SSL certificates and trust stores for dotnet core app on OpenShift
Introduction
Imagine you are developing your dotnet core application to run in container on OpenShift or Kubernetes. You need to either call an external web service or internal web service that is secured using SSL certificate.
If your dotnet core app does not trust the root CA who issues the certificate, web service call from your app will fail with certificate not trusted error or similar.
You can find multiple references as how you write code to load root CA certificate in truststore for your dotnet core application. Let me remind you, the way trust stores work on Windows is different that they work in Linx env.
Let’s see an alternate easier way to work with truststore and SSL certificates for your containerized dotnet core app.
The approach is based on openssl’s out of the box support to manage certificates. The OpenSSL libraries use environment variables to override the compiled-in default paths for various data. You see, openssl supports two ENV variables, SSL_CERT_DIR and SSL_CERT_FILE. As the name suggests, this specifies the default directory or file containing CA certificates. You can read more about it /docs/man3.0/man7/openssl-env.html
So, at high level, here are the steps
- Get root CA certificate
- Store the certificate in secret and expose it as a volume mount in linux container
- Set ENV variables to point to the location where certificate is mounted
- The dotnet app uses the certificates as trust certificates when SSL communication is established with your internal or external web services.
Lets see a bit of implementation details..
How to I get root CA certificate?
Simple, you can export it from your browser. You can find many references on how to export from Chrome or Edge browser. Ensure that you export the root CA certificate. If you are exporting intermidiate CA certificate, you also need to get the chain into the certificate.
Storing certificate in secret
Lets say your downloaded certificate is in file root-ca.cer. To create a secret containing this certificate is pretty simple using oc command line
oc create secret generic ca-cert-secret --from-file=path/to/root-ca.cerInfact you can specify multiple certificate files in the same command. For more information see OpenShift CLI developer command reference — OpenShift CLI (oc) | CLI tools | OpenShift Container Platform 4.10
Mounting secret in container and ENV variables
Update your deployment yaml to mount the above secret to say /app/certs
...
spec:
containers:
- image: image-name
name: my-container
volumeMounts:
- name: ca-certs
mountPath: "/app/certs"
readOnly: true
env:
- name: SSL_CERT_DIR
value: "/app/certs"
volumes:
- name: ca-certs
secret:
secretName: ca-cert-secret # name of the secretIn the above snippet, we have mapped secret as volume mount at mount point /app/certs. The certificate in the secret will be available as /app/certs/root-ca.cer
The ENV variable SSL_CERT_DIR is set to /app/certs When the container is launched, the root CA certificate in /app/certs will be trusted and you should be able to call external or internal web services that uses a SSL certificate trusted by root CA.
Please leave your comments / feedback if any
