SlideShare a Scribd company logo
1 of 49
Create Your Own Serverless PKI with
.NET & Azure Key Vault
Eran Stiller
Chief Technology Officer
erans@codevalue.net
@eranstiller
https://stiller.blog
https://codevalue.net
2
3
4
5
Agenda
▪ IoT Data Ingestion
▪ PKIs, CAs & Certificates
▪ Building a Serverless CA using .NET
▪ Authoring Certificate Subscribers using .NET
▪ Using the Generated Certificates
▪ Device Provisioning Service & IoT Hub
6
About Eran
Eran Stiller
▪ @eranstiller
▪ CTO & Founder at CodeValue
▪ Software architect, consultant and instructor
▪ Microsoft Regional Director & Azure MVP
▪ Founder of Azure Israel Meetup
7
IoT Data Ingestion
9
IoT Data Ingestion
10
Data Ingestion Pipeline
Further Big Data
Processing
IoT Hub Raw Storage
(Data Lake)
Device
Device
Device
IoT Data Ingestion
11
Device
Device
Device
Data Ingestion Pipeline
Further Big Data
Processing
IoT Hub Raw Storage
(Data Lake)
Data Ingestion Pipeline
Further Big Data
Processing
IoT Hub Raw Storage
(Data Lake)
Device
Provisioning
Service
Securely Communicating with Devices
12
Confidentiality Authentication Authorization
Icons made by Freepik and Eucalyp for www.flaticon.com
Keep It Simple
13
PKIs, CAs & Certs
14
Public Key Infrastructure (PKI)
▪ An umbrella term for the stuff we need in order to:
▪ Issue
▪ Distribute
▪ Store
▪ Use
▪ Verify
▪ Revoke
▪ and otherwise manage and interact with certificates and keys
▪ Don’t build from scratch
▪ Can use an off-the-shelf solution
▪ Can build some parts and rely on others
15
Certificates
▪ A driver’s license for computers and
code
▪ Basically, a binding between an
identifier (name) and a public key
▪ Usually encoded as X.509
16
Icon made by Becris for www.flaticon.com
Demo
Certificate Content
17
Certificates 101
18
Hi there, I’m Alice!
Hi Alice, I’m Bob!
How do I know you’re really Bob?
Here is my Certificate ( + certificate)
Prove it to me by decrypting this challenge ( + challenge)
There you go ( + decrypted challenge)
Continue secure conversation (Optionally – mutual authentication)
Certificate Authority
▪ The entity which issues certificates
▪ Trusted by the Relying Parties
▪ Public trusted root certificates are pre-populated
▪ Various methods to verify identity
19
Building a Serverless CA
using .NET
20
The Root Certificate
21
Azure Key Vault
▪ Safeguard cryptographic keys and other secrets
▪ Hardware Security Modules (HSM) as a service
▪ Can be replaced with AWS Certificate Manager
▪ Principles will remain unchanged
▪ Implementation details will defer
22
Scenario
Generating a new certificate on a new device
23
Demo
Setup Azure
Key Vault & Other
Resources
24
Generating the Root Certificate on Key Vault
25
var certificateOperation = await client.CreateCertificateAsync(
_vaultBaseUrl,
_certificateName,
new CertificatePolicy(
keyProperties: new KeyProperties(false, "RSA", 2048, false),
x509CertificateProperties: new X509CertificateProperties(
"CN=" + RootSubjectName,
keyUsage: new List<string> {X509KeyUsageFlags.KeyCertSign.ToString()},
ekus: new List<string> {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"}),
issuerParameters: new IssuerParameters("Self")));
Generating the Root Certificate on Our Machine
26
using var certificateKey = RSA.Create();
var subjectDistinguishedName = new X500DistinguishedName("CN=" + RootSubjectName);
var request = new CertificateRequest(subjectDistinguishedName, certificateKey,
HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, true));
request.CertificateExtensions.Add(
new X509BasicConstraintsExtension(true, true, 1, true));
// Additional X509 extensions not shown for brevity
var certificate =
request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
Demo
Generating the
Root Certificate
27
Limiting Root Certificate Access
▪ Use Azure Key Vault Access Policies
28
Auditing Root Certificate Access
29
{
"time": "2016-01-05T01:32:01.2691226Z",
"resourceId": "/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD-
XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAU
LT",
"operationName": "VaultGet",
"operationVersion": "2015-06-01",
"category": "AuditEvent",
"resultType": "Success",
"resultSignature": "OK",
"resultDescription": "",
"durationMs": "78",
"callerIpAddress": "104.40.82.76",
"correlationId": "",
"identity": {
"claim": {
"http://schemas.microsoft.com/identity/claims/objectidentifier":
30
"durationMs": "78",
"callerIpAddress": "104.40.82.76",
"correlationId": "",
"identity": {
"claim": {
"http://schemas.microsoft.com/identity/claims/objectidentifier":
"d9da5048-2737-4770-bd64-XXXXXXXXXXXX",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":
"live.com#username@outlook.com",
"appid": "1950a258-227b-4e31-a9cf-XXXXXXXXXXXX"
}
},
"properties": {
"clientInfo": "azure-resource-manager/2.0",
"requestUri": "https://control-prod-
wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd-
XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/conto
sokeyvault?api-version=2015-06-01",
"id": "https://contosokeyvault.vault.azure.net/",
"httpStatusCode": 200
}
}
Sign a Request Using the Root Certificate
31
subject name, public key & access token
Sign a Request Using the Root Certificate
32
Device
Identity
Provider
Certificate
Authority
Key Vault
authentication info
access token
generate CSR
generate
key pair
certificate digest (hash)
signed digest
signed certificate
Store certificate
& private key
Generate Certificate Signing Request (CSR)
33
var parameters = new RSAParameters
{ Modulus = publicKey.Modulus, Exponent = publicKey.Exponent };
var certificateKey = RSA.Create(parameters);
var subjectDistinguishedName = new X500DistinguishedName("CN=" + subjectName);
var request = new CertificateRequest(subjectDistinguishedName, certificateKey,
HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(
X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
request.CertificateExtensions.Add(
new X509BasicConstraintsExtension(false, true, 0, true));
// Additional X509 not shown for brevity
return request;
Sign Certificate with Root Key
34
CertificateRequest request = CreateCertificateRequest(subjectName, certificateKey);
byte[] certificateSerialNumber = await _serialNumberGenerator.GenerateSerialAsync();
RSA rsaKeyVault = _keyVaultClient.ToRSA(
certificateBundle.KeyIdentifier, issuerCertificate);
var generator = X509SignatureGenerator.CreateForRSA(
rsaKeyVault, RSASignaturePadding.Pkcs1);
var certificate = request.Create(
issuerCertificate.SubjectName, generator,
DateTime.Today, DateTime.Today.AddYears(1),
certificateSerialNumber);
Demo
Serverless CA using
.NET & Azure Functions
35
Authoring Certificate
Subscribers using .NET
36
subject name, public key & access token
Sign a Request Using the Root Certificate
37
Device
Identity
Provider
Certificate
Authority
Key Vault
generate CSR
certificate digest (hash)
signed digest
signed certificate
Store certificate
& private key
authentication info
access token
generate
key pair
Getting an Access Token for Azure Functions
39
var auth = await authHelper.AcquireTokenAsync(); // AAD Token
var client = new HttpClient
{ BaseAddress = new Uri(configuration.BaseUrl) };
var request = new {access_token = auth.AccessToken};
var httpContent = ... // JSON serialization
var responseMessage = await client.PostAsync(".auth/login/aad", httpContent);
var serializedResponse = await responseMessage.Content.ReadAsStringAsync();
dynamic response = JsonConvert.DeserializeObject<dynamic>(serializedResponse);
return response.authenticationToken;
Issue Certificate
40
var key = RSA.Create();
var publicParameters = key.ExportParameters(false);
var request = new IssueCertificateRequest(
subjectName, publicParameters);
var httpContent = new StringContent(
JsonConvert.SerializeObject(request),
Encoding.UTF8,
MediaTypeNames.Application.Json);
Issue Certificate (Cont.)
41
var client = new HttpClient {BaseAddress = ...};
client.DefaultRequestHeaders.Add("X-ZUMO-AUTH", accessToken);
var responseMessage =
await client.PostAsync("api/issueCertificate", httpContent);
var serializedResponse =
await responseMessage.Content.ReadAsStringAsync();
var response = JsonConvert.DeserializeObject<IssueCertificateResponse>(
serializedResponse);
var certificate = new X509Certificate2(
Convert.FromBase64String(response.Certificate));
return certificate;
Store Certificate With Private Key
42
var certificateWithPrivateKey =
certificate.CopyWithPrivateKey(key);
var rawCertificate =
certificateWithPrivateKey.Export(X509ContentType.Pfx);
var persistableCertificate =
new X509Certificate2(rawCertificate, string.Empty,
X509KeyStorageFlags.PersistKeySet |
X509KeyStorageFlags.UserKeySet);
var store = new X509Store(StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
store.Add(persistableCertificate);
Demo
Certificate Subscribers
using .NET
43
Using the Generated
Certificates
44
IoT Data Ingestion (Reminder)
45
Device
Device
Device
Data Ingestion Pipeline
Further Big Data
Processing
IoT Hub Raw Storage
(Data Lake)
Device
Provisioning
Service
Sending Data Using the Generated Certificate
47
X509Certificate2 certificate =
LoadCertificate(configuration.DeviceName);
var security =
new SecurityProviderX509Certificate(certificate);
var transport = new ProvisioningTransportHandlerAmqp(
TransportFallbackType.TcpOnly);
var provClient = ProvisioningDeviceClient.Create(
GlobalDeviceEndpoint, configuration.DpsIdScope,
security, transport);
DeviceRegistrationResult registrationResult =
await provClient.RegisterAsync();
Demo
End-to-End Operation
48
Takeaways
50
Takeaways
▪ Certificates are hard, but crucial, to get right
▪ Don’t author an entire PKI from scratch
▪ Customize an existing solution where appropriate
▪ IoT is one scenario where I encountered a need for a custom PKI
▪ Handling certificates with .NET is surprisingly undocumented
▪ With and without Azure Key Vault
▪ Azure Key Vault is a great platform to base a CA on
▪ The sample is just a sample, but is derived from a production system
▪ Can base on it and form your own solution
51
Resources
▪ Source Code
▪ https://github.com/estiller/build-pki-net-azure-sample
▪ NuGet package to integrate Key Vault with .NET Cryptographic Keys
▪ https://github.com/onovotny/RSAKeyVaultProvider
▪ Additional resources
▪ https://smallstep.com/blog/everything-pki.html
▪ https://docs.microsoft.com/en-in/azure/key-vault/certificate-scenarios
▪ https://docs.microsoft.com/en-us/azure/key-vault/key-vault-logging
52
Eran Stiller
Chief Technology Officer
erans@codevalue.net
@eranstiller
https://stiller.blog
https://codevalue.net

More Related Content

What's hot

Azure key vault - Brisbane User Group
Azure key vault  - Brisbane User GroupAzure key vault  - Brisbane User Group
Azure key vault - Brisbane User GroupRahul Nath
 
The Rise of Secrets Management
The Rise of Secrets ManagementThe Rise of Secrets Management
The Rise of Secrets ManagementAkeyless
 
Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1Novell
 
Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13viaForensics
 
Issue certificates with PyOpenSSL
Issue certificates with PyOpenSSLIssue certificates with PyOpenSSL
Issue certificates with PyOpenSSLPau Freixes
 
Streamline CI/CD with Just-in-Time Access
Streamline CI/CD with Just-in-Time AccessStreamline CI/CD with Just-in-Time Access
Streamline CI/CD with Just-in-Time AccessAkeyless
 
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...Akeyless
 
Global Azure Bootcamp 2017 - Azure Key Vault
Global Azure Bootcamp 2017 - Azure Key VaultGlobal Azure Bootcamp 2017 - Azure Key Vault
Global Azure Bootcamp 2017 - Azure Key VaultAlberto Diaz Martin
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerNovell
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
2018.12 MB Star SD Connect C4 Software Activation- obdii365
2018.12 MB Star SD Connect C4 Software Activation- obdii3652018.12 MB Star SD Connect C4 Software Activation- obdii365
2018.12 MB Star SD Connect C4 Software Activation- obdii365OBD365
 
Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications
Using Federation to Simplify Access to SharePoint, SaaS and Partner ApplicationsUsing Federation to Simplify Access to SharePoint, SaaS and Partner Applications
Using Federation to Simplify Access to SharePoint, SaaS and Partner ApplicationsNovell
 
CIS13: OpenStack API Security
CIS13: OpenStack API SecurityCIS13: OpenStack API Security
CIS13: OpenStack API SecurityCloudIDSummit
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceFelipe Prado
 
The new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pkiThe new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pkiNathan Winters
 
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?Louis Göhl
 

What's hot (20)

Azure key vault - Brisbane User Group
Azure key vault  - Brisbane User GroupAzure key vault  - Brisbane User Group
Azure key vault - Brisbane User Group
 
The Rise of Secrets Management
The Rise of Secrets ManagementThe Rise of Secrets Management
The Rise of Secrets Management
 
Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1
 
Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13
 
Issue certificates with PyOpenSSL
Issue certificates with PyOpenSSLIssue certificates with PyOpenSSL
Issue certificates with PyOpenSSL
 
iOS Keychain 介紹
iOS Keychain 介紹iOS Keychain 介紹
iOS Keychain 介紹
 
Streamline CI/CD with Just-in-Time Access
Streamline CI/CD with Just-in-Time AccessStreamline CI/CD with Just-in-Time Access
Streamline CI/CD with Just-in-Time Access
 
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...
 
Global Azure Bootcamp 2017 - Azure Key Vault
Global Azure Bootcamp 2017 - Azure Key VaultGlobal Azure Bootcamp 2017 - Azure Key Vault
Global Azure Bootcamp 2017 - Azure Key Vault
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
2018.12 MB Star SD Connect C4 Software Activation- obdii365
2018.12 MB Star SD Connect C4 Software Activation- obdii3652018.12 MB Star SD Connect C4 Software Activation- obdii365
2018.12 MB Star SD Connect C4 Software Activation- obdii365
 
Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications
Using Federation to Simplify Access to SharePoint, SaaS and Partner ApplicationsUsing Federation to Simplify Access to SharePoint, SaaS and Partner Applications
Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications
 
Azure IoT hub
Azure IoT hubAzure IoT hub
Azure IoT hub
 
CIS13: OpenStack API Security
CIS13: OpenStack API SecurityCIS13: OpenStack API Security
CIS13: OpenStack API Security
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
 
The new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pkiThe new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pki
 
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
 
Whats new in iOS5
Whats new in iOS5Whats new in iOS5
Whats new in iOS5
 

Similar to Create Your Own Serverless PKI with .NET & Azure Key Vault

WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationSimon Haslam
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...Nick Maludy
 
Client certificate validation in windows 8
Client certificate validation in windows 8Client certificate validation in windows 8
Client certificate validation in windows 8Ashish Agrawal
 
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL CertificatesHashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL CertificatesNick Maludy
 
How to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GEHow to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GEFederico Fernández Moreno
 
How to Install & Configure Your Own Identity Manager GE
How to Install & Configure Your Own Identity Manager GEHow to Install & Configure Your Own Identity Manager GE
How to Install & Configure Your Own Identity Manager GEFIWARE
 
Global Azure - Use Azure Active Directory Managed Identities for your services!
Global Azure - Use Azure Active Directory Managed Identities for your services!Global Azure - Use Azure Active Directory Managed Identities for your services!
Global Azure - Use Azure Active Directory Managed Identities for your services!Jan de Vries
 
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...DevClub_lv
 
Generating cross platform .NET based azure IoTdevice
Generating cross platform .NET based azure IoTdeviceGenerating cross platform .NET based azure IoTdevice
Generating cross platform .NET based azure IoTdeviceAlon Fliess
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggStreamNative
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedPriti Desai
 
Next.Net event - Use Azure Active Directory Managed Identities for your servi...
Next.Net event - Use Azure Active Directory Managed Identities for your servi...Next.Net event - Use Azure Active Directory Managed Identities for your servi...
Next.Net event - Use Azure Active Directory Managed Identities for your servi...Jan de Vries
 
Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)Netwax Lab
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudAmazon Web Services
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPRafal Gancarz
 
Java Cert Pki
Java Cert PkiJava Cert Pki
Java Cert Pkiphanleson
 
ESM_AdminGuide_6.9.0.pdf
ESM_AdminGuide_6.9.0.pdfESM_AdminGuide_6.9.0.pdf
ESM_AdminGuide_6.9.0.pdfProtect724v2
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat Security Conference
 
Passwordless Development using Azure Identity
Passwordless Development using Azure IdentityPasswordless Development using Azure Identity
Passwordless Development using Azure IdentitySarah Dutkiewicz
 

Similar to Create Your Own Serverless PKI with .NET & Azure Key Vault (20)

WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL Configuration
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
 
Client certificate validation in windows 8
Client certificate validation in windows 8Client certificate validation in windows 8
Client certificate validation in windows 8
 
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL CertificatesHashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
 
How to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GEHow to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GE
 
How to Install & Configure Your Own Identity Manager GE
How to Install & Configure Your Own Identity Manager GEHow to Install & Configure Your Own Identity Manager GE
How to Install & Configure Your Own Identity Manager GE
 
Global Azure - Use Azure Active Directory Managed Identities for your services!
Global Azure - Use Azure Active Directory Managed Identities for your services!Global Azure - Use Azure Active Directory Managed Identities for your services!
Global Azure - Use Azure Active Directory Managed Identities for your services!
 
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
 
Generating cross platform .NET based azure IoTdevice
Generating cross platform .NET based azure IoTdeviceGenerating cross platform .NET based azure IoTdevice
Generating cross platform .NET based azure IoTdevice
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
 
Next.Net event - Use Azure Active Directory Managed Identities for your servi...
Next.Net event - Use Azure Active Directory Managed Identities for your servi...Next.Net event - Use Azure Active Directory Managed Identities for your servi...
Next.Net event - Use Azure Active Directory Managed Identities for your servi...
 
Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
 
Java Cert Pki
Java Cert PkiJava Cert Pki
Java Cert Pki
 
ESM_AdminGuide_6.9.0.pdf
ESM_AdminGuide_6.9.0.pdfESM_AdminGuide_6.9.0.pdf
ESM_AdminGuide_6.9.0.pdf
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
Passwordless Development using Azure Identity
Passwordless Development using Azure IdentityPasswordless Development using Azure Identity
Passwordless Development using Azure Identity
 

More from NETFest

.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET
.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET
.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NETNETFest
 
.NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE...
.NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE....NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE...
.NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE...NETFest
 
.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET
.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET
.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NETNETFest
 
.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов
.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов
.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистовNETFest
 
.NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem...
.NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem....NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem...
.NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem...NETFest
 
.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design
.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design
.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven DesignNETFest
 
.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex
.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex
.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at WirexNETFest
 
.NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A...
.NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A....NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A...
.NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A...NETFest
 
.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture
.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture
.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixtureNETFest
 
.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests
.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests
.NET Fest 2019. Анатолий Колесник. Love, Death & F# TestsNETFest
 
.NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос...
.NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос....NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос...
.NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос...NETFest
 
.NET Fest 2019. Roberto Freato. Azure App Service deep dive
.NET Fest 2019. Roberto Freato. Azure App Service deep dive.NET Fest 2019. Roberto Freato. Azure App Service deep dive
.NET Fest 2019. Roberto Freato. Azure App Service deep diveNETFest
 
.NET Fest 2019. Леонид Молотиевский. DotNet Core in production
.NET Fest 2019. Леонид Молотиевский. DotNet Core in production.NET Fest 2019. Леонид Молотиевский. DotNet Core in production
.NET Fest 2019. Леонид Молотиевский. DotNet Core in productionNETFest
 
.NET Fest 2019. Александр Демчук. How to measure relationships within the Com...
.NET Fest 2019. Александр Демчук. How to measure relationships within the Com....NET Fest 2019. Александр Демчук. How to measure relationships within the Com...
.NET Fest 2019. Александр Демчук. How to measure relationships within the Com...NETFest
 
.NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real...
.NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real....NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real...
.NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real...NETFest
 
.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem
.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem
.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystemNETFest
 
.NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ...
.NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ....NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ...
.NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ...NETFest
 
.NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali...
.NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali....NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali...
.NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali...NETFest
 
.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET
.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET
.NET Fest 2019. Сергей Корж. Natural Language Processing in .NETNETFest
 
.NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith...
.NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith....NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith...
.NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith...NETFest
 

More from NETFest (20)

.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET
.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET
.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET
 
.NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE...
.NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE....NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE...
.NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE...
 
.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET
.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET
.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET
 
.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов
.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов
.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов
 
.NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem...
.NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem....NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem...
.NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem...
 
.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design
.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design
.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design
 
.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex
.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex
.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex
 
.NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A...
.NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A....NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A...
.NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A...
 
.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture
.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture
.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture
 
.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests
.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests
.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests
 
.NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос...
.NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос....NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос...
.NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос...
 
.NET Fest 2019. Roberto Freato. Azure App Service deep dive
.NET Fest 2019. Roberto Freato. Azure App Service deep dive.NET Fest 2019. Roberto Freato. Azure App Service deep dive
.NET Fest 2019. Roberto Freato. Azure App Service deep dive
 
.NET Fest 2019. Леонид Молотиевский. DotNet Core in production
.NET Fest 2019. Леонид Молотиевский. DotNet Core in production.NET Fest 2019. Леонид Молотиевский. DotNet Core in production
.NET Fest 2019. Леонид Молотиевский. DotNet Core in production
 
.NET Fest 2019. Александр Демчук. How to measure relationships within the Com...
.NET Fest 2019. Александр Демчук. How to measure relationships within the Com....NET Fest 2019. Александр Демчук. How to measure relationships within the Com...
.NET Fest 2019. Александр Демчук. How to measure relationships within the Com...
 
.NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real...
.NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real....NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real...
.NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real...
 
.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem
.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem
.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem
 
.NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ...
.NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ....NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ...
.NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ...
 
.NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali...
.NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali....NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali...
.NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali...
 
.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET
.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET
.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET
 
.NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith...
.NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith....NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith...
.NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith...
 

Recently uploaded

How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17Celine George
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Projectjordimapav
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
week 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8  fourth  -  quarter .pptxweek 1 cookery 8  fourth  -  quarter .pptx
week 1 cookery 8 fourth - quarter .pptxJonalynLegaspi2
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1GloryAnnCastre1
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseCeline George
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Developmentchesterberbo7
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationdeepaannamalai16
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
How to Manage Engineering to Order in Odoo 17
How to Manage Engineering to Order in Odoo 17How to Manage Engineering to Order in Odoo 17
How to Manage Engineering to Order in Odoo 17Celine George
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxSayali Powar
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxkarenfajardo43
 

Recently uploaded (20)

How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Project
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
week 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8  fourth  -  quarter .pptxweek 1 cookery 8  fourth  -  quarter .pptx
week 1 cookery 8 fourth - quarter .pptx
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 Database
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Development
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentation
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
How to Manage Engineering to Order in Odoo 17
How to Manage Engineering to Order in Odoo 17How to Manage Engineering to Order in Odoo 17
How to Manage Engineering to Order in Odoo 17
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
 
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of EngineeringFaculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
 

Create Your Own Serverless PKI with .NET & Azure Key Vault

  • 1. Create Your Own Serverless PKI with .NET & Azure Key Vault Eran Stiller Chief Technology Officer erans@codevalue.net @eranstiller https://stiller.blog https://codevalue.net
  • 2. 2
  • 3. 3
  • 4. 4
  • 5. 5
  • 6. Agenda ▪ IoT Data Ingestion ▪ PKIs, CAs & Certificates ▪ Building a Serverless CA using .NET ▪ Authoring Certificate Subscribers using .NET ▪ Using the Generated Certificates ▪ Device Provisioning Service & IoT Hub 6
  • 7. About Eran Eran Stiller ▪ @eranstiller ▪ CTO & Founder at CodeValue ▪ Software architect, consultant and instructor ▪ Microsoft Regional Director & Azure MVP ▪ Founder of Azure Israel Meetup 7
  • 9. IoT Data Ingestion 10 Data Ingestion Pipeline Further Big Data Processing IoT Hub Raw Storage (Data Lake) Device Device Device
  • 10. IoT Data Ingestion 11 Device Device Device Data Ingestion Pipeline Further Big Data Processing IoT Hub Raw Storage (Data Lake) Data Ingestion Pipeline Further Big Data Processing IoT Hub Raw Storage (Data Lake) Device Provisioning Service
  • 11. Securely Communicating with Devices 12 Confidentiality Authentication Authorization Icons made by Freepik and Eucalyp for www.flaticon.com
  • 13. PKIs, CAs & Certs 14
  • 14. Public Key Infrastructure (PKI) ▪ An umbrella term for the stuff we need in order to: ▪ Issue ▪ Distribute ▪ Store ▪ Use ▪ Verify ▪ Revoke ▪ and otherwise manage and interact with certificates and keys ▪ Don’t build from scratch ▪ Can use an off-the-shelf solution ▪ Can build some parts and rely on others 15
  • 15. Certificates ▪ A driver’s license for computers and code ▪ Basically, a binding between an identifier (name) and a public key ▪ Usually encoded as X.509 16 Icon made by Becris for www.flaticon.com
  • 17. Certificates 101 18 Hi there, I’m Alice! Hi Alice, I’m Bob! How do I know you’re really Bob? Here is my Certificate ( + certificate) Prove it to me by decrypting this challenge ( + challenge) There you go ( + decrypted challenge) Continue secure conversation (Optionally – mutual authentication)
  • 18. Certificate Authority ▪ The entity which issues certificates ▪ Trusted by the Relying Parties ▪ Public trusted root certificates are pre-populated ▪ Various methods to verify identity 19
  • 19. Building a Serverless CA using .NET 20
  • 21. Azure Key Vault ▪ Safeguard cryptographic keys and other secrets ▪ Hardware Security Modules (HSM) as a service ▪ Can be replaced with AWS Certificate Manager ▪ Principles will remain unchanged ▪ Implementation details will defer 22
  • 22. Scenario Generating a new certificate on a new device 23
  • 23. Demo Setup Azure Key Vault & Other Resources 24
  • 24. Generating the Root Certificate on Key Vault 25 var certificateOperation = await client.CreateCertificateAsync( _vaultBaseUrl, _certificateName, new CertificatePolicy( keyProperties: new KeyProperties(false, "RSA", 2048, false), x509CertificateProperties: new X509CertificateProperties( "CN=" + RootSubjectName, keyUsage: new List<string> {X509KeyUsageFlags.KeyCertSign.ToString()}, ekus: new List<string> {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"}), issuerParameters: new IssuerParameters("Self")));
  • 25. Generating the Root Certificate on Our Machine 26 using var certificateKey = RSA.Create(); var subjectDistinguishedName = new X500DistinguishedName("CN=" + RootSubjectName); var request = new CertificateRequest(subjectDistinguishedName, certificateKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, true)); request.CertificateExtensions.Add( new X509BasicConstraintsExtension(true, true, 1, true)); // Additional X509 extensions not shown for brevity var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
  • 27. Limiting Root Certificate Access ▪ Use Azure Key Vault Access Policies 28
  • 28. Auditing Root Certificate Access 29 { "time": "2016-01-05T01:32:01.2691226Z", "resourceId": "/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD- XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAU LT", "operationName": "VaultGet", "operationVersion": "2015-06-01", "category": "AuditEvent", "resultType": "Success", "resultSignature": "OK", "resultDescription": "", "durationMs": "78", "callerIpAddress": "104.40.82.76", "correlationId": "", "identity": { "claim": { "http://schemas.microsoft.com/identity/claims/objectidentifier":
  • 29. 30 "durationMs": "78", "callerIpAddress": "104.40.82.76", "correlationId": "", "identity": { "claim": { "http://schemas.microsoft.com/identity/claims/objectidentifier": "d9da5048-2737-4770-bd64-XXXXXXXXXXXX", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "live.com#username@outlook.com", "appid": "1950a258-227b-4e31-a9cf-XXXXXXXXXXXX" } }, "properties": { "clientInfo": "azure-resource-manager/2.0", "requestUri": "https://control-prod- wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd- XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/conto sokeyvault?api-version=2015-06-01", "id": "https://contosokeyvault.vault.azure.net/", "httpStatusCode": 200 } }
  • 30. Sign a Request Using the Root Certificate 31
  • 31. subject name, public key & access token Sign a Request Using the Root Certificate 32 Device Identity Provider Certificate Authority Key Vault authentication info access token generate CSR generate key pair certificate digest (hash) signed digest signed certificate Store certificate & private key
  • 32. Generate Certificate Signing Request (CSR) 33 var parameters = new RSAParameters { Modulus = publicKey.Modulus, Exponent = publicKey.Exponent }; var certificateKey = RSA.Create(parameters); var subjectDistinguishedName = new X500DistinguishedName("CN=" + subjectName); var request = new CertificateRequest(subjectDistinguishedName, certificateKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension( X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true)); request.CertificateExtensions.Add( new X509BasicConstraintsExtension(false, true, 0, true)); // Additional X509 not shown for brevity return request;
  • 33. Sign Certificate with Root Key 34 CertificateRequest request = CreateCertificateRequest(subjectName, certificateKey); byte[] certificateSerialNumber = await _serialNumberGenerator.GenerateSerialAsync(); RSA rsaKeyVault = _keyVaultClient.ToRSA( certificateBundle.KeyIdentifier, issuerCertificate); var generator = X509SignatureGenerator.CreateForRSA( rsaKeyVault, RSASignaturePadding.Pkcs1); var certificate = request.Create( issuerCertificate.SubjectName, generator, DateTime.Today, DateTime.Today.AddYears(1), certificateSerialNumber);
  • 34. Demo Serverless CA using .NET & Azure Functions 35
  • 36. subject name, public key & access token Sign a Request Using the Root Certificate 37 Device Identity Provider Certificate Authority Key Vault generate CSR certificate digest (hash) signed digest signed certificate Store certificate & private key authentication info access token generate key pair
  • 37. Getting an Access Token for Azure Functions 39 var auth = await authHelper.AcquireTokenAsync(); // AAD Token var client = new HttpClient { BaseAddress = new Uri(configuration.BaseUrl) }; var request = new {access_token = auth.AccessToken}; var httpContent = ... // JSON serialization var responseMessage = await client.PostAsync(".auth/login/aad", httpContent); var serializedResponse = await responseMessage.Content.ReadAsStringAsync(); dynamic response = JsonConvert.DeserializeObject<dynamic>(serializedResponse); return response.authenticationToken;
  • 38. Issue Certificate 40 var key = RSA.Create(); var publicParameters = key.ExportParameters(false); var request = new IssueCertificateRequest( subjectName, publicParameters); var httpContent = new StringContent( JsonConvert.SerializeObject(request), Encoding.UTF8, MediaTypeNames.Application.Json);
  • 39. Issue Certificate (Cont.) 41 var client = new HttpClient {BaseAddress = ...}; client.DefaultRequestHeaders.Add("X-ZUMO-AUTH", accessToken); var responseMessage = await client.PostAsync("api/issueCertificate", httpContent); var serializedResponse = await responseMessage.Content.ReadAsStringAsync(); var response = JsonConvert.DeserializeObject<IssueCertificateResponse>( serializedResponse); var certificate = new X509Certificate2( Convert.FromBase64String(response.Certificate)); return certificate;
  • 40. Store Certificate With Private Key 42 var certificateWithPrivateKey = certificate.CopyWithPrivateKey(key); var rawCertificate = certificateWithPrivateKey.Export(X509ContentType.Pfx); var persistableCertificate = new X509Certificate2(rawCertificate, string.Empty, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.UserKeySet); var store = new X509Store(StoreLocation.CurrentUser); store.Open(OpenFlags.ReadWrite); store.Add(persistableCertificate);
  • 43. IoT Data Ingestion (Reminder) 45 Device Device Device Data Ingestion Pipeline Further Big Data Processing IoT Hub Raw Storage (Data Lake) Device Provisioning Service
  • 44. Sending Data Using the Generated Certificate 47 X509Certificate2 certificate = LoadCertificate(configuration.DeviceName); var security = new SecurityProviderX509Certificate(certificate); var transport = new ProvisioningTransportHandlerAmqp( TransportFallbackType.TcpOnly); var provClient = ProvisioningDeviceClient.Create( GlobalDeviceEndpoint, configuration.DpsIdScope, security, transport); DeviceRegistrationResult registrationResult = await provClient.RegisterAsync();
  • 47. Takeaways ▪ Certificates are hard, but crucial, to get right ▪ Don’t author an entire PKI from scratch ▪ Customize an existing solution where appropriate ▪ IoT is one scenario where I encountered a need for a custom PKI ▪ Handling certificates with .NET is surprisingly undocumented ▪ With and without Azure Key Vault ▪ Azure Key Vault is a great platform to base a CA on ▪ The sample is just a sample, but is derived from a production system ▪ Can base on it and form your own solution 51
  • 48. Resources ▪ Source Code ▪ https://github.com/estiller/build-pki-net-azure-sample ▪ NuGet package to integrate Key Vault with .NET Cryptographic Keys ▪ https://github.com/onovotny/RSAKeyVaultProvider ▪ Additional resources ▪ https://smallstep.com/blog/everything-pki.html ▪ https://docs.microsoft.com/en-in/azure/key-vault/certificate-scenarios ▪ https://docs.microsoft.com/en-us/azure/key-vault/key-vault-logging 52
  • 49. Eran Stiller Chief Technology Officer erans@codevalue.net @eranstiller https://stiller.blog https://codevalue.net