localhost

localhost

关注
发信
关注(28)粉丝(399)

如何运行'dotnet dev-certs https --trust'?

本文介绍了如何运行'dotnet dev-certs https --trust'?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我是ASP.NET的新手.

I'm new in ASP.NET.

环境:

  • Ubuntu 18.04

  • Ubuntu 18.04

Visual Studio代码

Visual Studio Code

.NET SDK 2.2.105

.NET SDK 2.2.105

我在运行某些命令时遇到了麻烦.

I'm in trouble with some command running.

我正在

https://docs.microsoft.com/ja-jp/aspnet/core/tutorials/razor-pages/razor-pages-start?view=aspnetcore-2.2&tabs=visual-工作室代码

并运行以下命令:

dotnet dev-certs https --trust

我希望 https://localhost 应该受到信任.但我发现了错误消息;

I expect https://localhost should be trusted.but I found the error message;

$ Specify --help for a list of available options and commands.

似乎"dotnet dev-certs https"命令没有--trust选项.如何解决这个问题?

It seems that the command "dotnet dev-certs https" has no --trust options.How to resolve this problem?

推荐答案

在Ubuntu上,标准机制为:

On Ubuntu the standard mechanism would be:

  • dotnet dev-certs https -v生成自签名证书
  • 使用openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
    • 将〜/.dotnet/corefx/cryptography/x509stores/my中生成的证书从pfx转换为pem
  • localhost.crt复制到/usr/local/share/ca-certificates
  • 使用sudo update-ca-certificates
    • 信任证书
  • 验证证书是否已复制到/etc/ssl/certs/localhost.pem(扩展名更改)
  • 使用openssl verify localhost.crt
    • 验证是否受信任
  • dotnet dev-certs https -v to generate a self-signed cert
  • convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
  • copy localhost.crt to /usr/local/share/ca-certificates
  • trust the certificate using sudo update-ca-certificates
  • verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
  • verify if it's trusted using openssl verify localhost.crt

不幸的是,这不起作用:

  • dotnet dev-certs https generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:
$ openssl verify localhost.crt
CN = localhost
error 20 at 0 depth lookup: unable to get local issuer certificate
error localhost.crt: verification failed

  • 由于无法让dotnet客户端信任证书

    • 解决方法:(在Openssl 1.1.1c上测试)

    Workaround: (tested on Openssl 1.1.1c)

    1. 手动生成自签名证书
    2. 信任此证书
    3. 强制您的应用程序使用此证书

    详细信息:

    1. 手动生成自签名证书:

    1. manually generate self-signed cert:

    • 创建具有以下内容的localhost.conf文件:
    [req]
default_bits       = 2048
default_keyfile    = localhost.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca

[req_distinguished_name]
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = localhost
commonName_max              = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment

[alt_names]
DNS.1   = localhost
DNS.2   = 127.0.0.1

    • 使用openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
      • 生成证书
    • 使用openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
      • 将证书转换为pfx
    • (可选)使用openssl verify -CAfile localhost.crt localhost.crt验证证书,该证书应产生localhost.crt: OK
    • 因为尚未被信任,因此使用openssl verify localhost.crt应该会失败

      • generate cert using openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
      • convert cert to pfx using openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
      • (optionally) verify cert using openssl verify -CAfile localhost.crt localhost.crt which should yield localhost.crt: OK
      • as it's not trusted yet using openssl verify localhost.crt should fail with

        • CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed

        1. 信任此证书:

        1. trust this cert:

        • 将localhost.crt复制到/usr/local/share/ca-certificates
        • 使用sudo update-ca-certificates
          • 信任证书
        • 验证证书是否已复制到/etc/ssl/certs/localhost.pem(扩展名更改)
        • 在不使用CAfile选项的情况下验证证书现在应该可以使用
        • copy localhost.crt to /usr/local/share/ca-certificates
        • trust the certificate using sudo update-ca-certificates
        • verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
        • verifying the cert without the CAfile option should work now
        $ openssl verify localhost.crt 
localhost.crt: OK

        1. 强制您的应用程序使用此证书

        1. force your application to use this cert

        • 使用以下设置更新您的appsettings.json:
        "Kestrel": {
  "Certificates": {
    "Default": {
      "Path": "localhost.pfx",
      "Password": ""
    }
  }
}

        这篇关于如何运行'dotnet dev-certs https --trust'?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

10-25 00:30
Powered by LMLPHP ©2024 localhost 0.001669