Where does .net core search for certificates on linux platform

3

21

On Windows, for .NET Framework classes we can specify sslkeyrepository as *SYSTEM/*USER. On Linux, where do the .NET Core classes search for the certificates by default, and what could be the values for sslkeyrepository?

Chitterlings answered 8/8, 2018 at 11:27 Comment(3)
blogs.msdn.microsoft.com/webdev/2018/02/27/… "On Linux there isn't a standard way across distros to trust the certificate, so you'll need to perform the distro specific guidance for trusting the development certificate." That should give you some hints to get started. – Unpopular
@LexLi: Thank you, I did go through it before posting the question. But the problem is how do we specify the location of the certificates? – Chitterlings
Ask Google what is "the distro specific guidance", and the location would be obvious. – Unpopular
13

.NET Core uses OpenSSL on Linux, as a result, you need to set up your Linux environment in the container so that OpenSSL will pick up the certificate.

You can do this by two ways:

  1. Copying the certificate .crt file to a location that update-ca-certificates will scan for trusted certificates - e.g. /usr/local/share/ca-certificates/ or on RHEL /etc/pki/ca-trust/source/anchors/:

     COPY myca.crt /usr/local/share/ca-certificates/
    
  2. Invoking update-ca-certificates:

     RUN update-ca-certificates
    
Epanaphora answered 13/8, 2018 at 6:18 Comment(1)
What is the content inside, or the format of, the certificate inside the directory /usr/local/share/ca-certificates/? – Irrevocable
8

For Linux and Mac, .NET Core will use OpenSSL.

Command to generate a private key and a certificate signing request:

openssl req -config https.config -new -out csr.pem

Command to create a self-signed certificate:

openssl x509 -req -days 365 -extfile https.config -extensions v3_req -in csr.pem -signkey key.pem -out https.crt

Command to generate a pfx file containing the certificate and the private key that you can use with Kestrel:

openssl pkcs12 -export -out https.pfx -inkey key.pem -in https.crt -password pass:<password>

After that, trust the certificate.

This step is optional, but without it the browser will warn you about your site being potentially unsafe. You will see something like the following if your browser doesn't trust your certificate:

There is no centralized way of trusting a certificate on Linux, so you can do one of the following:

  1. Exclude the URL you are using in your browser's exclude list

  2. Trust all self-signed certificates on localhost

  3. Add the https.crt to the list of trusted certificates in your browser.

How exactly to achieve this depends on your browser/distro.

You can also reference the complete Kestrel HTTPS sample app,

or follow this blog: Configuring HTTPS in ASP.NET Core across different platforms

Jehovah answered 13/8, 2018 at 6:30 Comment(0)
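The three openssl commands above can also be done from .NET itself, which is handy in a container where openssl is not installed. The following is an added example, not code from the answer or from the Microsoft blog it cites: it uses the runtime's own `CertificateRequest` API to create a self-signed localhost certificate with the extensions a typical `v3_req` section carries and writes it as a PFX for Kestrel. The output file name `https.pfx`, the subject `CN=localhost`, the 365-day validity and the `DEV_PFX_PASSWORD` environment variable are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: .NET-native equivalent of `openssl req` + `openssl x509` + `openssl pkcs12`.
static class DevCertificate
{
    // Creates a self-signed certificate for localhost and writes it as a PFX
    // (certificate + private key) that Kestrel can load. Returns an instance
    // loaded back from the PFX so callers can inspect thumbprint/validity.
    public static X509Certificate2 CreateAndExportPfx(string pfxPath, string password, int validDays = 365)
    {
        using (var rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest(
                "CN=localhost", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            // Extensions equivalent to a typical v3_req section: end-entity certificate,
            // TLS server authentication, and a SAN for localhost / 127.0.0.1.
            request.CertificateExtensions.Add(new X509BasicConstraintsExtension(
                certificateAuthority: false, hasPathLengthConstraint: false, pathLengthConstraint: 0, critical: true));
            request.CertificateExtensions.Add(new X509KeyUsageExtension(
                X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, critical: false));
            request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
                new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, critical: false)); // id-kp-serverAuth
            var san = new SubjectAlternativeNameBuilder();
            san.AddDnsName("localhost");
            san.AddIpAddress(IPAddress.Loopback);
            request.CertificateExtensions.Add(san.Build());

            // Backdate a few minutes so small clock skew does not make the cert "not yet valid".
            var notBefore = DateTimeOffset.UtcNow.AddMinutes(-5);
            using (var cert = request.CreateSelfSigned(notBefore, notBefore.AddDays(validDays)))
            {
                // Export bundles certificate and private key, like `openssl pkcs12 -export`.
                File.WriteAllBytes(pfxPath, cert.Export(X509ContentType.Pfx, password));
                // Reload from the file so the returned object does not depend on the disposed key.
                return new X509Certificate2(pfxPath, password, X509KeyStorageFlags.Exportable);
            }
        }
    }

    static void Main()
    {
        // The PFX password is read from the environment (assumed variable name) rather than hard-coded.
        string password = Environment.GetEnvironmentVariable("DEV_PFX_PASSWORD")
            ?? throw new InvalidOperationException("Set DEV_PFX_PASSWORD before running.");
        using (var cert = CreateAndExportPfx("https.pfx", password))
        {
            Console.WriteLine($"Wrote https.pfx: thumbprint {cert.Thumbprint}, valid until {cert.NotAfter:u}");
        }
    }
}
```

Kestrel then loads the file either through configuration (`Kestrel:Certificates:Default:Path` and `Kestrel:Certificates:Default:Password`) or in code with `listenOptions.UseHttps("https.pfx", password)`. The PFX holds the private key, so it should be readable only by the account that runs the server, which is also why the per-user store described in the other answer is a better home for it than a system-wide CA directory.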
6

This page provides a good (and official) summary of the X509Store locations on Linux (and all platforms) for .NET Core.

The short answer is that on Linux, the LocalMachine/Root store can be opened in ReadOnly mode, and the certificates returned from that store come from the standard Linux system-global certificate directories. @barr-j's answer provides some info on how you can copy certificates into system directories using Linux commands. However, the normal use for these system-global certificates is to specify trusted certificate authorities, NOT as a secure place to store an https certificate (which contains a private key, which shouldn't be accessible by all users on the host).

On Linux with .NET, you can't write to the LocalMachine/Root X509Store directly, and LocalMachine/My isn't supported.

If you want your certificate access limited to a specific user (a good idea for https certs), on Linux with .NET you can write to and read from a user-local cert store using new X509Store(StoreName.My, StoreLocation.CurrentUser).

Helse answered 14/9, 2019 at 17:14 Comment(1)
Updated link: learn.microsoft.com/en-us/dotnet/standard/security/… – Necolenecro
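The store behaviour this answer describes, and the effect of the `update-ca-certificates` step from the earlier answer, can be checked from a small program. The following is an added example and not code from either answer: it reads the system-global trust anchors through `LocalMachine/Root` (so you can confirm a CA copied into `/usr/local/share/ca-certificates/` is visible to .NET), shows that a write to that store is refused on Linux, and stores an https certificate with its private key in `CurrentUser/My` instead. The PFX path, the `DEV_PFX_PASSWORD` environment variable and the CA subject fragment are assumptions passed in by the caller.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: the three X509Store behaviours described above, on Linux.
static class LinuxStores
{
    // 1. Read-only view of the system trust anchors. Returns true when a CA whose
    //    subject contains `subjectFragment` is visible to .NET (i.e. the file was
    //    picked up by update-ca-certificates).
    public static bool SystemRootContains(string subjectFragment)
    {
        using (var root = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
        {
            root.Open(OpenFlags.ReadOnly);
            foreach (var ca in root.Certificates)
            {
                if (ca.Subject.IndexOf(subjectFragment, StringComparison.OrdinalIgnoreCase) >= 0)
                    return true;
            }
            return false;
        }
    }

    // 2. Writing to LocalMachine/Root is not possible on Linux; the runtime reports
    //    this as a CryptographicException. Surface it as a result instead of a crash.
    public static bool TryAddToSystemRoot(X509Certificate2 cert, out string error)
    {
        try
        {
            using (var root = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
            {
                root.Open(OpenFlags.ReadWrite);
                root.Add(cert);
                error = null;
                return true;
            }
        }
        catch (CryptographicException ex)
        {
            error = ex.Message;
            return false;
        }
    }

    // 3. The per-user store is the supported writable location. Only the owning
    //    user can read the private key stored there.
    public static string StoreInCurrentUserMy(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password,
            X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
        using (var my = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            my.Open(OpenFlags.ReadWrite);
            my.Add(cert);
        }
        return cert.Thumbprint;
    }

    // Reads the certificate back by thumbprint; returns null when it is absent.
    public static X509Certificate2 LoadFromCurrentUserMy(string thumbprint)
    {
        using (var my = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            my.Open(OpenFlags.ReadOnly);
            var found = my.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            return found.Count == 0 ? null : found[0];
        }
    }

    static void Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.WriteLine("usage: <https.pfx> <ca-subject-fragment>   (password from DEV_PFX_PASSWORD)");
            return;
        }
        string password = Environment.GetEnvironmentVariable("DEV_PFX_PASSWORD") ?? "";

        Console.WriteLine($"System trust anchors contain '{args[1]}': {SystemRootContains(args[1])}");

        var cert = new X509Certificate2(args[0], password);
        Console.WriteLine(TryAddToSystemRoot(cert, out var err)
            ? "Added to LocalMachine/Root (not expected on Linux)"
            : $"LocalMachine/Root is read-only here: {err}");

        string thumbprint = StoreInCurrentUserMy(args[0], password);
        var back = LoadFromCurrentUserMy(thumbprint);
        Console.WriteLine($"CurrentUser/My round-trip: {back?.Subject}, HasPrivateKey={back?.HasPrivateKey}");
    }
}
```

On Linux the runtime keeps the `CurrentUser/My` store as files under `~/.dotnet/corefx/cryptography/x509stores/my/` in the user's home directory, so the private key is protected by ordinary file ownership; a service account running Kestrel would have its own copy there. Step 1 is also a cheap startup check for a container image: if the corporate CA is not found in `LocalMachine/Root`, the `COPY` or `update-ca-certificates` step in the Dockerfile was missed.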
