Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
813 views
in Technique[技术] by (71.8m points)

asp.net - How to run 'dotnet dev-certs https --trust'?

I'm new in ASP.NET.

Environment:

  • Ubuntu 18.04

  • Visual Studio Code

  • .NET SDK 2.2.105

I'm in trouble with some command running.

I was reading tutorial at

https://docs.microsoft.com/ja-jp/aspnet/core/tutorials/razor-pages/razor-pages-start?view=aspnetcore-2.2&tabs=visual-studio-code

and ran this command:

dotnet dev-certs https --trust

I expect https://localhost should be trusted. but I found the error message;

$ Specify --help for a list of available options and commands.

It seems that the command "dotnet dev-certs https" has no --trust options. How to resolve this problem?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

On Ubuntu the standard mechanism would be:

  • dotnet dev-certs https -v to generate a self-signed cert
  • convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
  • copy localhost.crt to /usr/local/share/ca-certificates
  • trust the certificate using sudo update-ca-certificates
  • verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
  • verify if it's trusted using openssl verify localhost.crt

Unfortunately this does not work:

$ openssl verify localhost.crt
CN = localhost
error 20 at 0 depth lookup: unable to get local issuer certificate
error localhost.crt: verification failed
  • due to that it's impossible to have a dotnet client trust the certificate

Workaround: (tested on Openssl 1.1.1c)

  1. manually generate self-signed cert
  2. trust this cert
  3. force your application to use this cert

In detail:

  1. manually generate self-signed cert:

    • create localhost.conf file with the following content:
[req]
default_bits       = 2048
default_keyfile    = localhost.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca

[req_distinguished_name]
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = localhost
commonName_max              = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment

[alt_names]
DNS.1   = localhost
DNS.2   = 127.0.0.1
  • generate cert using openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
  • convert cert to pfx using openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
  • (optionally) verify cert using openssl verify -CAfile localhost.crt localhost.crt which should yield localhost.crt: OK
  • as it's not trusted yet using openssl verify localhost.crt should fail with
CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed
  1. trust this cert:

    • copy localhost.crt to /usr/local/share/ca-certificates
    • trust the certificate using sudo update-ca-certificates
    • verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
    • verifying the cert without the CAfile option should work now
$ openssl verify localhost.crt 
localhost.crt: OK
  1. force your application to use this cert

    • update your appsettings.json with the following settings:
"Kestrel": {
  "Certificates": {
    "Default": {
      "Path": "localhost.pfx",
      "Password": ""
    }
  }
}

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...