-
Notifications
You must be signed in to change notification settings - Fork 10k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CertificateManager.ListCertificates impacting ASP.NET startup #29650
Comments
However, in the typical use case, an ASP.NET certificate will be found in the user store (since that's where it's generally added) Are we sure about that? For IIS the typical approach was to put it into local machine so all app pools could see it, and ACL appropriately there. The dotnet cert tooling installs the self signed cert into the user store, because it's a testing cert. I'm not sure you can say that the typical, real life use case does the same. |
Test cert is "real life use case" when focused on developer inner loop performance. And, regardless, it doesn't really matter. Today both costs are paid up-front: we fetch all certs from both stores, and then process the user certs, and then process the local machine certs. We may as well just fetch one, and only fetch the other if necessary. aspnetcore/src/Shared/CertificateGeneration/CertificateManager.cs Lines 178 to 180 in 7c0c74b
|
If a certificate gets found in the current user store location, should we skip the call to find certificates from the local machine store? Or vice versa? |
That is what I was suggesting. |
Thanks for contacting us. |
After the changes made to CertificateManager recently (e.g. #27956), ListCertificates has dropped to only ~2% of startup. On top of that, the path Kestrel takes already only checks the user store:
It's not clear why
So, we can close this, unless someone would like to keep it open for tracking improvements to dotnet-dev-certs. |
In an app created from the Blazor server template, CertificateManager.ListCertificates is consuming ~5% of startup time. Within ListCertificates, a significant portion of normal processing time is spent opening the certificate stores and enumerating/validating every certificate. However, in the typical developer use case, an ASP.NET certificate will be found in the user store (since that's where it's generally added), but we still open and enumerate the local machine store, anyway. It could be beneficial to first check the user store and only look at the local machine store if a valid cert can't be found in the user store.
cc: @halter73
The text was updated successfully, but these errors were encountered: