M.M

Reputation: 141534

How to use SSL certificate from store with appsettings.json and Kestrel

I am trying to use an SSL server certificate from the Local Computer store with a Blazor application (Kestrel webserver). It works correctly to use a local PFX with key, but I would like to improve security by using a certificate from the store instead.

The documentation only says:

"Certificate": {
  "Subject": "<subject; required>",
  "Store": "<certificate store; required>",
  "Location": "<location; defaults to CurrentUser>",
  "AllowInvalid": "<true or false; defaults to false>"
}

but offers no advice on what values to put in for "Subject", "Store", and "Location".

My certificate is under "Certificates - Local Computer" > "Personal" > "Certificates".

Image of certificate location

The subject has 5 parts (CN, O, L, S, C). I have tried in appsettings.json:

"Certificate": {
  "Subject": "*.foo.com",
  "Store": "Local Computer/Personal/Certificates",
  "AllowInvalid": true
}

and various other attempts for these values, but on launching the app, it always throws an exception: System.InvalidOperationException: The requested certificate *.foo.com could not be found in CurrentUser/Local Computer/Personal/Certificates with AllowInvalid setting: True.

Similar question on GitHub; that person's solution used "My" for "Store", but that didn't work for me either (same error).

Upvotes: 2

Views: 1275

Answers (1)

M.M

Reputation: 141534

After some further trial and error, the following worked:

"Certificate": {
  "Subject": "*.foo.com",
  "Location": "LocalMachine",
  "AllowInvalid": true
}

Leaving out "Store" entirely. (Please comment on or edit this answer if you can explain why leaving out Store works.)

The exception generated when the certificate was not found suggested that it internally calls a function, CertificateLoader.LoadFromStoreCert. This function's documentation is not great either, but slightly better than the Kestrel documentation page; it said:

  • "Location" has two possible valid values, CurrentUser and LocalMachine.
  • Exact subject match is loaded if present, otherwise best matching certificate with the subject name that contains supplied subject. Subject comparison is case-insensitive.

suggesting the "Subject" parameter could be any unique substring of the certificate's Subject perhaps.

Upvotes: 2
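An added example (not code from the question, the answer or ASP.NET Core itself) that reproduces the lookup behaviour the answer quotes, so you can check which certificate Kestrel would pick before editing appsettings.json. It assumes the mapping of the JSON fields onto X509Store ("Store" maps to a StoreName and defaults to "My", the store MMC shows as "Personal"; "Location" maps to a StoreLocation) and reuses the subject *.foo.com from the question.

```csharp
// Added example: mimics the store lookup described in the answer.
// Assumption (not from the page): "Store" -> StoreName, default "My" when omitted;
// "Location" -> StoreLocation; "AllowInvalid" -> whether expired/untrusted certs are considered.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class StoreCertLookup
{
    // subject:  the "Subject" value from appsettings.json, e.g. "*.foo.com"
    // store:    the "Store" value, or null to use the default ("My" = Personal in MMC)
    // location: "CurrentUser" or "LocalMachine"
    public static X509Certificate2? Find(string subject, string? store, string location, bool allowInvalid)
    {
        var storeName = string.IsNullOrEmpty(store) ? StoreName.My.ToString() : store;
        var storeLocation = Enum.Parse<StoreLocation>(location, ignoreCase: true);

        using var x509Store = new X509Store(storeName, storeLocation);
        x509Store.Open(OpenFlags.ReadOnly);

        // FindBySubjectName is a case-insensitive substring match on the Subject field,
        // which is why a unique fragment such as "*.foo.com" is enough to hit the cert.
        // validOnly: false (AllowInvalid = true) also returns expired or untrusted certificates.
        var candidates = x509Store.Certificates
            .Find(X509FindType.FindBySubjectName, subject, validOnly: !allowInvalid)
            .OfType<X509Certificate2>()
            .Where(c => c.HasPrivateKey)   // Kestrel needs the private key to terminate TLS
            .ToList();

        // Prefer an exact CN match, then the remaining candidate that expires last.
        return candidates
            .OrderByDescending(c => c.GetNameInfo(X509NameType.SimpleName, false)
                                     .Equals(subject, StringComparison.OrdinalIgnoreCase))
            .ThenByDescending(c => c.NotAfter)
            .FirstOrDefault();
    }

    static void Main()
    {
        // Mirrors the working configuration from the answer: Subject plus Location only.
        var cert = Find("*.foo.com", store: null, location: "LocalMachine", allowInvalid: false);
        Console.WriteLine(cert is null
            ? "No valid certificate with a private key matches in LocalMachine/My"
            : $"Would load: {cert.Subject} (thumbprint {cert.Thumbprint}, expires {cert.NotAfter:u})");
    }
}
```

Running it under the same account as the app also surfaces the other usual cause of "could not be found": the service identity lacks read access to the private key in the LocalMachine store.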
