首页 文章

在AWS Elastic Beanstalk部署中将证书自动部署到Windows证书存储区?

提问于
浏览
2

我们有一个ASP.NET MVC5应用程序,需要两个证书:

  • X509椭圆曲线证书及其对应的私钥(* .PFX)

  • X509椭圆曲线证书(* .CER)

在Windows Server 2012 R2 's Certificate Store ( 534703 account, 534704 store). To clarify, these certificates are used by the MVC5 app' s代码和 have nothing to do with SSL/TLS/HTTPS 中可用 .

问: How can I configure AWS Elastic Beanstalk, so that after deploying the MVC5 app, it already has those certificates and private keys in the certificate store? AWS已配置通过Elastic Beanstalk自动配置的EC2 Windows服务器,以便ASP.NET应用程序在 IIS_IUSR 用户权限下在IIS中运行,因此我们还需要授予 IIS_IUSR 权限才能访问证书私钥 . 我'm not clear if IIS_IUSR is actually follows the principle of least-privilege or if I' m授予错误的帐户权限 - 但它确实有效(见下文) . 我们目前正在通过适用于Visual Studio 2013的AWS Toolkit进行部署,但如果这有助于解决主要问题,则可以使用其他部署技术 .

目前,我们有一个丑陋的手动解决方法

  • 远程进入每个实例,并在每个实例中执行以下操作

  • 上传证书文件(* cer和* pfx)

  • 手动运行批处理文件以将它们加载到证书库中(还必须将它们添加到根存储区,因为它们是自签名证书) . 批处理文件看起来像

certutil -f -addstore Root OurCert-SS.cer //下面是PFX的CER版本
certutil -f -addstore Root RemoteCert-SS.cer
certutil -f -p test -importPFX MY OurCert-SS.pfx
certutil -f -addstore MY RemoteCert-SS.cer

  • 手动打开MMC =>证书(本地计算机)=>授予 IIS_IUSRS 证书的 Full control 权限's private key (otherwise the ASP.NET app can' t获取私钥) . 详情this post

显然,这极大地杀死了PaaS应该提供的抽象,因为任何时候实例扩展或得到回收,我们必须做到以上几点:( ...所以会很感激任何帮助 .

asp.net amazon-web-services amazon-ec2 certificate elastic-beanstalk

1 回答

  • 1

    你有没有解决这个问题?

    你可以做一些类似于这里描述的事情https://forums.aws.amazon.com/thread.jspa?messageID=591375,忽略网页绑定部分并添加 IIS_IUSR 的权限 .

    我以为我会更新我们最终做的事情 .

    我们设置了一个ebextension来从s3加载证书,然后分配所需的权限 . 我意识到我们没有.cer文件来处理,所以这可能不适合你 .

    ---
files:  
  "c:\\init_scripts\\install_cert.ps1":  
   content: |  
    $env = $args[0]   
    $pwd = $args[1]
    $securePwd = ConvertTo-SecureString -String $pwd -Force -asplaintext
    $certName="$($env).auth.cert.pfx"
    $certFilePath = "C:\$($certName)"
    Read-S3Object -BucketName ourcertsbucket -Key $certName -File $certFilePath
    $cert = Import-PfxCertificate -FilePath $certFilePath cert:\localmachine\my -Password $securePwd
    # Now that we have the cert we need to grant access to the IIS user for the cert
    Try
    {
      $WorkingCert = Get-ChildItem CERT:\LocalMachine\My |where {$_.Subject -match $env} | sort $_.NotAfter -Descending | select -first 1 -erroraction STOP
      $TPrint = $WorkingCert.Thumbprint
      $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    }
    Catch
    {
      "        Error: unable to locate certificate for $($env)"
      Exit
    }
    $keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\"
    $fullPath=$keyPath+$rsaFile
    $acl=Get-Acl -Path $fullPath
    $permission="IIS_IUSRS","Read","Allow"
    $accessRule=new-object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.AddAccessRule($accessRule)
    Try 
    {
     Set-Acl $fullPath $acl
      "        Success: ACL set on certificate"
    }
    Catch
    {
      "        Error: unable to set ACL on certificate"
        Exit
    }
container_commands:  
  01_install_cert:  
   command: powershell -ExecutionPolicy RemoteSigned -File .\\install_cert.ps1 %Environment% %CertPassword% 
   cwd: c:\\init_scripts  
   waitAfterCompletion: 0

    感谢这个link for power shell权限脚本

    回复于

相关问题