Oren Eini

aka Ayende Rahien

Oren Eini

CEO of RavenDB

a NoSQL Open Source Document Database

Get in touch with me:

oren@ravendb.net

+972 52-548-6969

Posts: 7,546

Comments: 51,167

filter by tags archive

architecture (599) rss
bugs (447) rss
challanges (123) rss
community (372) rss
databases (480) rss
design (892) rss
development (628) rss
hibernating-practices (69) rss
miscellaneous (592) rss
performance (390) rss
programming (1074) rss
raven (1420) rss
ravendb.net (501) rss
reviews (184) rss

2025
- February (5)
- January (12)
2024
- December (3)
- November (2)
- October (1)
- September (3)
- August (5)
- July (10)
- June (4)
- May (6)
- April (2)
- March (8)
- February (2)
- January (14)
2023
- December (4)
- October (4)
- September (6)
- August (12)
- July (5)
- June (15)
- May (3)
- April (11)
- March (5)
- February (5)
- January (8)
2022
- December (5)
- November (7)
- October (7)
- September (9)
- August (10)
- July (15)
- June (12)
- May (9)
- April (14)
- March (15)
- February (13)
- January (16)
2021
- December (23)
- November (20)
- October (16)
- September (6)
- August (16)
- July (11)
- June (16)
- May (4)
- April (10)
- March (11)
- February (15)
- January (14)
2020
- December (10)
- November (13)
- October (15)
- September (6)
- August (9)
- July (9)
- June (17)
- May (15)
- April (14)
- March (21)
- February (16)
- January (13)
2019
- December (17)
- November (14)
- October (16)
- September (10)
- August (8)
- July (16)
- June (11)
- May (13)
- April (18)
- March (12)
- February (19)
- January (23)
2018
- December (15)
- November (14)
- October (19)
- September (18)
- August (23)
- July (20)
- June (20)
- May (23)
- April (15)
- March (23)
- February (19)
- January (23)
2017
- December (21)
- November (24)
- October (22)
- September (21)
- August (23)
- July (21)
- June (24)
- May (21)
- April (21)
- March (23)
- February (20)
- January (23)
2016
- December (17)
- November (18)
- October (22)
- September (18)
- August (23)
- July (22)
- June (17)
- May (24)
- April (16)
- March (16)
- February (21)
- January (21)
2015
- December (5)
- November (10)
- October (9)
- September (17)
- August (20)
- July (17)
- June (4)
- May (12)
- April (9)
- March (8)
- February (25)
- January (17)
2014
- December (22)
- November (19)
- October (21)
- September (37)
- August (24)
- July (23)
- June (13)
- May (19)
- April (24)
- March (23)
- February (21)
- January (24)
2013
- December (23)
- November (29)
- October (27)
- September (26)
- August (24)
- July (24)
- June (23)
- May (25)
- April (26)
- March (24)
- February (24)
- January (21)
2012
- December (19)
- November (22)
- October (27)
- September (24)
- August (30)
- July (23)
- June (25)
- May (23)
- April (25)
- March (25)
- February (28)
- January (24)
2011
- December (17)
- November (14)
- October (24)
- September (28)
- August (27)
- July (30)
- June (19)
- May (16)
- April (30)
- March (23)
- February (11)
- January (26)
2010
- December (29)
- November (28)
- October (35)
- September (33)
- August (44)
- July (17)
- June (20)
- May (53)
- April (29)
- March (35)
- February (33)
- January (36)
2009
- December (37)
- November (35)
- October (53)
- September (60)
- August (66)
- July (29)
- June (24)
- May (52)
- April (63)
- March (35)
- February (53)
- January (50)
2008
- December (58)
- November (65)
- October (46)
- September (48)
- August (96)
- July (87)
- June (45)
- May (51)
- April (52)
- March (70)
- February (43)
- January (49)
2007
- December (100)
- November (52)
- October (109)
- September (68)
- August (80)
- July (56)
- June (150)
- May (115)
- April (73)
- March (124)
- February (102)
- January (68)
2006
- December (95)
- November (53)
- October (120)
- September (57)
- August (88)
- July (54)
- June (103)
- May (89)
- April (84)
- March (143)
- February (78)
- January (64)
2005
- December (70)
- November (97)
- October (91)
- September (61)
- August (74)
- July (92)
- June (100)
- May (53)
- April (42)
- March (41)
- February (84)
- January (31)
2004
- December (49)
- November (26)
- October (26)
- September (6)
- April (10)

RavenDB Workshops - Deep dive into practical use of Document Data Modeling

Apr 09 2019

X509 Certificates vs. API Keys in RavenDB

time to read 1 min | 148 words

RavenDB 4.x is using X509 Certificates for authentication. We got a feedback question from a customer about that, they much rather to use API Keys, instead.

We actually considered this as part of the design process for 4.x and we concluded that we can make this work in just the same manner as API Keys. Here is how you can make it work.

You have the certificate file (usually PFX) and convert that to a Base64 string, like so:

[System.Convert]::ToBase64String( (gc "cert.pfx" -Encoding byte ) )

You can take the resulting string and store it like an API key, because that is effectively how it is treated. In your application startup, you can use:

And this is it. For all intents and purposes, you can now use the certificate as an API key.

Tweet Share Share 2 comments

Tags:

Comments

09 Apr 2019
10:16 AM

Johannes Rudolph

If only it were that simple... I love the idea of using client-certs. In theory. In practice X.509 is a hot mess of more or less broken/non-compliant/standard-interpreted-in-a-slightly-different-way kind of implementations as well as a ton of user confusion (which PKCS#x is my file here? what parts of it have encryption at rest applied? which password for what etc.)

We tried using client certs from the bundles generated by RavenDB Server 4.1.5-patch-41012 and had the following problems:

Chromium & Firefox would not import the cert on some linux boxes (Fedora 29) while they would work on others
We have JVM clients and they would fail spectactularly trying to load a KeyStore instance from the .pfx files (i.e. sometimes explode directly on load, sometimes only under debugger, sometimes only when actually attempting to use the certificate/key)

In the end, we didn't have the time to properly trace this down though we saw some work being done in that area on RavenDB's that sounded scary enough not to dig in deeper https://github.com/ravendb/ravendb-jvm-client/commit/2631abf0acb8e10fd3c89281930d3cba67b6e7a7 At that point we already spent almost half a day of engineering time on this.

The only workaround that did the trick for us was to generate the cert with a password in RavenDB Server and the "roundtrip" the cert through openssl, stripping the password in the process. The "passwordless" files from RavenDB server didn't work (either with null or "" password when trying to load into a KeyStore). It appears the roundtrip through openssl fixes something important that makes the pfx file more amenable to a JVM running on linux...

~~~

enter "password" on all prompts

openssl pkcs12 -in rvn0.pfx -out rvn0.1.pfx

enter "password" on all prompts, EXCEPT when asking for "Export Password"

openssl pkcs12 -export -in rvn0.1.pfx -out rvn0.2.pfx

When imporing to Chrome or Firefox, leave password empty when prompted

```

10 Apr 2019
06:27 AM

Oren Eini

Johannes , I found that PFX files work great on Windows, but on Linux, it seems that PEM files are have far better support.

If you can send us reproduction steps, we can look into that.

Comment preview

Comments have been closed on this topic.

Markdown turns plain text formatting into fancy HTML formatting.

Phrase Emphasis

*italic*   **bold**
_italic_   __bold__

Links

Inline:

An [example](http://url.com/ "Title")

Reference-style labels (titles are optional):

An [example][id]. Then, anywhere
else in the doc, define the link:
  [id]: http://example.com/  "Title"

Images

Inline (titles are optional):

![alt text](/path/img.jpg "Title")

Reference-style:

![alt text][id]
[id]: /url/to/img.jpg "Title"

Headers

Setext-style:

Header 1
========
Header 2
--------

atx-style (closing #'s are optional):

# Header 1 #
## Header 2 ##
###### Header 6

Lists

Ordered, without paragraphs:

1.  Foo
2.  Bar

Unordered, with paragraphs:

*   A list item.
    With multiple paragraphs.
*   Bar

You can nest them:

*   Abacus
    * answer
*   Bubbles
    1.  bunk
    2.  bupkis
        * BELITTLER
    3. burper
*   Cunning

Blockquotes

> Email-style angle brackets
> are used for blockquotes.
> > And, they can be nested.
> #### Headers in blockquotes
> 
> * You can quote a list.
> * Etc.

Horizontal Rules

Three or more dashes or asterisks:

---
* * *
- - - -

Manual Line Breaks

End a line with two or more spaces:

Roses are red,   
Violets are blue.

Fenced Code Blocks

Code blocks delimited by 3 or more backticks or tildas:

```
This is a preformatted
code block
```

Header IDs

Set the id of headings with {#<id>} at end of heading line:

## My Heading {#myheading}

Tables

Fruit    |Color
---------|----------
Apples   |Red
Pears	 |Green
Bananas  |Yellow

Definition Lists

Term 1
: Definition 1
Term 2
: Definition 2

Footnotes

Body text with a footnote [^1]
[^1]: Footnote text here

Abbreviations

MDD <- will have title
*[MDD]: MarkdownDeep

FUTURE POSTS

RavenDB 7.1: Next-Gen Pagers - 5 days from now
RavenDB 7.1: Write modes - 7 days from now
RavenDB 7.1: Reclaiming disk space - 9 days from now
RavenDB 7.1: Shared Journals - 12 days from now

There are posts all the way to Feb 17, 2025

RECENT SERIES

Challenge (77):
03 Feb 2025 - Giving file system developer ulcer
Answer (13):
22 Jan 2025 - What does this code do?
Production post-mortem (2):
17 Jan 2025 - Inspecting ourselves to death
Performance discovery (2):
10 Jan 2025 - IOPS vs. IOPS

View all series

Syndication

Main feed
Comments feed

}

Oren Eini

CEO of RavenDB

Comments

enter "password" on all prompts

enter "password" on all prompts, EXCEPT when asking for "Export Password"

When imporing to Chrome or Firefox, leave password empty when prompted

Comment preview

Markdown formatting

Phrase Emphasis

Links

Images

Headers

Lists

Blockquotes

Horizontal Rules

Manual Line Breaks

Fenced Code Blocks

Header IDs

Tables

Definition Lists

Footnotes

Abbreviations

FUTURE POSTS

RECENT SERIES

RECENT COMMENTS

Syndication