ASP Net Core Kestrel WebServer loads self-signed root certificate from file but still needs to be in

Time:12-02

I have an ASP Net Core 6 application with Kestrel Web Server, that requires mTLS between client applications and server. I created self-signed root and child certificates for the clients, using the New-SelfSignedCertificate cmdlet in PowerShell. Here is how the root certificate is explicitly loaded to Kestrel:

using System.Net;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Server.Kestrel.Https;

// Root certificate (PFX with private key) loaded straight from disk.
var rootCertFile = "xxx.pfx";
var rootCertPw = "abc";
X509Certificate2 rootCert = new X509Certificate2(rootCertFile, rootCertPw);

webBuilder.ConfigureKestrel(o =>
{
    // Inner lambda parameter renamed: reusing "o" inside the nested lambda does not compile (CS0136).
    o.ConfigureHttpsDefaults(https =>
    {
        // The root is used as the server certificate and a client certificate is mandatory.
        https.ServerCertificate = rootCert;
        https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
    });
});

webBuilder.UseKestrel(o =>
{
    // HTTPS endpoint (uses the defaults configured above) and a plain HTTP endpoint.
    o.Listen(IPAddress.Parse(myHttpsEndPointIpAddr), myHttpsEndPointPort,
        listenOptions =>
        {
            listenOptions.UseHttps();
        });
    o.Listen(IPAddress.Parse(myHttpEndPointIpAddr), myHttpEndPointPort);
});

If some client (for instance curl or Postman) calls some HTTPS endpoint (using a child certificate signed by the root), the client gets an error and the call is rejected if the root certificate is not present in the Trusted Root Certification Authorities Certificate Store of the Local Machine. Here is the error that the client sees:

* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, unknown CA (560):
* OpenSSL SSL_read: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_ZERO_RETURN, errno 0
* Failed sending HTTP2 data

As soon as the root certificate is added to the Trusted Root Certification Authorities Certificate Store of the Local Machine, the REST API call succeeds. Why does the self-signed root certificate need to be installed into the Trusted Root Certification Authorities Certificate Store, if Kestrel directly loads the root certificate?

CodePudding user response:

From this we can see there are two ways of recognizing client certificates.

Firstly, the server was not recognizing the self-signed client certificates as valid certificates. This can be solved by either 1. adding all of the client certificates (or a root CA that signs them all) to the trusted certificate store of the operating system or 2. adding a ClientCertificateValidation callback to kestrel to determine whether or not a certificate is accepted or rejected.

From "Install in the trusted root":

The root certificate needs to be trusted on your host system. A root certificate which was not created by a certificate authority won't be trusted by default. For information on how to trust the root certificate on Windows, see this question.

This is an example: Correct way of loading SSL certificate signed by Intermediate CA in Kestrel .NET Core.

Read "Installing the trusted root certificate" and "Trusted Root Certification Authorities Certificate Store" to know more.
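One way to implement the ClientCertificateValidation callback mentioned in the answer, added here as an example (not code from the question or the answer): the root loaded from the file becomes the only trust anchor for client certificates, so it does not have to be in the Local Machine's Trusted Root store. File names, the password and the separate server certificate are assumptions.

```csharp
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

// Private root that issued the client certificates (placeholder path and password).
var rootCert = new X509Certificate2("root.pfx", "abc");
// Certificate the server presents to clients (assumption: a leaf issued for the host, not the root).
var serverCert = new X509Certificate2("server.pfx", "abc");

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ConfigureHttpsDefaults(https =>
    {
        https.ServerCertificate = serverCert;
        https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;

        // Replaces the OS trust-store check with an explicit chain build that trusts only rootCert.
        // Returning false makes Kestrel abort the handshake, so an untrusted client never reaches a handler.
        https.ClientCertificateValidation = (clientCert, _, _) =>
        {
            using var chain = new X509Chain();
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(rootCert);
            // Assumption: the lab root publishes no CRL, so revocation cannot be checked.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            // Require the clientAuth extended key usage on the presented certificate.
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));

            if (!chain.Build(clientCert))
                return false;

            // The built chain must terminate at exactly our root, not merely at some accepted anchor.
            var elements = chain.ChainElements;
            var chainRoot = elements[elements.Count - 1].Certificate;
            return chainRoot.RawData.AsSpan().SequenceEqual(rootCert.RawData);
        };
    });
});

var app = builder.Build();
app.MapGet("/", () => "client certificate accepted");
app.Run();
```

With this in place the "unknown CA" alert shown in the question disappears without touching the machine store, and the trust decision is confined to this one process.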
