Asp Net Core HTTPS Certificate

Hi! I’d like to do Asp Net Core Development on Manjaro but I can’t find a way to trust a self-signed certificate system-wide. openssl-verify always fails. I have been trying the following:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf

openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt

and after that:

  • sudo trust anchor --store localhost.crt and do sudo update-ca-trust
  • manually moving localhost.crt to /etc/ca-certificates/trust-source/anchors/ and doing sudo update-ca-trust
  • The first two things but I also added sudo trust extract-compat

No matter what I do, openssl-verify always fails. Chrome says the site is insecure. I also tried to directly import the .crt and a .pfx in Chrome. Does not work. Also, my project has Kestrel configured with the proper pfx and password.

Please someone help me with this, I’m desperate for answers.

My localhost.conf:

[req]
default_bits       = 2048
default_keyfile    = localhost.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca

[req_distinguished_name]
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = localhost
commonName_max              = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment

[alt_names]
DNS.1   = localhost
DNS.2   = 127.0.0.1

For anyone having the same problem, I ended up succeeding with this script:

#!/usr/bin/env bash

openssl genpkey -algorithm RSA -out localhost.key
openssl req -x509 -key localhost.key -out localhost.crt \
    -subj "/CN=localhost/O=localhost" \
    -config <(cat /etc/ssl/openssl.cnf - <<END
[ x509_ext ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = DNS:localhost
END
    ) -extensions x509_ext

sudo trust anchor localhost.crt 

Then I used this command to convert it to PFX for Kestrel:

openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt

Voilà! Just took me 3 hours and a lot of searching in old forum posts. Hopefully this will be useful for someone else!
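
Added example (not part of the thread): a pre-flight check that reports the certificate fields where the question's localhost.conf and the working script differ, namely the basicConstraints CA flag and the subjectAltName entries, so a certificate can be inspected before it is anchored. The helper names check_dev_cert and make_cert are hypothetical, the two certificates are constructed samples, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. check_dev_cert and make_cert are
# hypothetical helper names; the certificates below are constructed samples.
# Report the fields where the question's config and the working script differ.
# Subshell body: "exit" only sets the function's return status.
check_dev_cert() (
    crt=$1; host=${2:-localhost}; rc=0
    text=$(openssl x509 -in "$crt" -noout -text) || exit 2
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "ok: basicConstraints CA:TRUE"
    else
        echo "differs: basicConstraints is not CA:TRUE"; rc=1
    fi
    if printf '%s\n' "$text" | grep -Eq "DNS:$host(,|[[:space:]]*\$)"; then
        echo "ok: SAN has DNS:$host"
    else
        echo "differs: SAN has no DNS:$host"; rc=1
    fi
    # Clients match IP addresses against IP: SAN entries, not DNS: ones.
    if printf '%s\n' "$text" | grep -Eq 'DNS:[0-9]+(\.[0-9]+){3}'; then
        echo "differs: IP literal listed as DNS: instead of IP:"; rc=1
    fi
    exit "$rc"
)

# Write a throwaway self-signed cert to $3 with basicConstraints $1, SAN $2.
make_cert() (
    dir=$(mktemp -d) || exit 2
    cat >"$dir/c.cnf" <<END
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = localhost
[ ext ]
basicConstraints = critical,$1
subjectAltName = $2
END
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/k.pem" \
        -out "$3" -config "$dir/c.cnf" -extensions ext 2>/dev/null
    rc=$?; rm -rf "$dir"; exit "$rc"
)

# Demo: the question's profile, then the working script's profile.
tmp=$(mktemp -d)
make_cert CA:false 'DNS:localhost,DNS:127.0.0.1' "$tmp/question.crt"
make_cert CA:true 'DNS:localhost' "$tmp/answer.crt"
for c in question answer; do echo "== $c"; check_dev_cert "$tmp/$c.crt" || true; done
rm -rf "$tmp"
```

To inspect a real certificate, call check_dev_cert localhost.crt; it returns non-zero when any field differs from the working script's profile.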
