Local Hashing Service Security

The local hashing service’s default configuration is:

  • Use a self-signed certificate for HTTPS connections.
  • Allow client certificates (but not require them).

The local hashing service is an ASP.NET application, so certificate locations and behavior is controlled with environment variables.

Environment Variable Purpose
ASPNETCORE_Kestrel__Endpoints__HttpsInlineCertFile__Certificate__Path Set the server certificate used for HTTPS connections. Certificate Format: PFX
ASPNETCORE_Kestrel__Endpoints__HttpsInlineCertFile__Certificate__Password Set the password for the server certificate. If the certificate does not have a password, do not set this variable.
SSL_CERT_FILE Set the client certificate trust chain. Certificate Format: PEM Bundle
HashingService__RequireClientCertificate Set to True to require a client certificate for all connections
Logging__LogLevel__MPI.HashingService.Security.ClientCertificateValidator log level for debugging certificate issues, set to Trace to see detailed errors.

Certificate Management

Injecting certificate files into the local hashing service can be done in a couple of ways. The best choice for you will depend on your hosting service and build chain.

Two options are:

  • copy the PFX file to a network share and mount the network share as a volume
  • build the PFX file directly into a Docker image using careevolution/bmpi-hashing-service as the base image

Example Docker File

If you are building a new docker image with the trust store embedded and a BYO server certificate:

FROM bmpi-hashing-service:latest AS hashing

# Copy the certificate files into the image
COPY /buildserver/certs/truststore.pem /app/ssl/truststore.pem
COPY /buildserver/certs/local-hashing-cert.pfx /app/ssl/server.pfx

# Set the client certificate trust chain
ENV SSL_CERT_FILE=/app/ssl/truststore.pem

# Require a client certificate from the provided trust chain
ENV HashingService__RequireClientCertificate=True

# Set the server certificate so that clients can also verify the server
ENV ASPNETCORE_Kestrel__Endpoints__HttpsInlineCertFile__Certificate__Path=/app/ssl/server.pfx
ENV ASPNETCORE_Kestrel__Endpoints__HttpsInlineCertFile__Certificate__Password=TheCertificatePassword

# Turn on trace logging for development because certificate configuration is notoriously complicated and hard to debug
ENV Logging__LogLevel__MPI.HashingService.Security.ClientCertificateValidator=Trace # useful for dev, should be removed or for prod