aherrick

Reputation: 20179

Windows not accepting Self Signed SSL Certificate

Locally I've created and exported a Self Signed certificate using IIS. The result is a PFX file.

I've loaded that into my ASP.NET Core solution and am spinning up Kestrel like the following:

var certificatePath = Path.GetFullPath(Path.Combine(Directory.GetCurrentDirectory(), "cert.pfx"));
var certificate = new X509Certificate2(certificatePath, "certpass");

HostWeb = builder
    .UseKestrel(options =>
    {
        options.Listen(IPAddress.Loopback, 44321, listenOptions =>
        {
            listenOptions.UseHttps(certificate);
        });
    })
    .UseUrls("https://localhost:44321")
    .UseEnvironment("Test").Build();
HostWeb.Start();

When I run Chrome against this Web server it's still showing not secure.

What am I missing here? Is there anything else I need to configure?

Upvotes: 0

Views: 2811

Answers (2)

Daboul

Reputation: 2743

I believe you need to register this certificate on the OS level so that it is seen as a valid one. A self-signed certificate won't be by default. I used that link to do it: https://www.humankode.com/asp-net-core/develop-locally-with-https-self-signed-certificates-and-asp-net-core

Particularly that part:

# import the pfx certificate
Import-PfxCertificate -FilePath $pfxFilePath Cert:\LocalMachine\My -Password $pfxPassword -Exportable

# trust the certificate by importing the pfx certificate into your trusted root
Import-Certificate -FilePath $cerFilePath -CertStoreLocation Cert:\CurrentUser\Root

# optionally delete the physical certificates (don’t delete the pfx file as you need to copy this to your app directory)
# Remove-Item $pfxFilePath
Remove-Item $cerFilePath

UPDATE: Your code is setting the certificate your server will present to the client during the secured connection initialization, the handshake. But then your client has to be able to recognize this certificate as a valid one: it needs to trust it, to trust the authority that issued this certificate. For instance, you trust stackoverflow because you trust the authority DigiCert that delivered the certificate their server is presenting to your client.

UPDATE 2: new article on the topic: https://www.hanselman.com/blog/DevelopingLocallyWithASPNETCoreUnderHTTPSSSLAndSelfSignedCerts.aspx

Upvotes: 0

PKI Guy

Reputation: 43

Export the certificate from Chrome, by clicking on "Not Secure", then "Certificate", "Details" tab, and then "Copy to file...", and select a file to write the certificate on your disk.

Then, double-click on the certificate, and click on "Install Certificate...", keep "Store location" as "Current User", select "Place all certificates in the following store", select "Trusted Root Certification Authorities", and then finish the wizard.

The warning that you get will disappear.

Attention: this should be applied only in a development environment.

Upvotes: 1
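Both answers come down to placing the certificate in a Trusted Root store. The following is an added example, not code from the question or from either answer, that checks whether that import took effect and whether the certificate can match the host at all. `Test-DevCertTrust` is a hypothetical helper name; `cert.pfx` and `certpass` are the values shown in the question.

```powershell
# Added example: hypothetical helper, not part of the original answers.
function Test-DevCertTrust {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $HostName = 'localhost'   # name the browser connects to
    )
    $path = (Resolve-Path $PfxPath).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path, $PfxPassword)

    # 1. Is this exact certificate (by thumbprint) in a trusted root store?
    $inUserRoot    = Test-Path "Cert:\CurrentUser\Root\$($cert.Thumbprint)"
    $inMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"

    # 2. Does Windows build a trusted chain? Revocation is skipped because a
    #    self-signed certificate has no CRL or OCSP endpoint to query.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # 3. Does the Subject Alternative Name (OID 2.5.29.17) cover the host?
    #    Chrome ignores the subject CN, so a trusted certificate without a
    #    matching SAN entry is still reported as not secure.
    #    The regex keys on the "=" or ":" separator, not the (localized) label.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $sanOk = [bool](($sanText -split ',\s*') -match "[=:]$([regex]::Escape($HostName))$")

    # 4. Is the certificate inside its validity window?
    $now = Get-Date
    $dateOk = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        InUserRoot    = $inUserRoot
        InMachineRoot = $inMachineRoot
        ChainTrusted  = $chainOk
        ChainStatus   = $chainStatus
        SanCoversHost = $sanOk
        DatesValid    = $dateOk
    }
}

# Usage with the file name and password from the question.
$pw = ConvertTo-SecureString 'certpass' -AsPlainText -Force
Test-DevCertTrust -PfxPath .\cert.pfx -PfxPassword $pw
```

A result with `InUserRoot` false and a `ChainStatus` of `UntrustedRoot` means the import into the root store has not taken effect for the current user. `SanCoversHost` false points to a name mismatch that trusting the certificate will not fix.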
