Setting up self-signed SSL certificates for local development in WSL2

Saranga B
Apr 10, 2022

So you’ve set up a nice WSL2 environment, and now you want to use “https” for your local web development work. You need to set up a self-signed certificate, but getting it trusted is the issue. To get this working, you need to configure a local CA on your Windows host. Let’s get on with it.

I’m assuming you already have Chocolatey installed on Windows. If not, head over to https://chocolatey.org/install#individual. Chocolatey is a fantastic package manager for Windows.

With Chocolatey set up, let’s install mkcert. mkcert is a zero-configuration tool for making locally trusted development certificates.

$ choco install mkcert

And let’s run mkcert with the -install flag

$ mkcert -install
The local CA is now installed in the system trust store! ⚡️

Boom, a local CA is now installed. You should get a ‘Security Warning’ pop-up asking you to confirm installing the root CA certificate that we just generated. Click ‘Yes’ to proceed.

Now if you run,

$ mkcert -CAROOT

You can see the location of the CA certificate and its key in .pem format.

Now open up a terminal window into your WSL2 distribution.

And let’s install mkcert in WSL2 as well. I’m using brew for this.

brew install mkcert

Now let’s see the path of the CA root certificates by running,

$ mkcert -CAROOT
/home/<username>/.local/share/mkcert

Let’s open it in Windows Explorer.

$ cd /home/<username>/.local/share/mkcert
$ explorer.exe .

You should see two files,

  1. rootCA-key.pem
  2. rootCA.pem

Delete these two.

Open a Windows Terminal or a PowerShell window and let’s cd into the CAROOT location on the Windows side.

$ mkcert -CAROOT
C:\Users\<username>\AppData\Local\mkcert

Let’s copy the CA root certificate and key from Windows into the WSL2 CAROOT location. In my case, from ‘C:\Users\<username>\AppData\Local\mkcert’ to ‘\\wsl$\Ubuntu-20.04\home\<username>\.local\share\mkcert’.

Cool! Now let’s run mkcert with the -install flag.

$ mkcert -install
The local CA is now installed in the system trust store! ⚡️

Nice, we’ve set up a local CA now. Let’s generate a certificate for localhost. In your WSL2 terminal window, run the following.

$ mkcert localhost 127.0.0.1 ::1

Note that the certificate and key will be generated in your present working directory. Run ‘pwd’ to check.
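To confirm the copy step worked, here is a small script to run inside WSL2. It is an added example, not part of the original post or of mkcert. It checks that both CAROOT folders hold identical files, that rootCA-key.pem is private to its owner, and that the new certificate verifies against rootCA.pem. It assumes openssl is installed and the Windows drive is mounted at /mnt/c; the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: check the CA that was copied from Windows into the WSL2 CAROOT.
# Function names are made up for this example; paths come from `mkcert -CAROOT`.

# ca_in_sync WIN_DIR WSL_DIR: 0 when both CA files are byte-identical copies.
ca_in_sync() {
  local f
  for f in rootCA.pem rootCA-key.pem; do
    [ -f "$1/$f" ] && [ -f "$2/$f" ] || { echo "missing: $f" >&2; return 2; }
    cmp -s "$1/$f" "$2/$f" || { echo "differs: $f" >&2; return 1; }
  done
}

# key_is_private KEYFILE: 0 when group and others have no permission bits.
# A file created through \\wsl$ may end up readable by other users.
key_is_private() {
  local mode
  mode=$(stat -c '%a' "$1") || return 2
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# lock_down_key KEYFILE: restrict the CA key to its owner if it is not already.
lock_down_key() {
  key_is_private "$1" || chmod 600 "$1"
}

# leaf_chains_to_ca CA_PEM LEAF_PEM: 0 when the leaf verifies against the CA.
leaf_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage (assumes the default /mnt/c mount of the Windows drive):
#   ./check-ca.sh /mnt/c/Users/<username>/AppData/Local/mkcert ./localhost+2.pem
if [ "$#" -eq 2 ]; then
  wsl_dir=$(mkcert -CAROOT)
  ca_in_sync "$1" "$wsl_dir" &&
    lock_down_key "$wsl_dir/rootCA-key.pem" &&
    leaf_chains_to_ca "$wsl_dir/rootCA.pem" "$2" &&
    echo "CA in sync, key private, leaf verifies"
fi
```
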

To confirm that we’ve succeeded, let’s test this with a basic ASP.NET Core Web API template project.

Let’s create a boilerplate webapi project.

dotnet new webapi -n test

Open up the launchSettings.json file, and under “profiles”, “test” (because we chose ‘test’ as our project name), set the applicationUrl to something like this…

"applicationUrl": "https://localhost:5000"

Or just leave it as it is but make sure to copy the url.

In the appsettings.json file, add the following block of configuration for Kestrel.

"Kestrel": {
  "Endpoints": {
    "HttpsFromPem": {
      "Url": "https://localhost:5000",
      "Certificate": {
        "Path": "/home/<username>/certs/localhost+2.pem",
        "KeyPath": "/home/<username>/certs/localhost+2-key.pem"
      }
    }
  }
}

Make sure that ‘Path’ and ‘KeyPath’ point to the location where you generated your certificates.

And that’s it! Let’s run our web api

dotnet run

And using your browser, head over to “https://localhost:5000/weatherforecast”

Voila!

Trusted self signed certificate for ASP.NET Core Kestrel

If you’ve found this helpful leave a clap, if you’ve got problems, leave a comment! See ya!
