Finding expired ssl certificate used by my website in local development

Question

I have a set of web application and projects which I used to test OAuth2 login flows by using Identity Server 4. This is about 2 years old project and I update it regularly to use latest .Net Core or IdentityServer4 packages.

When I tried to open it yesterday, I got the warning message saying my ssl certificate is expired on 21st Dec 2021.

It makes sense and I opened Certificate Management Stores for both Local Machine and Current User. I found the expired certificate and I removed them from both Personal and Trusted Root Certification Authorities.

Then, I executed "dotnet dev-certs https --trust" command to execute a new cert and install it to my stores. The new certificate with expiry date 07/01/2023 is added and I copied to Trusted Root Certification Authorities too.

I tried to open my Idsrv and Web Application again for testing.

My Web Application is using the newly added certificate correctly.

But my Idsrv4 project is still using the expired certificate which I already deleted. I couldn't find anywhere in the Certificate Store. I used Find feature in MMC Consoles and I found only the new certificate with 2023 Expiry Date.

I cleaned my solution multiple time. Deleted both bin and obj folders. Tried different browsers and the certificate error is still there.

My set up for Idsrv is simple and standard:

services.AddIdentityServer()
                    .AddDeveloperSigningCredential()
                    .AddTestUsers(Config.GetUsers())
                    .AddInMemoryIdentityResources(Config.GetIdentityResources())
                    .AddInMemoryApiResources(Config.GetApiResources())
                    .AddInMemoryApiScopes(Config.GetApiScopes())
                    .AddInMemoryClients(Config.GetClients())            
                    .AddProfileService<ProfileService>();

Here is Configure method:

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseIdentityServer();

            var localizationOptions = app.ApplicationServices.GetService<IOptions<RequestLocalizationOptions>>().Value;
            app.UseRequestLocalization(localizationOptions);

            app.UseStaticFiles();
            app.UseRouting();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapDefaultControllerRoute();
            });
        }

Could you please help me how I can force my Identity Server 4 project to use the newly generated certificate? Or where I can find and remove that old expired certificate?

Answer 1

I found the root cause of the problem. I'm using Kestrel to run the app and it's due to the Kestrel:Certificates:DevelopmentPassword value in the secrets file.

Because of that setting, it's still linked to the expired certificate which must be somewhere in my machine. Just by deleting this line and my web app starts using the correct ssl certificate.

Updating HTTPS Certificate IIS Express or using Jexus Manager also helps the problem (does not solve completely). But it solves the issue only when you are using IISExpress. If you start your web app with Project setting, IISExpress ssl configs are not used.