Filter CA list when prompting user with Certificate Authentication

[aderderian]

This is in relation to this feature that seems to have been left out from .NET Core.
dotnet/AspNetCore.Docs#15516 (comment)
and my stackoverflow : https://stackoverflow.com/questions/58736822/net-core-windows-azure-web-app-trusted-certificate-store-for-browser-prompt-wit

We would like the ability to pass along a list of CA's so a user does not need to filter through a ton of certificates to choose when prompted.

Legacy windows servers used to use the TrustedIssersList registry key to send a list of CA's the site supported for authentication. This seems to be sunsetted as of Windows Server 2012.

[blowdart]

@Tratcher Does http.sys support this? It looks from the RFC we can use the certificate_types in the message which triggers the handshake.

[aderderian]

Thanks for taking a look at this @blowdart . The issue we're having is that windows/iis used to support this and now when a user goes to authenticate with a certificate, they are presented with a long list of certs versus a trimmed down list or single cert we accept. It must be still supported by browsers because the legacy systems still work. Is the ability to do this a browser standard or http standard? I am wondering if we could add this option when configuring cert auth in .net core in startup.cs?

I think this is the functionality we need in .net core so that we can do this in Azure Web Apps :

https://docs.microsoft.com/en-us/windows-server/security/tls/what-s-new-in-tls-ssl-schannel-ssp-overview#BKMK_TrustedIssuers

[blowdart]

Well this wouldn't work in azure webapps anyway, as the certificate is terminated one hop before you get to your app, on the application routing layer which you can't configue

[aderderian]

Would it work if we stood up a VM instead?

[blowdart]

If we can get it to work with http.sys, or openssl then yes.

Might be worth asking azure webapps for the feature too.

[aderderian]

Oh, so it would be possible in WAWS, it is just not there now. Thanks for clarifying. Ideally we wouldn't want to have to drop that as our hosting infrastructure and move to a VM. :)

[blowdart]

it might be possible. I honestly can't speak for webapps. Support ticket is the best route to go.

[aderderian]

OK thanks! Can you advise what I might include in the support ticket? Would it be a support ticket from the Portal UI or somewhere else? I want to provide them exactly what is needed and I am not clear on that at the moment.

[blowdart]

I honestly don't know, let me ask around.

[Tratcher]

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831771(v=ws.11)#management-of-trusted-issuers-for-client-authentication

[aderderian]

@Tratcher that article is 4yrs old, is it providing a solution?

[Tratcher]

It should apply to all later versions unless we find anything newer.

[aderderian]

Do you know if these configurations are allowed in Azure? Client Authentication Issuers store for certs is available? I guess I am unsure if your point is this should work in WAWS and .NET Core or you're pointing out the general docs around it. My knowledge of certificate authentication is brand new.

[Tratcher]

These are the generic features. In Azure you're unlikely to be able to control anything at this layer unless you are running a VM.