Exclude localhost certificates without a subject key identifier extension #12736
Merged
danegsta merged 3 commits into dotnet:main (Nov 6, 2025)
Conversation
Contributor

🚀 Dogfood this PR with:

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 12736

Or

iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 12736"
Contributor

Pull Request Overview

This PR enables Python apps to trust system root certificates in addition to custom certificates by setting CertificateTrustScope.System as the default, and filters out legacy localhost certificates to prevent OpenSSL conflicts.

Key Changes:

- Python apps now default to CertificateTrustScope.System instead of Append mode
- Added filtering logic to exclude legacy localhost certificates without Subject Key Identifier when loading system root certificates
- Minor whitespace cleanup in XML documentation

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| src/Aspire.Hosting/Utils/X509Certificate2Extensions.cs | Added HasSubjectKeyIdentifier() method and filtering logic in AddRootCertificates() to exclude legacy localhost certificates that could conflict with ASP.NET Core dev certs in OpenSSL |
| src/Aspire.Hosting.Python/PythonAppResourceBuilderExtensions.cs | Changed default certificate trust scope from Append to System for Python apps, removed TODO comment, and fixed trailing whitespace in XML doc |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
davidfowl approved these changes, Nov 6, 2025
Member, Author

/backport to release/13.0

Contributor

Started backporting to release/13.0: https://github.com/dotnet/aspire/actions/runs/19126133137
Description

OpenSSL considers the subject name and the subject/authority key identifier extensions when considering what trusted certificates to validate a TLS connection against. The ASP.NET dev cert doesn't include a subject key identifier extension, but neither do the legacy IIS certificates. This can lead to conflicts when adding multiple certificates into an OpenSSL trust bundle.

This PR filters out localhost certificates without a subject key identifier from the store when adding system trust to a child resource. This ensures the ASP.NET developer certificate works, but does have the trade-off of preventing resources from trusting local IIS development endpoints.
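As an added illustration (not the dotnet/aspire code from this PR), the following C# program applies the same rule described above: it drops any certificate whose subject is localhost and which carries no Subject Key Identifier extension, then concatenates the survivors into a PEM trust bundle. The class, method names and the MakeLocalhost helper are hypothetical, the two self-signed certificates are constructed in-process, and ExportCertificatePem assumes .NET 7 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from dotnet/aspire: applies the PR's rule (drop "localhost"
// certificates that carry no Subject Key Identifier) before building a PEM trust bundle.
static class TrustBundleFilter
{
    // OID 2.5.29.14 is id-ce-subjectKeyIdentifier.
    public static bool HasSubjectKeyIdentifier(X509Certificate2 cert) =>
        cert.Extensions.OfType<X509Extension>().Any(e => e.Oid?.Value == "2.5.29.14");

    public static bool IsLocalhost(X509Certificate2 cert) =>
        string.Equals(cert.GetNameInfo(X509NameType.SimpleName, forIssuer: false),
                      "localhost", StringComparison.OrdinalIgnoreCase);

    // Keep every certificate except a localhost one that lacks an SKI; such a cert would
    // collide with the ASP.NET Core dev cert in OpenSSL's subject/key-id based lookup.
    public static IEnumerable<X509Certificate2> FilterForOpenSsl(IEnumerable<X509Certificate2> certs) =>
        certs.Where(c => !(IsLocalhost(c) && !HasSubjectKeyIdentifier(c)));

    // Concatenate the survivors into one PEM bundle (ExportCertificatePem needs .NET 7+).
    public static string BuildPemBundle(IEnumerable<X509Certificate2> certs) =>
        string.Join("\n", FilterForOpenSsl(certs).Select(c => c.ExportCertificatePem()));

    // Constructed self-signed test certificates: one with an SKI (dev-cert style),
    // one without (legacy IIS style). Hypothetical helper, only for this demo.
    static X509Certificate2 MakeLocalhost(bool withSki)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=localhost", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        if (withSki)
            req.CertificateExtensions.Add(
                new X509SubjectKeyIdentifierExtension(req.PublicKey, critical: false));
        var now = DateTimeOffset.UtcNow;
        return req.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));
    }

    static void Main()
    {
        var input = new[] { MakeLocalhost(withSki: true), MakeLocalhost(withSki: false) };
        var kept = FilterForOpenSsl(input).ToList();
        Console.WriteLine($"input={input.Length} kept={kept.Count} keptHasSki={HasSubjectKeyIdentifier(kept[0])}");
        Console.WriteLine(BuildPemBundle(input));
    }
}
```

Running it shows the legacy-style certificate being excluded while the one carrying an SKI reaches the bundle, which is the behaviour the PR relies on to keep the dev cert resolvable in OpenSSL.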