Add Subject Key Identifier and Authority Key Identifier extensions to the generated dev cert #64263

danegsta · 2025-11-06T21:17:13Z

Add Subject Key Identifier and Authority Key Identifier extensions to the generated dev cert

Add Subject Key Identifier and Authority Key Identifier extensions to the dev cert

Description

Adds the Subject Key Identifier (SKID) and Authority Key Identifier (AKID) extensions to the dev cert to resolve issues with OpenSSL. Additionally increases the certificate version from 4 to 5 to ensure the certificate will be refreshed after a user updates.

OpenSSL uses the SKID and AKID extensions to identify the correct trust chain for a private key (even for a single trusted root certificate like the dev cert). If multiple certificates have the same SKID (or don't have an SKID value) and share the same subject, then the incorrect public certificate may be selected to verify the key, resulting in OpenSSL verification failures.

Fixes #64261

… the generated dev cert

danegsta · 2025-11-06T21:18:20Z

Example certificate extensions with this change:

X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage: critical
        TLS Web Server Authentication
    X509v3 Subject Alternative Name: critical
        DNS:localhost, DNS:*.dev.localhost, DNS:*.dev.internal, DNS:host.docker.internal, DNS:host.containers.internal
    1.3.6.1.4.1.311.84.1.1:
        .
    X509v3 Subject Key Identifier:
        DC:33:2D:DE:22:DF:46:46:9C:B4:8B:98:73:44:55:44:57:AA:2D:22
    X509v3 Authority Key Identifier:
        DC:33:2D:DE:22:DF:46:46:9C:B4:8B:98:73:44:55:44:57:AA:2D:22

DamianEdwards · 2025-11-06T21:25:50Z

src/Shared/CertificateGeneration/CertificateManager.cs

+    internal const int CurrentAspNetCoreCertificateVersion = 5;
+    internal const int CurrentMinimumAspNetCoreCertificateVersion = 5;


Just to state this out loud so we're all clear, I believe this means that after getting this change in a patch on a dev machine, ASP.NET Core apps will now require version 5 of the cert to be present. However it won't be created/installed until something forces the SDK first-run experience to run (e.g. running a dotnet command) or dotnet dev-certs https is run explicitly. I think this is what we want TBC, but want to ensure we're all on the same page.

src/Shared/CertificateGeneration/CertificateManager.cs

Copilot

Pull Request Overview

This PR enhances ASP.NET Core's HTTPS development certificate generation by adding Subject Key Identifier (SKI) and Authority Key Identifier (AKI) extensions to self-signed certificates, bringing them into compliance with RFC 5280 recommendations. The certificate version is bumped from 4 to 5 to reflect this structural change.

Key changes:

Adds SKI and AKI extensions to generated self-signed certificates per RFC 5280 sections 4.2.1.2 and 4.2.1.1
Increments certificate version constants from 4 to 5
Minor whitespace cleanup

src/Shared/CertificateGeneration/CertificateManager.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

src/Shared/CertificateGeneration/CertificateManager.cs

…anegsta/skid

bartonjs

Tests are always welcome, but the technical change LGTM.

danegsta · 2025-11-07T01:00:57Z

/backport to release/10.0

github-actions · 2025-11-07T01:01:06Z

Started backporting to release/10.0 (link to workflow run)

Add Subject Key Identifier and Authority Key Identifier extensions to…

55212a4

… the generated dev cert

danegsta requested review from DamianEdwards and Copilot November 6, 2025 21:17

github-actions bot added the needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically label Nov 6, 2025

DamianEdwards requested review from blowdart and joperezr November 6, 2025 21:19

Add more detail to the comment

ee8f30b

DamianEdwards reviewed Nov 6, 2025

View reviewed changes