Certificates in .NET Core on Linux and Docker

Disclaimer: I am by no stretch of the imagination a savant in the field of cryptography, nor do I know Linux and Docker inside out. I’m simply a .NET C# developer who has embraced the opportunity to explore different platforms 🙇.

Historically, the .NET framework was written only with the Windows platform in mind. Now with .NET Core, porting the framework’s functionality to other platforms presents significant challenges and some paradigm shifts, such as how to handle certificates.

For example, in Windows, the certificate store has the concept of Local Machine and Current User locations, which doesn’t quite translate to the way Linux stores certificates. There is no Current User store in Linux, which raises the question: what happens when I try to access it with .NET Core on Linux like this?

That being said, adding a certificate to the Current User store has to be done programmatically with the .NET Core framework (adding the certificate file manually to that custom location is not a recommended approach).
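Added example, not the author's code or the tool's: one way to add a certificate with its private key to the Current User store from .NET Core and read it back by thumbprint. The class and method names, the sample subject and the password are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class CurrentUserStoreDemo // hypothetical name, not from the original post
{
    // Adds a PFX (certificate + private key) to CurrentUser\My and returns its thumbprint.
    // On Linux, .NET Core keeps this store under ~/.dotnet/corefx/cryptography/x509stores/my/.
    public static string Install(byte[] pfx, string password)
    {
        using (var cert = new X509Certificate2(pfx, password, X509KeyStorageFlags.PersistKeySet))
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);
            return cert.Thumbprint;
        }
    }

    // Loads the certificate the way application code would; fails if it or its key is missing.
    public static X509Certificate2 Load(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) throw new InvalidOperationException("Certificate not in CurrentUser\\My.");
            if (!found[0].HasPrivateKey) throw new InvalidOperationException("Private key missing.");
            return found[0];
        }
    }

    public static void Main()
    {
        const string password = "constructed-sample-password"; // constructed sample value
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-example", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var selfSigned = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30)))
            using (var loaded = Load(Install(selfSigned.Export(X509ContentType.Pfx, password), password)))
            using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
            {
                Console.WriteLine(loaded.Subject + " hasPrivateKey=" + loaded.HasPrivateKey);
                store.Open(OpenFlags.ReadWrite);
                store.Remove(loaded); // clean up the throwaway sample certificate
            }
        }
    }
}
```

The store belongs to the user account running the process, so the install step and the application must run as the same user inside the container.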

Since programmatically adding certificates is a bit of a pain in the butt, I decided to develop a little console application to help with the process. My colleague suggested I should publish it as a .NET Core global tool to further simplify the installation/usage process — good idea!

Now all you have to do to use it is:

And you’re off 🏃‍♀! For more information on how to add/remove certificates with the tool, have a look at the repository:

There are a few “gotchas” when using it with Docker.

Next, install the certificate, but do so only when running your container. Never bake the certificate into the image as this is a potential security breach.

In order to install the certificate when initializing the container, the image entry point needs to do the work. For example, a bash script could do the following:

And then call the Docker run CLI with the necessary arguments:

Tada 🎉 you now have a .NET Core application running in Docker which can load a certificate from the X509Store in your code. Hopefully this little tool will have saved you some wasted time. Cheers!
