Developer technologies | ASP.NET | ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
How to do Identity Certificate and Its Passphrase management in .net core
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 50%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
Ashutosh Pareek
26
Reputation points
Hello,
Currently in one of my .net application I use identity certificate for App-App authentication to sign the token payload. Certificate file(.pfx) get deployed with the application and its passphrase is stored in appSettings.json. As we can see there are security concerns.
What is the standard way to handle this situation?
Appreciate your help
Developer technologies | ASP.NET | ASP.NET Core
Developer technologies | C#
Developer technologies | C#
An object-oriented and type-safe programming language that has its roots in the C family of languages and includes support for component-oriented programming.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 98%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERN%3C/text%3E%3C/svg%3E)
Rena Ni - MSFT 2,066 Reputation points2021-06-04T07:11:29.303+00:00 Hi @Ashutosh Pareek , Actually I think it is the default recommend way to configure certificate authentication. If you think it has security concerns, what about using Azure key vault certificate ?
-
Ashutosh Pareek 26 Reputation points
2021-06-04T07:38:33.34+00:00 @Rena Ni - MSFT We are not on cloud. I don't think its recommended to store passphrase in appSettings.json. Could you guide me to some documentation which says so.
-
AgaveJoe 30,406 Reputation points2021-06-04T10:47:38.82+00:00 ASP.NET Core comes with several options to secure configuration and covered in the official docs.
-
Ashutosh Pareek 26 Reputation points
2021-06-04T13:50:25.257+00:00 @AgaveJoe - But which one to use? What is recommended or industry standard is my main question
-
Rena Ni - MSFT 2,066 Reputation points
2021-06-22T01:21:13.75+00:00 Hi @Ashutosh Pareek , As what AgaveJoe shared, you could choose any one of these ways , they are all the recommended ways. Why do you think appsettings.json is not recommended?
-
Ashutosh Pareek 26 Reputation points
2021-06-22T05:11:42.307+00:00 @Rena Ni - MSFT storing the password for private key in source control is big security risk, it should be stored somewhere which protected by some password vault such as cyberark. I have stored by password there for now but I know that not everyone has access to such vaults hence i wanted know what is the best practice around it. I am fairly certain that it shouldn't be stored in appsettings.json, it will be flagged in any security code scan tool.
-
Rena Ni - MSFT 2,066 Reputation points
2021-06-28T05:02:21.29+00:00 Hi @Ashutosh Pareek , As far as I know, I think Azure Key Vault is a better way to store but you have rejected to use it. I think you could check the custom providers which support asp.net core in this document: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/configuration/?view=aspnetcore-5.0#configuration-providers . It provides several ways for you.
Sign in to comment
Sign in to answer