问题描述
我如何才能将自己的证书配置为默认"证书?Kestrel 在 Linux 上运行本地 ASP.NET 核心应用程序时使用?
我知道我可以运行 dotnet dev-certs https
命令来生成一个新的开发证书,但这会生成一个新的自签名证书.我不想信任此证书 - 我已经拥有自己的本地 CA 用于开发,并希望签署一份证书以供 ASP.NET 核心使用.
我还知道您可以在我的应用程序代码中配置 Kestrel 使用的证书 (https://devblogs.microsoft.com/aspnet/configuring-https-in-asp-net-core-across-different-platforms/),但我不要相信这应该是应用程序的一部分.在本地使用我自己的 CA 签名证书是我个人的偏好,如果其他开发人员乐于信任自动生成的证书,我不想强迫他们管理他们自己的证书.
我曾尝试将证书放入本地My"创建自签名开发证书的证书存储 (~/.dotnet/corefx/cryptography/x509stores/my/
),但它没有被使用 - 我得到当你发生时发生的错误根本没有证书:
暴击:Microsoft.AspNetCore.Server.Kestrel[0]无法启动 Kestrel.System.InvalidOperationException:无法配置 HTTPS 终结点.未指定服务器证书,默认开发者证书找不到或已过期.
是否可以配置我自己的证书,还是我必须使用 dotnet core 生成的证书?
简答:
事实证明,ASP.NET Core 在配置 Kestrel 时会在它使用的默认证书上查找特定扩展.如果您想要获取证书,则需要扩展名1.3.6.1.4.1.311.84.1.1";设置,并且这个扩展的原始字节值应该是 >= 2 (阅读源代码).
将带有此扩展(以及其他一些基本扩展)的证书放入My"store 允许默认使用证书.
长答案:
(先阅读简答)
您不能使用现有证书.由于 ASP.NET 核心需要对其使用的证书进行特定扩展,因此您需要创建一个新证书才能使用.但是,您仍然可以使用由 CA 签署的证书,只要您正确生成请求即可.
假设使用 openssl,您可以在生成证书请求时通过配置文件来简化此操作:
asp_config.conf
[ 请求 ]default_bits = 2048专有名称 = dnreq_extensions = aspnet[DN]CN = 本地主机[aspnet]basicConstraints = 关键,CA:FALSEkeyUsage = 关键,digitalSignature,keyEnciphermentextendedKeyUsage = 关键,serverAuthsubjectAltName = 关键,DNS:本地主机1.3.6.1.4.1.311.84.1.1 = DER:02
然后您可以运行 openssl 命令以使用此配置生成签名请求:
openssl req -new -config asp_config.conf -keyout local_asp_dev.key -out local_asp_dev.csr -nodes
生成请求后,用您的 CA 签名.
openssl x509 -req -in local_asp_dev.csr -CA/path/to/CA.pem -CAkey/path/to/CA.key -CAcreateserial -out local_asp_dev.crt -days 365 -sha256 -extensions aspnet-extfile asp_config.conf
您需要使用 -extensions
选项指定要授予证书的扩展名.此选项查看引用文件中的指定配置部分.
一旦签名,您需要将您的证书打包成一个 pfx 文件:
openssl pkcs12 -in local_asp_dev.crt -inkey local_asp_dev.key -export -out local_asp_dev.pfx
打包证书后,只需将其放入我的"文件夹中即可.store - ASP.NET 会选择它并使用它来为您的 HTTPS 端点提供服务.(您可能需要删除在此商店中自动创建的任何其他开发证书).
mv local_asp_dev.pfx ~/.dotnet/corefx/cryptography/x509stores/my/
请注意,此商店在 Linux 上的位置被视为内部实施细节,可能会发生变化.ASP.NET Core 的未来版本也完全有可能需要不同的扩展值.
此解决方案是针对 ASP.NET Core 3.1 开发和测试的
其他参考资料:
- 我的"商店:https://docs.microsoft.com/en-us/dotnet/standard/security/cross-platform-cryptography#the-my-store
- openssl 配置:https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
- 使用 CA 签名时授予扩展名:https://access.redhat.com/solutions/28965
How would I be able to configure my own certificate as the "default" used by Kestrel when running local ASP.NET core apps on Linux?
I know that I can run the dotnet dev-certs https
command to generate a new development certificate, but that will generate a new self-signed certificate. I don't want to have to trust this certificate - I already have my own local CA for development and would like to sign a cert for use by ASP.NET core.
I also know that you can configure the cert Kestrel uses within my app code (https://devblogs.microsoft.com/aspnet/configuring-https-in-asp-net-core-across-different-platforms/), but I don't believe this should be part of the application. It's my personal preference to use my own CA-signed cert locally, and I don't want to force other developers to manage their own certificates if they're happy trusting the auto-generated cert.
I have tried dropping a certificate into the local "My" certificate store where the self-signed development cert gets created (~/.dotnet/corefx/cryptography/x509stores/my/
), but it doesn't get used - I get the error that happens when you don't have a cert at all:
Is it possible to configure my own certificate, or am I forced to use the one generated by dotnet core?
Short answer:
It turns out ASP.NET core looks for specific extensions on the default certificate it uses when configuring Kestrel. If you want a certificate to be picked up, it needs the extension "1.3.6.1.4.1.311.84.1.1" set, and the raw byte value of this extension should be >= 2 (from reading the source code).
Dropping a certificate with this extension (and some other basic extensions) into the "My" store allows the cert to be used by default.
Long answer:
(Read the short answer first)
You can't use an existing certificate. Because ASP.NET core requires specific extensions on the certificate it uses, you will need to create a new certificate to be used. However, you still can use a certificate signed by a CA, as long as you generate your request correctly.
Assuming use of openssl, you can facilitate this through a configuration file when generating your certificate request:
asp_config.conf
[ req ]
default_bits = 2048
distinguished_name = dn
req_extensions = aspnet
[ dn ]
CN = localhost
[ aspnet ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectAltName = critical, DNS:localhost
1.3.6.1.4.1.311.84.1.1 = DER:02
You can then run the openssl command to generate a signing request using this config:
openssl req -new -config asp_config.conf -keyout local_asp_dev.key -out local_asp_dev.csr -nodes
After generating the request, sign it with your CA.
openssl x509 -req -in local_asp_dev.csr -CA /path/to/CA.pem -CAkey /path/to/CA.key -CAcreateserial -out local_asp_dev.crt -days 365 -sha256 -extensions aspnet -extfile asp_config.conf
Once signed, you need to pack your certificate into a pfx file:
openssl pkcs12 -in local_asp_dev.crt -inkey local_asp_dev.key -export -out local_asp_dev.pfx
After packing your certificate, simply drop it into your "My" store - ASP.NET will pick it up and use it to serve your HTTPS endpoints. (You may need to remove any other development certificates that were automatically created in this store).
mv local_asp_dev.pfx ~/.dotnet/corefx/cryptography/x509stores/my/
Note that the location of this store on Linux is considered an internal implementation detail and is subject to change. It's also entirely possible that future versions of ASP.NET core will require different extension values.
This solution was developed and tested against ASP.NET Core 3.1
Additional References:
- "My" store: https://docs.microsoft.com/en-us/dotnet/standard/security/cross-platform-cryptography#the-my-store
- openssl config: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
- Extension granting when signing with a CA: https://access.redhat.com/solutions/28965
这篇关于如何在 ASP.NET Core 中更改本地开发的默认 SSL 证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!