You have to set up the Linux environment as you have to install the certificate on Windows.

I copied the certificates as part of the container image (Dockerfile) with:

    COPY ExternalCert.pem /etc/ssl/certs/ExternalCert.pem

Afterwards the code works as intended.


1 Comment

Are you able to make requests to your service (which I suppose is running on Docker) with the client certificate after that fix? It seems there is already an open issue for that (github.com/dotnet/corefx/issues/30989). I am facing the same things right now that are described in that issue. Thanks!
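
The question reports no exception even though the service sees no client certificate; one thing to rule out in that situation is a certificate loaded without its private key, which `X509Certificate2` accepts silently. The following is an added example, not code from the post or from .NET itself: `ClientCertCheck` and `BuildHandler` are hypothetical names, the self-signed certificate and its password are constructed test input, and .NET Core 2.0 or later is assumed.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck
{
    // Hypothetical helper: fail fast instead of sending a request without a usable client certificate.
    public static HttpClientHandler BuildHandler(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                $"Certificate '{cert.Subject}' has no private key; it cannot be used for TLS client authentication.");
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException(
                $"Certificate '{cert.Subject}' is outside its validity period.");

        var handler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Manual };
        handler.ClientCertificates.Add(cert);
        return handler;
    }

    static void Main()
    {
        const string password = "constructed-password"; // constructed, not a real secret
        using (var rsa = RSA.Create(2048))
        {
            // Constructed sample input: a throwaway self-signed certificate.
            var request = new CertificateRequest("CN=constructed-test-client", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var full = request.CreateSelfSigned(DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(30)))
            {
                // PKCS#12 bytes carry certificate and key together.
                var withKey = new X509Certificate2(full.Export(X509ContentType.Pfx, password), password);
                // Certificate-only bytes load without any exception, but the key is absent.
                var certOnly = new X509Certificate2(full.Export(X509ContentType.Cert));

                Console.WriteLine($"PFX load:       HasPrivateKey={withKey.HasPrivateKey}");
                Console.WriteLine($"cert-only load: HasPrivateKey={certOnly.HasPrivateKey}");

                using (BuildHandler(withKey)) { Console.WriteLine("Handler built from the PFX-loaded certificate."); }
                try { BuildHandler(certOnly); }
                catch (InvalidOperationException e) { Console.WriteLine("Rejected: " + e.Message); }
            }
        }
    }
}
```

Running the same `HasPrivateKey` check on the certificate object created inside the container shows whether the key was actually loaded before any request is sent.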
