[Breaking change]: dev cert export no longer creates folder #515

Open
1 of 3 tasks
amcasey opened this issue Oct 22, 2024 · 1 comment
Labels
Breaking change Documented The breaking change has been published to the .NET Core docs

Comments

@amcasey
Contributor

amcasey commented Oct 22, 2024

Description

When you export the ASP.NET Core development certificate (used to enable https in local development), it will no longer create the directory into which the certificate is being exported, if that directory doesn’t already exist.

This change first appears in 8.0.10 and 9.0 RC1.

Version

.NET 8 GA

Previous behavior

dotnet dev-certs https -ep C:\NonExistent\cert.pfx

If C:\NonExistent\ did not exist when the command was run, it would be created (with permissions inherited from the containing directory).

New behavior

The target directory must exist or the export will fail with a message like There was an error exporting the HTTPS developer certificate to a file.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code may require source changes to compile successfully.
  • Behavioral change: Existing binaries may behave differently at run time.

Reason for change

The development certificate is exported with its private key, so unauthorized access can be very problematic. It may, nevertheless, be necessary to make it readable to multiple accounts - e.g. if the consuming process will not be run as the current user. Rather than attempting to determine (and securely establish) permissions for the target directory, dotnet dev-certs requires that it already exist.

Recommended action

Create the target directory (with appropriate permissions) before invoking dotnet dev-certs.

Affected APIs

This functionality is not presently exposed via an API - it is invoked from the command line.
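
One way to carry out the recommended action on Linux or macOS, shown as an added example that is not part of the original issue or the dotnet project's code. The function names and the sample path are assumptions; only the `dotnet dev-certs https -ep` invocation comes from the issue.

```bash
# Added example, not code from the issue or the dotnet project.
# Function names and the sample path are hypothetical.

# Print a path's permission bits in octal (GNU stat first, then BSD stat).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create the export directory, or vet one that already exists.
#   $1 = directory
#   $2 = widest acceptable mode (default 700; 750 if a service group must read it)
prepare_cert_dir() {
    pcd_dir=$1
    pcd_want=${2:-700}
    if [ -L "$pcd_dir" ]; then
        echo "refusing: $pcd_dir is a symlink" >&2
        return 1
    fi
    if [ ! -e "$pcd_dir" ]; then
        # umask 077 keeps any parents created by -p private; -m sets the leaf.
        ( umask 077 && mkdir -p -m "$pcd_want" "$pcd_dir" ) || return 1
    fi
    if [ ! -d "$pcd_dir" ] || [ ! -O "$pcd_dir" ]; then
        echo "refusing: $pcd_dir is not a directory owned by this user" >&2
        return 1
    fi
    pcd_have=$(dir_mode "$pcd_dir") || return 1
    # Fail if the directory grants any bit beyond the requested mode.
    if [ $(( 0$pcd_have & ~0$pcd_want & 0777 )) -ne 0 ]; then
        echo "refusing: $pcd_dir is mode $pcd_have, wider than $pcd_want" >&2
        return 1
    fi
}

# Export only after the directory has passed the checks above.
#   $1 = directory, $2 = file name, $3 = optional mode for prepare_cert_dir
export_dev_cert() {
    prepare_cert_dir "$1" "${3:-700}" || return 1
    dotnet dev-certs https -ep "$1/$2"
}

# Usage (hypothetical path):
#   export_dev_cert "$HOME/devcerts" cert.pfx
```

An existing directory is never re-permissioned here; it is rejected if it is wider than requested, so a shared location has to be tightened deliberately before the export runs.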

@dotnet-policy-service dotnet-policy-service bot locked and limited conversation to collaborators Oct 22, 2024
@amcasey
Contributor Author

amcasey commented Oct 22, 2024

For discussion, please use dotnet/aspnetcore#58330

@gewarren gewarren added the Documented The breaking change has been published to the .NET Core docs label Nov 8, 2024