问题
On Windows, for .NET Framework classes we can specify sslkeyrepository
as *SYSTEM/*USER.On linux
where does the .NET Core classes search for the certificates
by default and what could be the values for sslkeyrepository
.
回答1:
.Net Core
uses OpenSSL
on Linux, as a result, you need to set up your Linux environment
in the container so that OpenSSL
will pick up the certificate.
You can do this by two ways:
Copying the the certificate
.crt
file to a location thatupdate-ca-certificates
will scan for trusted certificates - e.g./usr/local/share/ca-certificates/
oron RHEL/etc/pki/ca-trust/source/anchors/
:COPY myca.crt /usr/local/share/ca-certificates/
Invoking
update-ca-certificates
:RUN update-ca-certificates
回答2:
For Linux and Mac .NET CORE
will use OpenSSL
.
command to generate a private key and a certificate signing request:
openssl req -config https.config -new -out csr.pem
command to create a self-signed certificate:
openssl x509 -req -days 365 -extfile https.config -extensions v3_req -in csr.pem -signkey key.pem -out https.crt
command to generate a pfx file containing the certificate and the private key that you can use with Kestrel:
openssl pkcs12 -export -out https.pfx -inkey key.pem -in https.crt -password pass:<password>
After that Trust the certificate
This step is optional, but without it the browser will warn you about your site being potentially unsafe. You will see something like the following if you browser doesn’t trust your certificate
:
There is no centralized way of trusting the a certificate on Linux so you can do one of the following:
Exclude the URL you are using in your browsers exclude list
Trust all self-signed certificates on localhost
Add the https.crt to the list of trusted certificates in your browser.
How exactly to achieve this depends on your browser/distro.
You can also reference the complete Kestrel HTTPS sample app
or Follow this Blog Configuring HTTPS in ASP.NET Core across different platforms
回答3:
This page provides a good (and official) summary of the X509Store locations on Linux (and all platforms) for .NET Core.
The short answer is that on Linux, the LocalMachine/Root
store can be opened in ReadOnly mode, and the certificates returned from that store come from the standard Linux system-global certificate directories. @barr-j's answer provides some info on how to you can copy certificates into system directories using Linux commands. However the normal use for these system-global certificates is to specify trusted certificate authorities, NOT as a secure place to store an https certificate (which contains a private key, which shouldn't be accessible by all users on the host).
On Linux with .NET, you can't write to the LocalMachine/Root X509Store
directly, and LocalMachine/My
isn't supported.
If you want your certificate access limited to a specific user (a good idea for https certs), on Linux with .NET you can write to and read from a user-local cert store using new X509Store(StoreName.My, StoreLocation.CurrentUser)
.
来源:https://stackoverflow.com/questions/51745559/where-does-net-core-search-for-certificates-on-linux-platform