How to Run ‘dotnet dev-certs https –trust’?

Home Q&A How to Run ‘dotnet dev-certs https –trust’?

On Ubuntu the standard mechanism would be:

dotnet dev-certs https -v to generate a self-signed cert
convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using openssl pkcs12 -in .pfx -nokeys -out localhost.crt -nodes
copy localhost.crt to /usr/local/share/ca-certificates
trust the certificate using sudo update-ca-certificates
verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
verify if it’s trusted using openssl verify localhost.crt

Unfortunately this does not work:

-> dotnet dev-certs https generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:

$ openssl verify localhost.crt CN = localhost error 20 at 0 depth lookup: unable to get local issuer certificate error localhost.crt: verification failed

-> due to that it’s impossible to have a dotnet client trust the certificate

Workaround: (tested on Openssl 1.1.1c)

manually generate self-signed cert
trust this cert
force your application to use this cert

In detail:

manually generate self-signed cert:
- create localhost.conf file with the following content:

[req] default_bits = 2048 default_keyfile = localhost.key distinguished_name = req_distinguished_name req_extensions = req_ext x509_extensions = v3_ca [req_distinguished_name] commonName = Common Name (e.g. server FQDN or YOUR name) commonName_default = localhost commonName_max = 64 [req_ext] subjectAltName = @alt_names [v3_ca] subjectAltName = @alt_names basicConstraints = critical, CA:false keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment [alt_names] DNS.1 = localhost DNS.2

CN = localhost error 18 at 0 depth lookup: self signed certificate error localhost.crt: verification failed
1. trust this cert:
  - copy localhost.crt to /usr/local/share/ca-certificates
  - trust the certificate using sudo update-ca-certificates
  - verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
  - verifying the cert without the CAfile option should work now
$ openssl verify localhost.crt localhost.crt: OK
1. force your application to use this cert
  - update your appsettings.json with the following settings: