Hi Michael,

*If you want to rapidly add pervasive encryption in your app*, check out crypteron.com/docs. Only mentioning it because it's a lot simpler than writing custom code to orchestrate data flows, crypto libraries etc. with Azure Vault and AWS KMS for most use cases.

*If you just want to keep separate versions of info in your web/app.config file(s)*, best to leverage https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure/#application-settings. Compared to rolling your own solution, this has the extra benefit that only your Azure admin can access those settings, NOT your dev team.

*If you want to create custom x509 certificates*, try the openssl command line or TinyXCA (it's a GUI wrapped around the OpenSSL lib). Again, I don't fully understand your underlying problem, but if you're entering this zone for any production usage, it's typically worth reviewing the overall architecture. Only rarely is it a good situation. It's a long-term commitment (cert validity or business lifetime of app). It's also very laborious to set up and manage that PKI. Basically, don't reinvent the wheel when tools/platforms exist.

Lastly, since this is the developer list of one of my favorite projects, my mandatory disclosure: I am one of the founders at Crypteron, mentioned above.

Hope that helps,
Sid

> From: mich...@dragonspark.us
> To: dev-crypto-csharp@bouncycastle.org
> CC: bouncycas...@nedharvey.com
> Subject: [dev-crypto-csharp] RE: Dynamically Signing X509 Certificates at Runtime
> Date: Mon, 22 Feb 2016 14:08:41 +0000
>
> Hi Edward,
>
> Thank you for your reply. You are indeed correct that I do not understand much at all about this. This is one of those topics where I learn a bunch, don't use it for a few years (or much longer) and then revisit it only to learn that I have forgotten it all. :)
>
> In this case, I am not only learning self-signing certificates (and all of their implications), but I am also learning about the Azure Key Vault, which suggests using certificates in addition to sending a client id when making requests. You can see more about this here with a sample article:
> https://github.com/Azure/azure-content/blob/master/articles/key-vault/key-vault-use-from-web-application.md#authenticate-with-a-certificate-instead-of-a-client-secret
>
> The root of the problem I am trying to solve is that I do not want to check sensitive information into (public, à la github) source control, yet still have an elegant system that allows me to retrieve necessary data for both local development and for production environments.
>
> The path I *was* taking was to generate self-signed certificates that also have additional needed information embedded in the certificate's extensions. Additional information would be the client ID as mentioned above along with the root URL in which the vault is stored. As you state, this is something that is personal to my process and would not be shared online.
>
> The problem I am facing now is that I do not know if creating a new certificate extension is the best guidance. :D
>
> Additionally, I found out this morning after some digging that Azure provides "Application Settings" that replace configuration settings provided with the app.config after deployment. In my case, the application I am running is a Console Application. While I knew that "Application Settings" worked for Web Applications (web.config), I did not know that you can also deploy a Console Application as an Azure Web Job and get the same benefits. It will also account for the App.config -> Web.config conversion as well. You can see more here:
> https://azure.microsoft.com/en-us/documentation/articles/websites-dotnet-deploy-webjobs/
>
> Anyways, long story short here... I think I have what I need to continue with the core problem, but it is nice to know I have a resource here and also with the link you suggest below, which I will definitely use going forward. :)
>
> Thank you for your advice and feedback!
>
> Michael
>
> -----Original Message-----
> From: Edward Ned Harvey (bouncycastle) [mailto:bouncycas...@nedharvey.com]
> Sent: Monday, February 22, 2016 8:41 AM
> To: Michael DeMond <mich...@dragonspark.us>; dev-crypto-csharp@bouncycastle.org
> Subject: RE: Dynamically Signing X509 Certificates at Runtime
>
> > From: Michael DeMond [mailto:mich...@dragonspark.us]
> >
> > Apologies if I have or am already breaking any sort of rules and/or protocol here in reaching out to you here.
>
> Your email is completely appropriate here. There is also a strong community on stackoverflow, and http://crypto.stackexchange.com/
>
> > Anyways, my question is actually the same as the question asked within the comments of this blog post, and that is: is it possible to generate a certificate from a provided CA root certificate? I am learning about all of this, and I *mostly* have things working in the test environment, but at some point I will have to put the big boy pants on, and use a trusted certificate from an external source (from what I understand). Will I be able to use this approach with that certificate?
>
> Unless I miss my guess, you seem to not really understand how certificates work, or even, what exactly they are. My first response is to say:
>
> If what you want is the academic learning experience, start by reading Cryptography Engineering, and/or attend an intro to cryptography class. There is a free video course on coursera, and probably other locations too. I've done both of these, and personally I think the book is better, but the coursera class is also very good.
>
> If your goal is to use something practical, rather than learn everything about cryptography, you should probably just get a real cert from a trusted CA. Free certs are available from https://startssl.com or https://letsencrypt.org. There are also various low-cost cert providers (like $11/yr), for example https://namecheap.com.
>
> You can create a self-signed cert, but then you should never expose it to the internet, so what's the point. If you know enough to tell me the nuances of when it would be ok and my overly broad generalized statement here is wrong, then you wouldn't be asking this question. ;-)
>
> You can create your own private CA, and build and deploy a private key infrastructure (PKI), but if you want to do this, you really should have a solid understanding of cryptography first. It's a lot of work, very complex, with lots of ways to shoot yourself. Most likely you wouldn't do that in a programming language such as C#; most likely you would use some preexisting tools such as openssl.
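The private-CA route Edward and Sid point at, worked through with the openssl CLI as an added example (not code from this thread or from the BouncyCastle project): a root that may sign, a leaf it issues for an application, and the check that a non-CA certificate cannot be used as an issuer. It assumes openssl 1.1.1 or later on PATH and takes a scratch directory as its argument; every file name and subject is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA issuing a leaf certificate
# with the openssl CLI. Assumes openssl 1.1.1+ on PATH; $1 is a scratch
# directory; every file name and subject below is constructed.
set -eu

# Self-contained req config so nothing depends on the system openssl.cnf.
# ca_ext marks the root as a CA that is allowed to sign certificates.
write_ca_config() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Private Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# The root (self-signed, CA:TRUE) issues an end-entity leaf (CA:FALSE), e.g.
# a client-auth certificate for an application talking to Key Vault.
issue_from_private_ca() {
  dir="$1"; mkdir -p "$dir"; write_ca_config "$dir"; cd "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 365 -config ca.cnf >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=myapp.example.internal" -config ca.cnf >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 90 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
  openssl verify -CAfile ca.crt leaf.crt   # relying-party check; non-zero if the chain is bad
}

# The flip side of the question in the thread: a certificate that is not a CA
# (this leaf, or a server cert bought from a public CA) cannot issue further
# certificates. openssl will still produce a signature, but verification
# rejects the chain because leaf.crt is CA:FALSE and lacks keyCertSign.
chain_through_leaf_is_rejected() {
  cd "$1"
  openssl req -newkey rsa:2048 -nodes -keyout other.key -out other.csr \
    -subj "/CN=other.example.internal" -config ca.cnf >/dev/null 2>&1
  openssl x509 -req -in other.csr -CA leaf.crt -CAkey leaf.key -CAcreateserial \
    -days 90 -extfile leaf.ext -out other.crt >/dev/null 2>&1
  ! openssl verify -CAfile ca.crt -untrusted leaf.crt other.crt >/dev/null 2>&1
}
```

Run `issue_from_private_ca /tmp/pki-demo` first; `chain_through_leaf_is_rejected` reuses the files it wrote and returns 0 only when the bogus chain is refused.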