security - How can I change the default SSL certificate for local development in ASP.NET core?

Question

How would I be able to configure my own certificate as the "default" used by Kestrel when running local ASP.NET core apps on Linux?

I know that I can run the dotnet dev-certs https command to generate a new development certificate, but that will generate a new self-signed certificate. I don't want to have to trust this certificate - I already have my own local CA for development and would like to sign a cert for use by ASP.NET core.

I also know that you can configure the cert Kestrel uses within my app code (https://devblogs.microsoft.com/aspnet/configuring-https-in-asp-net-core-across-different-platforms/), but I don't believe this should be part of the application. It's my personal preference to use my own CA-signed cert locally, and I don't want to force other developers to manage their own certificates if they're happy trusting the auto-generated cert.

I have tried dropping a certificate into the local "My" certificate store where the self-signed development cert gets created (~/.dotnet/corefx/cryptography/x509stores/my/), but it doesn't get used - I get the error that happens when you don't have a cert at all:

crit: Microsoft.AspNetCore.Server.Kestrel[0] Unable to start Kestrel. System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found or is out of date.

Is it possible to configure my own certificate, or am I forced to use the one generated by dotnet core?

Answer 1

Short answer:

It turns out ASP.NET core looks for specific extensions on the default certificate it uses when configuring Kestrel. If you want a certificate to be picked up, it needs the extension "1.3.6.1.4.1.311.84.1.1" set, and the raw byte value of this extension should be >= 2 (from reading the source code).

Dropping a certificate with this extension (and some other basic extensions) into the "My" store allows the cert to be used by default.

Long answer:

(Read the short answer first)

You can't use an existing certificate. Because ASP.NET core requires specific extensions on the certificate it uses, you will need to create a new certificate to be used. However, you still can use a certificate signed by a CA, as long as you generate your request correctly.

Assuming use of openssl, you can facilitate this through a configuration file when generating your certificate request:

asp_config.conf

[ req ]
default_bits = 2048
distinguished_name = dn
req_extensions = aspnet

[ dn ]
CN = localhost

[ aspnet ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectAltName = critical, DNS:localhost
1.3.6.1.4.1.311.84.1.1 = DER:02

You can then run the openssl command to generate a signing request using this config:

openssl req -new -config asp_config.conf -keyout local_asp_dev.key -out local_asp_dev.csr -nodes

After generating the request, sign it with your CA.

openssl x509 -req -in local_asp_dev.csr -CA /path/to/CA.pem -CAkey /path/to/CA.key -CAcreateserial -out local_asp_dev.crt -days 365 -sha256 -extensions aspnet -extfile asp_config.conf

You need to specify the extensions to grant to the certificate using the -extensions option. This options looks at the specified configuration section in the referenced file.

Once signed, you need to pack your certificate into a pfx file:

openssl pkcs12 -in local_asp_dev.crt -inkey local_asp_dev.key -export -out local_asp_dev.pfx

After packing your certificate, simply drop it into your "My" store - ASP.NET will pick it up and use it to serve your HTTPS endpoints. (You may need to remove any other development certificates that were automatically created in this store).

mv local_asp_dev.pfx ~/.dotnet/corefx/cryptography/x509stores/my/

Note that the location of this store on Linux is considered an internal implementation detail and is subject to change. It's also entirely possible that future versions of ASP.NET core will require different extension values.

This solution was developed and tested against ASP.NET Core 3.1

Additional References:

• "My" store: https://docs.microsoft.com/en-us/dotnet/standard/security/cross-platform-cryptography#the-my-store
• openssl config: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
• Extension granting when signing with a CA: https://access.redhat.com/solutions/28965