How to run 'dotnet dev-certs https --trust'?

Question

I\'m new in ASP.NET.

Environment:

• Ubuntu 18.04

• Visual Studio Code

• .NET SDK 2.2.105

I\'m in troubl

Answer 1

For Chrome:

1. Click "Not Secure" in address bar.
2. Click Certificate.
3. Click Details.
4. Click Export.

Run: certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n {FILE_NAME} -i {FILE_NAME}

Restart Chrome.

Answer 2

On Ubuntu the standard mechanism would be:

• dotnet dev-certs https -v to generate a self-signed cert
• convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
• copy localhost.crt to /usr/local/share/ca-certificates
• trust the certificate using sudo update-ca-certificates
• verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
• verify if it's trusted using openssl verify localhost.crt

Unfortunately this does not work:

• dotnet dev-certs https generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:

$ openssl verify localhost.crt
CN = localhost
error 20 at 0 depth lookup: unable to get local issuer certificate
error localhost.crt: verification failed

• due to that it's impossible to have a dotnet client trust the certificate

Workaround: (tested on Openssl 1.1.1c)

1. manually generate self-signed cert
2. trust this cert
3. force your application to use this cert

In detail:

1. manually generate self-signed cert:

   • create localhost.conf file with the following content:

[req]
default_bits       = 2048
default_keyfile    = localhost.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca

[req_distinguished_name]
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = localhost
commonName_max              = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment

[alt_names]
DNS.1   = localhost
DNS.2   = 127.0.0.1

• generate cert using openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
• convert cert to pfx using openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
• (optionally) verify cert using openssl verify -CAfile localhost.crt localhost.crt which should yield localhost.crt: OK
• as it's not trusted yet using openssl verify localhost.crt should fail with

CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed

2. trust this cert:

   • copy localhost.crt to /usr/local/share/ca-certificates
   • trust the certificate using sudo update-ca-certificates
   • verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
   • verifying the cert without the CAfile option should work now

$ openssl verify localhost.crt 
localhost.crt: OK

3. force your application to use this cert

   • update your appsettings.json with the following settings:

"Kestrel": {
  "Certificates": {
    "Default": {
      "Path": "localhost.pfx",
      "Password": ""
    }
  }
}

Answer 3

Looks like this is a known issue with dotnet global tools and that specific command is only available for MacOS and Windows. See this issue on github: Issue 6066.

It seems like there may be a work around for Linux users based on this SO post: ASP.Net Core application service only listening to Port 5000 on Ubuntu.