This repository has been archived by the owner on Nov 21, 2018. It is now read-only.

Bind Kestrel options to config by default #30

Closed
danroth27 opened this issue Apr 17, 2017 · 14 comments

Comments

@danroth27 (Member)

From @danroth27 on April 17, 2017 20:5

Since config is in DI now by default, we should support binding the Kestrel options to config by default (for UseKestrel()).

  "Kestrel": {
    "Endpoints": [ // Order matters!
      {
        "Address": "localhost",
        "Port": "44316",
        "Certificate": { // Implies HTTPS
          "Subject": "danroth27.com", // Pick the cert that matches the subject name with the latest expiry
          "StoreName": "My",
          "StoreLocation": "CurrentUser"
        }
      },
      {
        "Address": "localhost",
        "Port": "8080"
      },
      {
        "Address": "localhost",
        "Port": "44317",
        "Certificate": {
          "Path": "./mysslcert.pfx",
          "Password": "abc!123" // In user secrets: Kestrel:Endpoints:2:Certificate:Password
        }
      }
    ]
  }

Copied from original issue: aspnet/KestrelHttpServer#1703

@danroth27 (Member Author)

From @muratg on April 17, 2017 20:53

👀

@danroth27 (Member Author)

Or you can name your endpoints:

  "Kestrel": {
    "Endpoints": {
      "CertFromStore": {
        "Address": "localhost",
        "Port": "44316",
        "Certificate": { // Implies HTTPS
          "Subject": "danroth27.com", // Pick the cert that matches the subject name with the latest expiry
          "StoreName": "My",
          "StoreLocation": "CurrentUser"
        }
      },
      "LocalhostWithPort": {
        "Address": "localhost",
        "Port": "8080"
      },
      "CertFromFile": {
        "Address": "localhost",
        "Port": "44317",
        "Certificate": {
          "Path": "./mysslcert.pfx",
          "Password": "abc!123" // In user secrets: Kestrel:Endpoints:CertFromFile:Certificate:Password
        }
      }
    }
  }

@danroth27 (Member Author)

We decided to do this in the new static WebHost API.

@danroth27 (Member Author)

@muratg Please assign for preview1

@muratg muratg added this to the 2.0.0-preview1 milestone Apr 17, 2017
@muratg commented Apr 17, 2017

@JunTaoLuo could you take this? Please sync up with @Tratcher.

@danroth27 (Member Author)

A couple of updates:

  • We will need to be able to configure certificates for multiple purposes: SSL, token signing, etc.
  • It would be nice if you could reference a certificate configuration
  • It would make the model simpler if the source of the certificate is explicit (Store, File)

Proposed update:

{
    "Kestrel": {
        "Endpoints": {
            "LocalhostWithPort": { // Just a name, not schema
                "Address": "localhost",
                "Port": "8080"
            },
            "CertReferenced": { // Just a name, not schema
                "Address": "localhost",
                "Port": "44316",
                "Certificate": "IIS Express" // Reference cert by name
            },
            "CertInline": { // Just a name, not schema
                "Address": "localhost",
                "Port": "44317",
                "Certificate": {
                    "Source": "File",
                    "Path": "./mysslcert.pfx",
                    "Password": "abc!123" // In user secrets: Kestrel:Endpoints:CertInline:Certificate:Password
                }
            }
        }
    },
    "Certificates": {
        "IIS Express": { // Just a name, not schema
            "Source": "Store",
            "Subject": "localhost", // Pick the cert that matches the subject name with the latest expiry
            "StoreName": "My",
            "StoreLocation": "LocalMachine"
        },
        "SigningCertificate": { // Just a name, not schema
            "Source": "File",
            "Path": "./mycert.pfx",
            "Password": "abc!123" // In user secrets: Certificates:SigningCertificate:Password
        }
    }
}

@danroth27 (Member Author)

@javiercn

@muratg commented Apr 18, 2017

@CesarBS Please sync up with @Tratcher and @davidfowl to get the design.

@danroth27 (Member Author)

Please note that the logic for loading the Certificates section should be surfaced as an API that can be used in other contexts. For example, we will need to be able to get the list of certificates so that we can select one for signing purposes.

@danroth27 (Member Author)

@CesarBS Looks like @JunTaoLuo merged the WebHostBuilderContext overloads today: aspnet/Hosting#1020. So I think this is now unblocked.

@danroth27 (Member Author)

Note that we will want to use the same cert loading logic in other places (e.g. signing certs). Some examples:

{
    "Authentication": {
        "Identity": {
            "SigningCertificates": { // Multiple inline
                "MySigningCert1": {
                    "Source": "File",
                    "Path": "cert1.pfx",
                    "Password": "*****"
                },
                "MySigningCert2": {
                    "Source": "File",
                    "Path": "cert2.pfx",
                    "Password": "*****"
                }
            }
        }
    }
}
{
    "Authentication": {
        "Identity": {
            "SigningCertificates": { // Single inline
                "Source": "File",
                "Path": "cert1.pfx",
                "Password": "*****"
            }
        }
    }
}
{
    "Certificates": {
        "MySigningCert1": {
            "Source": "File",
            "Path": "cert1.pfx",
            "Password": "*****"
        }
    },
    "Authentication": {
        "Identity": {
            "SigningCertificates": "MySigningCert1" // Single referenced
        }
    }
}
{
    "Certificates": {
        "MySigningCert1": {
            "Source": "File",
            "Path": "cert1.pfx",
            "Password": "*****"
        },
        "MySigningCert2": {
            "Source": "File",
            "Path": "cert2.pfx",
            "Password": "*****"
        }
    },
    "Authentication": {
        "Identity": {
            "SigningCertificates": "MySigningCert1 MySigningCert2" // Multiple referenced, space separated
        }
    }
}

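Added example (not the repository's code and not an ASP.NET API): a small Python model of the resolution rules proposed across this thread, run over a constructed appsettings-style sample. It resolves named endpoints whose Certificate is either inline or a reference into the top-level "Certificates" section, expands the single, space-separated and map forms of SigningCertificates, rejects an unknown Source or an unknown reference, and lists the config keys of every inline Password that should live in user secrets instead.

```python
import json
# Constructed sample in the schema proposed in this thread (not the project's own config).
SAMPLE = json.loads("""{
  "Kestrel": {"Endpoints": {
    "Plain":      {"Address": "localhost", "Port": "8080"},
    "Referenced": {"Address": "localhost", "Port": "44316", "Certificate": "IIS Express"},
    "Inline":     {"Address": "localhost", "Port": "44317",
                   "Certificate": {"Source": "File", "Path": "./mysslcert.pfx", "Password": "abc!123"}}}},
  "Certificates": {
    "IIS Express":    {"Source": "Store", "Subject": "localhost", "StoreName": "My", "StoreLocation": "LocalMachine"},
    "MySigningCert1": {"Source": "File", "Path": "cert1.pfx", "Password": "*****"},
    "MySigningCert2": {"Source": "File", "Path": "cert2.pfx", "Password": "*****"}},
  "Authentication": {"Identity": {"SigningCertificates": "MySigningCert1 MySigningCert2"}}
}""")
# Fields each explicit Source must carry; any other Source is rejected rather than guessed.
REQUIRED = {"Store": {"Subject", "StoreName", "StoreLocation"}, "File": {"Path"}}

def load_certificate(spec, catalog):
    """Resolve one Certificate value: a name in the top-level "Certificates" section, or an inline object."""
    if isinstance(spec, str):
        if spec not in catalog:
            raise ValueError(f"unknown certificate reference {spec!r}")
        spec = catalog[spec]
    source = spec.get("Source")
    if source not in REQUIRED:
        raise ValueError(f"Source must be Store or File, got {source!r}")
    if missing := REQUIRED[source] - spec.keys():
        raise ValueError(f"{source} certificate is missing {sorted(missing)}")
    return spec

def load_certificates(spec, catalog):
    """SigningCertificates: one reference, a space-separated list of references, one inline cert, or a map of named inline certs."""
    if isinstance(spec, str):
        return [load_certificate(name, catalog) for name in spec.split()]
    if "Source" in spec:
        return [load_certificate(spec, catalog)]
    return [load_certificate(inline, catalog) for inline in spec.values()]

def resolve_endpoints(config):
    """Return {name: (address, port, cert-or-None)}; a Certificate entry implies HTTPS."""
    catalog = config.get("Certificates", {})
    return {name: (ep["Address"], int(ep["Port"]),
                   load_certificate(ep["Certificate"], catalog) if "Certificate" in ep else None)
            for name, ep in config["Kestrel"]["Endpoints"].items()}

def plaintext_passwords(node, prefix=""):
    """Colon-separated keys of every inline Password, i.e. the values that belong in user secrets, not in the checked-in file."""
    if not isinstance(node, dict):
        return []
    return ([prefix + "Password"] if "Password" in node else []) + \
        [p for k, v in node.items() for p in plaintext_passwords(v, prefix + k + ":")]
```

A referenced name that itself contains a space, such as "IIS Express", cannot appear in the space-separated list form, which is why the sample references it only from an endpoint.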
@cesarblum (Contributor)

@danroth27 Can you file an issue for the follow-up CertificateLoader changes?

@danroth27 (Member Author)

#69
