
My IIS application is unable to connect to my standalone ASP.net Core application because my IIS is failing to validate the SSL certificate of the ASP.net Core application. I have very basic knowledge of certificates, but it seems that the app pool doesn't have access to the dev certificate that ASP.net Core uses, which is only stored in the current user's store. Is this the cause of the issue? If yes, how do I give the app pool access to the certificate? Is there an alternative way to fix this?

The certificate was generated by the dotnet dev-cert tool.

LostInComputer
  • What kind of "IIS application"? The application framework (ASP.NET or PHP) usually performs strict certificate verification by default, which won't accept self-signed certificates like the ones generated for Kestrel, so you should either switch to a real certificate, or bypass the verification steps. – Lex Li Mar 10 '21 at 16:23
  • It's ASP.net. ASP.net accepts the certificate if I change the app pool identity to the current user (where the certificate is stored) but I want to make it work without changing the identity. – LostInComputer Mar 10 '21 at 19:12
  • https://docs.jexusmanager.com/tutorials/self-signed.html#to-trust-self-signed-certificate You have to export the certificate and import it to the "Trusted Certificate Authorities" store of the application pool identity. – Lex Li Mar 10 '21 at 19:25

1 Answer


If you are above IIS 7, you can try this method.

1. Make sure your certificate has a private key.

2. Import the certificate into the "Local Computer" account. Best to use Certificates MMC. Make sure to check "Allow private key to be exported".

3. Based upon which identity the IIS 7.5 application pool uses, use one of the following.

  • Open MMC => Add Certificates (Local computer) snap-in => Certificates (Local Computer) => Personal => Certificates => Right click the certificate of interest => All tasks => Manage private key => Add IIS AppPool\AppPoolName and grant it Full control. Replace "AppPoolName" with the name of your application pool (sometimes IIS_IUSRS)

  • IIS 7.5 Website is running under NETWORK SERVICE. Using Certificates MMC, added "NETWORK SERVICE" to Full Trust on certificate in "Local Computer\Personal".

  • IIS 7.5 Website is running under "MyIISUser" local computer user account. Using Certificates MMC, added "MyIISUser" (a new local computer user account) to Full Trust on certificate in "Local Computer\Personal".

Beware, if you're on a domain, your domain will be selected by default in the 'from location box'. Make sure to change that to "Local Computer". Change the location to "Local Computer" to view the app pool identities.

Here is the reference: How to give ASP.NET access to a private key in a certificate in the certificate store?

Theobald Du
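The MMC steps from the answer above, scripted in PowerShell as an added example (not part of the original answer). It assumes the certificate is already imported into `Cert:\LocalMachine\My` with an RSA key held by a Microsoft software provider; `$Thumbprint` and `$AppPoolName` are placeholders, and it grants Read rather than Full control on the assumption that the application only needs to use the key.

```powershell
# Added example: give an IIS app pool identity read access to a certificate's
# private key. $Thumbprint and $AppPoolName are placeholders supplied by the
# caller. Run from an elevated prompt.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [string] $AppPoolName
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Step 1 of the answer: the certificate must carry a private key.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in LocalMachine\My."
}

# Locate the key file on disk. CNG keys and legacy CSP keys are stored in
# different directories, so both cases are handled.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
} else {
    throw "Unsupported or non-RSA private key."
}
if (-not (Test-Path -LiteralPath $keyPath)) {
    throw "Key file not found: $keyPath"
}

# Step 3 of the answer: add an allow entry for the app pool's virtual account.
# Read is granted here instead of Full control (assumption: the app only uses the key).
$identity = "IIS AppPool\$AppPoolName"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl = Get-Acl -LiteralPath $keyPath
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyPath -AclObject $acl

# Print the resulting ACL so the grant can be reviewed.
(Get-Acl -LiteralPath $keyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

For a site running under NETWORK SERVICE or a named local account, as in the other two cases the answer lists, set `$identity` to that account name instead of the `IIS AppPool\` virtual account.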