Breaking Change: Removal of ASP.NET Core Developer Certificate

[mthalman]

Breaking Change: Removal of ASP.NET Core Developer Certificate

The ASP.NET Core self-signed developer certificate will no longer be included in sdk Docker images, starting with the next servicing release on August 10, 2021. This applies to all supported sdk images because they contain an installation of .NET 5.0.

This should be considered a breaking change but is unlikely to affect many people. If you're dependent on this certificate existing in the sdk image, you should follow the steps below to avoid being affected by the upcoming release.

Details

The inclusion of this certificate is an oversight as it is against our policy to distribute self-signed certificates. Distributing a certificate in this manner allows it to be misused by malicious actors, potentially allowing users who have trusted the self-signed certificate to fall victim to spoofing attacks. However, given that the certificate is signed as localhost, the likelihood of this occurring in a real-world situation is low.

Recommended Action

Rather than relying on a self-signed certificate already existing in the container, the recommended pattern is to generate the certificate on the host machine and volume mount the certificate into the container. Please read through the existing documentation on how to do this.

Cleanup of Trusted Certificate

If you installed the ASP.NET Core developer certificate described above as a trusted certificate on another machine (outside of the container), it is recommended that you remove this certificate. The PowerShell script provided below, compatible with Windows and MacOS, can be executed to remove the certificate:

function DeleteCert { 
    param ( 
        [System.Security.Cryptography.X509Certificates.StoreName] $storeName, 
        [System.Security.Cryptography.X509Certificates.StoreLocation] $storeLocation 
    )  

    if ($IsWindows -or $PSVersionTable.PSVersion.Major -eq 5) { 
        DeleteCert_Windows $storeName $storeLocation 
    } 
    elseif ($IsMacOS) { 
        DeleteCert_MacOS $storeName $storeLocation 
    } 
    else { 
        throw "Unsupported OS" 
    } 
} 

function DeleteCert_MacOS { 
    param ( 
        [System.Security.Cryptography.X509Certificates.StoreName] $storeName, 
        [System.Security.Cryptography.X509Certificates.StoreLocation] $storeLocation 
    )  

    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList @($storeName, $storeLocation) 
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly) 

    $foundCerts = $store.Certificates | Where { $_.Extensions | Where { $_.Oid.Value -eq "1.3.6.1.4.1.311.84.1.1" } } 
    if (-not $foundCerts) { 
        Write-Host "No ASP.NET Core development certificate found in $storeLocation\$storeName"  
    } 
    else { 
        foreach ($foundCert in $foundCerts) { 
            $thumbprint = $foundCert.Thumbprint 
            Write-Host "Found certificate with thumbprint $thumbprint in $storeLocation\$storeName" 

            # Remove trust rule 
            $certPath = [System.IO.Path]::GetTempFileName() 
            $certBytes = $foundCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert) 
            [System.IO.File]::WriteAllBytes($certPath, $certBytes) 
            RemoveTrustRule $thumbprint $certPath 
            Remove-Item $certPath 
            if ($storeLocation -eq [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser) { 
                $keyChain = "$env:HOME/Library/Keychains/login.keychain-db" 
            } 
            else { 
                $keyChain = "/Library/Keychains/System.keychain" 
            } 

            DeleteCertFromKeychain $thumbprint 
        }       
    } 
}   

function RemoveTrustRule { 
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact='High')] 
    param( 
        [string]$thumbprint, 
        [string]$certPath 
    ) 

    if ($PSCmdlet.ShouldProcess($thumbprint)) { 
        $(& sudo security remove-trusted-cert -d $certPath) 2>&1 | Out-Null 
    } 
}  

function DeleteCertFromKeychain { 
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact='High')] 
    param( 
        [string]$thumbprint
    )   

    if ($PSCmdlet.ShouldProcess($thumbprint)) { 
       & sudo security delete-certificate -Z $thumbprint $keyChain 
    } 
} 

function DeleteCert_Windows { 
    param ( 
        [System.Security.Cryptography.X509Certificates.StoreName] $storeName, 
        [System.Security.Cryptography.X509Certificates.StoreLocation] $storeLocation 
    )   

    $foundCerts = Get-ChildItem Cert:\$storeLocation\$storeName | Where { $_.Extensions | Where { $_.Oid.Value -eq "1.3.6.1.4.1.311.84.1.1" } }   

    if (-not $foundCerts) {  
        Write-Host "No ASP.NET Core development certificate found in $storeLocation\$storeName"  
    }  
    else {  
      $foundCerts | Remove-Item -Confirm  
    }  
} 

DeleteCert My LocalMachine 
DeleteCert My CurrentUser