Local Hashing Service Security
The local hashing service’s default configuration is:
- Use a self-signed certificate for HTTPS connections.
- Allow client certificates (but not require them).
The local hashing service is an ASP.NET application, so certificate locations and behavior are controlled with environment variables.
| Environment Variable | Purpose |
|---|---|
| ASPNETCORE_Kestrel__Endpoints__HttpsInlineCertFile__Certificate__Path | Sets the server certificate used for HTTPS connections. Certificate format: PFX |
| ASPNETCORE_Kestrel__Endpoints__HttpsInlineCertFile__Certificate__Password | Sets the password for the server certificate. If the certificate does not have a password, do not set this variable. |
| SSL_CERT_FILE | Sets the client certificate trust chain. Certificate format: PEM bundle |
| HashingService__RequireClientCertificate | Set to True to require a client certificate for all connections. |
| Logging__LogLevel__MPI.HashingService.Security.ClientCertificateValidator | Log level for debugging certificate issues; set to Trace to see detailed errors. |
Certificate Management
Injecting certificate files into the local hashing service can be done in a couple of ways. The best choice for you will depend on your hosting service and build chain.
Two options are:
- copy the PFX file to a network share and mount the network share as a volume
- build the PFX file directly into a Docker image using careevolution/bmpi-hashing-service as the base image
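The two artifacts the variables above expect, a password-protected PFX for the server and a PEM bundle for SSL_CERT_FILE, can be prepared ahead of either injection option. The script below is an added example, not part of the product's documentation: it uses the openssl CLI to build a throwaway test CA, export the server certificate as PFX, assemble the truststore, and check that a client certificate chains to it while one issued by an unrelated CA does not. All file names, subjects, hostnames and the password are assumptions.

```shell
#!/bin/sh
# Added example, not part of the product documentation. Builds the artifacts the
# hashing service's variables expect (PFX server certificate, PEM-bundle truststore)
# from a throwaway test CA and checks client certificates against the truststore.
# Requires the openssl CLI. All names, subjects and the password are assumptions.
set -eu

# Issue a leaf certificate signed by the CA whose key/cert live at "$2.key"/"$2.pem".
issue_cert() {
    d=$1; ca=$2; name=$3; cn=$4
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/$name.csr" -CA "$ca.pem" -CAkey "$ca.key" \
        -CAcreateserial -days 30 -out "$d/$name.pem" >/dev/null 2>&1
}

# Create a test CA, a server cert exported as PFX, a trusted client cert, and a
# client cert from an unrelated CA (to show what the truststore rejects).
make_test_pki() {
    dir=$1; pfx_password=$2
    mkdir -p "$dir"
    for ca in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.pem" >/dev/null 2>&1
    done
    # SSL_CERT_FILE wants a PEM bundle: concatenate every CA allowed to issue client certs.
    cat "$dir/ca.pem" > "$dir/truststore.pem"
    # Kestrel wants the server key and certificate together in a password-protected PFX.
    issue_cert "$dir" "$dir/ca" server "hashing.internal.example"
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.pem" \
        -out "$dir/server.pfx" -passout "pass:$pfx_password"
    issue_cert "$dir" "$dir/ca" client "hashing-client"
    issue_cert "$dir" "$dir/other-ca" rogue-client "not-our-client"
}

# Returns 0 if the PFX opens with the given password (the value the Password variable must carry).
check_pfx_password() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# Returns 0 if the client certificate chains to a CA in the truststore, which is what
# the service requires of every client once HashingService__RequireClientCertificate=True.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

The resulting server.pfx and truststore.pem are what you mount from a network share or COPY into the image, at the paths the Path and SSL_CERT_FILE variables point to.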
Example Dockerfile
If you are building a new Docker image with the trust store embedded and a bring-your-own (BYO) server certificate:
```dockerfile
FROM careevolution/bmpi-hashing-service:latest AS hashing
# Copy the certificate files into the image
COPY /buildserver/certs/truststore.pem /app/ssl/truststore.pem
COPY /buildserver/certs/local-hashing-cert.pfx /app/ssl/server.pfx
# Set the client certificate trust chain (PEM bundle)
ENV SSL_CERT_FILE=/app/ssl/truststore.pem
# Require a client certificate from the provided trust chain
ENV HashingService__RequireClientCertificate=True
# Set the server certificate so that clients can also verify the server
ENV ASPNETCORE_Kestrel__Endpoints__HttpsInlineCertFile__Certificate__Path=/app/ssl/server.pfx
# Placeholder password. Note that an ENV value is stored in the image layers and is
# visible with `docker history`, so prefer supplying it at runtime where possible.
ENV ASPNETCORE_Kestrel__Endpoints__HttpsInlineCertFile__Certificate__Password=TheCertificatePassword
# Turn on trace logging for development because certificate configuration is notoriously
# complicated and hard to debug. Useful for dev; remove for prod.
# Keep this comment on its own line: a Dockerfile only treats '#' at the start of a line
# as a comment, so a trailing '# ...' on the ENV line would become part of the value.
ENV Logging__LogLevel__MPI.HashingService.Security.ClientCertificateValidator=Trace
```