9

We are running a web API with ASP.NET Core on IIS Express locally. We are using a custom domain name configured in the hosts-file.

This works fine, but we have to manually trust the site in Chrome every now and then, so we would like to set IIS Express up to use our SSL-certificate.

IIS Express is configured in launchSettings.json:

"iisExpress": {
  "applicationUrl": "http://applocal.ourdomain.com:5000",
  "sslPort": 44300
}

How can we configure IIS Express to use our SSL Certificate?

severin

4 Answers

16

Install the certificate on the machine, then run in cmd:

"C:\Program Files (x86)\IIS Express\IisExpressAdminCmd.exe" setupSslUrl -url:https://my.domain.name:<port> -CertHash:<Certificate thumbprint>
severin
7

First make a new certificate with the hostname replaced; ensure it's made on the local machine.

PowerShell:

New-SelfSignedCertificate -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(1) -Subject "YOUR.DOMAIN.NAME" -KeyAlgorithm "RSA" -KeyLength 2048 -HashAlgorithm "SHA256" -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage KeyEncipherment -FriendlyName "HTTPS PROJECTNAME development certificate" -TextExtension @("2.5.29.19={critical}{text}","2.5.29.37={critical}{text}1.3.6.1.5.5.7.3.1","2.5.29.17={critical}{text}DNS=YOUR.DOMAIN.NAME")

Now we need to copy it into the trusted certificates for the local machine: open "mmc", add the snap-in for the certificate manager for the local machine (not personal user), find the certificate and copy it over to "Trusted Root Certificate Authorities".

Open up the certificate and copy the 'thumbprint' detail.

Next you need to tell IIS to use this certificate. Open an admin cmd prompt and navigate to the IIS express folder at C:\Program Files (x86)\IIS Express then run:

IisExpressAdminCmd.exe setupSslUrl -url:https://YOUR.DOMAIN.NAME:PORTNUMBER -CertHash:THUMBPRINT

Thanks to: https://improveandrepeat.com/2020/05/how-to-change-the-https-certificate-in-iis-express/
https://www.sonicwall.com/support/knowledge-base/how-can-i-import-certificates-into-the-ms-windows-local-machine-certificate-store/170504615105398/
https://stackoverflow.com/a/38953547/1079267
https://devblogs.microsoft.com/aspnet/configuring-https-in-asp-net-core-across-different-platforms/

Worthy7
  • Creating the certificate with the provided command breaks on Windows 11 for me. Chrome throws ERR_SSL_KEY_USAGE_INCOMPATIBLE. (See this SO post: https://stackoverflow.com/questions/70278265/windows-11-err-ssl-key-usage-incompatible) To fix this I ran New-SelfSignedCertificate -DnsName "localhost" -Subject "localhost" -CertStoreLocation "Cert:\LocalMachine\My" -FriendlyName "Https Development" to create the certificate and followed the other steps as described. – Dylan Meivis Jun 28 '22 at 07:43
  • Feel free to update my answer for Windows 11 too – Worthy7 Jun 29 '22 at 08:39
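
The steps from the answer above as one elevated PowerShell script, with both key usages set so the ERR_SSL_KEY_USAGE_INCOMPATIBLE error from the comment does not occur. This is an added example, not part of the original answer: the hostname and port are taken from the question, the friendly name is a placeholder, and the explicit ca=FALSE basic constraint and the checks in step 3 are additions.

```powershell
#Requires -RunAsAdministrator
# Added example; adjust the three values below to your project.
$HostName = 'applocal.ourdomain.com'   # custom hostname from the question
$Port     = 44300                      # sslPort from the question's launchSettings.json
$IisAdmin = 'C:\Program Files (x86)\IIS Express\IisExpressAdminCmd.exe'

# 1. Create the certificate in the machine store. DigitalSignature is set next to
#    KeyEncipherment (the comment above reports Chrome rejecting KeyEncipherment alone).
#    ca=FALSE keeps the certificate an end-entity certificate, so trusting it as a
#    root in step 2 does not let it sign certificates for other hostnames.
$cert = New-SelfSignedCertificate `
    -DnsName $HostName -Subject "CN=$HostName" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -NotAfter (Get-Date).AddYears(1) `
    -FriendlyName 'HTTPS development certificate (placeholder name)' `
    -TextExtension @('2.5.29.19={critical}{text}ca=FALSE',
                     '2.5.29.37={text}1.3.6.1.5.5.7.3.1')   # EKU: server authentication only

# 2. Trust it: export only the public part and import that into the machine's
#    Trusted Root store (replaces the manual copy in mmc). The private key stays in My.
$cer = Join-Path $env:TEMP "$HostName.cer"
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item $cer

# 3. Check what was actually issued before binding it.
$kuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$sig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
if (-not $kuExt -or -not $kuExt.KeyUsages.HasFlag($sig)) {
    throw 'Key usage lacks DigitalSignature; Chrome will refuse the certificate.'
}
if ($cert.GetNameInfo('DnsName', $false) -ne $HostName) {
    throw "Certificate DNS name does not match $HostName."
}
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in LocalMachine\My.' }

# 4. Bind the certificate to the IIS Express URL, as in the answer.
& $IisAdmin setupSslUrl "-url:https://${HostName}:$Port" "-CertHash:$($cert.Thumbprint)"
Write-Host "Bound $($cert.Thumbprint) to https://${HostName}:$Port"
```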
2

Jexus Manager provides you the user interface to add server certificates and change site bindings.

http://jexusmanager.com

Lex Li
  • Thanks, seems like a good program but my .NET Core apps don't show up. Maybe it is not supported yet? – severin Aug 11 '16 at 12:48
  • @fiskeboss you need to run this project at least once so that VS can generate the applicationHost.config file. Then you can add the solution to Jexus Manager as a new server, https://jexus.lextudio.com/en/latest/getting-started/features.html#add-new-servers – Lex Li Aug 14 '16 at 08:04
0

You should import this certificate to Trusted Root Certification Authorities on each machine you run this app on. The easiest way to do this is to open this certificate directly from the browser. Not sure about Chrome and Firefox, but it works for IE for sure.

vzayko
  • The problem is that IIS Express launches the app with the localhost-certificate. I want to configure it to use my own certificate. Trusting the localhost-cert won't help because I'm running with a custom hostname. – severin Aug 11 '16 at 11:22
  • Here is what I found. Hope this helps http://www.lansweeper.com/kb/54/How-to-configure-SSL-in-IIS-Express.html – vzayko Aug 11 '16 at 11:29
  • 1
    @vzayko The linked info is specific to configuring "Lansweeper". It doesn't generalize to other use cases with IIS. – HappyNomad Nov 07 '18 at 00:34