@ckpearson
Created January 30, 2019 00:51
Configuring ASP.NET Core HTTPS with a self-signed CA root & cert for iOS development on OSX

The Problem

ASP.NET Core has a very useful dev-certs utility capable of producing self-signed certificates for local HTTPS development work.

This works for the most part, but as soon as you want to develop a native app locally, iOS refuses to trust the certificate, or even to let you tell it to trust it.

You can see This Issue for some more context.

The Solution

This is what worked for me; I make no guarantees as to its efficiency or ongoing efficacy.

Most of the steps here I found here and here; I've recreated the bare-bones instructions here for brevity and to retain the knowledge.

IMPORTANT: Be sure to use a password for the certificates for security, and keep them somewhere safe. The command line will prompt you for passwords when needed.

1. Generate a key for the root CA

openssl genrsa -des3 -out rootCA.key 4096

2. Create and self-sign the root CA cert

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

3. Create the certificate key

openssl genrsa -out localhost.key 2048

4. Create the signing request

openssl req -new -key localhost.key -out localhost.csr

This will prompt you for some details. Feel free to leave them blank except for the fully qualified domain name; be sure to set that to localhost.

5. Create the certificate

openssl x509 -req -in localhost.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out localhost.crt -days 500 -sha256

6. Create the pfx bundle

openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt

7. Add the certificates to the Keychain and trust them

Just import the root CA certificate and the localhost certificate as you would usually, and be sure to tweak their trust settings to "always trust" if need be.

I also imported the pfx for good measure, though I'm not sure if this is necessary.

8. Create a profile for iOS

Using the Apple Configurator app, do the following:

  1. Create a new profile and name it
  2. Add the CA and localhost certificate in the certs section
  3. Sign the profile (File > Sign)
  4. Save the profile

9. Add the profile to iOS

You can drag and drop the profile file into the simulator, or e-mail / AirDrop it to a test device.

10. Trust the profile in iOS

Go into About > Certificate Trust Settings and trust the "localhost" certificate.

11. Configure Kestrel to use the certificate

In your Startup.cs configure it as follows:

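// Needs: using System.Security.Cryptography.X509Certificates;
WebHost.CreateDefaultBuilder(args)
  .UseStartup<Startup>()
  .UseKestrel(options =>
  {
    options.ConfigureHttpsDefaults(httpsOptions =>
    {
      // Clear any selector so the certificate set below is the one served.
      httpsOptions.ServerCertificateSelector = null;
      // Load the pfx bundle created in step 6.
      httpsOptions.ServerCertificate = new X509Certificate2("/path/to/pfx", "password for pfx");
    });
  });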

Result!

With these steps followed you should now be able to browse the https endpoints locally and on-device 👍
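
The checks below are an added example, not part of the original gist: a POSIX shell function that confirms the files from steps 1-6 fit together (localhost.crt chains to rootCA.crt, localhost.key matches it, the CN is localhost, and it has not expired) before they are imported in steps 7-11. The function names check_dev_cert, has_san and make_demo_certs are hypothetical, and make_demo_certs builds constructed throwaway certificates from the gist's commands with -subj and a demo passphrase so that it runs without prompts.

```shell
#!/bin/sh
# Usage, in the directory holding the files from steps 1-6:
#   check_dev_cert rootCA.crt localhost.crt localhost.key [host]
# Returns 0 only if the chain, key match, CN and expiry checks all pass.
check_dev_cert() {
  root=$1; leaf=$2; key=$3; host=${4:-localhost}; rc=0
  # The leaf must chain to the root CA that gets trusted on the device.
  openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 ||
    { echo "FAIL: $leaf does not verify against $root"; rc=1; }
  # The key that goes into the pfx must be the one the certificate certifies.
  cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: $key is not the private key for $leaf"; rc=1; }
  # Step 4 sets the subject's common name to the host name.
  openssl x509 -in "$leaf" -noout -nameopt RFC2253 -subject 2>/dev/null |
    grep -Eq "CN=$host(,|\$)" || { echo "FAIL: subject CN is not $host"; rc=1; }
  # -checkend 0 exits non-zero once the certificate has expired.
  openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "FAIL: $leaf has expired"; rc=1; }
  # Informational only: report whether a SAN entry for the host is present.
  has_san "$leaf" "$host" || echo "WARN: no subjectAltName DNS:$host in $leaf"
  return $rc
}

# has_san CRT HOST: succeeds if the certificate lists HOST as a SAN DNS name.
has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -Eq "DNS:$2(,|[[:space:]]|\$)"
}

# make_demo_certs DIR: constructed throwaway material for trying the checks,
# built with the steps 1-5 commands made non-interactive (-subj, pass:demo,
# and a 2048-bit AES-encrypted root key so generation is quick).
make_demo_certs() {
  ( cd "$1" &&
    openssl genrsa -aes256 -passout pass:demo -out rootCA.key 2048 &&
    openssl req -x509 -new -key rootCA.key -passin pass:demo -sha256 \
      -days 1024 -subj "/CN=Demo Dev Root CA" -out rootCA.crt &&
    openssl genrsa -out localhost.key 2048 &&
    openssl req -new -key localhost.key -subj "/CN=localhost" \
      -out localhost.csr &&
    openssl x509 -req -in localhost.csr -CA rootCA.crt -CAkey rootCA.key \
      -passin pass:demo -CAcreateserial -out localhost.crt -days 500 -sha256
  ) >/dev/null 2>&1
}
```

The SAN line is a warning only: the step 5 command as written does not add a subjectAltName, and many current TLS clients match host names against that extension rather than the CN.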

@azimuthdeveloper

This is awesome. You're awesome. I'll probably jam this into a batch script or something to run these commands.

@essic

essic commented May 22, 2020

Hello,

I did make it happen as well by using mkcert to create the CA and certificate, then it from step 7.

Basically it goes:

mkcert --install
mkcert -pkcs12 -p12-file <some file>.pfx <list of hosts separated by spaces>

Hope it helps
