Tags: ssl, https, tls1.2, kestrel-http-server, desktop-bridge

How to configure https for a UWP Desktop Bridge app hosting a PWA via a Kestrel Server


I have a Desktop Bridge app which uses a worker service to host a PWA and a Web API with Kestrel over HTTPS.

The user runs the worker and browses to the service from Firefox/Chrome/Edge.

This works fine in development, as the development machine has a trusted certificate installed.

However, when I package it up and deploy to a test machine, there is no cert and the app crashes.

So, what is the best way to do this?

Options

  • Bundle a cert with the app and install it in the container's local store? How would this work with the browser, which wouldn't trust the cert as it's not installed in the browser user's context?
  • Buy a cert from a CA. How would I distribute it?
  • Magic UWP trusted certs I can add to Kestrel?

Solution

  • So, it seems you can't.

    In 2015 certs cannot be issued to an IPv4 or IPv6 address and must be for a FQDN with a public top-level domain.

    TLS is not just about encryption, but also identification; private IPs can't be publicly identified.

    And PWAs need HTTPS to work, so the options are:

    1. Self-signed certificate, which won't be trusted and will show the user a nasty message.
    2. Publicly host the PWA and certify that domain, then call back to the loopback address 127.0.0.1 over HTTP to communicate with the running worker; this is considered secure. I have done this and it does work, but it means my app can only communicate with the user on the same machine.

    There are other options that need you to have control of the network DNS, which I won't have.
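As an added example (not code from the question or answer above), here is a Kestrel startup for the worker that follows option 2: it binds plain HTTP to the loopback address only, which browsers treat as a secure context, and enables HTTPS only when a certificate file is actually present, so a missing cert no longer crashes the app at startup. The configuration keys, port numbers and PWA origin are placeholders.

```csharp
// Added example, not the original project's code.
// Assumed placeholders: Worker:CertPath / Worker:CertPassword config keys,
// ports 5000/5001 and the PWA origin below.
using System.IO;
using System.Net;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Origin of the publicly hosted, CA-certified PWA (placeholder value).
const string pwaOrigin = "https://pwa.example.invalid";

// Only the public PWA origin may call the local worker from the browser.
builder.Services.AddCors(o => o.AddDefaultPolicy(p =>
    p.WithOrigins(pwaOrigin).AllowAnyHeader().AllowAnyMethod()));

builder.WebHost.ConfigureKestrel(kestrel =>
{
    // Bind to loopback only, never 0.0.0.0: the worker is meant to be
    // reachable solely by the user on the same machine.
    kestrel.Listen(IPAddress.Loopback, 5000);

    // Optional HTTPS listener: enabled only if a PFX is configured and exists.
    var pfxPath = builder.Configuration["Worker:CertPath"];
    var pfxPassword = builder.Configuration["Worker:CertPassword"];
    if (!string.IsNullOrEmpty(pfxPath) && File.Exists(pfxPath))
    {
        var cert = new X509Certificate2(pfxPath, pfxPassword);
        kestrel.Listen(IPAddress.Loopback, 5001, listen =>
            listen.UseHttps(cert, https =>
                https.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13));
    }
});

var app = builder.Build();
app.UseCors();

// Minimal API endpoint the PWA can call over http://127.0.0.1:5000.
app.MapGet("/api/health", () => Results.Ok(new { status = "ok" }));

app.Run();
```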