OpenSSL is awesome! Though, requires little manual work to remember all the commands, executing them in a machine that has OpenSSL installed. In this post, I’m about to build an HTTP API over OpenSSL, with the most commonly used commands (and the possibility to extend it further – as required). This will help folks who wants to run OpenSSL in a private network but wants to orchestrate it in their automation workflows.
Background
Ever wanted to automate the TLS (also known as SSL) configuration process for your web application? You know, the sites that served via HTTPS and Chrome shows a green “secure” mark in address bar. Serving site over HTTP is insecure (even for static contents) and major browsers will mark those sites as not secure, Chrome already does that today.
Serving contents via HTTPS involves buying a digital certificate (aka SSL/TLS certificate) from certificate authorities (CA). The process seemed complicated (sometimes expensive too) by many average site owners or developers. Let’s encrypt addressed this hardship and made it painless. It’s an open certificate authority that provides free TLS certificates in an automated and elegant way.
However, free certificates might not be ideal for enterprise scenarios. Enterprise might have a requirement to buy certificate from a specific CA. In many cases, that process is manual and often complicated and slow. Typically, the workflow starts by generating a Certificate Signing request (also known as CSR) which requires generating asymmetric key pair (a public and private key pair). Which is then sent to CA to get a Digital Identity certificate. This doesn’t stop here. Once the certificate is provided by the CA, sometimes (Specially if you are in IIS, .net or Azure world) it’s needed to be converted to a PFX (Personal Information Exchange) file to deploy the certificate to the web server.
PFX (aka PKCS #12) is a file format defines an archive file format for storing many cryptography objects as a single file. It’s used to bundle a private key with it’s X.509 certificate or bundling all the members of a chain of trust. This file may be encrypted and signed. The internal storage containers (aka SafeBags), may also be encrypted and signed.
Generating CSR, converting a Digital Identity certificate to PFX format are often done manually. There are some online services that allows you generating CSRs – via an API or an UI. These are very useful and handy, but not the best fit for an enterprise. Because the private keys need to be shared with the online provider – to generate the CSR. Which leads people to use the vastly popular utility – OpenSSL in their local workstation – generating CSRs. In this article, this is exactly what I am trying to avoid. I wanted to have an API over OpenSSL – so that I can invoke it from my other automation workflow running in the Cloud.
Next, we will see how we can expose the OpenSSL over HTTP API in a Docker container, so we can run the container in our private enterprise network and orchestrate this in our certificate automation workflows.
The Solution Design
We will write a .net core web app, exposing the OpenSSL command via web API. Web API requests will fork OpenSSL process with the command and will return the outcome as web API response.
OpenSSL behind .net core Web API
We are using System.Diagnostics.Process to lunch OpenSSL in our code. This is assuming we will have OpenSSL executable present in our path. Which we will ensure soon with Docker.
private static StringBuilder ExecuteOpenSsl(string command)
{
var logs = new StringBuilder();
var executableName = "openssl";
var processInfo = new ProcessStartInfo(executableName)
{
Arguments = command,
UseShellExecute = false,
RedirectStandardError = true,
RedirectStandardOutput = true,
CreateNoWindow = true
};
var process = Process.Start(processInfo);
while (!process.StandardOutput.EndOfStream)
{
logs.AppendLine(process.StandardOutput.ReadLine());
}
logs.AppendLine(process.StandardError.ReadToEnd());
return logs;
}
This is simply kicking off OpenSSL executable with a command and capturing the output (or errors). We can now use this in our Web API controller.
/// <summary>
/// The Open SSL API
/// </summary>
[Produces("application/json")]
[Route("api/OpenSsl")]
public class OpenSslController : Controller
{
/// <summary>
/// Creates a new CSR
/// </summary>
/// Payload info
/// The CSR with private key
[HttpPost("CSR")]
public async Task Csr([FromBody] CsrRequestPayload payload)
{
var response = await CertificateManager.GenerateCSRAsync(payload);
return new JsonResult(response);
}
This snippet only shows one example, where we are receiving a CSR generation request and using the OpenSSL to generate, returning the CSR details (in a base64 encoded string format) as API response.
Other commands are following the same model, so skipping them here.
Building Docker Image
Above snippet assumes that we have OpenSSL installed in the machine and the executable’s path is registered in our system’s path. We will turn that assumption to a fact by installing OpenSSL in our Docker image.
FROM microsoft/aspnetcore:2.0 AS base RUN apt-get update -y RUN apt-get install openssl
Here we are using aspnetcore:2.0 as our base image (which is a Linux distribution) and installing OpenSSL right after.
Let’s Run it!
I have built the docker image and published it to Docker Hub. All we need is to run it:
The default port of the web API is 80, though in this example we will run it on 8080. Let’s open a browser pointing to:
Voila! We have our API’s. Here’s the Swagger UI for the web API.
And we can test our CSR generation API via Postman:
The complete code for this web app with Docker file can be found in this GitHub Repository. The Docker image is in Docker Hub.
Reverse Engineering 
I think this is among the most vital information for me. And i’m glad reading your article. But want to remark on few general things, The web site style is wonderful, the articles is really nice : D. Good job, cheers
LikeLike