How to run ‘dotnet dev-certs https –trust’?

On Ubuntu the standard mechanism would be:

• dotnet dev-certs https -v to generate a self-signed cert
• convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
• copy localhost.crt to /usr/local/share/ca-certificates
• trust the certificate using sudo update-ca-certificates
• verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
• verify if it’s trusted using openssl verify localhost.crt

Unfortunately this does not work:

• dotnet dev-certs https generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:

$ openssl verify localhost.crt
CN = localhost
error 20 at 0 depth lookup: unable to get local issuer certificate
error localhost.crt: verification failed

• due to that it’s impossible to have a dotnet client trust the certificate

Workaround: (tested on Openssl 1.1.1c)

1. manually generate self-signed cert
2. trust this cert
3. force your application to use this cert

In detail:

1. manually generate self-signed cert:

   • create localhost.conf file with the following content:

[req]
default_bits       = 2048
default_keyfile    = localhost.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca

[req_distinguished_name]
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = localhost
commonName_max              = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment

[alt_names]
DNS.1   = localhost
DNS.2   = 127.0.0.1

• generate cert using openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
• convert cert to pfx using openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
• (optionally) verify cert using openssl verify -CAfile localhost.crt localhost.crt which should yield localhost.crt: OK
• as it’s not trusted yet using openssl verify localhost.crt should fail with

CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed

2. trust this cert:

   • copy localhost.crt to /usr/local/share/ca-certificates
   • trust the certificate using sudo update-ca-certificates
   • verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
   • verifying the cert without the CAfile option should work now

$ openssl verify localhost.crt 
localhost.crt: OK

3. force your application to use this cert

   • update your appsettings.json with the following settings:

"Kestrel": {
  "Certificates": {
    "Default": {
      "Path": "localhost.pfx",
      "Password": ""
    }
  }
}