This implementation adds X.509 certificate-based authentication (mutual TLS) to secure API communications between:
- SecureBootWatcher Client → API
- SecureBootDashboard Web → API
Files Changed (SecureBootDashboard.Api):
- Program.cs: Added certificate authentication configuration and middleware
- Configuration/MutualTlsOptions.cs: New configuration class
- SecureBootDashboard.Api.csproj: Added Microsoft.AspNetCore.Authentication.Certificate package
- appsettings.json: Added MutualTls configuration section
Key Features:
- ASP.NET Core Certificate Authentication middleware
- Configurable certificate validation:
  - Thumbprint allowlisting
  - Issuer (CA) allowlisting
  - Revocation checking
  - Chain validation
- Detailed authentication event logging
- Support for self-signed certificates (development)
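The API-side wiring these features describe, as an added example rather than the project's own Program.cs. It assumes a MutualTlsOptions class mirroring the "MutualTls" keys in the appsettings.json shown in the configuration section (the page's actual Configuration/MutualTlsOptions.cs is not reproduced), and it leaves out the ValidateCertificateChain flag, since the handler always builds the chain when CertificateTypes.Chained is selected. Thumbprint and issuer allowlists are applied in OnCertificateValidated, which only runs after chain, validity and revocation checks have passed; an empty allowlist imposes no restriction on that dimension.

```csharp
// Added example, not the project's code. Assumed: MutualTlsOptions mirrors the
// "MutualTls" section of appsettings.json (Enabled, AllowSelfSignedCertificates,
// AllowedThumbprints, AllowedIssuers, CheckCertificateRevocation).
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);
var mtls = builder.Configuration.GetSection("MutualTls").Get<MutualTlsOptions>()
           ?? new MutualTlsOptions();

if (mtls.Enabled)
{
    // Kestrel must request the client certificate during the TLS handshake,
    // otherwise the authentication handler never sees one.
    builder.WebHost.ConfigureKestrel(k => k.ConfigureHttpsDefaults(h =>
        h.ClientCertificateMode = ClientCertificateMode.RequireCertificate));

    builder.Services
        .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
        .AddCertificate(options =>
        {
            // Chained: must build to a trusted root. All: also accepts self-signed (development only).
            options.AllowedCertificateTypes = mtls.AllowSelfSignedCertificates
                ? CertificateTypes.All
                : CertificateTypes.Chained;
            options.RevocationMode = mtls.CheckCertificateRevocation
                ? X509RevocationMode.Online
                : X509RevocationMode.NoCheck;
            options.ValidateValidityPeriod = true;
            options.ValidateCertificateUse = true; // requires the Client Authentication EKU

            options.Events = new CertificateAuthenticationEvents
            {
                // Reached only after chain, validity and revocation checks succeeded.
                OnCertificateValidated = ctx =>
                {
                    var log = ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
                    var cert = ctx.ClientCertificate;
                    var reason = MutualTlsPolicy.CheckAllowlists(cert, mtls);
                    if (reason is null)
                    {
                        log.LogInformation("mTLS accepted {Subject} ({Thumbprint})", cert.Subject, cert.Thumbprint);
                        ctx.Success();
                    }
                    else
                    {
                        log.LogWarning("mTLS rejected {Subject} ({Thumbprint}): {Reason}", cert.Subject, cert.Thumbprint, reason);
                        ctx.Fail(reason);
                    }
                    return Task.CompletedTask;
                },
                OnAuthenticationFailed = ctx =>
                {
                    ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>()
                       .LogWarning(ctx.Exception, "mTLS validation failed for {Path}", ctx.HttpContext.Request.Path);
                    return Task.CompletedTask;
                }
            };
        });

    // Every endpoint requires an authenticated (certificate-bearing) caller.
    builder.Services.AddAuthorization(o => o.FallbackPolicy = o.DefaultPolicy);
}

var app = builder.Build();
if (mtls.Enabled)
{
    app.UseAuthentication();
    app.UseAuthorization();
}
app.MapGet("/health", () => Results.Ok("ok"));
app.Run();

public sealed class MutualTlsOptions
{
    public bool Enabled { get; set; }
    public bool AllowSelfSignedCertificates { get; set; }
    public string[] AllowedThumbprints { get; set; } = Array.Empty<string>();
    public string[] AllowedIssuers { get; set; } = Array.Empty<string>();
    public bool CheckCertificateRevocation { get; set; } = true;
}

public static class MutualTlsPolicy
{
    // Returns null when the certificate passes both allowlists, otherwise the reason.
    public static string? CheckAllowlists(X509Certificate2 cert, MutualTlsOptions opts)
    {
        if (opts.AllowedThumbprints.Length > 0)
        {
            // Thumbprint is SHA-1 hex; normalise spacing and case before comparing.
            var wanted = opts.AllowedThumbprints.Select(t => t.Replace(" ", "").ToUpperInvariant());
            if (!wanted.Contains(cert.Thumbprint.ToUpperInvariant()))
                return "thumbprint not allowlisted";
        }
        if (opts.AllowedIssuers.Length > 0 &&
            !opts.AllowedIssuers.Any(i => string.Equals(i, cert.Issuer, StringComparison.OrdinalIgnoreCase)))
            return $"issuer '{cert.Issuer}' not allowlisted";
        return null;
    }
}
```

The RequireCertificate mode fails the handshake for callers that present no certificate at all, so with Enabled set to true every client, including the Watcher and the Web app, must be configured before the API is restarted; the FallbackPolicy closes the remaining gap where a certificate is presented but an endpoint was never decorated with an authorization attribute.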
Files Changed (SecureBootWatcher Client):
- Program.cs: Updated HttpClient configuration with certificate handler
- appsettings.json: Added certificate authentication options
- SecureBootWatcher.Shared/Configuration/SecureBootWatcherOptions.cs: Extended WebApiSinkOptions
Key Features:
- Certificate loading from Windows Certificate Store
- Certificate loading from .pfx files
- Automatic certificate attachment to HTTP requests
- Detailed logging of certificate operations
Files Changed (SecureBootDashboard Web):
- Program.cs: Updated HttpClient configuration with certificate handler
- Services/ApiSettings.cs: Extended with certificate properties
- appsettings.json: Added certificate authentication options
Key Features:
- Certificate loading from Windows Certificate Store
- Certificate loading from .pfx files
- Automatic certificate attachment to API requests
- Detailed logging of certificate operations
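The Watcher client and the Web app list the same four features, so one added example covers both: loading the client certificate from the Windows Certificate Store (by thumbprint) or from a .pfx file, checking that a usable private key is present, and attaching it to the HttpClient that calls the API. This is not the project's code; it assumes a ClientCertificateOptions class mirroring the WebApi/ApiSettings keys in the configuration section (the page's WebApiSinkOptions and ApiSettings classes are not reproduced), and the 30-day expiry warning threshold is a constructed value.

```csharp
// Added example, not the project's code. Assumed: ClientCertificateOptions mirrors the
// WebApi / ApiSettings keys in appsettings.json.
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Logging;

public sealed class ClientCertificateOptions
{
    public bool UseCertificateAuth { get; set; }
    public string CertificateThumbprint { get; set; } = "";
    public string CertificatePath { get; set; } = "";
    public string CertificatePassword { get; set; } = "";
    public string CertificateStoreLocation { get; set; } = "LocalMachine";
    public string CertificateStoreName { get; set; } = "My";
}

public static class ClientCertificateLoader
{
    // Thumbprint takes precedence (store-backed key); the .pfx path is the fallback.
    public static X509Certificate2 Load(ClientCertificateOptions o, ILogger logger)
    {
        var cert = !string.IsNullOrWhiteSpace(o.CertificateThumbprint)
            ? LoadFromStore(o)
            : LoadFromPfx(o);

        // Without an accessible private key the TLS handshake cannot be signed,
        // which surfaces later as an opaque handshake failure; fail early instead.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                $"Certificate {cert.Thumbprint} has no accessible private key (check store ACLs).");

        var daysLeft = (cert.NotAfter - DateTime.Now).TotalDays;
        if (daysLeft < 30) // constructed threshold for the expiry warning
            logger.LogWarning("Client certificate {Subject} expires in {Days:F0} days", cert.Subject, daysLeft);
        logger.LogInformation("Loaded client certificate {Subject} ({Thumbprint})", cert.Subject, cert.Thumbprint);
        return cert;
    }

    private static X509Certificate2 LoadFromStore(ClientCertificateOptions o)
    {
        var location = (StoreLocation)Enum.Parse(typeof(StoreLocation), o.CertificateStoreLocation, true);
        using var store = new X509Store(o.CertificateStoreName, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        var thumbprint = o.CertificateThumbprint.Replace(" ", "").ToUpperInvariant();
        // validOnly: true excludes expired certificates and ones that do not chain to a trusted root.
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true);
        if (matches.Count == 0)
            throw new InvalidOperationException(
                $"No valid certificate with thumbprint {thumbprint} in {location}\\{o.CertificateStoreName}");
        return matches[0];
    }

    private static X509Certificate2 LoadFromPfx(ClientCertificateOptions o)
    {
        if (string.IsNullOrWhiteSpace(o.CertificatePath))
            throw new InvalidOperationException(
                "Set CertificateThumbprint or CertificatePath when UseCertificateAuth is true.");
        // This constructor raises SYSLIB0057 on .NET 9+, where X509CertificateLoader is the replacement.
        // MachineKeySet rather than EphemeralKeySet: SChannel cannot use ephemeral keys for TLS client auth.
        return new X509Certificate2(o.CertificatePath, o.CertificatePassword, X509KeyStorageFlags.MachineKeySet);
    }

    public static HttpClient CreateApiClient(Uri apiBaseAddress, ClientCertificateOptions o, ILogger logger)
    {
        var handler = new HttpClientHandler
        {
            CheckCertificateRevocationList = true // still verify the API's own server certificate
        };
        if (o.UseCertificateAuth)
        {
            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
            handler.ClientCertificates.Add(Load(o, logger));
        }
        return new HttpClient(handler) { BaseAddress = apiBaseAddress };
    }
}
```

When the process runs as a service account, the HasPrivateKey check is the one that catches the "Certificate Store Access" limitation noted later on this page: the certificate is found in LocalMachine\My, but the account has not been granted read access to the private key.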
API appsettings.json (MutualTls section):

```json
{
  "MutualTls": {
    "Enabled": false,
    "AllowSelfSignedCertificates": false,
    "AllowedThumbprints": [],
    "AllowedIssuers": [],
    "CheckCertificateRevocation": true,
    "ValidateCertificateChain": true
  }
}
```

Watcher client appsettings.json (WebApi section):

```json
{
  "WebApi": {
    "UseCertificateAuth": false,
    "CertificateThumbprint": "",
    "CertificatePath": "",
    "CertificatePassword": "",
    "CertificateStoreLocation": "LocalMachine",
    "CertificateStoreName": "My"
  }
}
```

Web app appsettings.json (ApiSettings section):

```json
{
  "ApiSettings": {
    "UseCertificateAuth": false,
    "CertificateThumbprint": "",
    "CertificatePath": "",
    "CertificatePassword": "",
    "CertificateStoreLocation": "LocalMachine",
    "CertificateStoreName": "My"
  }
}
```

Security Defaults:
- mTLS is disabled by default (backward compatible)
- Self-signed certificates are not allowed by default
- Certificate revocation checking is enabled by default
- Certificate chain validation is enabled by default
Production Recommendations:
- Use certificates issued by a trusted CA (internal or public)
- Enable certificate revocation checking
- Use certificate thumbprint or issuer allowlisting
- Store certificates in Windows Certificate Store (not files)
- Rotate certificates before expiration
- Monitor certificate expiration dates
- Use separate certificates for each client component
Development and Testing:
- Can use self-signed certificates
- Disable revocation checking if CRL/OCSP not available
- Allow specific test CA issuers
- Enable detailed logging
Created comprehensive tests in SecureBootDashboard.Api.Tests/Configuration/MutualTlsConfigurationTests.cs:
- Default configuration validation
- Enabled configuration parsing
- Production-safe defaults verification
- Allow list behavior testing
- Development configuration validation
Test Results: 5/5 tests passing ✓
- ✓ API builds successfully with certificate authentication package
- ✓ Web app builds successfully with certificate configuration
- ✓ Configuration loads correctly from appsettings.json
- ✓ Default configuration is secure (mTLS disabled)
- ☐ End-to-end test with self-signed certificates (requires runtime environment)
- ☐ Certificate validation with allowlisting (requires runtime environment)
- ☐ Certificate validation failure scenarios (requires runtime environment)
Created docs/MUTUAL_TLS_CONFIGURATION.md with:
- Architecture overview
- Certificate requirements
- Certificate generation (PowerShell and OpenSSL)
- Configuration guide for all components
- Deployment instructions (Windows and Azure)
- Testing procedures
- Troubleshooting guide
- Security best practices
✓ Fully backward compatible
- mTLS is disabled by default
- No breaking changes to existing configurations
- Can be enabled incrementally per component
- Existing deployments work without changes
Migration Steps:
- Create root CA certificate
- Generate client certificates for each component
- Install certificates in appropriate stores
- Update API appsettings.json
- Set MutualTls.Enabled = true
- Configure allowed issuers
- Restart API
- Verify API logs for certificate events
- Update client appsettings.json
- Set WebApi.UseCertificateAuth = true
- Configure certificate thumbprint
- Deploy updated configuration
- Verify client logs for certificate loading
- Update web app appsettings.json
- Set ApiSettings.UseCertificateAuth = true
- Configure certificate thumbprint
- Restart web app
- Verify web app can communicate with API
Known Limitations:
- Certificate Store Access: Requires appropriate permissions to read private keys
- .NET Framework Client: Uses older X509Certificate2 constructor (SYSLIB0057 warning)
- CodeQL Timeout: Security scan timed out (common for large repos)
- Runtime Testing: End-to-end testing requires actual certificate infrastructure
Future Enhancements:
- Add support for X509CertificateLoader in .NET 10+ projects
- Add integration tests with test certificates
- Add certificate expiration monitoring
- Add automatic certificate rotation support
- Add metrics for certificate authentication events
References:
- ASP.NET Core Certificate Authentication
- X.509 Certificate Profile (RFC 5280)
- NIST TLS Guidelines
- Configuration Guide: docs/MUTUAL_TLS_CONFIGURATION.md
This implementation provides a solid foundation for mutual TLS authentication with:
- Comprehensive configuration options
- Secure defaults
- Detailed logging
- Backward compatibility
- Complete documentation
The implementation is production-ready but should be tested thoroughly in a development environment before deploying to production.