Short answer:
It turns out ASP.NET Core looks for specific extensions on the default certificate it uses when configuring Kestrel. If you want a certificate to be picked up, it needs the extension "1.3.6.1.4.1.311.84.1.1" set, and the raw byte value of this extension should be >= 2 (from reading the source code).
Dropping a certificate with this extension (and some other basic extensions) into the "My" store allows the cert to be used by default.
Long answer:
(Read the short answer first)
You can't use an existing certificate. Because ASP.NET Core requires specific extensions on the certificate it uses, you will need to create a new certificate to be used. However, you can still use a certificate signed by a CA, as long as you generate your request correctly.
Assuming use of openssl, you can facilitate this through a configuration file when generating your certificate request:
asp_config.conf
[ req ]
default_bits = 2048
prompt = no
distinguished_name = dn
req_extensions = aspnet
[ dn ]
CN = localhost
[ aspnet ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectAltName = critical, DNS:localhost
1.3.6.1.4.1.311.84.1.1 = DER:02
You can then run the openssl command to generate a signing request using this config:
openssl req -new -config asp_config.conf -keyout local_asp_dev.key -out local_asp_dev.csr -nodes
After generating the request, sign it with your CA.
openssl x509 -req -in local_asp_dev.csr -CA /path/to/CA.pem -CAkey /path/to/CA.key -CAcreateserial -out local_asp_dev.crt -days 365 -sha256 -extensions aspnet -extfile asp_config.conf
You need to specify the extensions to grant to the certificate using the -extensions option. This option looks at the specified configuration section in the referenced file.
Once signed, you need to pack your certificate into a pfx file:
openssl pkcs12 -in local_asp_dev.crt -inkey local_asp_dev.key -export -out local_asp_dev.pfx
After packing your certificate, simply drop it into your "My" store - ASP.NET will pick it up and use it to serve your HTTPS endpoints. (You may need to remove any other development certificates that were automatically created in this store).
mv local_asp_dev.pfx ~/.dotnet/corefx/cryptography/x509stores/my/
Note that the location of this store on Linux is considered an internal implementation detail and is subject to change. It's also entirely possible that future versions of ASP.NET Core will require different extension values.
This solution was developed and tested against ASP.NET Core 3.1.
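Added example, not part of the answer above: a POSIX shell script that runs the answer's openssl steps end to end against a throwaway local CA and then uses openssl asn1parse to confirm that the signed certificate really carries the ASP.NET Core OID with a value byte of 2 or more before the pfx goes into the store. The "Example Dev CA", the file names and the temp directory are assumptions constructed for the example; only openssl on PATH is required.

```shell
# Added example (not the answer's own script): runs the answer's openssl flow end to end
# against a throwaway local CA, then verifies the signed certificate really carries the
# ASP.NET Core OID with a value byte >= 2. Assumes openssl on PATH; names are constructed.
set -eu
ASPNET_OID="1.3.6.1.4.1.311.84.1.1"
# Write the answer's request config to $1 (prompt = no keeps openssl non-interactive).
write_aspnet_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = dn
req_extensions = aspnet
[ dn ]
CN = localhost
[ aspnet ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectAltName = critical, DNS:localhost
1.3.6.1.4.1.311.84.1.1 = DER:02
EOF
}
# Throwaway CA (constructed for the example), CSR, CA-signed cert and pfx, all in $1.
generate_aspnet_cert() {
    dir="$1"
    write_aspnet_config "$dir/asp_config.conf"
    openssl req -x509 -config "$dir/asp_config.conf" -subj "/CN=Example Dev CA" -days 30 \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -config "$dir/asp_config.conf" -nodes \
        -keyout "$dir/local_asp_dev.key" -out "$dir/local_asp_dev.csr" 2>/dev/null
    openssl x509 -req -in "$dir/local_asp_dev.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extensions aspnet -extfile "$dir/asp_config.conf" \
        -out "$dir/local_asp_dev.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/local_asp_dev.crt" -inkey "$dir/local_asp_dev.key" \
        -passout pass: -out "$dir/local_asp_dev.pfx"
}
# Print the decimal value of the first byte of the ASP.NET OID extension in cert $1 (nothing
# if absent). asn1parse output is easier to parse than the hex dump -text shows for unknown OIDs.
aspnet_oid_version() {
    hex=$(openssl asn1parse -in "$1" | awk -v oid=":$ASPNET_OID" '
        found && /OCTET STRING/ { sub(/.*\[HEX DUMP]:/, ""); print substr($0, 1, 2); exit }
        $NF == oid { found = 1 }')
    if [ -n "$hex" ]; then printf '%d\n' "0x$hex"; fi
}
WORK=$(mktemp -d)
generate_aspnet_cert "$WORK"
echo "ASP.NET OID version byte: $(aspnet_oid_version "$WORK/local_asp_dev.crt")"
```

The same check run against a certificate without the extension prints nothing, which is the quickest way to see why an existing certificate is silently ignored by Kestrel.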
Additional References: