Ra rhel/djgalvan (#28428)

* Provide RHEL developer certificate instructions.

* RHEL for certs /8

* RHEL for certs /8

---------

Co-authored-by: David J Galvan Jr <djgalvan01@outlook.com>
pull/28429/head
Rick Anderson 2023-02-16 15:05:35 -10:00 committed by GitHub
parent 9d92fa855e
commit 59d1872c9c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 94 additions and 3 deletions

@ -5,12 +5,12 @@ description: Learn how to require HTTPS/TLS in an ASP.NET Core web app.
ms.author: riande
monikerRange: '>= aspnetcore-3.0'
ms.custom: mvc
ms.date: 01/04/2023
ms.date: 2/14/2023
uid: security/enforcing-ssl
---
# Enforce HTTPS in ASP.NET Core
By [Rick Anderson](https://twitter.com/RickAndMSFT)
By [David Galvan](https://github.com/djgalvan) and [Rick Anderson](https://twitter.com/RickAndMSFT)
This document shows how to:
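Review bot: The new `ms.date: 2/14/2023` drops the leading zero that the value it replaces (`01/04/2023`) carried. Write it as `02/14/2023` so the front matter keeps one date format.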
@ -306,6 +306,8 @@ The path in the preceding command is specific for Ubuntu. For other distribution
### Trust HTTPS certificate on Linux using Edge or Chrome
# [Ubuntu](#tab/linux-ubuntu)
For chromium browsers on Linux:
* Install the `libnss3-tools` for your distribution.
@ -330,7 +332,7 @@ For chromium browsers on Linux:
<a name="trust-ff-linux"></a>
### Trust the certificate with Firefox on Linux
#### Trust the certificate with Firefox on Linux
* Export the certificate with the following command:
@ -359,6 +361,95 @@ EOF
See [Configure trust of HTTPS certificate using Firefox browser](#trust-ff-ba) in this document for an alternative way to configure the policy file using the browser.
# [Red Hat Enterprise Linux](#tab/linux-rhel)
> [!WARNING]
> The following instructions are intended for development purposes only. Do not use the certificates generated in these instructions for a production environment.
These instructions use Mozilla's *legacy* tool [certutil](https://firefox-source-docs.mozilla.org/security/nss/legacy/tools/nss_tools_certutil/index.html). Instructions may be updated as modern utilities and practices are discovered.
> [!CAUTION]
> Improper use of TLS certificates could lead to spoofing.
> [!TIP]
> Instructions for valid production certificates can be found in the RHEL Documentation.
> [RHEL8 TLS Certificates](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/securing_networks/index#creating-and-managing-tls-keys-and-certificates_securing-networks)
> [RHEL9 TLS Certificates](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/securing_networks/index#creating-and-managing-tls-keys-and-certificates_securing-networks)
> [RHEL9 Certificate System](https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9)
### Install Dependencies
```sh
dnf install nss-tools
```
### Export The ASP.NET Core Development Certificate:
> [!IMPORTANT]
> Replace `${ProjectDirectory}` with your projects directory.
> Replace `${CertificateName}` with a name you'll be able to identify in the future.
```sh
cd ${ProjectDirectory}
dotnet dev-certs https -ep ${ProjectDirectory}/${CertificateName}.crt --format PEM
```
> [!CAUTION]
> If using git, add your certificate to your `${ProjectDirectory}/.gitignore` or `${ProjectDirectory}/.git/info/exclude`.
> View the [git documentation](https://git-scm.com/docs/gitignore) for information about these files.
> [!TIP]
> You can move your exported certificate outside of your Git repository and replace the occurrences of `${ProjectDirectory}`, in the following instructions, with the new location.
### Import The ASP.NET Core Development Certificate
> [!IMPORTANT]
> Replace `${UserProfile}` with the profile you intend to use.
> Do not replace `$HOME`, it is the environment variable to your user directory.
#### Chromium-based Browsers
```sh
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n ${CertificateName} -i ${ProjectDirectory}/${CertificateName}.crt
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n ${CertificateName} -i ${ProjectDirectory}/${CertificateName}.crt
```
#### Mozilla Firefox
```sh
certutil -d sql:$HOME/.mozilla/firefox/${UserProfile}/ -A -t "P,," -n ${CertificateName} -i ${ProjectDirectory}/${CertificateName}.crt
certutil -d sql:$HOME/.mozilla/firefox/${UserProfile}/ -A -t "C,," -n ${CertificateName} -i ${ProjectDirectory}/${CertificateName}.crt
```
#### Create An Alias To Test With Curl
> [!IMPORTANT]
>
> Don't delete the exported certificate if you plan to test with curl.
> You'll need to create an alias referencing it in your `$SHELL`'s profile
```sh
alias curl="curl --cacert ${ProjectDirectory}/${CertificateName}.crt"
```
### Cleaning up the Development Certificates
```sh
certutil -d sql:$HOME/.pki/nssdb -D -n ${CertificateName}
certutil -d sql:$HOME/.mozilla/firefox/${UserProfile}/ -D -n ${CertificateName}
rm ${ProjectDirectory}/${CertificateName}.crt
dotnet dev-certs https --clean
```
>[!NOTE]
> Remove the curl alias you created earlier
# [SUSE Linux Enterprise Server](#tab/linux-sles)
See [this GitHub issue](https://github.com/dotnet/AspNetCore.Docs/issues/28292)
---
<a name="wsl"></a>
### Trust the certificate with Fedora 34
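Review bot: The alias under "Create An Alias To Test With Curl" rebinds `curl` itself to `curl --cacert ${ProjectDirectory}/${CertificateName}.crt`, and `--cacert` makes curl verify peers against that file instead of the system CA bundle, so once this is in the shell profile every other HTTPS request made with `curl` fails verification. Suggest defining the alias under a separate name used only for the local app, which also gives the cleanup note something unambiguous to remove. Two smaller points in the same hunk: each import runs `certutil -A` twice under the same `-n ${CertificateName}`, first with `-t "P,,"` and then with `-t "C,,"`, without saying which trust setting is intended or why both calls are needed; and the RHEL tab's sections use `###` headings while the Firefox heading in the Ubuntu tab was demoted to `####` in this same change, so the two tabs should use the same level.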