Reputation:
Problem:
Trying to implement SSL on Kestrel/.NET Core
Error Message:
Managed Debugging Assistant 'FatalExecutionEngineError' has detected a problem in 'C:\my.exe'. Additional information: The runtime has encountered a fatal error. The address of the error was at 0x053150a3, on thread 0x1c44. The error code is 0xc0000005. This error may be a bug in the CLR or in the unsafe or non-verifiable portions of user code. Common sources of this bug include user marshaling errors for COM-interop or PInvoke, which may corrupt the stack.
Requested Answer:
I suspect my problem is my certificate as explained below. If this is in fact true I would appreciate a step-by-step description on how to create the .pfx file. Also, I don't understand how the cert is stored: Do IIS and IIS Express each require a distinct cert, or do they look in the registry and use a common cert?
Code:
public static void Main(string[] args)
{
    string env = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
    var config = new ConfigurationBuilder()
        .SetBasePath(Directory.GetCurrentDirectory())
        .AddJsonFile("hosting.json", optional: true)
        .AddJsonFile($"appsettings.{env}.json", optional: false)
        .AddCommandLine(args) // will get server.urls from command line
        .Build();
    X509Certificate2 xCert = new X509Certificate2("localhostSSLCert.pfx", config["Data:SSLPassword"]);
    var host = new WebHostBuilder()
        .UseKestrel(x => x.UseHttps(xCert))
        .UseConfiguration(config)
        .UseContentRoot(Directory.GetCurrentDirectory())
        //.UseUrls("http://localhost:53389/")
        .UseIISIntegration()
        .UseStartup<Startup>()
        .Build();
    try
    {
        host.Run();
    }
    catch (Exception ex)
    {
        string y = ex.Message;
    }
}
What I've done to debug:
When I step through my code and look at the cert (xCert in my code), it appears to be a valid object, meaning .NET has read the file correctly (I see my domain name etc.).
However I still suspect my problem is the cert. I've found numerous articles that attempt to explain how to generate the .pfx file.
The primary article I used to generate the .pfx file I am using is this:
https://blogs.msdn.microsoft.com/robert_mcmurray/2013/11/15/how-to-trust-the-iis-express-self-signed-certificate/
Other articles I've researched:
creating valid test SSL certificates for IIS
http://dotnetthoughts.net/how-to-setup-https-on-kestrel/
http://rainabba.blogspot.com/2014/03/ssl-certs-for-iis-with-pfx-once-and-for.html
I am unable to export a cert using the Certificate MMC snap-in. The .pfx option is always disabled.
project.json
{
  "version": "1.0.0-*",
  "userSecretsId": "aspnet-WebApp1-c23d27a4-eb88-4b18-9b77-2a93u3b15119",
  "dependencies": {
    "Microsoft.Extensions.Logging": "1.0.0",
    "Blog.Core": "1.0.0-*",
    "Blog.Domain": "1.0.0-*",
    "Blog.Model": "1.0.0-*",
    "Blog.Services": "1.0.0-*",
    "Microsoft.Extensions.Caching.Memory": "1.0.0",
    "Microsoft.Extensions.Caching.Abstractions": "1.0.0",
    "Microsoft.AspNetCore.Server.IISIntegration": "1.0.0",
    "Microsoft.AspNetCore.Session": "1.0.0",
    "Microsoft.Extensions.Configuration.EnvironmentVariables": "1.0.0",
    "Microsoft.Extensions.Configuration.FileExtensions": "1.0.0",
    "Microsoft.Extensions.Configuration.Json": "1.0.0",
    "Microsoft.Extensions.Logging.Console": "1.0.0",
    "Microsoft.Extensions.Logging.Debug": "1.0.0",
    "NETStandard.Library": "1.6.0",
    "Autofac.Extensions.DependencyInjection": "4.0.0",
    "Microsoft.Extensions.Configuration.CommandLine": "1.0.0",
    "Microsoft.AspNetCore.Mvc": "1.0.1",
    "Microsoft.AspNetCore.Server.Kestrel": "1.0.1",
    "Autofac": "4.1.1",
    "Microsoft.ApplicationInsights.AspNetCore": "1.0.2",
    "Microsoft.AspNetCore.Server.Kestrel.Https": "1.0.1"
  },
  "tools": {
    "Microsoft.AspNetCore.Server.IISIntegration.Tools": "1.0.0-preview2-final"
  },
  "frameworks": {
    "net462": {
      "frameworkAssemblies": {
        "System.Drawing": "4.0.0.0"
      }
    }
  },
  "buildOptions": {
    "emitEntryPoint": true,
    "preserveCompilationContext": true
  },
  "runtimeOptions": {
    "gcServer": true
  },
  "publishOptions": {
    "include": [
      "wwwroot",
      "Views",
      "appsettings.json",
      "appsettings.prod.json",
      "appsettings.development.json",
      "logs",
      "web.config"
    ]
  },
  "scripts": {
    "postpublish": [ "dotnet publish-iis --publish-folder %publish:OutputPath% --framework %publish:FullTargetFramework%" ]
  }
}
Upvotes: 2
Views: 7032
Reputation: 49779
To be sure that the problem is only with your certificate, try using the test certificate from the Kestrel sample.
As the certificate needs a password (testPassword), use the second version of KestrelServerOptions.UseHttps(). Example from the GitHub sample:
var host = new WebHostBuilder()
    .UseKestrel(options =>
    {
        // options.ThreadCount = 4;
        options.NoDelay = true;
        // Overload that loads the .pfx from a file path with its password
        options.UseHttps("testCert.pfx", "testPassword");
        options.UseConnectionLogging();
    })
    .UseUrls("http://localhost:5000", "https://localhost:5001")
    .UseStartup<Startup>()
    .Build();
Don't forget to include the certificate in the publish process (include it in publishOptions in project.json).
"publishOptions": {
  "include": [
    ...,
    "testCert.pfx"
  ]
}
Upvotes: 2
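A certificate object that shows the expected subject in the debugger can still lack what a TLS server needs. The following is an added example, not code from the question or the answer: it checks a loaded certificate for a private key, its validity window and Server Authentication usage before it is handed to UseHttps. `PfxPreflight` and `Check` are hypothetical names, and the constructed sample certificate is generated with CertificateRequest, which assumes .NET Framework 4.7.2 or .NET Core 2.0 or later rather than the question's net462.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PfxPreflight // hypothetical helper, not part of Kestrel
{
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth
    // Returns the reasons a certificate cannot serve TLS; an empty list means it passed.
    public static List<string> Check(X509Certificate2 cert, DateTime now)
    {
        var problems = new List<string>();
        if (!cert.HasPrivateKey)
            problems.Add("no private key: this is a public certificate only");
        if (now < cert.NotBefore || now > cert.NotAfter)
            problems.Add($"outside validity window {cert.NotBefore:u} .. {cert.NotAfter:u}");
        foreach (X509Extension ext in cert.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue; // no EKU extension means usage is unrestricted
            bool serverAuth = false;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                serverAuth |= oid.Value == ServerAuthOid;
            if (!serverAuth) problems.Add("EKU present but lacks Server Authentication");
        }
        return problems;
    }
    static void Main()
    {
        // Constructed sample: a throwaway self-signed localhost certificate.
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=localhost", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 full = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30)))
            {
                byte[] pfx = full.Export(X509ContentType.Pfx, "constructed-password");
                byte[] cerOnly = full.Export(X509ContentType.Cert); // public part only
                var withKey = new X509Certificate2(pfx, "constructed-password");
                var withoutKey = new X509Certificate2(cerOnly);
                // Both objects show the same subject; only the first can serve TLS.
                Console.WriteLine($"{withKey.Subject}: {Check(withKey, DateTime.Now).Count} problem(s)");
                foreach (string p in Check(withoutKey, DateTime.Now))
                    Console.WriteLine($"{withoutKey.Subject}: {p}");
            }
        }
    }
}
```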