Configure certificate by thumbprint

[natemcmaster]

Would be nice if we could configure server certificates via thumbprint + store name.

Example usage in appsettings.json:

{
  "Kestrel": {
    "Endpoints": {
      "Myendpoint2": {
        "Url": "https://+:443",
        "Certificate": {
          "Store": "CurrentUser/My",
          "Thumbprint": "52A477BBEDE8DFDEB699106D5FFB8FE89F9BF790"
        }
      }
    }
  }
}

[Tratcher]

And mirror that in UseHttps. We'll see what the preview1 feedback is.

[kyschouv]

I'd like to request this as well. We had a difficult-to-debug situation recently where Kestrel was loading the wrong certificate because the subject name matched the one we wanted (because Fiddler had generated one with the same subject).

[thomasmktong]

May I know if there is any update on this issue?

[blowdart]

The problem with thumbprints is it'll allow you to choose an expired certificate. Using subject names is better because it will pull a valid one (assuming it exists), with the longest validity period. Thumbprint selection should die.

[natemcmaster]

So, close as wontfix?

[blowdart]

I wouldn't go that far, but I wouldn't view this as blocking as you can always resolve the cert yourself before binding kestrel. Maybe address by docs?

[Looooooka]

ok this really should be added. configuring with subject is a pain especially in azure scenarios where again thumbprint is shown...
in fact add Thumbprint and certificateserialnumber because having these options in code and config files has pretty much been "normal" in all net framework options.

[davidfowl]

It's @blowdart's call. This is bad practice within Microsoft and you can already do this today with code. The question is should we make it easier via configuration and currently, that answer is no.