Skip to main content

Creating a Developer Certificate for IIS, and having it trusted by the computer, not just you.

 

There's a few different ways to do this, but for me, with a Blazor Server application and backend API, this seemed to work the best. 

Step 1 - Create Certificate 


It's fairly well documented, but there's a few things to note: 
- Change Subject and Dnsname to your preferred name 
- Note the certifcate store location, in your personal store
- Note the hard coded password YourSecurePassword
- I don't know what the TextExtension field does, need to research that
- Note that the created cer file is deleted at the last step 

However, this process didn't get me in a position where the server itself trusted the certificate, which is what I needed for Blazor, see Step 2 below.

# setup certificate properties including the commonName (DNSName) property for Chrome 58+
$certificate = New-SelfSignedCertificate `
    -Subject localhost `
    -DnsName localhost `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -NotBefore (Get-Date) `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation "cert:CurrentUser\My" `
    -FriendlyName "Localhost Certificate for .NET Core" `
    -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") 
$certificatePath = 'Cert:\CurrentUser\My\' + ($certificate.ThumbPrint)  

# create temporary certificate path
$tmpPath = "C:\tmp"
If(!(test-path $tmpPath))
{
New-Item -ItemType Directory -Force -Path $tmpPath
}

# set certificate password here
$pfxPassword = ConvertTo-SecureString -String "YourSecurePassword" -Force -AsPlainText
$pfxFilePath = "c:\tmp\localhost.pfx"
$cerFilePath = "c:\tmp\localhost.cer"

# create pfx certificate
Export-PfxCertificate -Cert $certificatePath -FilePath $pfxFilePath -Password $pfxPassword
Export-Certificate -Cert $certificatePath -FilePath $cerFilePath

# import the pfx certificate
Import-PfxCertificate -FilePath $pfxFilePath Cert:\LocalMachine\My -Password $pfxPassword -Exportable

# trust the certificate by importing the pfx certificate into your trusted root
Import-Certificate -FilePath $cerFilePath -CertStoreLocation Cert:\CurrentUser\Root

# optionally delete the physical certificates (don’t delete the pfx file as you need to copy this to your app directory)
# Remove-Item $pfxFilePath
Remove-Item $cerFilePath

Step 2 - Get the Server to trust the certificate 

To get the server to trust the cerficate,  I used information from Robert McMurray - How to trust the IIS Express Self-Signed Certificate, namely the part under  "Resolution Number #2 - Configure your computer to trust the IIS Express Certificate"

Using these steps below, may allow other options for creating certifcates in Step 1 

Steps are: 

  • Open the Computers Certifcate's MMC.  Number of different ways to get there, control panel, Admin Tools, Manage Computer Certificates works 
  • The trick here, is that you're going to the computer account , local computer certificates.
  • Export the certificate created in Step 1, depnding on how you did it, it may be in Personal or Web Hosting
    • Only need to export the public key - no private key export needed
    • Export as DER X 509 
  • Once exported, Import it back in under " Trusted Root Certification Authorities"

That's it, you should be good.

Comments

Popular posts from this blog

Javascript Form Validation

It's real simple. All you need to do is call a javascript function in a html  " onsubmit " in the form tag as a javascript return, like this       <form method="post" action="dosomething.php" onsubmit="return validateForm();"> If the code completes ok, the form is then sent to the page listed in "action" http://www.w3schools.com/js/js_form_validation.asp If the function specified in the onsubmit returns false, then the form is not sent to the page mentioned in action.