With Logic Foreign to RavenDB or External Certificate Storage
The second way to enable authentication is to set
This option is useful when you want to protect your certificate (private key) with another solution such as Azure Key Vault, HashiCorp Vault or even hardware-based protection. RavenDB will invoke a process you specify, so you can write your own scripts or mini-programs and apply whatever logic you need. This creates a clean separation between RavenDB and the secret store in use.
RavenDB expects to receive the raw binary representation (byte array) of the .pfx certificate through the process's standard output.
Let's look at an example. When using Security.Certificate.Load.Exec with a PowerShell script, the settings.json must be stored in each node's Server folder and will look something like this:
"Security.Certificate.Load.Exec.Arguments": "C:\\secrets\\give_me_cert.ps1 90F4BC16CA5E5CB535A6CD8DD78CBD3E88FC6FEA"
A sample PowerShell script called give_me_cert.ps1 that matches the
$thumbprint = $args[0]                                   # first (and only) argument: the certificate thumbprint
$cert = gci "cert:\CurrentUser\my\$thumbprint"           # look the certificate up in the user's personal store
$exportedCertBinary = $cert.Export("Pfx")                # export certificate plus private key as raw PFX bytes
$stdout = [System.Console]::OpenStandardOutput()         # RavenDB reads the PFX bytes from standard output
$stdout.Write($exportedCertBinary, 0, $exportedCertBinary.Length)
$stdout.Flush()
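A more defensive version of the same loader, added here as an example rather than RavenDB's own script. It keeps the contract described above (thumbprint in, raw PFX bytes on standard output, nothing else) and fails with a message on standard error and a non-zero exit code when the thumbprint is malformed, the certificate is missing, or it carries no private key; the exit codes and the CurrentUser\My store location are assumptions.

```powershell
# Hardened loader for Security.Certificate.Load.Exec (added example, not RavenDB's own script).
# Contract taken from the text: RavenDB runs this process with the thumbprint as its argument
# and reads the raw PFX bytes from standard output. Anything else written to stdout
# (Write-Output, stray progress text) would corrupt the certificate, so only bytes go there.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

$ErrorActionPreference = 'Stop'

# Reject anything that is not a 40-hex-character SHA-1 thumbprint before touching the store.
if ($Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
    [Console]::Error.WriteLine("give_me_cert: invalid thumbprint argument")
    exit 2
}

# Store location is an assumption; adjust to wherever the node's certificate is installed.
$certPath = "Cert:\CurrentUser\My\$Thumbprint"
if (-not (Test-Path $certPath)) {
    [Console]::Error.WriteLine("give_me_cert: no certificate $Thumbprint in CurrentUser\My")
    exit 3
}
$cert = Get-Item $certPath

# RavenDB needs the private key; a public-only certificate would fail later, less obviously.
if (-not $cert.HasPrivateKey) {
    [Console]::Error.WriteLine("give_me_cert: certificate $Thumbprint has no private key")
    exit 4
}

try {
    $pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx)
}
catch {
    # Typical cause: the key was imported as non-exportable, which is store policy, not a script bug.
    [Console]::Error.WriteLine("give_me_cert: export failed: $($_.Exception.Message)")
    exit 5
}

# Raw bytes only: no trailing newline, no text.
$stdout = [Console]::OpenStandardOutput()
$stdout.Write($pfxBytes, 0, $pfxBytes.Length)
$stdout.Flush()
exit 0
```

Because the thumbprint is bound positionally, the Security.Certificate.Load.Exec.Arguments line shown above invokes it unchanged.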
In all secure configurations, the ServerUrl must contain the same domain name that is used in the certificate (under the CN or SAN properties).