Brainless

Reputation: 1758

How to setup a custom SSL certificate for a local ASP.NET Core Web API on Windows?

I'm developing an ASP.NET Core Web API and running it locally from a docker container using a self-signed certificate generated with OpenSSL. Everything works as expected when SSL certificate validation is disabled in Postman, but requests fail with SSL validation enabled. The browser also shows a "Your connection is not private" error.

Here's how I generated the certificate:

Generated a private key:

openssl genrsa -out localhost.key 2048

Created a Certificate Signing Request (CSR):

openssl req -new -key localhost.key -out localhost.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=localhost"

Generated a self-signed certificate:

openssl x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt

Converted the .crt and .key files to a .pfx file for Kestrel:

openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt -password pass:yourpassword

I've configured Kestrel in Program.cs to use the .pfx file:

builder.WebHost.ConfigureKestrel(options =>
{
    options.ListenAnyIP(32769, listenOptions =>
    {
        listenOptions.UseHttps("localhost.pfx", "yourpassword");
    });
});

I've also imported the .crt file into the Trusted Root Certification Authorities store using certlm.msc.

Despite this, Postman fails when SSL certificate validation is enabled, and the browser still warns that the connection is not private.

Questions

Any help or suggestions would be greatly appreciated!

What I've tried

Upvotes: 0

Views: 62

Answers (1)

Qiang Fu

Reputation: 8335

The browser shows "Your connection is not private" because the "SAN" (Subject Alternative Names) isn't set, which needs to be the same as the CN and is a little tricky to configure. These are my steps:

At the beginning, openssl.cnf needn't be configured; you could use the default:

1. openssl genrsa -out ca.key 2048
2. openssl req -new -key ca.key -out ca.csr -config openssl.cnf
3. openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
4. openssl genrsa -out server.key 2048
5. openssl req -new -out server.csr -key server.key -config openssl.cnf

Now you need to configure openssl.cnf to add the SAN before continuing (see https://easyengine.io/wordpress-nginx/tutorials/ssl/multidomain-ssl-subject-alternative-names/):

6. openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -extensions v3_req -config openssl.cnf
7. openssl pkcs12 -export -in server.crt -inkey server.key -out private_certificate.pfx

Finally, use private_certificate.pfx as the server certificate and make sure ca.crt is in the trusted root store; then there will be no warning.

Upvotes: 1
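The answer's two requirements are a SAN that matches the hostname and an issuing CA that sits in the trusted root store. As an added example, not taken from the question or the answer, the POSIX shell script below does the same issuance with an -extfile instead of editing openssl.cnf, then checks the result the way a client does (chain validation plus SAN match); the directory, the CA name and the PFX password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the question or answer): issue a localhost cert
# with a SAN from a local CA, using -extfile instead of editing openssl.cnf.
# Paths, the CA name and the PFX password below are constructed placeholders.

make_local_certs() {
  dir="$1"
  mkdir -p "$dir"
  # Local CA: self-signed, gets CA:TRUE from openssl's default v3_ca section.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Local Dev CA" 2>/dev/null
  # Server key and CSR; a CN alone is not enough for browsers, hence the SAN below.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=localhost" 2>/dev/null
  # Extension file: this is what the default openssl.cnf lacks.
  cat > "$dir/san.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:localhost,IP:127.0.0.1
EOF
  # Sign the CSR with the CA and attach the extensions.
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.ext" \
    -out "$dir/server.crt" 2>/dev/null
  # Bundle for Kestrel's UseHttps("server.pfx", password); ca.crt goes in the trusted root store.
  openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
    -out "$dir/server.pfx" -password pass:changeit 2>/dev/null
}

# Returns 0 only if server.crt chains to ca.crt AND lists $2 as a DNS SAN,
# which is the pair of checks a browser or Postman performs.
verify_san_chain() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -text | grep -qE "DNS:${host}(,|$)"
}

# Usage: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  out="$(mktemp -d)"
  make_local_certs "$out"
  verify_san_chain "$out" localhost && echo "certificates written to $out"
fi
```

Import ca.crt (not server.crt) into the Trusted Root Certification Authorities store and point UseHttps at server.pfx; a certificate whose SAN does not list the requested host still fails the second check even when the chain is trusted.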
