Application Server Certificate Management
The ApplicationServer infrastructure provides several easy ways to add TLS traffic protection to a server application.
This topic covers the most common scenarios for TLS certificate management.
Self-Signed Certificate
Remoting SDK provides a set of classes for generating self-signed certificates. The simplest scenario is to auto-generate a self-signed certificate for traffic encryption purposes.
The RemObjects.SDK.Server.CertificateBuilderFactory class factory provides access to the platform-specific self-signed certificate builder (.NET, .NET Core, .NET Standard, and Mono are supported). This certificate builder can be used to generate a self-signed certificate.
However, in most cases there is no need to use these classes directly, as the ApplicationServer infrastructure hides this complexity. All that is needed is to set the following options:
- AutoCreateSelfSignedCertificate enables optional generation of a self-signed certificate on server startup. If no certificate file is found in the server application folder, a new certificate is generated.
- NetworkServer.UseTLS enables TLS traffic protection of the server channel used by the application.
```csharp
using RemObjects.SDK.Server; // ApplicationServer lives in this namespace

static class Program
{
    public static int Main(string[] args)
    {
        ApplicationServer server = new ApplicationServer("SampleServer");
        // Generate a self-signed certificate on first start if none is present
        server.AutoCreateSelfSignedCertificate = true;
        // Protect the server channel with TLS
        server.NetworkServer.UseTLS = true;
        server.Run(args);
        return 0;
    }
}
```
Custom Certificate
The ApplicationServer infrastructure provides a number of ways to use a certificate file obtained from third-party sources.
The most obvious way of using such a certificate is to load it from any source as an X509Certificate2 instance and then assign it directly to the corresponding property:
```csharp
using RemObjects.SDK.Server; // ApplicationServer lives in this namespace
using System.Security.Cryptography.X509Certificates;

static class Program
{
    public static int Main(string[] args)
    {
        ApplicationServer server = new ApplicationServer("SampleServer");
        // Load certificate here...
        server.NetworkServer.UseTLS = true;
        // Assign the loaded X509Certificate2 instance
        server.NetworkServer.Certificate = ...;
        server.Run(args);
        return 0;
    }
}
```
Another option is to provide certificate properties and let the ApplicationServer load the certificate itself. The available certificate loading options are:
- Load certificate from file
```csharp
server.NetworkServer.CertificateFileName = ...;
```
- Load certificate from certificate store by its thumbprint
```csharp
server.NetworkServer.CertificateThumbprint = "...";
server.NetworkServer.CertificateStore = "...certificate store name..."; // Optional
```
- Load certificate from certificate store by its subject
```csharp
server.NetworkServer.CertificateSubject = "...";
server.NetworkServer.CertificateStore = "..."; // Optional
```
Note that the CertificateStore parameter is optional. If it is not set, the default X.509 certificate store is used.
The certificate loader first tries to load the certificate from the current user's certificate store and then from the local machine certificate store.
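The following is an added example, not code from the Remoting SDK documentation or code base. It fills in the "Load certificate here..." step from the direct-assignment snippet above and mirrors the store lookup order just described (current user first, then local machine), using only the standard .NET X509 API. Before handing the certificate to the server it checks the two things that most often make a deployed certificate unusable: a missing private key and an expired or not-yet-valid certificate. The environment variable names, the hypothetical PFX path and the `StoreName.My` choice are assumptions of this example.

```csharp
// Added example: load a TLS certificate from a PFX file or the certificate store,
// check that it can actually terminate TLS, then assign it to the ApplicationServer.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using RemObjects.SDK.Server;

static class Program
{
    // Looks a certificate up by thumbprint, first in the current user store and then
    // in the local machine store (the same order the SDK loader is described as using).
    static X509Certificate2 FindByThumbprint(string thumbprint, StoreName storeName)
    {
        if (string.IsNullOrEmpty(thumbprint))
            return null;
        // Thumbprints copied from the Windows certificate dialog often contain spaces and
        // an invisible left-to-right mark; keep only the hex digits before searching.
        string normalized = new string(thumbprint.Where(Uri.IsHexDigit).ToArray());
        foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            using (var store = new X509Store(storeName, location))
            {
                store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
                // validOnly: true skips certificates that are expired or not trusted
                var matches = store.Certificates.Find(X509FindType.FindByThumbprint, normalized, true);
                if (matches.Count > 0)
                    return matches[0];
            }
        }
        return null;
    }

    // Rejects certificates that cannot be used for server-side TLS.
    static void EnsureUsableForTls(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new InvalidOperationException("No TLS certificate was found.");
        if (!certificate.HasPrivateKey)
            throw new InvalidOperationException("The certificate has no private key and cannot be used by a TLS server.");
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new InvalidOperationException(
                $"The certificate is outside its validity period ({certificate.NotBefore:u} to {certificate.NotAfter:u}).");
    }

    public static int Main(string[] args)
    {
        ApplicationServer server = new ApplicationServer("SampleServer");
        server.NetworkServer.UseTLS = true;

        // Hypothetical configuration: the values come from the environment here; in a real
        // deployment the PFX password should come from a secret store, never from source code.
        string pfxPath = Environment.GetEnvironmentVariable("SAMPLE_TLS_PFX");
        string pfxPassword = Environment.GetEnvironmentVariable("SAMPLE_TLS_PFX_PASSWORD");
        string thumbprint = Environment.GetEnvironmentVariable("SAMPLE_TLS_THUMBPRINT");

        X509Certificate2 certificate;
        if (!string.IsNullOrEmpty(pfxPath))
        {
            // PFX/PKCS#12 file; MachineKeySet keeps the key usable when running as a service account
            certificate = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.MachineKeySet);
        }
        else
        {
            // Personal ("My") store, the usual location for server certificates
            certificate = FindByThumbprint(thumbprint, StoreName.My);
        }

        EnsureUsableForTls(certificate);
        server.NetworkServer.Certificate = certificate;
        server.Run(args);
        return 0;
    }
}
```

Failing fast in `EnsureUsableForTls` is deliberate: a server that starts with a certificate lacking its private key will accept connections and then fail every TLS handshake, which is harder to diagnose than a refused start.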
Certificate Watcher
Certificate Watcher is one of the more advanced features of the ApplicationServer infrastructure.
Its purpose is simple: to automatically reload the TLS certificate in use, without restarting the server application, when that certificate has changed.
If the TLS certificate has been set up via file name or certificate subject, ApplicationServer starts an internal timer. Every 15 minutes the certificate is reloaded from the source file or certificate store. If the reloaded certificate differs from the one currently in use, the server channel is automatically reconfigured to use the freshly loaded certificate.
It is possible to adjust the certificate check period, or even to provide your own certificate watcher implementation, using the SetCertificateWatcher method:
```csharp
// Set certificate watcher check period to 600 seconds
server.NetworkServer.SetCertificateWatcher(new CertificateWatcherFactory(600));
```
The SetCertificateWatcher method accepts a parameter of type ICertificateWatcherFactory. Custom implementations of this interface can be provided. The interface exposes a single method that accepts the certificate check period, a number of certificate description parameters, and a callback method that should be invoked once the watcher detects a certificate change.