Due to changes in macOS and the .NET SDK, every new ASP.NET Core application created must be granted access to the Keychain where the HTTPS developer certificate is stored so that Kestrel can successfully bind an HTTPS address using the dev cert when launched via the AppHost (e.g. dotnet run):

To avoid this issue, we should consider changing the behavior of dotnet dev-certs https and Kestrel on macOS to not put the certificate with the private key in the Keychain, but rather store them in a well-known location in the user directory and load it from there when starting Kestrel in development with an HTTPS localhost address. The certificate without the private key must still be put in the Keychain to ensure web browsers and other client apps verify the certificate as trusted (see #41878 for more details).
The Data Protection APIs already store keys in the user directory at ~/.aspnet/DataProtection-Keys, so a suggested location for the dev-cert files could be ~/.aspnet/dev-certs/https/, e.g.:
$ ls ~/.aspnet/dev-certs/https
localhost.cer
localhost.key
$
Kestrel's macOS logic would be updated to load the dev cert by using the cer and key files from this location.
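With the private key moved from the Keychain to a file, filesystem permissions become the access control on it. The following is an added example, not part of the original issue or of the .NET tooling, that audits the suggested location; the owner-only policy and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the on-disk dev-cert location suggested in the proposal.
# The directory and file names come from the proposal; the owner-only
# permission policy is an assumption of this example.

# Print the group/other permission characters of a path, e.g. "------".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_dev_cert_dir DIR
# Returns 0 if DIR and localhost.key are owner-only, 1 if either is
# accessible to group/other, 2 if the layout is missing or uses symlinks.
check_dev_cert_dir() {
    dir=$1
    result=0

    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "FAIL: $dir is missing or is a symlink" >&2
        return 2
    fi
    for f in "$dir/localhost.key" "$dir/localhost.cer"; do
        if [ ! -f "$f" ] || [ -L "$f" ]; then
            echo "FAIL: $f is missing or not a regular file" >&2
            result=2
        fi
    done
    [ "$result" -eq 0 ] || return "$result"

    # The .cer holds only the public certificate, so only the directory
    # and the key file are required to be owner-only.
    for p in "$dir" "$dir/localhost.key"; do
        if [ "$(group_other_bits "$p")" != "------" ]; then
            echo "FAIL: $p is accessible to group/other" >&2
            result=1
        fi
    done
    return "$result"
}

# Run as: sh check.sh --check [DIR]  (defaults to the suggested location)
if [ "${1:-}" = "--check" ]; then
    check_dev_cert_dir "${2:-$HOME/.aspnet/dev-certs/https}"
fi
```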