
When I create a starter ASP.NET Core project with HTTPS enabled, I get a "dual-mode" application which I can run as either self-hosted (via the console app) or IIS Express. A localhost certificate gets bound (visible via netsh) to a port on which the app will listen under IIS Express. However, in "self-hosted" mode, it will listen on port 5001, where no certificate appears in netsh. How does the self-hosted mode choose the appropriate certificate? When the time comes to deploy my application to my server, what steps are required to ensure that it all works? Do I simply adjust the "applicationUrl" property in launchSettings.json (assuming I have installed my certificate)? Do I need to bind it using netsh, and if not, why does netsh require the certificate to be uniquely identified (by thumbprint) when launchSettings doesn't?

I have a site certificate which I have installed and bound to port 5001 via netsh (basically what I've done before for an OWIN WebAPI application), sorted out routing and firewalling issues so that I can reference my stub site via https://www.{my-domain}:5001. When I try browsing to my application via my site URL, it does land on my application page, but the browser reports an invalid certificate because the application is presenting the development localhost certificate, not the site certificate. What am I missing?

Zenilogix
HTTPS uses TLS for authentication. There is a TLS certificate block that is sent from the server to the client as part of TLS. The certificate block contains a list of certificate names that can be used for the authentication. The client then looks up the certificate names in the stores to see if a matching certificate exists. Only the names are passed from server to client, not the actual keys. – jdweng May 24 '21 at 17:11

1 Answer


Found a solution based on this answer: https://stackoverflow.com/a/62847019/2487969

In my case I chose to use an overload which allows the app to select a certificate out of the store, so it requires me to install the certificate, but I don't need to bind to the port; instead I make the following change in the Program.cs file:

    // Required namespaces for IPAddress, StoreName and StoreLocation:
    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    // From this:
    webBuilder.UseStartup<Startup>();

    // To this:
    webBuilder.UseStartup<Startup>()
        .UseKestrel(o =>
        {
            // Listen on all interfaces, port 5001; Kestrel looks the certificate up
            // by subject name in LocalMachine\My, and allowInvalid=false rejects
            // expired or untrusted certificates instead of serving them.
            o.Listen(IPAddress.Any, 5001, opt => { opt.UseHttps(StoreName.My, "{my-domain}", false, StoreLocation.LocalMachine); });
        });

Note that it does emit a warning about an address being overridden, but that's just noise.

Zenilogix
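A complete Program.cs along the same lines, added here as an example rather than taken from the question or answer: the port and certificate subject come from configuration instead of being hard-coded, so the same build can use the development certificate locally and the site certificate on the server. The configuration keys `Https:Port` and `Https:CertSubject` are assumed names, not anything ASP.NET Core defines.

```csharp
// Added example (not the asker's or answerer's code). Assumes a Startup class as in
// the question and an appsettings.{Environment}.json containing, for example:
//   "Https": { "Port": 5001, "CertSubject": "www.example.com" }   (assumed keys)
using System.Net;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();

                // ConfigureKestrel keeps the default Kestrel setup and only adds the
                // endpoint; calling Listen() still replaces the launchSettings/ASPNETCORE_URLS
                // addresses, which is what the "address overridden" warning reports.
                webBuilder.ConfigureKestrel((context, options) =>
                {
                    var port = context.Configuration.GetValue<int>("Https:Port", 5001);
                    var subject = context.Configuration["Https:CertSubject"];
                    if (string.IsNullOrWhiteSpace(subject))
                    {
                        throw new InvalidOperationException(
                            "Https:CertSubject is not configured; refusing to start without a server certificate.");
                    }

                    options.Listen(IPAddress.Any, port, listen =>
                    {
                        // Certificate is resolved by subject from LocalMachine\My at startup,
                        // so it must be installed with its private key under that store.
                        // allowInvalid = false: an expired or untrusted certificate fails
                        // startup rather than being served to clients.
                        listen.UseHttps(StoreName.My, subject, false, StoreLocation.LocalMachine);
                    });
                });
            });
}
```

No netsh binding is involved: Kestrel opens the socket itself and presents whichever certificate this code selects, which is why the thumbprint-based http.sys binding is only needed for IIS/HTTP.sys hosting.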