Description
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
Context: Secrets & PKI org is driving a "Managed Certificates Standards" initiative intended to manage the entire lifecycle of 1P certificates. Auto-activation is part of the lifecycle. IIS/HTTP.Sys supports seamless auto-activation via specific SChannel behavior underneath (details below).
Expected Behavior
Expected behavior: Kestrel on Windows uses SChannel and should theoretically support similar seamless auto-activation.
Observed behavior: Kestrel continues to use the certificate configured at app startup. We are aware of callbacks that support adding custom logic to select an intended certificate. We do not want to go that route as it creates fanout work for 1P partners. Moreover, the ask is to expose something that SChannel already supports.
Steps To Reproduce
Repro steps:
I. Control test:
a. Install AKVVM Extension as a standalone package as per internal guide eng.ms/docs/products/onecert-certificates-key-vault-and-dsms/key-vault-dsms/keyvault/standalonekeyvaultvmextensionguide.
b. Configure the VM extension to poll for a certificate we will be using for our local dev box test. (JSON files attached.) We are doing this because AKVVMExt performs the necessary certificate linkage and cert store event emission. This is leveraged by lots of 1P and 3P customers for auto-activation.
c. Confirm that when the extension starts up, it downloads and installs the certificate we will be using for our test.
d. Create a hello world WebAPI app (we used .NET 9).
e. Host it on IIS, edit binding to select HTTPS at port 8443. Select the certificate in step b.
f. Use browser and navigate to the WebAPI endpoint at port 883. Ignore the browser warning and navigate. Look at the presented certificate and note down the details.
g. Create a new version of the certificate in key vault that AKVVMExt polls. Enable and disable the extension to pick up the new version immediately (Latest version of AKVVMExt removed support for polling interval in seconds in the JSON setting. We can always pick a version from July 2025 and set the poll interval to 45 seconds instead of enabling/disabling).
h. Reload the web api endpoint in browser and confirm that the new certificate is presented.
II. Kestrel test
a. Create a hello world API hosted on Kestrel.
b. Use the same cert from the control test for the Kestrel test.
c. Repeat steps (f) through (h) above.
d. Verify that the same certificate from step (b) is presented by Kestrel instead of the new certificate.
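An added check for steps f through h (not part of this issue, Kestrel or AKVVMExt): it connects to the endpoint, reads the leaf certificate the server presents, and compares its thumbprint with the newest certificate of the same subject in LocalMachine\My. Host name, port and subject are assumed values.

```powershell
# Added check (not from the issue): which leaf certificate does a local HTTPS
# endpoint present, and is it the newest one with that subject in the machine store?
# Host name, port and subject below are assumptions for a test box.
param(
    [string]$HostName = 'localhost',
    [int]$Port = 8443,
    [string]$Subject = 'CN=managed-cert.example'   # assumed subject of the test cert
)

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any chain here: the point is to see which leaf the server sent,
        # not to validate it (the test cert triggers a browser warning anyway).
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $client.Dispose() }
}

# Newest certificate for the subject in LocalMachine\My, i.e. the version
# AKVVMExt just installed and that an auto-activating server should serve.
$expected = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

$presented = Get-PresentedCertificate -HostName $HostName -Port $Port

"Presented : {0}  (NotBefore {1:u})" -f $presented.Thumbprint, $presented.NotBefore
"Newest    : {0}  (NotBefore {1:u})" -f $expected.Thumbprint, $expected.NotBefore

if ($presented.Thumbprint -eq $expected.Thumbprint) {
    'OK: server presents the newest certificate (auto-activation worked).'
} else {
    'STALE: server still presents an older certificate; a restart or a selection callback would be needed.'
}
```

Run it once after step (f) and again after step (h): IIS should report OK on the second run, while the Kestrel host described in the issue reports STALE.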
Exceptions (if any)
No response
.NET Version
8.0
Anything else?
From Schannel folks:
http.sys code configures the following struct in minio\http\sys\sslconfig.c!UxpSslInitializeSchCredentials()
```c
typedef struct _SCH_CREDENTIALS
{
    DWORD          dwVersion;    // Always SCH_CREDENTIALS_VERSION.
    DWORD          dwCredFormat;
    DWORD          cCreds;
    PCCERT_CONTEXT *paCred;
    // …
```
Where it sets dwCredFormat to: SCH_CRED_FORMAT_CERT_HASH_STORE instead of SCH_CRED_FORMAT_CERT_CONTEXT
For SCH_CRED_FORMAT_CERT_HASH_STORE, paCred is cast to the following:
```c
typedef struct _SCHANNEL_CERT_HASH_STORE
{
    DWORD     dwLength;
    DWORD     dwFlags;      // http.sys sets this to SCH_MACHINE_CERT_HASH
    HCRYPTPROV hProv;
    BYTE      ShaHash[20];
    WCHAR     pwszStoreName[SCH_CRED_MAX_STORE_NAME_SIZE];
} SCHANNEL_CERT_HASH_STORE, *PSCHANNEL_CERT_HASH_STORE;
```
If the above StoreName == L"my" and SCH_MACHINE_CERT_HASH is set, then Schannel will check cert renewal for the above certificate.
It won't enable renewal if called with SCH_CRED_FORMAT_CERT_CONTEXT.
Suggestion: See if SChannel API is called with the recommended values above.