Error when using custom HTTPS certificate from pem file #40020

Closed
1 task done
Vake93 opened this issue Feb 6, 2022 · 8 comments
Assignees
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions External This is an issue in a component not contained in this repository. It is open for tracking purposes. ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. Status: Resolved

Comments

@Vake93

Vake93 commented Feb 6, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

I have configured my application to load a custom HTTPS certificate from a PEM file on disk. The server starts up ok but when I navigate to the URL, it throws the following exception:
no credentials are available in the security package

This is a minimal code to reproduce this issue:
custom-certificate-https.zip

However, if I use the same pem file and configure it with appsettings.json it works fine. Also if I export this as a pfx and reimport it works fine as well.

Expected Behavior

The webserver to use the pem files to serve HTTPS connections

Steps To Reproduce

No response

Exceptions (if any)

Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HMF9837BOM92.
      System.ComponentModel.Win32Exception (0x8009030E): No credentials are available in the security package
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCH_CREDENTIALS* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCH_CREDENTIALS* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchCredentials(X509Certificate2 certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()

.NET Version

6.0.100

Anything else?

Operating system: Windows 11 - 22000.469

@adityamandaleeka
Member

You'll want to get an X509Certificate2 using this API: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.createfrompemfile?view=net-6.0

and then pass that to Kestrel in UseHttps

@Vake93
Author

Vake93 commented Feb 8, 2022

Yes, that is the API I'm using to create the X509Certificate2. If you check the sample project attached, it has the code to recreate this issue.

using System.Security.Cryptography.X509Certificates;

var builder = WebApplication.CreateBuilder(args);

builder.WebHost.ConfigureKestrel(options =>
{
    options.ConfigureHttpsDefaults(httpsOptions =>
    {
        var certPath = Path.Combine(builder.Environment.ContentRootPath, "certificate", "demo-cert.pem");
        var keyPath = Path.Combine(builder.Environment.ContentRootPath, "certificate", "demo-key.pem");

        httpsOptions.ServerCertificate = X509Certificate2.CreateFromPemFile(certPath, keyPath);
    });
});

var app = builder.Build();

app.MapGet("/", () => "Hello World!");

app.Run();

@Vake93
Author

Vake93 commented Feb 8, 2022

Since you suggested the UseHttps extension method, I tried that as well, but the same exception is still thrown.

using System.Security.Cryptography.X509Certificates;

var builder = WebApplication.CreateBuilder(args);

builder.WebHost.ConfigureKestrel(options =>
{
    var certPath = Path.Combine(builder.Environment.ContentRootPath, "certificate", "demo-cert.pem");
    var keyPath = Path.Combine(builder.Environment.ContentRootPath, "certificate", "demo-key.pem");

    options.ConfigureEndpointDefaults(l => l.UseHttps(X509Certificate2.CreateFromPemFile(certPath, keyPath)));
});

var app = builder.Build();

app.MapGet("/", () => "Hello World!");

app.Run();

@vader1986

I've got the same issue when I create a pem certificate with separate key file using mkcert.

@ghost

ghost commented Feb 9, 2022

Thanks for contacting us.
We're moving this issue to the .NET 7 Planning milestone for future evaluation / consideration. Because it's not immediately obvious that this is a bug in our framework, we would like to keep this around to collect more feedback, which can later help us determine the impact of it. We will re-evaluate this issue during our next planning meeting(s).
If we later determine that the issue has no community involvement, or that it's a very rare and low-impact issue, we will close it, so that the team can focus on more important and high-impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

@HaoK
Member

HaoK commented Feb 9, 2022

Here's another blog post basically talking about this exact scenario/error: https://www.scottbrady91.com/c-sharp/pem-loading-in-dotnet-core-and-dotnet and why it fails; there's an issue with ephemeral keysets on Windows, I guess: dotnet/runtime#45680

Looks like this is worked around by using the configuration loader:

{
  "Kestrel": {
    "Endpoints": {
      "HttpsFromPem": {
        "Url": "https://localhost:5001",
        "Certificate": {
          "Path": "../cert.pem",
          "KeyPath": "../ecc.pem"
        }
      }
    }
  }
}
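The other workaround mentioned in the thread, "export as pfx and reimport", as an added example that is not code from this issue or from ASP.NET Core itself: it loads the PEM pair exactly as the reporter does, then round-trips the certificate through an in-memory PFX so that on Windows the private key is no longer the ephemeral key SChannel rejects. The file paths and the PemServerCertificate helper are assumptions for illustration.

```csharp
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

// Wiring in the same shape as the reporter's sample; paths are assumed.
var builder = WebApplication.CreateBuilder(args);

builder.WebHost.ConfigureKestrel(options =>
{
    var certPath = Path.Combine(builder.Environment.ContentRootPath, "certificate", "demo-cert.pem");
    var keyPath = Path.Combine(builder.Environment.ContentRootPath, "certificate", "demo-key.pem");

    options.ConfigureHttpsDefaults(https =>
        https.ServerCertificate = PemServerCertificate.Load(certPath, keyPath));
});

var app = builder.Build();
app.MapGet("/", () => "Hello World!");
app.Run();

// Hypothetical helper (not part of the framework): PEM in, SChannel-usable cert out.
static class PemServerCertificate
{
    public static X509Certificate2 Load(string certPemPath, string keyPemPath)
    {
        // Same call as in the issue; on Windows the key is attached as an ephemeral key.
        var fromPem = X509Certificate2.CreateFromPemFile(certPemPath, keyPemPath);

        // Only SChannel (Windows) has the ephemeral-key limitation; elsewhere use it as-is.
        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            return fromPem;

        using (fromPem)
        {
            // "Export as pfx and reimport": the PFX blob stays in memory, never on disk.
            byte[] pfx = fromPem.Export(X509ContentType.Pfx);
            try
            {
                // DefaultKeySet, not EphemeralKeySet: an ephemeral key is exactly what
                // the root-cause issue the thread points at (dotnet/runtime#23749) is about.
                return new X509Certificate2(pfx, (string?)null, X509KeyStorageFlags.DefaultKeySet);
            }
            finally
            {
                Array.Clear(pfx); // do not leave the private-key bytes lying around in memory
            }
        }
    }
}
```

With the default key set the imported key is written to the current user's key store for the lifetime of the certificate object, so dispose it on shutdown rather than reloading it per request.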

@HaoK HaoK added External This is an issue in a component not contained in this repository. It is open for tracking purposes. ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. and removed investigate labels Feb 9, 2022
@ghost ghost added the Status: Resolved label Feb 9, 2022
@vader1986

Interesting workaround. Unfortunately, it doesn't work when you want to load a full certificate chain, as you would manually import the pem file into an X509Certificate2Collection and experience this error, if I'm not mistaken.

@HaoK
Member

HaoK commented Feb 9, 2022

Closing this issue since this is external to us; dotnet/runtime#23749 is the root cause.

@HaoK HaoK closed this as completed Feb 9, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Mar 12, 2022
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Aug 25, 2023