Self Signed Cert - Local Testing With ASP.NET Core WEB API

Dev Thakkar
Apr 6, 2022

Scenario: Test ToDoAPI locally by creating a self-signed cert and containerizing the application (Microsoft Link to create ToDoAPI).

Tech stack: OpenSSL, WSL Debian on Windows, Visual Studio 2022, Docker Desktop.

Requirements:

(1) Create self signed certificate using OpenSSL.

(2) Build Docker image. Deploy image on local Docker desktop.

(3) Test using Postman.

Outcome:

Step 1: Prerequisites

Step 2: Create self signed certificate

  • Type “debian” on windows command line (note: install WSL debian prior to typing below command).
> debian
  • Check if openssl is present in debian WSL (root@DESKTOP:/home/dev#).
> openssl version
  • If the above returns an error, execute the steps below in debian (else skip to create folder “todocerts”).
> sudo apt update
> sudo apt-get install openssl libssl-dev
> openssl version
  • Create folder “todocerts”.
> mkdir todocerts
  • To view folder from windows file explorer enter “\\wsl$” on URL bar.
  • “todocerts” folder location \\wsl.localhost\Debian\home\dev
\\wsl$
  • From WSL command line cd into “todocerts” folder.
  • Generate private key to become a local certificate authority.
// Enter a pass phrase on prompt, e.g. “testtodo”
> openssl genrsa -des3 -out localCA.key 2048
  • Output from above command creates private key: “localCA.key”.
  • Generate root certificate using above private key.
> openssl req -x509 -new -nodes -key localCA.key -sha256 -days 365 -out localCA.pem
  • Keep all information blank except for FQDN: testtodoapi.com.
  • Output from above command creates root certificate: “localCA.pem”.
  • Add this root certificate to the Microsoft Management Console on your local desktop. Reason: this allows any SSL certs generated using localCA.pem to be trusted on the local machine.
  • Steps to add cert in Microsoft Management Console.
// enter "windows key - R"
// type "mmc"
  • Microsoft Management console opened.
// File >> Add/Remove Snap-in >> Certificates >> Add
// Select option "Computer account" >> Local Computer and Finish
// Click OK on the Add or Remove Snap..
// Double click on "Certificates (Local Computer)"
// Select "Certificates" in Trusted Root Certification Authority
// From => Action >> All Tasks >> Import...
// Import the localCA.pem root certificate
// Close out of mmc (skip saving as console1)
  • Create a private key for development.
> openssl genrsa -out todoapi.test.key 2048
  • Output from above command creates private key: “todoapi.test.key”.
  • Create a CSR (Certificate Signing Request) for private key “todoapi.test.key”.
> openssl req -new -key todoapi.test.key -out todoapi.test.csr
  • Enter blank for all fields except for Common Name. Enter todotest.com for common name.
  • Using notepad create a cert extension file todoapi.test.ext. Include below information in the file.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = todoapi.test
  • Below files should exist in “todocerts” folder.
  • Create a self signed SSL cert using “todoapi.test.csr”, local root certificate “localCA.pem”, local certificate authority private key “localCA.key”.
> openssl x509 -req -in todoapi.test.csr -CA localCA.pem -CAkey localCA.key -CAcreateserial -out todoapi.test.crt -days 365 -sha256 -extfile todoapi.test.ext
  • Output from above command creates self signed SSL cert: “todoapi.test.crt”.
  • Note: Step 2 alternative — SSL cert can also be created using dotnet dev-certs command.
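
Added example (not part of the original post): the Step 2 commands replayed without prompts in a scratch directory, followed by two checks, that todoapi.test.crt chains to localCA.pem and which host names its subjectAltName covers. The -subj, -passout and -passin flags stand in for the interactive prompts, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: Step 2 replayed without prompts, then verified.
# Pass phrase "testtodo" and the file names are the ones used in this post;
# the function names are illustrative.

build_chain() {  # $1 = empty working directory
  ( cd "$1" &&
    # Local CA: pass-phrase-protected key and self-signed root certificate
    openssl genrsa -des3 -passout pass:testtodo -out localCA.key 2048 2>/dev/null &&
    openssl req -x509 -new -nodes -key localCA.key -passin pass:testtodo \
      -sha256 -days 365 -subj "/CN=testtodoapi.com" -out localCA.pem &&
    # Development key and CSR
    openssl genrsa -out todoapi.test.key 2048 2>/dev/null &&
    openssl req -new -key todoapi.test.key -subj "/CN=todotest.com" \
      -out todoapi.test.csr &&
    # Extension file, same content as in the post
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' \
      'basicConstraints=CA:FALSE' \
      'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
      'subjectAltName = @alt_names' '[alt_names]' 'DNS.1 = todoapi.test' \
      > todoapi.test.ext &&
    # Sign the CSR with the local CA
    openssl x509 -req -in todoapi.test.csr -CA localCA.pem -CAkey localCA.key \
      -passin pass:testtodo -CAcreateserial -out todoapi.test.crt \
      -days 365 -sha256 -extfile todoapi.test.ext 2>/dev/null )
}

chain_ok() {  # $1 = directory; succeeds if the leaf chains to the local root
  openssl verify -CAfile "$1/localCA.pem" "$1/todoapi.test.crt" >/dev/null 2>&1
}

san_covers() {  # $1 = host name, $2 = certificate; exact dNSName match only
  openssl x509 -in "$2" -noout -text | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$1"
}

work=$(mktemp -d)               # scratch directory holding throwaway keys
trap 'rm -rf "$work"' EXIT      # remove the keys when the script ends
build_chain "$work" && chain_ok "$work" && echo "chain: OK"
for h in todoapi.test localhost; do
  if san_covers "$h" "$work/todoapi.test.crt"; then
    echo "$h: listed in SAN"
  else
    echo "$h: NOT in SAN (clients will report a name mismatch)"
  fi
done
```

Clients match the host name in the URL against the subjectAltName entries, so the name used in the browser or Postman has to appear under [alt_names] in todoapi.test.ext.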

Step 3: Add Docker setup for ToDoAPI

  • Open ToDoAPI in Visual Studio.
  • In Solution Explorer under Solution, right Click on Project “ToDoAPI” >> Add >> Docker Support …
  • Docker File created as below.
  • Right Click on “Dockerfile” >> Build Docker Image.
  • After successful build the image will display in local Docker Desktop.
  • To check image from command line.
> docker images
  • To run in container from command line (note: Can also run from Docker Desktop. Include Option Port as 8000:80 for tcp/80).
> docker run --rm -it -p 8000:80 --name todoapi-app todoapi
  • Check docker desktop for container running app.
  • From browser enter url “http://localhost:8000/api/todoitems”
  • To post items use tool like Postman.

Step 4: Setup Secure HTTPS

  • To create a PFX file that has both private and public key (required for SSL Cert setup of ASP.NET CORE application inside Docker container).
  • Type “debian” on windows command line.
// WSL2 Linux
> debian
// use root env
> sudo su
  • Create PFX file (for passphrase prompt enter “testtodo”)
> openssl pkcs12 -export -name "todoapi.test" -out todoapi.pfx -inkey todoapi.test.key -in todoapi.test.crt
  • Output from above command creates todoapi.pfx file.
  • Copy the file to C:\Users\<user>\.aspnet\https
  • If file cannot be copied from WSL Linux to Windows drive then change permission of file (eg chmod 666 todoapi.pfx).
  • In a Windows command window, build the Docker image.
> docker build -t todoapi:v1 .
// to run in HTTPS
> docker run -p 8000:80 -p 8001:443 -e ASPNETCORE_URLS="https://+;http://+" -e ASPNETCORE_HTTPS_PORT=8001 -e ASPNETCORE_Kestrel__Certificates__Default__Password="testtodo" -e ASPNETCORE_Kestrel__Certificates__Default__Path=/https/todoapi.pfx -v %USERPROFILE%\.aspnet\https:/https/ todoapi:v1
  • Command params:
  • The ASPNETCORE_URLS environment variable specifies the URLs the app listens on, e.g. ASPNETCORE_URLS="https://+;http://+".
  • ASPNETCORE_Kestrel__Certificates__Default__Password specifies the password for the SSL certificate.
  • ASPNETCORE_Kestrel__Certificates__Default__Path=/https/todoapi.pfx specifies the default path of the HTTPS certificate. It points inside the “https” directory of the container, which is where the certificate is loaded from.
  • The volume option “-v” maps the Windows folder %USERPROFILE%\.aspnet\https to /https in the container, so the SSL certificate on the Windows drive is found at that path.
  • Check docker desktop for container running app.
  • From browser enter url “https://localhost:8001/api/todoitems”
  • To post items use Postman.
