Where does .net core search for certificates on linux platform

For Linux and Mac .NET CORE will use OpenSSL.

command to generate a private key and a certificate signing request:

openssl req -config https.config -new -out csr.pem

command to create a self-signed certificate:

openssl x509 -req -days 365 -extfile https.config -extensions v3_req -in csr.pem -signkey key.pem -out https.crt

command to generate a pfx file containing the certificate and the private key that you can use with Kestrel:

openssl pkcs12 -export -out https.pfx -inkey key.pem -in https.crt -password pass:<password>

After that Trust the certificate

This step is optional, but without it the browser will warn you about your site being potentially unsafe. You will see something like the following if you browser doesn’t trust your certificate:

There is no centralized way of trusting the a certificate on Linux so you can do one of the following:

  1. Exclude the URL you are using in your browsers exclude list

  2. Trust all self-signed certificates on localhost

  3. Add the https.crt to the list of trusted certificates in your browser.

How exactly to achieve this depends on your browser/distro.

You can also reference the complete Kestrel HTTPS sample app

or Follow this Blog Configuring HTTPS in ASP.NET Core across different platforms


.Net Core uses OpenSSL on Linux, as a result, you need to set up your Linux environment in the container so that OpenSSL will pick up the certificate.

You can do this by two ways:

  1. Copying the certificate .crt file to a location that update-ca-certificates will scan for trusted certificates - e.g. /usr/local/share/ca-certificates/ oron RHEL /etc/pki/ca-trust/source/anchors/:

     COPY myca.crt /usr/local/share/ca-certificates/
    
  2. Invoking update-ca-certificates:

     RUN update-ca-certificates
    

This page provides a good (and official) summary of the X509Store locations on Linux (and all platforms) for .NET Core.

The short answer is that on Linux, the LocalMachine/Root store can be opened in ReadOnly mode, and the certificates returned from that store come from the standard Linux system-global certificate directories. @barr-j's answer provides some info on how to you can copy certificates into system directories using Linux commands. However the normal use for these system-global certificates is to specify trusted certificate authorities, NOT as a secure place to store an https certificate (which contains a private key, which shouldn't be accessible by all users on the host).

On Linux with .NET, you can't write to the LocalMachine/Root X509Store directly, and LocalMachine/My isn't supported.

If you want your certificate access limited to a specific user (a good idea for https certs), on Linux with .NET you can write to and read from a user-local cert store using new X509Store(StoreName.My, StoreLocation.CurrentUser).