SlideShare a Scribd company logo
Create Your Own Serverless PKI with
.NET & Azure Key Vault
Eran Stiller
Chief Technology Officer
erans@codevalue.net
@eranstiller
https://stiller.blog
https://codevalue.net
2
3
4
5
Agenda
▪ IoT Data Ingestion
▪ PKIs, CAs & Certificates
▪ Building a Serverless CA using .NET
▪ Authoring Certificate Subscribers using .NET
▪ Using the Generated Certificates
▪ Device Provisioning Service & IoT Hub
6
About Eran
Eran Stiller
▪ @eranstiller
▪ CTO & Founder at CodeValue
▪ Software architect, consultant and instructor
▪ Microsoft Regional Director & Azure MVP
▪ Founder of Azure Israel Meetup
7
IoT Data Ingestion
9
IoT Data Ingestion
10
Data Ingestion Pipeline
Further Big Data
Processing
IoT Hub Raw Storage
(Data Lake)
Device
Device
Device
IoT Data Ingestion
11
Device
Device
Device
Data Ingestion Pipeline
Further Big Data
Processing
IoT Hub Raw Storage
(Data Lake)
Data Ingestion Pipeline
Further Big Data
Processing
IoT Hub Raw Storage
(Data Lake)
Device
Provisioning
Service
Securely Communicating with Devices
12
Confidentiality Authentication Authorization
Icons made by Freepik and Eucalyp for www.flaticon.com
Keep It Simple
13
PKIs, CAs & Certs
14
Public Key Infrastructure (PKI)
▪ An umbrella term for the stuff we need in order to:
▪ Issue
▪ Distribute
▪ Store
▪ Use
▪ Verify
▪ Revoke
▪ and otherwise manage and interact with certificates and keys
▪ Don’t build from scratch
▪ Can use an off-the-shelf solution
▪ Can build some parts and rely on others
15
Certificates
▪ A driver’s license for computers and
code
▪ Basically, a binding between an
identifier (name) and a public key
▪ Usually encoded as X.509
16
Icon made by Becris for www.flaticon.com
Demo
Certificate Content
17
Certificates 101
18
Hi there, I’m Alice!
Hi Alice, I’m Bob!
How do I know you’re really Bob?
Here is my Certificate ( + certificate)
Prove it to me by decrypting this challenge ( + challenge)
There you go ( + decrypted challenge)
Continue secure conversation (Optionally – mutual authentication)
Certificate Authority
▪ The entity which issues certificates
▪ Trusted by the Relying Parties
▪ Public trusted root certificates are pre-populated
▪ Various methods to verify identity
19
Building a Serverless CA
using .NET
20
The Root Certificate
21
Azure Key Vault
▪ Safeguard cryptographic keys and other secrets
▪ Hardware Security Modules (HSM) as a service
▪ Can be replaced with AWS Certificate Manager
▪ Principles will remain unchanged
▪ Implementation details will defer
22
Scenario
Generating a new certificate on a new device
23
Demo
Setup Azure
Key Vault & Other
Resources
24
Generating the Root Certificate on Key Vault
25
var certificateOperation = await client.CreateCertificateAsync(
_vaultBaseUrl,
_certificateName,
new CertificatePolicy(
keyProperties: new KeyProperties(false, "RSA", 2048, false),
x509CertificateProperties: new X509CertificateProperties(
"CN=" + RootSubjectName,
keyUsage: new List<string> {X509KeyUsageFlags.KeyCertSign.ToString()},
ekus: new List<string> {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"}),
issuerParameters: new IssuerParameters("Self")));
Generating the Root Certificate on Our Machine
26
using var certificateKey = RSA.Create();
var subjectDistinguishedName = new X500DistinguishedName("CN=" + RootSubjectName);
var request = new CertificateRequest(subjectDistinguishedName, certificateKey,
HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, true));
request.CertificateExtensions.Add(
new X509BasicConstraintsExtension(true, true, 1, true));
// Additional X509 extensions not shown for brevity
var certificate =
request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
Demo
Generating the
Root Certificate
27
Limiting Root Certificate Access
▪ Use Azure Key Vault Access Policies
28
Auditing Root Certificate Access
29
{
"time": "2016-01-05T01:32:01.2691226Z",
"resourceId": "/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD-
XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAU
LT",
"operationName": "VaultGet",
"operationVersion": "2015-06-01",
"category": "AuditEvent",
"resultType": "Success",
"resultSignature": "OK",
"resultDescription": "",
"durationMs": "78",
"callerIpAddress": "104.40.82.76",
"correlationId": "",
"identity": {
"claim": {
"http://schemas.microsoft.com/identity/claims/objectidentifier":
30
"durationMs": "78",
"callerIpAddress": "104.40.82.76",
"correlationId": "",
"identity": {
"claim": {
"http://schemas.microsoft.com/identity/claims/objectidentifier":
"d9da5048-2737-4770-bd64-XXXXXXXXXXXX",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":
"live.com#username@outlook.com",
"appid": "1950a258-227b-4e31-a9cf-XXXXXXXXXXXX"
}
},
"properties": {
"clientInfo": "azure-resource-manager/2.0",
"requestUri": "https://control-prod-
wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd-
XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/conto
sokeyvault?api-version=2015-06-01",
"id": "https://contosokeyvault.vault.azure.net/",
"httpStatusCode": 200
}
}
Sign a Request Using the Root Certificate
31
subject name, public key & access token
Sign a Request Using the Root Certificate
32
Device
Identity
Provider
Certificate
Authority
Key Vault
authentication info
access token
generate CSR
generate
key pair
certificate digest (hash)
signed digest
signed certificate
Store certificate
& private key
Generate Certificate Signing Request (CSR)
33
var parameters = new RSAParameters
{ Modulus = publicKey.Modulus, Exponent = publicKey.Exponent };
var certificateKey = RSA.Create(parameters);
var subjectDistinguishedName = new X500DistinguishedName("CN=" + subjectName);
var request = new CertificateRequest(subjectDistinguishedName, certificateKey,
HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(
X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
request.CertificateExtensions.Add(
new X509BasicConstraintsExtension(false, true, 0, true));
// Additional X509 not shown for brevity
return request;
Sign Certificate with Root Key
34
CertificateRequest request = CreateCertificateRequest(subjectName, certificateKey);
byte[] certificateSerialNumber = await _serialNumberGenerator.GenerateSerialAsync();
RSA rsaKeyVault = _keyVaultClient.ToRSA(
certificateBundle.KeyIdentifier, issuerCertificate);
var generator = X509SignatureGenerator.CreateForRSA(
rsaKeyVault, RSASignaturePadding.Pkcs1);
var certificate = request.Create(
issuerCertificate.SubjectName, generator,
DateTime.Today, DateTime.Today.AddYears(1),
certificateSerialNumber);
Demo
Serverless CA using
.NET & Azure Functions
35
Authoring Certificate
Subscribers using .NET
36
subject name, public key & access token
Sign a Request Using the Root Certificate
37
Device
Identity
Provider
Certificate
Authority
Key Vault
generate CSR
certificate digest (hash)
signed digest
signed certificate
Store certificate
& private key
authentication info
access token
generate
key pair
Getting an Access Token for Azure Functions
39
var auth = await authHelper.AcquireTokenAsync(); // AAD Token
var client = new HttpClient
{ BaseAddress = new Uri(configuration.BaseUrl) };
var request = new {access_token = auth.AccessToken};
var httpContent = ... // JSON serialization
var responseMessage = await client.PostAsync(".auth/login/aad", httpContent);
var serializedResponse = await responseMessage.Content.ReadAsStringAsync();
dynamic response = JsonConvert.DeserializeObject<dynamic>(serializedResponse);
return response.authenticationToken;
Issue Certificate
40
var key = RSA.Create();
var publicParameters = key.ExportParameters(false);
var request = new IssueCertificateRequest(
subjectName, publicParameters);
var httpContent = new StringContent(
JsonConvert.SerializeObject(request),
Encoding.UTF8,
MediaTypeNames.Application.Json);
Issue Certificate (Cont.)
41
var client = new HttpClient {BaseAddress = ...};
client.DefaultRequestHeaders.Add("X-ZUMO-AUTH", accessToken);
var responseMessage =
await client.PostAsync("api/issueCertificate", httpContent);
var serializedResponse =
await responseMessage.Content.ReadAsStringAsync();
var response = JsonConvert.DeserializeObject<IssueCertificateResponse>(
serializedResponse);
var certificate = new X509Certificate2(
Convert.FromBase64String(response.Certificate));
return certificate;
Store Certificate With Private Key
42
var certificateWithPrivateKey =
certificate.CopyWithPrivateKey(key);
var rawCertificate =
certificateWithPrivateKey.Export(X509ContentType.Pfx);
var persistableCertificate =
new X509Certificate2(rawCertificate, string.Empty,
X509KeyStorageFlags.PersistKeySet |
X509KeyStorageFlags.UserKeySet);
var store = new X509Store(StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
store.Add(persistableCertificate);
Demo
Certificate Subscribers
using .NET
43
Using the Generated
Certificates
44
IoT Data Ingestion (Reminder)
45
Device
Device
Device
Data Ingestion Pipeline
Further Big Data
Processing
IoT Hub Raw Storage
(Data Lake)
Device
Provisioning
Service
Sending Data Using the Generated Certificate
47
X509Certificate2 certificate =
LoadCertificate(configuration.DeviceName);
var security =
new SecurityProviderX509Certificate(certificate);
var transport = new ProvisioningTransportHandlerAmqp(
TransportFallbackType.TcpOnly);
var provClient = ProvisioningDeviceClient.Create(
GlobalDeviceEndpoint, configuration.DpsIdScope,
security, transport);
DeviceRegistrationResult registrationResult =
await provClient.RegisterAsync();
Demo
End-to-End Operation
48
Takeaways
50
Takeaways
▪ Certificates are hard, but crucial, to get right
▪ Don’t author an entire PKI from scratch
▪ Customize an existing solution where appropriate
▪ IoT is one scenario where I encountered a need for a custom PKI
▪ Handling certificates with .NET is surprisingly undocumented
▪ With and without Azure Key Vault
▪ Azure Key Vault is a great platform to base a CA on
▪ The sample is just a sample, but is derived from a production system
▪ Can base on it and form your own solution
51
Resources
▪ Source Code
▪ https://github.com/estiller/build-pki-net-azure-sample
▪ NuGet package to integrate Key Vault with .NET Cryptographic Keys
▪ https://github.com/onovotny/RSAKeyVaultProvider
▪ Additional resources
▪ https://smallstep.com/blog/everything-pki.html
▪ https://docs.microsoft.com/en-in/azure/key-vault/certificate-scenarios
▪ https://docs.microsoft.com/en-us/azure/key-vault/key-vault-logging
52
Eran Stiller
Chief Technology Officer
erans@codevalue.net
@eranstiller
https://stiller.blog
https://codevalue.net

More Related Content

What's hot

Azure key vault - Brisbane User Group
Azure key vault  - Brisbane User GroupAzure key vault  - Brisbane User Group
Azure key vault - Brisbane User Group
Rahul Nath
 
The Rise of Secrets Management
The Rise of Secrets ManagementThe Rise of Secrets Management
The Rise of Secrets Management
Akeyless
 
Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1
Novell
 
Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13
viaForensics
 
Issue certificates with PyOpenSSL
Issue certificates with PyOpenSSLIssue certificates with PyOpenSSL
Issue certificates with PyOpenSSL
Pau Freixes
 
iOS Keychain 介紹
iOS Keychain 介紹iOS Keychain 介紹
iOS Keychain 介紹
ShengWen Chiou
 
Streamline CI/CD with Just-in-Time Access
Streamline CI/CD with Just-in-Time AccessStreamline CI/CD with Just-in-Time Access
Streamline CI/CD with Just-in-Time Access
Akeyless
 
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...
Akeyless
 
Global Azure Bootcamp 2017 - Azure Key Vault
Global Azure Bootcamp 2017 - Azure Key VaultGlobal Azure Bootcamp 2017 - Azure Key Vault
Global Azure Bootcamp 2017 - Azure Key Vault
Alberto Diaz Martin
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
Mayank Patel
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
Novell
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
2018.12 MB Star SD Connect C4 Software Activation- obdii365
2018.12 MB Star SD Connect C4 Software Activation- obdii3652018.12 MB Star SD Connect C4 Software Activation- obdii365
2018.12 MB Star SD Connect C4 Software Activation- obdii365
OBD365
 
Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications
Using Federation to Simplify Access to SharePoint, SaaS and Partner ApplicationsUsing Federation to Simplify Access to SharePoint, SaaS and Partner Applications
Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications
Novell
 
Azure IoT hub
Azure IoT hubAzure IoT hub
Azure IoT hub
Basavaraj Mulaveesala
 
CIS13: OpenStack API Security
CIS13: OpenStack API SecurityCIS13: OpenStack API Security
CIS13: OpenStack API Security
CloudIDSummit
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
Felipe Prado
 
The new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pkiThe new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pki
Nathan Winters
 
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
Louis Göhl
 
Whats new in iOS5
Whats new in iOS5Whats new in iOS5
Whats new in iOS5
Paul Ardeleanu
 

What's hot (20)

Azure key vault - Brisbane User Group
Azure key vault  - Brisbane User GroupAzure key vault  - Brisbane User Group
Azure key vault - Brisbane User Group
 
The Rise of Secrets Management
The Rise of Secrets ManagementThe Rise of Secrets Management
The Rise of Secrets Management
 
Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1
 
Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13
 
Issue certificates with PyOpenSSL
Issue certificates with PyOpenSSLIssue certificates with PyOpenSSL
Issue certificates with PyOpenSSL
 
iOS Keychain 介紹
iOS Keychain 介紹iOS Keychain 介紹
iOS Keychain 介紹
 
Streamline CI/CD with Just-in-Time Access
Streamline CI/CD with Just-in-Time AccessStreamline CI/CD with Just-in-Time Access
Streamline CI/CD with Just-in-Time Access
 
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...
Stopping the Hassle of SSH keys by using SSH certificates - Community Summit ...
 
Global Azure Bootcamp 2017 - Azure Key Vault
Global Azure Bootcamp 2017 - Azure Key VaultGlobal Azure Bootcamp 2017 - Azure Key Vault
Global Azure Bootcamp 2017 - Azure Key Vault
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
2018.12 MB Star SD Connect C4 Software Activation- obdii365
2018.12 MB Star SD Connect C4 Software Activation- obdii3652018.12 MB Star SD Connect C4 Software Activation- obdii365
2018.12 MB Star SD Connect C4 Software Activation- obdii365
 
Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications
Using Federation to Simplify Access to SharePoint, SaaS and Partner ApplicationsUsing Federation to Simplify Access to SharePoint, SaaS and Partner Applications
Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications
 
Azure IoT hub
Azure IoT hubAzure IoT hub
Azure IoT hub
 
CIS13: OpenStack API Security
CIS13: OpenStack API SecurityCIS13: OpenStack API Security
CIS13: OpenStack API Security
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
 
The new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pkiThe new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pki
 
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
 
Whats new in iOS5
Whats new in iOS5Whats new in iOS5
Whats new in iOS5
 

Similar to .NET Fest 2019. Eran Stiller. Create Your Own Serverless PKI with .NET & Azure Key Vault

WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL Configuration
Simon Haslam
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
Nick Maludy
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
Simon Haslam
 
Client certificate validation in windows 8
Client certificate validation in windows 8Client certificate validation in windows 8
Client certificate validation in windows 8
Ashish Agrawal
 
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL CertificatesHashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Nick Maludy
 
How to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GEHow to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GE
Federico Fernández Moreno
 
How to Install & Configure Your Own Identity Manager GE
How to Install & Configure Your Own Identity Manager GEHow to Install & Configure Your Own Identity Manager GE
How to Install & Configure Your Own Identity Manager GE
FIWARE
 
Global Azure - Use Azure Active Directory Managed Identities for your services!
Global Azure - Use Azure Active Directory Managed Identities for your services!Global Azure - Use Azure Active Directory Managed Identities for your services!
Global Azure - Use Azure Active Directory Managed Identities for your services!
Jan de Vries
 
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
DevClub_lv
 
Generating cross platform .NET based azure IoTdevice
Generating cross platform .NET based azure IoTdeviceGenerating cross platform .NET based azure IoTdevice
Generating cross platform .NET based azure IoTdevice
Alon Fliess
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
StreamNative
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
Priti Desai
 
Next.Net event - Use Azure Active Directory Managed Identities for your servi...
Next.Net event - Use Azure Active Directory Managed Identities for your servi...Next.Net event - Use Azure Active Directory Managed Identities for your servi...
Next.Net event - Use Azure Active Directory Managed Identities for your servi...
Jan de Vries
 
Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)
Netwax Lab
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
Amazon Web Services
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
Rafal Gancarz
 
Java Cert Pki
Java Cert PkiJava Cert Pki
Java Cert Pki
phanleson
 
ESM_AdminGuide_6.9.0.pdf
ESM_AdminGuide_6.9.0.pdfESM_AdminGuide_6.9.0.pdf
ESM_AdminGuide_6.9.0.pdf
Protect724v2
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
Passwordless Development using Azure Identity
Passwordless Development using Azure IdentityPasswordless Development using Azure Identity
Passwordless Development using Azure Identity
Sarah Dutkiewicz
 

Similar to .NET Fest 2019. Eran Stiller. Create Your Own Serverless PKI with .NET & Azure Key Vault (20)

WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL Configuration
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
 
Client certificate validation in windows 8
Client certificate validation in windows 8Client certificate validation in windows 8
Client certificate validation in windows 8
 
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL CertificatesHashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
 
How to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GEHow to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GE
 
How to Install & Configure Your Own Identity Manager GE
How to Install & Configure Your Own Identity Manager GEHow to Install & Configure Your Own Identity Manager GE
How to Install & Configure Your Own Identity Manager GE
 
Global Azure - Use Azure Active Directory Managed Identities for your services!
Global Azure - Use Azure Active Directory Managed Identities for your services!Global Azure - Use Azure Active Directory Managed Identities for your services!
Global Azure - Use Azure Active Directory Managed Identities for your services!
 
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
 
Generating cross platform .NET based azure IoTdevice
Generating cross platform .NET based azure IoTdeviceGenerating cross platform .NET based azure IoTdevice
Generating cross platform .NET based azure IoTdevice
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
 
Next.Net event - Use Azure Active Directory Managed Identities for your servi...
Next.Net event - Use Azure Active Directory Managed Identities for your servi...Next.Net event - Use Azure Active Directory Managed Identities for your servi...
Next.Net event - Use Azure Active Directory Managed Identities for your servi...
 
Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
 
Java Cert Pki
Java Cert PkiJava Cert Pki
Java Cert Pki
 
ESM_AdminGuide_6.9.0.pdf
ESM_AdminGuide_6.9.0.pdfESM_AdminGuide_6.9.0.pdf
ESM_AdminGuide_6.9.0.pdf
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
Passwordless Development using Azure Identity
Passwordless Development using Azure IdentityPasswordless Development using Azure Identity
Passwordless Development using Azure Identity
 

More from NETFest

.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET
.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET
.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET
NETFest
 
.NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE...
.NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE....NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE...
.NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE...
NETFest
 
.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET
.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET
.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET
NETFest
 
.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов
.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов
.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов
NETFest
 
.NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem...
.NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem....NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem...
.NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem...
NETFest
 
.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design
.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design
.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design
NETFest
 
.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex
.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex
.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex
NETFest
 
.NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A...
.NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A....NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A...
.NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A...
NETFest
 
.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture
.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture
.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture
NETFest
 
.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests
.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests
.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests
NETFest
 
.NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос...
.NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос....NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос...
.NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос...
NETFest
 
.NET Fest 2019. Roberto Freato. Azure App Service deep dive
.NET Fest 2019. Roberto Freato. Azure App Service deep dive.NET Fest 2019. Roberto Freato. Azure App Service deep dive
.NET Fest 2019. Roberto Freato. Azure App Service deep dive
NETFest
 
.NET Fest 2019. Леонид Молотиевский. DotNet Core in production
.NET Fest 2019. Леонид Молотиевский. DotNet Core in production.NET Fest 2019. Леонид Молотиевский. DotNet Core in production
.NET Fest 2019. Леонид Молотиевский. DotNet Core in production
NETFest
 
.NET Fest 2019. Александр Демчук. How to measure relationships within the Com...
.NET Fest 2019. Александр Демчук. How to measure relationships within the Com....NET Fest 2019. Александр Демчук. How to measure relationships within the Com...
.NET Fest 2019. Александр Демчук. How to measure relationships within the Com...
NETFest
 
.NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real...
.NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real....NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real...
.NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real...
NETFest
 
.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem
.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem
.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem
NETFest
 
.NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ...
.NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ....NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ...
.NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ...
NETFest
 
.NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali...
.NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali....NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali...
.NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali...
NETFest
 
.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET
.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET
.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET
NETFest
 
.NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith...
.NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith....NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith...
.NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith...
NETFest
 

More from NETFest (20)

.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET
.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET
.NET Fest 2019. Николай Балакин. Микрооптимизации в мире .NET
 
.NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE...
.NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE....NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE...
.NET Fest 2019. Сергей Калинец. Efficient Microservice Communication with .NE...
 
.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET
.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET
.NET Fest 2019. Оля Гавриш. .NET Core 3.0 и будущее .NET
 
.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов
.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов
.NET Fest 2019. Оля Гавриш. Машинное обучение для .NET программистов
 
.NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem...
.NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem....NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem...
.NET Fest 2019. Roberto Freato. Provisioning Azure PaaS fluently with Managem...
 
.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design
.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design
.NET Fest 2019. Halil Ibrahim Kalkan. Implementing Domain Driven Design
 
.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex
.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex
.NET Fest 2019. Сергій Бута. Feature Toggles: Dynamic Configuration at Wirex
 
.NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A...
.NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A....NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A...
.NET Fest 2019. Michael Staib. Hot Chocolate: GraphQL Schema Stitching with A...
 
.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture
.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture
.NET Fest 2019. Андрей Литвинов. Async lifetime tests with xUnit and AutoFixture
 
.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests
.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests
.NET Fest 2019. Анатолий Колесник. Love, Death & F# Tests
 
.NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос...
.NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос....NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос...
.NET Fest 2019. Алексей Голуб. Монадные парсер-комбинаторы в C# (простой спос...
 
.NET Fest 2019. Roberto Freato. Azure App Service deep dive
.NET Fest 2019. Roberto Freato. Azure App Service deep dive.NET Fest 2019. Roberto Freato. Azure App Service deep dive
.NET Fest 2019. Roberto Freato. Azure App Service deep dive
 
.NET Fest 2019. Леонид Молотиевский. DotNet Core in production
.NET Fest 2019. Леонид Молотиевский. DotNet Core in production.NET Fest 2019. Леонид Молотиевский. DotNet Core in production
.NET Fest 2019. Леонид Молотиевский. DotNet Core in production
 
.NET Fest 2019. Александр Демчук. How to measure relationships within the Com...
.NET Fest 2019. Александр Демчук. How to measure relationships within the Com....NET Fest 2019. Александр Демчук. How to measure relationships within the Com...
.NET Fest 2019. Александр Демчук. How to measure relationships within the Com...
 
.NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real...
.NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real....NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real...
.NET Fest 2019. Anna Melashkina та Philipp Bauknecht. Dragons in a Mixed Real...
 
.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem
.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem
.NET Fest 2019. Alex Thissen. Architecting .NET solutions in a Docker ecosystem
 
.NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ...
.NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ....NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ...
.NET Fest 2019. Stas Lebedenko. Practical serverless use cases in Azure with ...
 
.NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali...
.NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali....NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali...
.NET Fest 2019. Сергей Медведев. How serverless makes Integration TDD a reali...
 
.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET
.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET
.NET Fest 2019. Сергей Корж. Natural Language Processing in .NET
 
.NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith...
.NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith....NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith...
.NET Fest 2019. Eran Stiller. 6 Lessons I Learned on My Journey from Monolith...
 

Recently uploaded

220711130100 udita Chakraborty Aims and objectives of national policy on inf...
220711130100 udita Chakraborty  Aims and objectives of national policy on inf...220711130100 udita Chakraborty  Aims and objectives of national policy on inf...
220711130100 udita Chakraborty Aims and objectives of national policy on inf...
Kalna College
 
220711130082 Srabanti Bag Internet Resources For Natural Science
220711130082 Srabanti Bag Internet Resources For Natural Science220711130082 Srabanti Bag Internet Resources For Natural Science
220711130082 Srabanti Bag Internet Resources For Natural Science
Kalna College
 
Standardized tool for Intelligence test.
Standardized tool for Intelligence test.Standardized tool for Intelligence test.
Standardized tool for Intelligence test.
deepaannamalai16
 
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
indexPub
 
Temple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation resultsTemple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation results
Krassimira Luka
 
adjectives.ppt for class 1 to 6, grammar
adjectives.ppt for class 1 to 6, grammaradjectives.ppt for class 1 to 6, grammar
adjectives.ppt for class 1 to 6, grammar
7DFarhanaMohammed
 
欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】
欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】
欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】
andagarcia212
 
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdfمصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
سمير بسيوني
 
Simple-Present-Tense xxxxxxxxxxxxxxxxxxx
Simple-Present-Tense xxxxxxxxxxxxxxxxxxxSimple-Present-Tense xxxxxxxxxxxxxxxxxxx
Simple-Present-Tense xxxxxxxxxxxxxxxxxxx
RandolphRadicy
 
RESULTS OF THE EVALUATION QUESTIONNAIRE.pptx
RESULTS OF THE EVALUATION QUESTIONNAIRE.pptxRESULTS OF THE EVALUATION QUESTIONNAIRE.pptx
RESULTS OF THE EVALUATION QUESTIONNAIRE.pptx
zuzanka
 
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) CurriculumPhilippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
MJDuyan
 
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...
TechSoup
 
Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray  (9)Bonku-Babus-Friend by Sathyajith Ray  (9)
Bonku-Babus-Friend by Sathyajith Ray (9)
nitinpv4ai
 
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
EduSkills OECD
 
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
Nguyen Thanh Tu Collection
 
How to Download & Install Module From the Odoo App Store in Odoo 17
How to Download & Install Module From the Odoo App Store in Odoo 17How to Download & Install Module From the Odoo App Store in Odoo 17
How to Download & Install Module From the Odoo App Store in Odoo 17
Celine George
 
HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.
deepaannamalai16
 
Information and Communication Technology in Education
Information and Communication Technology in EducationInformation and Communication Technology in Education
Information and Communication Technology in Education
MJDuyan
 
SWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptxSWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptx
zuzanka
 
220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology
Kalna College
 

Recently uploaded (20)

220711130100 udita Chakraborty Aims and objectives of national policy on inf...
220711130100 udita Chakraborty  Aims and objectives of national policy on inf...220711130100 udita Chakraborty  Aims and objectives of national policy on inf...
220711130100 udita Chakraborty Aims and objectives of national policy on inf...
 
220711130082 Srabanti Bag Internet Resources For Natural Science
220711130082 Srabanti Bag Internet Resources For Natural Science220711130082 Srabanti Bag Internet Resources For Natural Science
220711130082 Srabanti Bag Internet Resources For Natural Science
 
Standardized tool for Intelligence test.
Standardized tool for Intelligence test.Standardized tool for Intelligence test.
Standardized tool for Intelligence test.
 
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
 
Temple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation resultsTemple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation results
 
adjectives.ppt for class 1 to 6, grammar
adjectives.ppt for class 1 to 6, grammaradjectives.ppt for class 1 to 6, grammar
adjectives.ppt for class 1 to 6, grammar
 
欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】
欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】
欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】
 
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdfمصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
 
Simple-Present-Tense xxxxxxxxxxxxxxxxxxx
Simple-Present-Tense xxxxxxxxxxxxxxxxxxxSimple-Present-Tense xxxxxxxxxxxxxxxxxxx
Simple-Present-Tense xxxxxxxxxxxxxxxxxxx
 
RESULTS OF THE EVALUATION QUESTIONNAIRE.pptx
RESULTS OF THE EVALUATION QUESTIONNAIRE.pptxRESULTS OF THE EVALUATION QUESTIONNAIRE.pptx
RESULTS OF THE EVALUATION QUESTIONNAIRE.pptx
 
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) CurriculumPhilippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
 
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...
 
Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray  (9)Bonku-Babus-Friend by Sathyajith Ray  (9)
Bonku-Babus-Friend by Sathyajith Ray (9)
 
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
 
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
 
How to Download & Install Module From the Odoo App Store in Odoo 17
How to Download & Install Module From the Odoo App Store in Odoo 17How to Download & Install Module From the Odoo App Store in Odoo 17
How to Download & Install Module From the Odoo App Store in Odoo 17
 
HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.
 
Information and Communication Technology in Education
Information and Communication Technology in EducationInformation and Communication Technology in Education
Information and Communication Technology in Education
 
SWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptxSWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptx
 
220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology
 

.NET Fest 2019. Eran Stiller. Create Your Own Serverless PKI with .NET & Azure Key Vault

  • 1. Create Your Own Serverless PKI with .NET & Azure Key Vault Eran Stiller Chief Technology Officer erans@codevalue.net @eranstiller https://stiller.blog https://codevalue.net
  • 2. 2
  • 3. 3
  • 4. 4
  • 5. 5
  • 6. Agenda ▪ IoT Data Ingestion ▪ PKIs, CAs & Certificates ▪ Building a Serverless CA using .NET ▪ Authoring Certificate Subscribers using .NET ▪ Using the Generated Certificates ▪ Device Provisioning Service & IoT Hub 6
  • 7. About Eran Eran Stiller ▪ @eranstiller ▪ CTO & Founder at CodeValue ▪ Software architect, consultant and instructor ▪ Microsoft Regional Director & Azure MVP ▪ Founder of Azure Israel Meetup 7
  • 9. IoT Data Ingestion 10 Data Ingestion Pipeline Further Big Data Processing IoT Hub Raw Storage (Data Lake) Device Device Device
  • 10. IoT Data Ingestion 11 Device Device Device Data Ingestion Pipeline Further Big Data Processing IoT Hub Raw Storage (Data Lake) Data Ingestion Pipeline Further Big Data Processing IoT Hub Raw Storage (Data Lake) Device Provisioning Service
  • 11. Securely Communicating with Devices 12 Confidentiality Authentication Authorization Icons made by Freepik and Eucalyp for www.flaticon.com
  • 13. PKIs, CAs & Certs 14
  • 14. Public Key Infrastructure (PKI) ▪ An umbrella term for the stuff we need in order to: ▪ Issue ▪ Distribute ▪ Store ▪ Use ▪ Verify ▪ Revoke ▪ and otherwise manage and interact with certificates and keys ▪ Don’t build from scratch ▪ Can use an off-the-shelf solution ▪ Can build some parts and rely on others 15
  • 15. Certificates ▪ A driver’s license for computers and code ▪ Basically, a binding between an identifier (name) and a public key ▪ Usually encoded as X.509 16 Icon made by Becris for www.flaticon.com
  • 17. Certificates 101 18 Hi there, I’m Alice! Hi Alice, I’m Bob! How do I know you’re really Bob? Here is my Certificate ( + certificate) Prove it to me by decrypting this challenge ( + challenge) There you go ( + decrypted challenge) Continue secure conversation (Optionally – mutual authentication)
  • 18. Certificate Authority ▪ The entity which issues certificates ▪ Trusted by the Relying Parties ▪ Public trusted root certificates are pre-populated ▪ Various methods to verify identity 19
  • 19. Building a Serverless CA using .NET 20
  • 21. Azure Key Vault ▪ Safeguard cryptographic keys and other secrets ▪ Hardware Security Modules (HSM) as a service ▪ Can be replaced with AWS Certificate Manager ▪ Principles will remain unchanged ▪ Implementation details will defer 22
  • 22. Scenario Generating a new certificate on a new device 23
  • 23. Demo Setup Azure Key Vault & Other Resources 24
  • 24. Generating the Root Certificate on Key Vault 25 var certificateOperation = await client.CreateCertificateAsync( _vaultBaseUrl, _certificateName, new CertificatePolicy( keyProperties: new KeyProperties(false, "RSA", 2048, false), x509CertificateProperties: new X509CertificateProperties( "CN=" + RootSubjectName, keyUsage: new List<string> {X509KeyUsageFlags.KeyCertSign.ToString()}, ekus: new List<string> {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"}), issuerParameters: new IssuerParameters("Self")));
  • 25. Generating the Root Certificate on Our Machine 26 using var certificateKey = RSA.Create(); var subjectDistinguishedName = new X500DistinguishedName("CN=" + RootSubjectName); var request = new CertificateRequest(subjectDistinguishedName, certificateKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, true)); request.CertificateExtensions.Add( new X509BasicConstraintsExtension(true, true, 1, true)); // Additional X509 extensions not shown for brevity var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
  • 27. Limiting Root Certificate Access ▪ Use Azure Key Vault Access Policies 28
  • 28. Auditing Root Certificate Access 29 { "time": "2016-01-05T01:32:01.2691226Z", "resourceId": "/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD- XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAU LT", "operationName": "VaultGet", "operationVersion": "2015-06-01", "category": "AuditEvent", "resultType": "Success", "resultSignature": "OK", "resultDescription": "", "durationMs": "78", "callerIpAddress": "104.40.82.76", "correlationId": "", "identity": { "claim": { "http://schemas.microsoft.com/identity/claims/objectidentifier":
  • 29. 30 "durationMs": "78", "callerIpAddress": "104.40.82.76", "correlationId": "", "identity": { "claim": { "http://schemas.microsoft.com/identity/claims/objectidentifier": "d9da5048-2737-4770-bd64-XXXXXXXXXXXX", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "live.com#username@outlook.com", "appid": "1950a258-227b-4e31-a9cf-XXXXXXXXXXXX" } }, "properties": { "clientInfo": "azure-resource-manager/2.0", "requestUri": "https://control-prod- wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd- XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/conto sokeyvault?api-version=2015-06-01", "id": "https://contosokeyvault.vault.azure.net/", "httpStatusCode": 200 } }
  • 30. Sign a Request Using the Root Certificate 31
  • 31. subject name, public key & access token Sign a Request Using the Root Certificate 32 Device Identity Provider Certificate Authority Key Vault authentication info access token generate CSR generate key pair certificate digest (hash) signed digest signed certificate Store certificate & private key
  • 32. Generate Certificate Signing Request (CSR) 33 var parameters = new RSAParameters { Modulus = publicKey.Modulus, Exponent = publicKey.Exponent }; var certificateKey = RSA.Create(parameters); var subjectDistinguishedName = new X500DistinguishedName("CN=" + subjectName); var request = new CertificateRequest(subjectDistinguishedName, certificateKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); request.CertificateExtensions.Add( new X509KeyUsageExtension( X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true)); request.CertificateExtensions.Add( new X509BasicConstraintsExtension(false, true, 0, true)); // Additional X509 not shown for brevity return request;
  • 33. Sign Certificate with Root Key 34 CertificateRequest request = CreateCertificateRequest(subjectName, certificateKey); byte[] certificateSerialNumber = await _serialNumberGenerator.GenerateSerialAsync(); RSA rsaKeyVault = _keyVaultClient.ToRSA( certificateBundle.KeyIdentifier, issuerCertificate); var generator = X509SignatureGenerator.CreateForRSA( rsaKeyVault, RSASignaturePadding.Pkcs1); var certificate = request.Create( issuerCertificate.SubjectName, generator, DateTime.Today, DateTime.Today.AddYears(1), certificateSerialNumber);
  • 34. Demo Serverless CA using .NET & Azure Functions 35
  • 36. subject name, public key & access token Sign a Request Using the Root Certificate 37 Device Identity Provider Certificate Authority Key Vault generate CSR certificate digest (hash) signed digest signed certificate Store certificate & private key authentication info access token generate key pair
  • 37. Getting an Access Token for Azure Functions 39 var auth = await authHelper.AcquireTokenAsync(); // AAD Token var client = new HttpClient { BaseAddress = new Uri(configuration.BaseUrl) }; var request = new {access_token = auth.AccessToken}; var httpContent = ... // JSON serialization var responseMessage = await client.PostAsync(".auth/login/aad", httpContent); var serializedResponse = await responseMessage.Content.ReadAsStringAsync(); dynamic response = JsonConvert.DeserializeObject<dynamic>(serializedResponse); return response.authenticationToken;
  • 38. Issue Certificate 40 var key = RSA.Create(); var publicParameters = key.ExportParameters(false); var request = new IssueCertificateRequest( subjectName, publicParameters); var httpContent = new StringContent( JsonConvert.SerializeObject(request), Encoding.UTF8, MediaTypeNames.Application.Json);
  • 39. Issue Certificate (Cont.) 41 var client = new HttpClient {BaseAddress = ...}; client.DefaultRequestHeaders.Add("X-ZUMO-AUTH", accessToken); var responseMessage = await client.PostAsync("api/issueCertificate", httpContent); var serializedResponse = await responseMessage.Content.ReadAsStringAsync(); var response = JsonConvert.DeserializeObject<IssueCertificateResponse>( serializedResponse); var certificate = new X509Certificate2( Convert.FromBase64String(response.Certificate)); return certificate;
  • 40. Store Certificate With Private Key 42 var certificateWithPrivateKey = certificate.CopyWithPrivateKey(key); var rawCertificate = certificateWithPrivateKey.Export(X509ContentType.Pfx); var persistableCertificate = new X509Certificate2(rawCertificate, string.Empty, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.UserKeySet); var store = new X509Store(StoreLocation.CurrentUser); store.Open(OpenFlags.ReadWrite); store.Add(persistableCertificate);
  • 43. IoT Data Ingestion (Reminder) 45 Device Device Device Data Ingestion Pipeline Further Big Data Processing IoT Hub Raw Storage (Data Lake) Device Provisioning Service
  • 44. Sending Data Using the Generated Certificate 47 X509Certificate2 certificate = LoadCertificate(configuration.DeviceName); var security = new SecurityProviderX509Certificate(certificate); var transport = new ProvisioningTransportHandlerAmqp( TransportFallbackType.TcpOnly); var provClient = ProvisioningDeviceClient.Create( GlobalDeviceEndpoint, configuration.DpsIdScope, security, transport); DeviceRegistrationResult registrationResult = await provClient.RegisterAsync();
  • 47. Takeaways ▪ Certificates are hard, but crucial, to get right ▪ Don’t author an entire PKI from scratch ▪ Customize an existing solution where appropriate ▪ IoT is one scenario where I encountered a need for a custom PKI ▪ Handling certificates with .NET is surprisingly undocumented ▪ With and without Azure Key Vault ▪ Azure Key Vault is a great platform to base a CA on ▪ The sample is just a sample, but is derived from a production system ▪ Can base on it and form your own solution 51
  • 48. Resources ▪ Source Code ▪ https://github.com/estiller/build-pki-net-azure-sample ▪ NuGet package to integrate Key Vault with .NET Cryptographic Keys ▪ https://github.com/onovotny/RSAKeyVaultProvider ▪ Additional resources ▪ https://smallstep.com/blog/everything-pki.html ▪ https://docs.microsoft.com/en-in/azure/key-vault/certificate-scenarios ▪ https://docs.microsoft.com/en-us/azure/key-vault/key-vault-logging 52
  • 49. Eran Stiller Chief Technology Officer erans@codevalue.net @eranstiller https://stiller.blog https://codevalue.net