How to run 'dotnet dev-certs https --trust'?
Solution 1:
On Ubuntu the standard mechanism would be:
-
dotnet dev-certs https -v
to generate a self-signed cert - convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using
openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
- copy
localhost.crt
to/usr/local/share/ca-certificates
- trust the certificate using
sudo update-ca-certificates
- verify if the cert is copied to
/etc/ssl/certs/localhost.pem
(extension changes) - verify if it's trusted using
openssl verify localhost.crt
Unfortunately this does not work:
-
dotnet dev-certs https
generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:
$ openssl verify localhost.crt
CN = localhost
error 20 at 0 depth lookup: unable to get local issuer certificate
error localhost.crt: verification failed
- due to that it's impossible to have a dotnet client trust the certificate
Workaround: (tested on Openssl 1.1.1c)
- manually generate self-signed cert
- trust this cert
- force your application to use this cert
In detail:
-
manually generate self-signed cert:
- create localhost.conf file with the following content:
[req]
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
- generate cert using
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
- convert cert to pfx using
openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
- (optionally) verify cert using
openssl verify -CAfile localhost.crt localhost.crt
which should yieldlocalhost.crt: OK
- as it's not trusted yet using
openssl verify localhost.crt
should fail with
CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed
-
trust this cert:
- copy localhost.crt to
/usr/local/share/ca-certificates
- trust the certificate using
sudo update-ca-certificates
- verify if the cert is copied to
/etc/ssl/certs/localhost.pem
(extension changes) - verifying the cert without the CAfile option should work now
- copy localhost.crt to
$ openssl verify localhost.crt
localhost.crt: OK
-
force your application to use this cert
- update your appsettings.json with the following settings:
"Kestrel": {
"Certificates": {
"Default": {
"Path": "localhost.pfx",
"Password": ""
}
}
}
Solution 2:
While the answer provided by @chrsvdb is helpful it does not solve all problems. I still had issue with service-to-service communication (HttpClient - PartialChain error) and also you must reconfigure Kestrel to use your own certificate. It is possible to create a self-signed certificate and import it to the .NET SDK. All you need is to specify the 1.3.6.1.4.1.311.84.1.1
extension in the certificate.
After that the cert can be imported into .NET Core SDK and trusted. Trusting in Linux is a bit hard as each application can have it's own certificate store. E.g. Chromium and Edge use nssdb which can be configured with certutil
as described John Duffy. Unfortunately the location to the nssdb maybe different when you install application as snap. Then each application has its own database. E.g. for Chromium Snap the path will be $HOME/snap/chromium/current/.pki/nssdb
, for Postman Snap the will be $HOME/snap/postman/current/.pki/nssdb and so on.
Therefor I have created a script which generates the cert, trusts it for Postman Snap, Chmromium Snap, current user nssdb and on system level. It also imports the script into the .NET SDK so it will be used by ASP.NET Core without changing the configuration. You can find more informations about the script in my blog post https://blog.wille-zone.de/post/aspnetcore-devcert-for-ubuntu