I’ve done some digging into this. I actually recreated the CertificateLoader class used by ASP.NET in PowerShell. This is the class that is internally being used to look up the cert.
Here’s that script.
    $allowInvalid = $true
    $subject = 'localhost'

    # Open LocalMachine\My read-only; this is the store/location pair the loader uses
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
    $store.Open('ReadOnly')
    $storeCertificates = $store.Certificates
    # FindBySubjectName is a substring match on the subject, so 'localhost' matches 'CN=localhost'.
    # The third argument is validOnly, which the loader passes as the inverse of allowInvalid.
    $foundCertificates = $storeCertificates.Find('FindBySubjectName', $subject, (-not $allowInvalid))

    function Test-IsCertificateAllowedForServerAuth
    {
        param($Cert)
        $ServerAuthenticationOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
        $hasEkuExtension = $false
        foreach ($extension in $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] })
        {
            $hasEkuExtension = $true
            foreach ($oid in $extension.EnhancedKeyUsages)
            {
                if ($oid.Value -eq $ServerAuthenticationOid)
                {
                    return $true
                }
            }
        }
        # A cert with no EKU extension is unrestricted and therefore allowed;
        # one with an EKU list that lacks Server Authentication is rejected.
        return (-not $hasEkuExtension)
    }

    # Keep only certs usable for TLS server auth that also have a private key
    $foundCertificates | Where-Object { (Test-IsCertificateAllowedForServerAuth $_) -and $_.HasPrivateKey }
    $store.Close()
What I found is that I needed to avoid including the CN= in the subject name. So for my CN=localhost cert, I had to use localhost in the appsettings.json.
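As an added example (not from the original post), here is a Kestrel endpoint section for appsettings.json that matches what the script above looks up, assuming PSU's appsettings.json uses the standard Kestrel "Certificate" section; the endpoint name and URL are assumptions, while Store, Location and AllowInvalid mirror the script's 'My', 'LocalMachine' and $allowInvalid:

```json
{
  "Kestrel": {
    "Endpoints": {
      "HttpsFromStore": {
        "Url": "https://localhost:5001",
        "Certificate": {
          "Subject": "localhost",
          "Store": "My",
          "Location": "LocalMachine",
          "AllowInvalid": true
        }
      }
    }
  }
}
```

"Subject" is the value handed to FindBySubjectName, so "CN=localhost" would not match the way "localhost" does. AllowInvalid: true corresponds to $allowInvalid = $true in the script and also accepts expired or untrusted certificates, so keep it false outside a test setup.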
PS C:\Users\adamr\Desktop> c:\Users\adamr\Desktop\findcert.ps1
Thumbprint Subject EnhancedKeyUsageList
---------- ------- --------------------
F1F2CC29D68E05E3561293BA3955286A7AF751C3 CN=localhost Server Authentication
PS C:\Users\adamr\Desktop> dir Cert:\LocalMachine\my
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\my
Thumbprint Subject EnhancedKeyUsageList
---------- ------- --------------------
F1F2CC29D68E05E3561293BA3955286A7AF751C3 CN=localhost Server Authentication
You should be able to run that script to experiment faster than trying to start the PSU server over and over again.