Adjusting the default Kestrel development certificate to support WebTransport

[Daniel-Genkin-MS-2]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

Currently we need to use a custom certificate for the WebTransport connection. It would be great to have the default Kestrel certificate work with WebTransport to avoid this. It would make development easier and smoother.

Current setup

var builder = WebApplication.CreateBuilder(args);

// generate a certificate and hash to be shared with the client
var certificate = GenerateManualCertificate();
var hash = SHA256.HashData(certificate.RawData);
var certStr = Convert.ToBase64String(hash);

// configure the ports
builder.WebHost.ConfigureKestrel((context, options) =>
{
    // webtransport configured port
    options.Listen(IPAddress.Any, 5002, listenOptions =>
    {
        listenOptions.UseHttps(certificate);
        listenOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
    });
});

// Adapted from: https://github.com/wegylexy/webtransport
// We will need to eventually merge this with existing Kestrel certificate generation
// tracked in issue #41762
static X509Certificate2 GenerateManualCertificate()
{
    X509Certificate2 cert;
    var store = new X509Store("KestrelWebTransportCertificates", StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadWrite);
    if (store.Certificates.Count > 0)
    {
        cert = store.Certificates[^1];

        // rotate key after it expires
        if (DateTime.Parse(cert.GetExpirationDateString(), null) >= DateTimeOffset.UtcNow)
        {
            store.Close();
            return cert;
        }
    }
    // generate a new cert
    var now = DateTimeOffset.UtcNow;
    SubjectAlternativeNameBuilder sanBuilder = new();
    sanBuilder.AddDnsName("localhost");
    using var ec = ECDsa.Create(ECCurve.NamedCurves.nistP256);
    CertificateRequest req = new("CN=localhost", ec, HashAlgorithmName.SHA256);
    // Adds purpose
    req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection
    {
        new("1.3.6.1.5.5.7.3.1") // serverAuth
    }, false));
    // Adds usage
    req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, false));
    // Adds subject alternate names
    req.CertificateExtensions.Add(sanBuilder.Build());
    // Sign
    using var crt = req.CreateSelfSigned(now, now.AddDays(14)); // 14 days is the max duration of a certificate for this
    cert = new(crt.Export(X509ContentType.Pfx));

    // Save
    store.Add(cert);
    store.Close();
    return cert;
}

Describe the solution you'd like

var builder = WebApplication.CreateBuilder(args);

// configure the ports
builder.WebHost.ConfigureKestrel((context, options) =>
{
    // webtransport configured port
    options.Listen(IPAddress.Any, 5002, listenOptions =>
    {
        listenOptions.UseHttps();
        listenOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
        listenOptions.IsWebTransportPort = true; // switches to the webtransport-compatible cert (Could be cool if this wasn't even necessary).
        Console.WriteLine(listenOptions.certHash); // prints the hash so that the user can paste it into the JS API or inject into their client side code.
    });
});

Additional context

No response

[blowdart]

What errors are you seeing? HTTP3 doesn't require ECC and switching to ECC would require some investigation wrt iot and more.

[davidfowl]

Currently we need to use a custom certificate for the WebTransport connection.

Why is this?

[Daniel-Genkin-MS-2]

Chromium will just straight up reject the cert

[Daniel-Genkin-MS-2]

You can see this if you run the interactive sample app in the webtransport pr (#42097) and replace line 17 which is this:
var certificate = GenerateManualCertificate();
with:
var certificate = CertificateLoader.LoadFromStoreCert("localhost", StoreName.My.ToString(), StoreLocation.CurrentUser, false);

[davidfowl]

I think we need to figure out why. Is it ECC (Elliptic Curve Cryptography) that's making the big difference?

[Tratcher]

Duplicate of #41762?

[amcasey]

Let's track this via #41762.