Self-Hosted Blazor and Custom Certificates

Jeff Bowman 101 Reputation points
2022-02-11T15:06:41.97+00:00

I'm investigating the idea of using Blazor WASM to build a retail application that would run on an office Intranet. The application would be installed on a given machine, to be accessed via browser from any of several machines on the LAN.

The biggest stumbling block I'm running into is the question of how to go about securing the channel.

The app itself would run as a Windows Service, listening on port 443 on one of the workstations, e.g. https://reception/. But how do we tell Blazor to use a self-signed TLS cert for that hostname?

If there's a better way to go about this, I'm all ears. I can't use Let's Encrypt certs, because neither the application nor its hostname will be exposed to the public Internet.

There is a glut of information on working with Blazor to build such an app, but most if not all demos run on localhost. That works fine for dev, but not for production (in a self-hosting scenario, anyway). There doesn't seem to be much discussion at all of this aspect of things.

How can we use a custom certificate for browser requests from the client to a Blazor WASM app?

Any ideas?


3 answers

  1. AgaveJoe 26,201 Reputation points
    2022-02-11T16:49:41.273+00:00

    > The app itself would run as a Windows Service, listening on port 443 on one of the workstations

    In my opinion, IIS is much easier to configure and deploy to. Plus, IIS comes with Windows. I'm pretty sure you'll need to tweak Windows Defender or your virus checker to allow access to port 443 regardless of the service you decide to use.

    > But how do we tell Blazor to use a self-signed TLS cert for that hostname?

    This is straightforward configuration in IIS.

    I would use the computer name to create the certificate. DNS is required to register domains; otherwise you must update all the clients' hosts files if you want to use https://reception. If you go with the DNS or hosts file route, then use "reception" when creating the certificate. The domain and the certificate must match, otherwise the browser will report a warning.

    Generate self-signed certificates with the .NET CLI
    Host ASP.NET Core in a Windows Service


  2. Bruce (SqlWork.com) 55,601 Reputation points
    2022-02-11T16:58:36.543+00:00

    Note, all your users will need to trust the self-signed certificate (if their security settings allow this). Check with your networking group. They may have created and installed a self-signing authority that you can use to generate the certificate. You can also buy a valid certificate.


  3. Bruce (SqlWork.com) 55,601 Reputation points
    2022-02-11T21:56:09.403+00:00

    Reading your question closer, Blazor WASM works like any web page. The WASM is just a resource loaded into the browser via an ajax call from the index.html, so the link to the index page should be https. Blazor WASM just uses JavaScript's ajax support for WebClient, so the ajax URLs just need to be https. Typically you set the base URL in the index.html and use relative links. The browser supplies all the https support, and you configure the browser to support your Blazor hosting website.

    If you are using a separate webapi site, then be sure to enable CORS, and use https:

    In short, you configure the Blazor hosting website as https, just as if it was a regular website.

    Note: Blazor WASM is in a sandbox and cannot directly access the internet, filesystems or the browser DOM. It uses JavaScript interop to do this. To the browser, a Blazor app is just an HTML/JavaScript app that loads a WebAssembly.
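
The certificate steps the answers describe (a certificate whose name matches the hostname, then trusted by each client), as an added PowerShell example that is not part of the original thread. The hostname `reception` is taken from the question; the export path and the function names are assumptions.

```powershell
# Added example. Run the server part in an elevated PowerShell session on the host.
# $HostName comes from the question (https://reception/); $CerPath is a hypothetical path.
$HostName = 'reception'
$CerPath  = 'C:\certs\reception.cer'

function New-IntranetTlsCert {
    param([Parameter(Mandatory)][string]$DnsName)
    # -DnsName fills the Subject Alternative Name, which is what browsers match
    # against the hostname in the URL. The private key is marked non-exportable
    # so it stays in the server's machine store.
    New-SelfSignedCertificate `
        -DnsName $DnsName `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -KeyExportPolicy NonExportable `
        -NotAfter (Get-Date).AddYears(1) `
        -FriendlyName "Intranet TLS for $DnsName"
}

function Test-CertCoversHost {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$DnsName
    )
    # True only when the name users type is listed in the certificate and it has not expired.
    ($Cert.DnsNameList.Unicode -contains $DnsName) -and ($Cert.NotAfter -gt (Get-Date))
}

# --- On the server (the machine named "reception") ---
$cert = New-IntranetTlsCert -DnsName $HostName
if (-not (Test-CertCoversHost -Cert $cert -DnsName $HostName)) {
    throw "Certificate does not cover '$HostName'; browsers would warn."
}
# Export the public certificate only (no private key) for distribution to clients.
New-Item -ItemType Directory -Path (Split-Path $CerPath) -Force | Out-Null
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null
"Bind thumbprint $($cert.Thumbprint) to port 443 in IIS or the service's HTTPS endpoint."

# --- On each client workstation (elevated), after copying the .cer file over ---
# Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
```

If the certificate is instead issued by an internal signing authority that clients already trust, as the second answer suggests, the per-client import step is not needed.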