On Ubuntu the standard mechanism would be:

  • dotnet dev-certs https -v to generate a self-signed cert
  • convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using openssl pkcs12 -in .pfx -nokeys -out localhost.crt -nodes
  • copy localhost.crt to /usr/local/share/ca-certificates
  • trust the certificate using sudo update-ca-certificates
  • verify that the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
  • verify that it’s trusted using openssl verify localhost.crt

Unfortunately this does not work:

-> dotnet dev-certs https generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:

$ openssl verify localhost.crt
CN = localhost
error 20 at 0 depth lookup: unable to get local issuer certificate
error localhost.crt: verification failed

-> due to that it’s impossible to have a dotnet client trust the certificate

Workaround: (tested on OpenSSL 1.1.1c)

  1. manually generate self-signed cert
  2. trust this cert
  3. force your application to use this cert

In detail:

  1. manually generate self-signed cert:
    • create localhost.conf file with the following content:
[req]
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca

[req_distinguished_name]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature, keyEncipherment

[alt_names]
DNS.1 = localhost
DNS.2

CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed

  2. trust this cert:
    • copy localhost.crt to /usr/local/share/ca-certificates
    • trust the certificate using sudo update-ca-certificates
    • verify that the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
    • verifying the cert without the CAfile option should work now

$ openssl verify localhost.crt
localhost.crt: OK

  3. force your application to use this cert
    • update your appsettings.json with the following settings:

"Kestrel": {
  "Certificates": {
    "Default": {
      "Path": "localhost.pfx",
      "Password": ""
    }
  }
}
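The three steps of the workaround as one script. This is an added example and not part of the original post: it writes the same request config (SAN for localhost, keyUsage including keyCertSign so OpenSSL accepts the self-signed cert as its own issuer), issues the cert, bundles it into the localhost.pfx that the appsettings.json above points at, and exposes checks for each property the post relies on. The 365-day validity, the empty PFX password, the extra IP.1 SAN entry, the output directory argument and the function names are my assumptions; install_trust is the sudo step and is never run automatically.

```shell
#!/bin/sh
# Added example, not from the original post: the workaround as a script.
# Assumptions (mine, not the post's): 365-day validity, empty PFX password to
# match appsettings.json, an extra IP.1 SAN, output directory as first argument.
set -eu

# Request config from the post. keyCertSign in keyUsage is the important bit:
# without it OpenSSL refuses the self-signed cert as its own issuer (error 20).
write_conf() {
  cat > "$1/localhost.conf" <<'EOF'
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca

[req_distinguished_name]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature, keyEncipherment

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
}

# Step 1: self-signed cert + key, then the PKCS#12 bundle Kestrel loads.
make_cert() {
  out="$1"
  mkdir -p "$out"
  write_conf "$out"
  # -subj skips the interactive DN prompt; -x509 applies the v3_ca extensions.
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$out/localhost.key" -out "$out/localhost.crt" \
    -config "$out/localhost.conf" -subj "/CN=localhost" >/dev/null 2>&1
  # Empty export password so "Password": "" in appsettings.json matches.
  openssl pkcs12 -export -out "$out/localhost.pfx" \
    -inkey "$out/localhost.key" -in "$out/localhost.crt" -passout pass:
}

# The property dev-certs output lacks per the post: keyUsage with Certificate Sign.
has_cert_sign() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Key Usage' | grep -q 'Certificate Sign'
}

# The SAN a .NET client will match the host name against.
has_san_localhost() {
  openssl x509 -in "$1" -noout -text | grep -q 'DNS:localhost'
}

# Verify with the cert itself as explicit trust anchor (works before installing).
verify_against_self() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

# Verify against the system store only; succeeds only after install_trust.
verify_against_system() { openssl verify "$1" >/dev/null 2>&1; }

# The PFX must open with the empty password Kestrel will supply.
pfx_ok() { openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1; }

# Step 2: add to the Ubuntu trust store (needs sudo; call it yourself).
install_trust() {
  sudo cp "$1" /usr/local/share/ca-certificates/localhost.crt
  sudo update-ca-certificates
  ls -l /etc/ssl/certs/localhost.pem   # extension changes from .crt to .pem
}

# Usage: RUN_DEMO=1 sh ./localhost-cert.sh ./certs
if [ "${RUN_DEMO:-0}" = 1 ]; then
  make_cert "${1:-./certs}"
  verify_against_self "${1:-./certs}/localhost.crt" && echo "self-verify: OK"
  echo "now run: install_trust ${1:-./certs}/localhost.crt, then copy localhost.pfx next to appsettings.json"
fi
```

Until install_trust has been run, verify_against_self succeeds and verify_against_system fails with the error 18 shown above; after update-ca-certificates both succeed, which is the check the post calls "verifying the cert without the CAfile option".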
