Exemple #1
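        /// <summary>
        /// Returns the certificates from the backing store that are currently time-valid,
        /// carry a private key, and have at least one DNS name matching a configured domain.
        /// </summary>
        /// <param name="cancellationToken">Not observed: the store lookup below is synchronous.</param>
        /// <returns>A completed task holding the matching certificates (possibly empty).</returns>
        public Task<IEnumerable<X509Certificate2>> GetCertificatesAsync(CancellationToken cancellationToken)
        {
            // DNS names are case-insensitive, so a domain configured as "Example.com"
            // must still match a SAN entry issued as "example.com".
            var domainNames = new HashSet<string>(_options.Value.DomainNames, StringComparer.OrdinalIgnoreCase);
            var result      = new List<X509Certificate2>();

            // NotBefore/NotAfter are exposed as local time, so the comparison value must be
            // local time as well; DateTime.UtcNow would be off by the local offset.
            // validOnly: true additionally drops certificates that fail chain validation;
            // with AllowInvalidCerts set, those are returned too (caller's responsibility).
            var certs       = _store.Certificates.Find(X509FindType.FindByTimeValid,
                                                       DateTime.Now,
                                                       validOnly: !AllowInvalidCerts);

            foreach (var cert in certs)
            {
                // A certificate without its private key cannot terminate TLS.
                if (!cert.HasPrivateKey)
                {
                    continue;
                }

                foreach (var dnsName in X509CertificateHelpers.GetAllDnsNames(cert))
                {
                    if (domainNames.Contains(dnsName))
                    {
                        // Add each certificate at most once, even if several of its names match.
                        result.Add(cert);
                        break;
                    }
                }
            }

            return Task.FromResult(result.AsEnumerable());
        }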
Exemple #2
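 /// <summary>
 /// Registers a challenge certificate under every DNS name reported for it by
 /// <see cref="X509CertificateHelpers.GetAllDnsNames"/>, so it can be selected by name later.
 /// </summary>
 /// <param name="certificate">The certificate to register; must not be <see langword="null"/>.</param>
 /// <exception cref="ArgumentNullException"><paramref name="certificate"/> is <see langword="null"/>.</exception>
 public void AddChallengeCert(X509Certificate2 certificate)
 {
     // Fail with a clear argument error instead of a NullReferenceException from the helper.
     if (certificate is null)
     {
         throw new ArgumentNullException(nameof(certificate));
     }

     foreach (var dnsName in X509CertificateHelpers.GetAllDnsNames(certificate))
     {
         AddWithDomainName(_challengeCerts, dnsName, certificate);
     }
 }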
Exemple #3
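        /// <summary>
        /// Builds the certificate chain once, ahead of time, and logs a warning if it cannot be built.
        /// The chain build is performed for its side effect of resolving the intermediates
        /// (see the linked aspnetcore issue); it is not the trust decision for the certificate.
        /// </summary>
        /// <param name="certificate">The leaf certificate whose chain should be resolved.</param>
        private void PreloadIntermediateCertificates(X509Certificate2 certificate)
        {
            // A self-signed certificate has no intermediates to resolve.
            if (certificate.IsSelfSigned())
            {
                return;
            }

            // workaround for https://github.com/dotnet/aspnetcore/issues/21183
            // Revocation is deliberately not checked here: this build only needs to
            // locate the intermediates, and an OCSP/CRL lookup would add network latency.
            using var chain = new X509Chain
                  {
                      ChainPolicy =
                      {
                          RevocationMode = X509RevocationMode.NoCheck
                      }
                  };

            var commonName = X509CertificateHelpers.GetCommonName(certificate);

            try
            {
                if (chain.Build(certificate))
                {
                    _logger.LogTrace("Successfully tested certificate chain for {commonName}", commonName);
                    return;
                }

                // Build() returned false: record why (untrusted root, expired element, ...)
                // so the warning below is actionable rather than a bare failure.
                var chainStatus = string.Join(", ",
                    Array.ConvertAll(chain.ChainStatus, s => $"{s.Status}: {s.StatusInformation?.Trim()}"));
                _logger.LogDebug("Certificate chain status for {commonName}: {chainStatus}", commonName, chainStatus);
            }
            catch (CryptographicException ex)
            {
                _logger.LogDebug(ex, "Failed to validate certificate chain for {commonName}", commonName);
            }

            _logger.LogWarning(
                "Failed to validate certificate for {commonName} ({thumbprint}). This could cause an outage of your app.",
                commonName, certificate.Thumbprint);
        }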
Exemple #4
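        /// <summary>
        /// Resolves the certificate's chain up front, then registers the certificate under
        /// every DNS name reported for it by <see cref="X509CertificateHelpers.GetAllDnsNames"/>.
        /// </summary>
        /// <param name="certificate">The certificate to register; must not be <see langword="null"/>.</param>
        /// <exception cref="ArgumentNullException"><paramref name="certificate"/> is <see langword="null"/>.</exception>
        public virtual void Add(X509Certificate2 certificate)
        {
            // Fail with a clear argument error instead of a NullReferenceException further down.
            if (certificate is null)
            {
                throw new ArgumentNullException(nameof(certificate));
            }

            PreloadIntermediateCertificates(certificate);

            foreach (var dnsName in X509CertificateHelpers.GetAllDnsNames(certificate))
            {
                AddWithDomainName(_certs, dnsName, certificate);
            }
        }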