Support In-Memory SSL Certificate #692

Closed
opened 2025-12-29 15:31:02 +01:00 by adam · 8 comments

Originally created by @Ranthalion on GitHub (May 22, 2025).

Originally assigned to: @StefH on GitHub.

Is your feature request related to a problem? Please describe.
WireMock.NET expects to explicitly and manually load the SSL certificate either from the file system, or from a Windows certificate store.
I need to load the SSL certificate from Azure KeyVault. I am not able to write the certificate to disk because the private key is not exportable and I don't have write access to a file system in the deployed environment.

Describe the solution you'd like
I'd like to provide the actual SSL certificate to the WireMock.Net server instead of relying on it to load a certificate. This could possibly be implemented in one of the following ways:

  • Add a property for the SSL certificate to WireMockCertificateSettings
  • Support a callback/action/delegate/interface to allow the consumer to load the certificate.

Describe alternatives you've considered

  • Writing the certificate to the file system
    • Certificate is not exportable
    • No write access to file system
  • Extending or overriding CertificateLoader
    • not possible without some crazy stuff
  • Using wiremock as a middleware and hosting via Kestrel in my app
    • Wiremock middleware doesn't seem to be intended for this use case.

Is your feature request supported by WireMock (java version)? Please provide details.
I don't have experience with the java version. I don't think WireMock and WireMock.Net currently have parity in SSL certificate support. I only see support for java keystores.

Additional context
TLDR - I have the SSL cert in memory, but I can't seem to get WireMock.NET to use it.

adam added the feature label 2025-12-29 15:31:02 +01:00
adam closed this issue 2025-12-29 15:31:03 +01:00

@StefH commented on GitHub (May 24, 2025):

I think this can be added.
Is your certificate a .PEM or .PFX? And do you also have a password?


@StefH commented on GitHub (May 24, 2025):

@Ranthalion
Would this be your solution?

  • https://github.com/wiremock/WireMock.Net/pull/1303

@StefH commented on GitHub (May 26, 2025):

@Ranthalion
If you like, you can test this preview version 1.8.8-ci-110112.

See https://github.com/wiremock/WireMock.Net/wiki/MyGet-preview-versions for details.


@Ranthalion commented on GitHub (May 27, 2025):

Thanks @StefH. The certificate is downloaded from KeyVault as a full X509Certificate2. I've reviewed the changes and will try this today.


@Ranthalion commented on GitHub (May 27, 2025):

I'm encountering the same issue with the new implementation. I'm not able to convert the existing X509Certificate2 into a byte array since the private key is not exportable.

When I download the certificate from KeyVault, it already has the private key included, and it is already an X509Certificate2. X509Certificate2.Export fails since the key is not exportable.

X509Certificate2.GetRawCertData does not export the private key and results in a run time error "NotSupportedException: The server mode SSL must use a certificate with the associated private key."

Would you consider simply allowing an existing X509Certificate2 to be set on WireMockServerSettings so that an existing certificate in memory would not require any additional twiddling and transformations?
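
The failure described in the comment above, as an added example that is not part of the original thread or of WireMock.Net: a pre-flight check showing that a certificate rebuilt from `GetRawCertData` carries no private key, while the original in-memory instance does. `ServerTlsProblems` is a hypothetical helper and the self-signed certificate is constructed for illustration; only .NET base class library types are used.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class InMemoryCertCheck
{
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth

    // Hypothetical helper: lists why a certificate cannot serve TLS; empty means usable.
    static List<string> ServerTlsProblems(X509Certificate2 cert, DateTime now)
    {
        var problems = new List<string>();
        if (!cert.HasPrivateKey)
            problems.Add("no private key attached (public-only copy)");
        if (now < cert.NotBefore || now > cert.NotAfter)
            problems.Add($"outside validity window {cert.NotBefore:u} .. {cert.NotAfter:u}");
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext is not X509EnhancedKeyUsageExtension eku) continue;
            bool serverAuth = false;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                serverAuth |= oid.Value == ServerAuthOid;
            if (!serverAuth) problems.Add("EKU present but lacks serverAuth");
        }
        return problems;
    }

    static void Main()
    {
        // Constructed sample: a throwaway self-signed certificate that exists only in memory.
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=localhost", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid(ServerAuthOid) }, critical: false));
        using X509Certificate2 full = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));

        // GetRawCertData returns only the DER certificate, so the rebuilt instance has no key.
        // (This byte[] constructor is flagged SYSLIB0057 on .NET 9.)
        using var publicOnly = new X509Certificate2(full.GetRawCertData());

        foreach (var (name, cert) in new[] { ("in-memory instance", full), ("rebuilt from raw bytes", publicOnly) })
        {
            List<string> problems = ServerTlsProblems(cert, DateTime.Now);
            Console.WriteLine($"{name}: {(problems.Count == 0 ? "usable for server TLS" : string.Join("; ", problems))}");
        }
    }
}
```

Running the same check on a certificate before assigning it to `CertificateSettings.X509Certificate` surfaces a missing key at startup instead of at the first TLS handshake.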


@Ranthalion commented on GitHub (May 27, 2025):

> @Ranthalion If you like, you can test this preview version `1.8.8-ci-110112`.
>
> See https://github.com/wiremock/WireMock.Net/wiki/MyGet-preview-versions for details.

I've pulled the most recent preview build (1.8.8-ci-110115) and directly providing the X509 certificate works perfectly for me!

I don't personally see value in supporting a byte array version of the certificate, especially as that constructor is obsolete as of .NET 9 (see [ctor](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.-ctor?view=net-9.0#system-security-cryptography-x509certificates-x509certificate2-ctor(system-byte())) and [syslib0057](https://learn.microsoft.com/en-us/dotnet/fundamentals/syslib-diagnostics/syslib0057)).

@Ranthalion commented on GitHub (Jun 3, 2025):

@StefH Unfortunately, I can't seem to either edit the wiki or push a branch and submit a PR to update the wiki. If you are interested, I was going to propose the following edits.

Using-HTTPS-(SSL).md replaced HTTPS and certificates section starting on line 14.

## HTTPS and certificates
WireMock.NET provides flexible support for SSL certificates through the following methods:  
- Using the Certificate Store  
- Loading a PFX certificate from the file system  
- Utilizing an in-memory `X509Certificate2` instance

See [WIKI : Settings - Certificate Settings](https://github.com/WireMock-Net/WireMock.Net/wiki/Settings#certificatesettings) for details.

Settings.md replaced CertificateSettings section starting on line 22

### CertificateSettings
By default, the .NETStandard version from WireMock.Net can use the default .NET self-signed development certificate. See [HTTPS-SSL](https://github.com/WireMock-Net/WireMock.Net/wiki/Using-HTTPS-%28SSL%29#net-standard--net-core) for more info.

However, it's also possible to use your own certificate by configuring appropriate values for the `CertificateSettings`.
The following methods are supported: 

- Using the Certificate Store  
- Loading a PFX certificate from the file system  
- Utilizing an in-memory `X509Certificate2` instance

Note that:
- X509StoreName and X509StoreLocation should be defined
- OR
- X509CertificateFilePath and X509CertificatePassword should be defined
- OR 
- X509Certificate should be defined

#### SSL Certificate from Certificate Store

``` c#
var server = WireMockServer.Start(new WireMockServerSettings
{
    Urls = new[] { "https://localhost:8443" },
    CertificateSettings = new WireMockCertificateSettings
    {
        X509StoreName = "My",
        X509StoreLocation = "CurrentUser",
        // X509StoreThumbprintOrSubjectName can be a Thumbprint, SubjectName or null
        X509StoreThumbprintOrSubjectName = "FE16586076A8B3F3E2F1466803A6C4C7CA35455B"
    }
});
```

Where
* `X509StoreName` = The Certificate StoreName. One of: AddressBook, AuthRoot, CertificateAuthority, My, Root, TrustedPeople, TrustedPublisher.
* `X509StoreLocation` = The Certificate StoreLocation. Can be CurrentUser or LocalMachine.
* `X509StoreThumbprintOrSubjectName` = This can be the Certificate Thumbprint, Certificate SubjectName or null. If it's null, the first match on the hostname Certificate is used.

#### SSL Certificate from the file system

``` c#
var server = WireMockServer.Start(new WireMockServerSettings
{
    Urls = new[] { "https://localhost:8443" },
    CertificateSettings = new WireMockCertificateSettings
    {
        X509CertificateFilePath = "example.pfx",
        X509CertificatePassword = "wiremock"
    }
});
```

Where
* `X509CertificateFilePath` = The full path to the X509Certificate2 `.pfx` or `.pem` file
* `X509CertificatePassword` = The password or key for the X509Certificate2 file. This can be null if the certificate does not require a password.

#### SSL Certificate from in-memory X509Certificate2

``` c#
// GetSSLCertificate is used to represent any way to load a certificate, for example from Azure KeyVault.
X509Certificate2 sslCertificate = GetSSLCertificate();

var server = WireMockServer.Start(new WireMockServerSettings
{
    Urls = new[] { "https://localhost:8443" },
    CertificateSettings = new WireMockCertificateSettings
    {
        X509Certificate = sslCertificate
    }
});
```

#### Additional SSL Certificate Resources

📝 
See also these links on how to generate an EC or RSA
- https://www.scottbrady91.com/openssl/creating-elliptical-curve-keys-using-openssl 
- https://www.scottbrady91.com/openssl/creating-rsa-keys-using-openssl
- https://github.com/WireMock-Net/WireMock.Net/tree/master/examples/WireMock.Net.Console.NET6.WithCertificate 

@StefH commented on GitHub (Jun 3, 2025):

@Ranthalion
Thanks. I've copied your proposal.

Reference: starred/WireMock.Net-wiremock#692