IIS Express using "imaginary" SSL certificate

Question

I've been fighting this for a couple weeks now. I've exhausted my Google-fu and need your help.

I want to delete the certificate that IIS Express is defaulting to (which is about to expire) and use the one that gets created when I "repair" IIS Express.

IIS Express is using an SSL Certificate that I can't find anywhere on my PC. Currently it's NOT using the cert that it creates during the repair. It's using some rando cert that I can't find anywhere on my computer.

I've been through the mmc snap-in 100 times, run dos and powershell commands, searched through my registry, searched through the file system, I even went through 100k lines of process monitor trying to find where it was pulling the certificate from. I can't find the certificate it's using anywhere.

Windows 10. This is a cert dump with the relevant localhost entries:

Location   : CurrentUser

Name : Root

Subject      : CN=localhost
Issuer       : CN=localhost
Thumbprint   : 7019C23346CD99CDE8ED35F2A712410F3E5A03DB
FriendlyName : ASP.NET Core HTTPS development certificate
NotBefore    : 2/28/2020 8:26:43 AM
NotAfter     : 2/27/2021 8:26:43 AM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, 
               System.Security.Cryptography.Oid...}

Subject      : CN=localhost
Issuer       : CN=localhost
Thumbprint   : 4671C5C7DC49E26F318C30911B4494D2511E665E
FriendlyName : IIS Express Development Certificate
NotBefore    : 2/28/2020 8:26:16 AM
NotAfter     : 2/27/2025 6:00:00 PM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

Name: My

Subject      : CN=localhost
Issuer       : CN=localhost
Thumbprint   : 7019C23346CD99CDE8ED35F2A712410F3E5A03DB
FriendlyName : ASP.NET Core HTTPS development certificate
NotBefore    : 2/28/2020 8:26:43 AM
NotAfter     : 2/27/2021 8:26:43 AM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, 
               System.Security.Cryptography.Oid...}

Subject      : CN=localhost
Issuer       : CN=localhost
Thumbprint   : 4671C5C7DC49E26F318C30911B4494D2511E665E
FriendlyName : IIS Express Development Certificate
NotBefore    : 2/28/2020 8:26:16 AM
NotAfter     : 2/27/2025 6:00:00 PM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

And this is the cert that's being served to Chrome:

Serial number: 00e7573e7ee6f8a315
Signature algorithm: sha256RSA
Issuer: localhost
Subject: localhost
1.3.6.1.4.1.311.84.1.1: ASP.NET Core HTTPS development certificate
Thumbprint: f3b46e7bd1d6a66d150948342ffe00ebb42f33ac

Anyone have any ideas? Let me know if you need any additional information.

Answer 1

Kestrel attempts to find a "default" certificate for the project. That certificate is NOT stored in the computer's key store. It's stored on the file system as a .pfx file. The path is %appData%\\ASP.NET\\https.

I found this out by reading through the Kestrel source code KestrelConfigurationLoader.TryGetCertificatePath():

    var hostingEnvironment = Options.ApplicationServices.GetRequiredService<IHostEnvironment>();
    var appName = hostingEnvironment.ApplicationName;

    // This will go away when we implement
    // https://github.com/aspnet/Hosting/issues/1294
    var appData = Environment.GetEnvironmentVariable("APPDATA");
    var home = Environment.GetEnvironmentVariable("HOME");
    var basePath = appData != null ? Path.Combine(appData, "ASP.NET", "https") : null;
    basePath = basePath ?? (home != null ? Path.Combine(home, ".aspnet", "https") : null);
    path = basePath != null ? Path.Combine(basePath, $"{appName}.pfx") : null;
    return path != null;

I deleted the keys that were in the folder and it resolved my problem. Happy days!