How should I sign a CSR using a signature created in HSM, in C# .NET Core?

I’m exhausted after looking for an answer for 3 days. I don’t know if my suggested flow is wrong or my Google skills have really deteriorated.

My API needs to create a valid certificate from a CSR it received, by signing it with a private key that exists ONLY inside an HSM-like service (Azure KeyVault), which unfortunately doesn’t offer Certificate Authority functions BUT does offer signing data with a key that exists there. My CA certificate’s private key is stored in the HSM. I’m using ECDSA.

My suggested flow:

  1. Client generates Key Pair + CSR and sends CSR to API
  2. API creates a certificate from the CSR
  3. API asks HSM to sign the CSR data and receives back a signature
  4. API appends the signature to the certificate and returns a signed (and including CA in chain) certificate to the Client


I’m using C# .NET Core and would like to keep it cross-platform (as it runs in Linux containers), so I have to keep it as native as possible or using Bouncy Castle (which I’m still not sure if runs in Linux .NET Core).

I really appreciate your help!

Go to Source
Author: NOP-MOV

20+ RPG career transition to ASP.NET core

For the past 20+ years I’ve made a comfortable living as an iSeries RPG developer.
I’m now pursuing a new skillset of ASP.NET core 3.1 (razor pages)…

Very early in the self learning process but hoping to confirm a few fuzzy concepts with proficient .Net devs out there…

1.) .NET is a framework, not a language
2.) using .NET core 3.1 (razor pages), I have appeared to have been exposed to C# as the main language along with HTML and bootstrap, in the tutorial I have been pursuing.

So essentially, my quest (to pursue a .Net framework), will require me to become proficient in C# programming language. I know other requirements will be essential (javascript and latest versions thereof), but will C# be the cornerstone of the code development?

Are these statements accurate. Am I confused so early on? Any elaboration or advice moving into .Net development area? The .net core 3.1 has been super easy to follow along with so far. I’m impressed with it. I’m doing a simple CRUD application but is not different at all than what I have been doing for the last 20 years, except with the .net framework. After I finish the CRUD that interfaces with an SQL server DB, I plan to clone the application and replace the SQL Server DB interface and utilize REST API’s instead that I have developed on the iSeries over the DB2 database.

Appreciate any helpful input.
Feel free to rip my statements to shreds… that is how I learn best… as long as met with accurate info.


Go to Source
Author: jefferson vaughn

How to determine if particular .NET/ASP.NET version has known vulnerabilities by version-build number using Microsoft resources?

How to determine if particular .NET/ASP.NET version has known vulnerabilities by version-build number using Microsoft resources?

I’m trying to find any list which can help finding if particular ASP.NET version has known vulnerabilities by version-build number. Googling doesn’t help. Is there a known list by microsoft which can help me, containing all existing build numbers (like “ASP.NET Version:2.0.50727.8813”), or any other way of checking if security patches has been already applied, for example the list of security patches with build numbers to which it updates the components? doesn’t help because it doesn’t contain build information, only lists major versions.

Go to Source
Author: Vadim