@activebiz
Forked from ckpearson/howto.md
Last active January 13, 2021 15:47
Configuring ASP.NET Core HTTPS with a self-signed CA root & cert for iOS development on OSX

The Problem

ASP.NET Core has a very useful dev-certs utility capable of producing self-signed certificates for local HTTPS development work.

This works for the most part, but as soon as you want to do local development of a native app, iOS refuses to trust the certificate, or indeed to even let you tell it to trust it.

You can see This Issue for some more context.

The Solution

This is what worked for me; I make no guarantees as to its efficiency or ongoing efficacy.

Most of the steps I found here and here; I've recreated the bare-bones instructions here for brevity and to retain the knowledge.

IMPORTANT: Be sure to protect the certificate keys with a password and keep them somewhere safe. The command line will prompt you for the passwords when needed.

1. Generate a key for the root CA

openssl genrsa -des3 -out rootCA.key 4096

2. Create and self-sign the root CA cert

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

3. Create the certificate key

openssl genrsa -out localhost.key 2048

4. Create the signing request

openssl req -new -key localhost.key -out localhost.csr

This will prompt you for some details. Feel free to leave them blank except for the fully qualified domain name, which must be set to localhost.

5. Create the certificate

Create a v3.ext file as follows:

basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost

openssl x509 -req -in localhost.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out localhost.crt -days 500 -sha256 -extfile v3.ext

6. Create the pfx bundle

openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt

7. Add the certificates to the KeyChain and trust them

Import the root CA certificate and the localhost certificate as you usually would, and set their trust settings to "Always Trust" if need be.

I also imported the pfx for good measure, though I'm not sure if this is necessary.

8. Create a profile for iOS

Using the Apple Configurator app, do the following:

  1. Create a new profile and name it
  2. Add the CA and localhost certificate in the certs section
  3. Sign the profile (File > Sign)
  4. Save the profile

9. Add the profile to iOS

You can drag and drop the profile file into the simulator, or e-mail or AirDrop it to a test device.

10. Trust the profile in iOS

Go into About > Certificate Trust Settings and trust the "localhost" certificate.

11. Configure Kestrel to use the certificate

In your Startup.cs configure it as follows:

using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Hosting;

WebHost.CreateDefaultBuilder(args)
  .UseStartup<Startup>()
  .UseKestrel(options =>
  {
    options.ConfigureHttpsDefaults(httpsOptions =>
    {
      // Serve the one localhost certificate instead of selecting one per connection
      httpsOptions.ServerCertificateSelector = null;
      // The pfx from step 6 and the export password; for local dev only, so keep the
      // password out of source control (user secrets or configuration, not a literal)
      httpsOptions.ServerCertificate = new X509Certificate2("/path/to/pfx", "password for pfx");
    });
  })
  .Build()
  .Run();
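The following is an added example, not code from the gist, that runs steps 1 to 6 as one prompt-free script and then checks the result the way iOS will: that the leaf chains to the root, is not itself a CA, and names localhost in its SAN. It assumes openssl is on PATH, takes the passwords as arguments instead of prompting (a scripting convenience, not the gist's approach), and adds extendedKeyUsage = serverAuth to the gist's v3.ext because iOS 13 and later require it on TLS server certificates; the function names and the CA subject are assumptions.

```shell
#!/bin/sh
# Added example, not from the gist: runs steps 1-6 without prompts into a scratch
# directory, then checks that the leaf chains to the root CA and carries the SAN.
# Assumes openssl is on PATH. Passwords arrive as arguments (an assumption for
# scripting; the gist lets openssl prompt). extendedKeyUsage=serverAuth is added on
# top of the gist's v3.ext because iOS 13 and later require it on TLS server certs.
set -e

make_dev_certs() {
  dir="$1"; ca_pass="$2"; pfx_pass="$3"
  mkdir -p "$dir"
  # Steps 1-2: encrypted root CA key and self-signed root certificate
  openssl genrsa -des3 -passout "pass:$ca_pass" -out "$dir/rootCA.key" 4096 2>/dev/null
  openssl req -x509 -new -key "$dir/rootCA.key" -passin "pass:$ca_pass" -sha256 \
    -days 1024 -subj "/CN=Local Dev Root CA" -out "$dir/rootCA.crt"
  # Steps 3-4: leaf key and CSR; CN=localhost is the gist's FQDN answer
  openssl genrsa -out "$dir/localhost.key" 2048 2>/dev/null
  openssl req -new -key "$dir/localhost.key" -subj "/CN=localhost" -out "$dir/localhost.csr"
  # Step 5: extensions. iOS matches the SAN, not the CN, so DNS.1 is what matters
  cat > "$dir/v3.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
EOF
  openssl x509 -req -in "$dir/localhost.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
    -passin "pass:$ca_pass" -CAcreateserial -out "$dir/localhost.crt" -days 500 \
    -sha256 -extfile "$dir/v3.ext" 2>/dev/null
  # Step 6: PKCS#12 bundle that Kestrel loads in step 11
  openssl pkcs12 -export -out "$dir/localhost.pfx" -inkey "$dir/localhost.key" \
    -in "$dir/localhost.crt" -passout "pass:$pfx_pass"
}

# Succeeds only if the leaf verifies against the root, is not itself a CA, and names
# localhost in its SAN: three of the properties iOS requires before trusting the endpoint.
check_dev_certs() {
  dir="$1"
  openssl verify -CAfile "$dir/rootCA.crt" "$dir/localhost.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$dir/localhost.crt" -noout -text)
  echo "$text" | grep -q 'CA:FALSE' || return 1
  echo "$text" | grep -q 'DNS:localhost' || return 1
}
```

Run it as `make_dev_certs ./devcerts 'ca password' 'pfx password' && check_dev_certs ./devcerts`; the files it writes have the same names the gist uses, so steps 7 to 11 apply unchanged.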

Result!

With these steps followed you should now be able to browse the https endpoints locally and on-device 👍
