Scott Hanselman

Developing locally with ASP.NET Core under HTTPS, SSL, and Self-Signed Certs

August 2, '18 Comments [10] Posted in ASP.NET | DotNetCore
Sponsored By

Last week on Twitter @getify started an excellent thread pointing out that we should be using HTTPS even on our local machines. Why?

You want your local web development set up to reflect your production reality as much as possible. URL parsing, routing, redirects, avoiding mixed-content warnings, etc. It's very easy to accidentally find oneself on http:// when everything in 2018 should be under https://.

I'm using ASP.NET Core 2.1 which makes local SSL super easy. After installing from http://dot.net I'll "dotnet new razor" in an empty folder to make a quick web app.

Then, when I "dotnet run" I see two URLs serving pages:

C:\Users\scott\Desktop\localsslweb> dotnet run
Hosting environment: Development
Content root path: C:\Users\scott\Desktop\localsslweb
Now listening on: https://localhost:5001
Now listening on: http://localhost:5000
Application started. Press Ctrl+C to shut down.

One is HTTP over port 5000 and the other is HTTPS over 5001. However, if I hit https://localhost:5001, I may see an error:

Your connection to this site is not secure

That's because this is an untrusted SSL cert that was generated locally:

Untrusted cert

There's a dotnet global tool built into .NET Core 2.1 to help with certs at dev time, called "dev-certs."

C:\Users\scott> dotnet dev-certs https --help

Usage: dotnet dev-certs https [options]

Options:
-ep|--export-path Full path to the exported certificate
-p|--password Password to use when exporting the certificate with the private key into a pfx file
-c|--check Check for the existence of the certificate but do not perform any action
--clean Cleans all HTTPS development certificates from the machine.
-t|--trust Trust the certificate on the current platform
-v|--verbose Display more debug information.
-q|--quiet Display warnings and errors only.
-h|--help Show help information

I just need to run "dotnet dev-certs https --trust" and I'll get a pop up asking if I want to trust this localhost cert..

You want to trust this local cert?

On Windows it'll get added to the certificate store and on Mac it'll get added to the keychain. On Linux there isn't a standard way across distros to trust the certificate, so you'll need to perform the distro specific guidance for trusting the development certificate.

Close your browser and open up again at https://localhost:5001 and you'll see a trusted "Secure" badge in your browser.

Secure

Note also that by default HTTPS redirection is included in ASP.NET Core, and in Production it'll use HTTP Strict Transport Security (HSTS) as well, avoiding any initial insecure calls.

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();

app.UseMvc();
}

That's it. What's historically been a huge hassle for local development is essentially handled for you. Given that Chrome is marking http:// sites as "Not Secure" as of Chrome 68 you'll want to consider making ALL your sites Secure by Default. I wrote up how to get certs for free with Azure and Let's Encrypt.


Sponsor: Preview the latest JetBrains Rider with its built-in spell checking, initial Blazor support, partial C# 7.3 support, enhanced debugger, C# Interactive, and a redesigned Solution Explorer.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb
Sunday, 05 August 2018 13:52:38 UTC
Wait...C# 7.3? I didn't even realize there was a C# 7.2. Damn, where have I been? Oh, right, I'm a manager now. God, it's happening already... I'M BECOMING OBSOLETE :-P
Mike Loux
Monday, 06 August 2018 05:48:23 UTC
Hey Scott, can you demonstrate the same on an Ubuntu machine for instance? I am having troubles running the Website with SSL on Ubuntu. I always need to "Add Exception", especially on FireFox, to make it work! Even with Chrome, I have to "Allow".

Thanks
Bilal
Monday, 06 August 2018 06:51:01 UTC
I always run real IIS when running code that way I can be sure I'm as close to production as it is possible to be.

I'd rather have to click continue on Edge/Chrome knowing it's self-cert than believe it's secure. The apps I work on use Http modules + response headers + MVC framework to ensure HTTPS by default.
Peter
Monday, 06 August 2018 13:33:40 UTC
"avoiding any initial insecure calls"

I just want to clarify that HSTS is not for securing the very first call to a site!
That's only guaranteed if you also preload HSTS!
Ralph
Monday, 06 August 2018 17:50:42 UTC
If you want to run it in docker container, I created a PoC: https://github.com/krzyhook/https-aspnetcore-in-docker

Maybe someone will find it helpful.
Wednesday, 08 August 2018 20:48:38 UTC
You might also want to check out mkcert: https://github.com/FiloSottile/mkcert
Philipp Gillé
Sunday, 12 August 2018 17:04:17 UTC
Thanks for the info! The fact that you can add the dev cert to the certificate store had passed me by. Will every project you create locally use the same dev cert?
Sunday, 12 August 2018 17:23:58 UTC
After struggling with developing locally with https using Chrome I created a small tool to generate self-signed certificate. https://selfsignedcertificate.net
It also enables a locally defined domain name scenario (via hosts file).
Ldarcy
Tuesday, 14 August 2018 15:26:13 UTC
Hi,

Do you know where are stored the certificates after have generated by "dotnet dev-certs https --trust"?

I m using Angular, it seems necessary to indicate where are stored the certificate when I launch it on local.

Thanks for your help.
Cedric Arnould
Thursday, 16 August 2018 20:52:41 UTC
love this feature of Azure, but I wish it allowed me to filter out failed 404 get requests for files that don't and won't exist on my site, but that someone is incorrectly trying to request.
Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.