Closed
Labels
- Epic: Groups multiple user stories. Can be grouped under a theme.
- area-networking: Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
Description
This epic tracks all the work required in Kestrel to improve certificate management.
- Support specifying a full certificate chain in HttpsConnectionAdapterOptions #21513
- SSLStream should support taking a pre-validated immutable full certificate chain runtime#35844 - SslStream API improvements for enhanced use cases runtime#37933
- Add support for PEM format SSL certificates #4706
- Add support for loading entire key chains from PFX and PEM files. [Kestrel] Certificate chains support #23623
- Consider support for SNI certificate selection from X509Store #21300
- ServerCertificateSelector callback needs to be async, otherwise any async work in callback may cause deadlock with threadpool (e.g. logging failure to disk). #20981
- Enable SslStream server options per-hostname (in callback) runtime#31097
- Support SNI via config #15144
- OCSP Stapling support for Kestrel #4762
- Configure certificate by thumbprint #4385

  The problem with thumbprints is that it'll allow you to choose an expired certificate. Using subject names is better because it will pull a valid one (assuming it exists), with the longest validity period. Thumbprint selection should die.

- Cache certificate validation results in Certificate Auth - Performance improvements for Client Certificate auth #12324
- Enable setting the ClientCertificateMode from an appsettings.json file - Setting the ClientCertificateMode Kestrel server option from an appsettings.json file. #18660