Debugging on localhost with HSTS
Alexandru Puiu
October 30, 2018

What is the function of HSTS

HSTS stands for HTTP Strict Transport Security. It tells your browser that your web content should always be served over HTTPS. See Security Headers for more info.

Adding a signed localhost certificate to the Trusted Root Certification Authorities store

Newer versions of Chrome require that the server's certificate contain a "subjectAltName" field; such a certificate is otherwise known as a SAN certificate. If you are using an older signed certificate which only references a commonName, then you might still get rejected by Chrome even if your certificate is valid.

https://blogs.msdn.microsoft.com/benjaminperkins/2017/11/15/how-to-create-a-self-signed-san-certificate-wildcard-certificate-vs-san/

Generate the certificate

Open Windows PowerShell in Admin mode.

Run the following command to generate a SAN certificate that expires in 5 years, saved to your Personal list of certificates:

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(5) -DnsName "localhost" -FriendlyName "LocalHost SAN Certificate"

Export the certificate

1. Open the Certificate Manager (Windows key => Manage Computer Certificates) and navigate to Personal => Certificates.
2. Right click the certificate we just generated and click All Tasks => Export.
3. Click next on the first screen.
4. Click "Yes, export the private key", then click next.
5. Make sure the "Export all extended properties" checkbox is checked and click next.
6. Set a password.
7. Save the file to your location of choice depending on your project (for example Download folder -> Certificates). Save it as "localhost.pfx".
8. Click next until the export is finished.

Import and trust the certificate

Now we need to import this certificate into our "Trusted Root Certification Authorities".

1. With the certificate manager open, expand "Trusted Root Certification Authorities" and right click Certificates => All Tasks => Import.
2. Click next, then browse for the file we just exported (you might need to change the file extension that Windows Explorer is searching for from .cer,.crt to .pfx). Select localhost.pfx and open.
3. Click next, enter the password we set previously, and click next again.
4. Make sure it's placing the certificate in the Trusted Root Certification Authorities store.
5. Finish the import.
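
The generate, export and import steps above can also be scripted. The following is an added example, not code from the original post; the output folder and the localhost.cer file name are assumptions. It differs from the GUI steps in one respect: only the public certificate (.cer) is imported into the root store, because trusting a certificate does not require its private key, while the password-protected PFX is kept for Kestrel.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the generate / export / import steps.
# Assumed values (not from the post): $outDir and the localhost.cer file name.
$ErrorActionPreference = 'Stop'
$outDir = Join-Path $env:USERPROFILE 'Downloads\Certificates'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Generate: same command as in the post.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My `
    -NotAfter (Get-Date).AddYears(5) -DnsName 'localhost' `
    -FriendlyName 'LocalHost SAN Certificate'

# Confirm the subjectAltName extension (OID 2.5.29.17) that Chrome requires is present.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw 'Certificate has no subjectAltName extension' }
"SAN: $($san.Format($false))"

# 2. Export the PFX (certificate + private key) for Kestrel.
#    The password is prompted for instead of being written into the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir 'localhost.pfx') `
    -Password $pfxPassword | Out-Null

# Export the public certificate only (no private key) for the trust store.
$cerPath = Join-Path $outDir 'localhost.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 3. Import and trust: place the public certificate in Trusted Root Certification Authorities.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 4. Verify the certificate is now present in the root store.
$trusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $trusted) { throw 'Certificate was not found in the Trusted Root store' }
"Trusted root entry: $($trusted.Thumbprint), expires $($trusted.NotAfter)"

# To stop trusting the certificate later:
# Remove-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
```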

Configure your Kestrel to serve the new certificate

If you’re using Kestrel to serve your development site, then you’ll have to use the new certificate in your Kestrel config:

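// Requires: using System.Net; using Microsoft.AspNetCore.Hosting;
new WebHostBuilder()
    // ... other builder configuration ...
    .UseKestrel(options =>
        {
            // Listen on the loopback interface only, port 5001
            options.Listen(IPAddress.Loopback, 5001, listenOptions =>
            {
                listenOptions.NoDelay = true;
                // Path to the exported PFX (relative to the working directory)
                // and the password that was set during the export
                listenOptions.UseHttps("certificates\\localhost.pfx", "mypassword");
            });
        })
    // ... other builder configuration ...
    .Build();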

At this point you should be able to navigate to a localhost web page in Chrome, and Chrome should trust the certificate.

