Kestrel should select best dev cert and warn if dev cert is out of date

[analogrelay]

After #9810 we now have a new "version" field in the dev certificate. Kestrel needs to ensure it always picks the highest version that it supports when loading dev certificates, just in case multiple versions are available. Also, Kestrel should warn if the highest version it finds is earlier than the version Kestrel expects (as defined by a LatestDevCertVersion constant somewhere, likely in the shared certificate manager code)

[jkotalik]

I actually think we don't need to do anything for this issue. Today, kestrel calls EnsureDefaultCert to get a dev cert, which will call CertificateManager.ListCertificates. This function already verifies the version matches, meaning the dev cert will not be present if it isn't up to date.

Kestrel needs to ensure it always picks the highest version that it supports when loading dev certificates, just in case multiple versions are available.

From what I can tell, Kestrel will only select one certificate when finding the dev cert: https://github.com/aspnet/AspNetCore/blob/master/src/Servers/Kestrel/Core/src/KestrelServerOptions.cs. Also, the tool itself doesn't support multiple certificates (if you call dotnet dev-certs https and already have a cert, it will say a cert is already available).

The only thing I'd consider is changing the log to suggest running dotnet dev-certs https --clean and dotnet dev-certs https --trust

[analogrelay]

Sure, the biggest thing I want to know as part of this is what does a user who has the old cert but somehow didn't get migrated during the first-run or VS experiences sees when they start up a 3.0 app using Kestrel.

[analogrelay]

Let's close this out this week.

[analogrelay]

This should be verified on a fresh machine running Windows 10 1903 (check the "About" screen in Windows Settings) and Google Chrome with a process like the following

1. Install 2.2 SDK
2. Create a 2.2 app. Do not include a global.json file
3. dotnet run the app
4. You should get an ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY error. If you don't, stop here, the issue isn't reproing properly.
5. Install 3.0 SDK. Do not run dotnet CLI
6. Open the app in Visual Studio 2019
7. Launch the app
8. Verify that at some point in that process, VS prompted you to trust the dev cert.

[analogrelay]

@mikaelm12 can you do this validation for preview 7?

[mikaelm12]

Yup, got it