Kestrel SNI certificate choosing (SSL/TLS)

Parsa99 0 Reputation points
2023-08-25T07:13:26.05+00:00

I have a YARP gateway which uses the following configuration:

{
  "Kestrel": {
    "Endpoints": {
      "Http": {
        "Url": "http://+:80"
      },
      "HttpsInlineCertAndKeyFile": {
        "Url": "https://+:443",
        "Certificate": {
          "Path": "/tls/bundle.crt",
          "KeyPath": "/tls/cert.key"
        }
      }
    }
  }
}

I added a new website with a new domain and now another certificate needs to be used for that site. The documentation shows this config:

{
  "Kestrel": {
    "Endpoints": {
      "MySniEndpoint": {
        "Url": "https://*",
        "SslProtocols": ["Tls11", "Tls12"],
        "Sni": {
          "a.example.org": {
            "Protocols": "Http1AndHttp2",
            "SslProtocols": ["Tls11", "Tls12", "Tls13"],
            "Certificate": {
              "Subject": "<subject; required>",
              "Store": "<certificate store; required>"
            },
            "ClientCertificateMode" : "NoCertificate"
          },
          "*.example.org": {
            "Certificate": {
              "Path": "<path to .pfx file>",
              "Password": "$CREDENTIAL_PLACEHOLDER$"
            }
          },
          "*": {
            // At least one subproperty needs to exist per SNI section or it
            // cannot be discovered via IConfiguration
            "Protocols": "Http1"
          }
        }
      }
    },
    "Certificates": {
      "Default": {
        "Path": "<path to .pfx file>",
        "Password": "$CREDENTIAL_PLACEHOLDER$"
      }
    }
  }
}

but it has nothing in common with my current config and I'm afraid I'm gonna mess it up. What is the correct configuration for this scenario:

Main website -> *.site-a.com [everything works]
New website -> site-b.com [I got the .crt and .key files]

Allow HTTP (80) traffic; it will be redirected with app.UseHttpsRedirection(). For HTTPS (443) traffic, if it's site-b.com use the b-bundle.crt and b-cert.key files; for anything else (which currently means site-a.com and its subdomains) use the bundle.crt and cert.key files.

Developer technologies | ASP.NET | ASP.NET Core
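A configuration for the scenario described in the question, added here as an example (it is not from the thread or from the Kestrel documentation): it keeps the existing endpoint layout and adds an Sni section to the HTTPS endpoint. The /tls/ paths for the site-b files are assumed to follow the layout already used for bundle.crt and cert.key; the SslProtocols entries from the documentation sample are deliberately left out so Kestrel uses the operating system defaults.

```json
{
  "Kestrel": {
    "Endpoints": {
      "Http": {
        "Url": "http://+:80"
      },
      "Https": {
        "Url": "https://+:443",
        "Sni": {
          // Exact host name: only connections whose TLS ClientHello carries
          // server_name = site-b.com are served the new PEM bundle and key.
          // Paths are assumed to mirror the existing /tls/ layout.
          "site-b.com": {
            "Certificate": {
              "Path": "/tls/b-bundle.crt",
              "KeyPath": "/tls/b-cert.key"
            }
          },
          // Catch-all: every other server name (site-a.com and all of its
          // subdomains included) keeps the certificate that works today.
          "*": {
            "Certificate": {
              "Path": "/tls/bundle.crt",
              "KeyPath": "/tls/cert.key"
            }
          }
        }
      }
    }
  }
}
```

Kestrel looks up an exact name before a `*.` prefix and before the bare `*` catch-all, so site-b.com is matched first; after deploying, confirm which certificate each name gets with `openssl s_client -connect host:443 -servername site-b.com` and the same command with -servername www.site-a.com.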

1 answer

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

