Is it ok to use the same SSL certificate used for public website, for encrypting the AspNet Core Data?



  • Is it secure enough to use the SSL certificate used for public website, for encrypting the AspNet Core Data Protections Keys persisted to Redis?

    Or must I use a separate certificate just for this purpose?

    Code:

    X509Certificate2 certificate = GetCertificate(); // Returns website's SSL pfx cert 
    ConnectionMultiplexer redis = ConnectionMultiplexer.Connect(redisConnectionString);
    services.AddDataProtection()
        .SetApplicationName(appName)
        .PersistKeysToStackExchangeRedis(redis, "DataProtection-Keys")
        .ProtectKeysWithCertificate(certificate);
    


  • You should never re-use cryptographic material for other purposes. If encryption keys are being used for an HTTP server, those keys should stay strictly in use for that service, and not be utilized elsewhere.



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2