ServiceFabric Secrets encrypted with certificate inside X509FindValueSecondary

258 views

I have an encrypted application secret.

In my ApplicationManifest I have specified the corresponding certificate to decrypt the secret:

<Certificates>
    <SecretsCertificate Name="MyCert" X509FindValue="1..." X509FindValueSecondary="2..." />
</Certificates>

My secret is actually encrypted with the 2... certificate, which I specified in X509FindValueSecondary. I thought that when it does not find the certificate specified in X509FindValue (in my case 1...), it would fall back to looking for the certificate in X509FindValueSecondary. This is what I thought "Secondary" means. However, my application does not start:

Failed to configure certificate permissions. Error FABRIC_E_CERTIFICATE_NOT_FOUND. 

What is the difference between X509FindValue and X509FindValueSecondary?

1 answer
Diego Mendes (best answer):

SecretsCertificate uses the same format as other certificate options like ServerCertificate, ClientCertificate and so on.

What is the difference between X509FindValue and X509FindValueSecondary?

Assuming they all work the same way, the idea of X509FindValueSecondary for ServerCertificate is to be used as a rollover approach, which means:

  • Load the first certificate; if it is valid, use it
  • If the first certificate expires, try to load the second

In both cases, the certificate must exist, because it needs to validate the expiration dates. If you plan to have just one, you should remove the secondary.
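To make the rollover rule in this answer concrete, here is an added Python model of it (example code, not part of the question, the answer, or Service Fabric). It assumes the behaviour the answer describes: every configured find value must resolve to a certificate in the node's store before anything else happens, the primary is used while it is within its validity period, and the secondary is only used once the primary is not. The `CertInfo` class, the `select_secrets_certificate` and `describe` functions, and the thumbprints `1111AAAA` / `2222BBBB` are all constructed stand-ins, not real Service Fabric APIs or values; the second sample store reproduces the asker's setup, where only the certificate named in X509FindValueSecondary is installed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class CertInfo:
    """Minimal stand-in for an X509 certificate found in the node's store (constructed)."""
    thumbprint: str
    not_before: datetime
    not_after: datetime

    def is_valid_at(self, now: datetime) -> bool:
        return self.not_before <= now <= self.not_after


class CertificateNotFound(Exception):
    """Models FABRIC_E_CERTIFICATE_NOT_FOUND: a configured find value has no match in the store."""


def normalize(thumbprint: str) -> str:
    # Strip spaces and upper-case so a thumbprint pasted from a GUI compares cleanly.
    return thumbprint.replace(" ", "").upper()


def select_secrets_certificate(store: Dict[str, CertInfo], primary: str,
                               secondary: Optional[str], now: datetime) -> CertInfo:
    """Rollover as the answer describes it (an assumption about Service Fabric, not its code):
    every configured find value must resolve; use the primary while it is valid,
    otherwise fall over to the secondary."""
    wanted = [normalize(primary)] + ([normalize(secondary)] if secondary else [])
    # Step 1: both find values must exist, regardless of which one is current.
    missing = [tp for tp in wanted if tp not in store]
    if missing:
        raise CertificateNotFound(missing[0])
    # Step 2: prefer the primary while it is inside its validity window.
    first = store[wanted[0]]
    if first.is_valid_at(now):
        return first
    if len(wanted) == 1:
        raise ValueError(f"primary {first.thumbprint} is outside its validity period "
                         "and no secondary is configured")
    # Step 3: roll over to the secondary only after the primary has lapsed.
    second = store[wanted[1]]
    if second.is_valid_at(now):
        return second
    raise ValueError("neither certificate is currently valid")


def describe(store: Dict[str, CertInfo], primary: str,
             secondary: Optional[str], now: datetime) -> str:
    """Return a one-line outcome, the kind of pre-deployment check you would run per node."""
    try:
        cert = select_secrets_certificate(store, primary, secondary, now)
        return f"OK: decrypt with {cert.thumbprint}"
    except CertificateNotFound as exc:
        return f"FABRIC_E_CERTIFICATE_NOT_FOUND: {exc}"
    except ValueError as exc:
        return f"INVALID: {exc}"


# Constructed sample certificates; thumbprints are placeholders, not real values.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CERT_1 = CertInfo("1111AAAA",
                  datetime(2022, 1, 1, tzinfo=timezone.utc),
                  datetime(2023, 12, 31, tzinfo=timezone.utc))   # expired primary
CERT_2 = CertInfo("2222BBBB",
                  datetime(2023, 6, 1, tzinfo=timezone.utc),
                  datetime(2025, 6, 1, tzinfo=timezone.utc))     # current secondary

STORE_BOTH = {CERT_1.thumbprint: CERT_1, CERT_2.thumbprint: CERT_2}
STORE_ONLY_SECOND = {CERT_2.thumbprint: CERT_2}   # the asker's node: only the secondary is installed

if __name__ == "__main__":
    # Asker's manifest on the asker's node: the primary is missing, so no rollover happens.
    print(describe(STORE_ONLY_SECOND, "1111AAAA", "2222BBBB", NOW))
    # Same manifest with both installed: the expired primary rolls over to the secondary.
    print(describe(STORE_BOTH, "1111AAAA", "2222BBBB", NOW))
```

The first call reproduces the error from the question: the lookup fails on the primary before the secondary is ever considered, even though the secondary would decrypt the secret. The second call shows the rollover that the secondary is actually for. If only one certificate is installed, the model (like the answer) says to configure only X509FindValue.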