Add certificate chain handling for certificate specified in the default

section

Author: John Judge

src/Servers/Kestrel/Core/src/IHttpsConfigurationService.cs

@@ -90,11 +90,19 @@ void ApplyHttpsConfiguration(
 internal readonly struct CertificateAndConfig
 {
     public readonly X509Certificate2 Certificate;
+    public readonly X509Certificate2Collection CertificateChain;
     public readonly CertificateConfig CertificateConfig;
 
     public CertificateAndConfig(X509Certificate2 certificate, CertificateConfig certificateConfig)
     {
         Certificate = certificate;
         CertificateConfig = certificateConfig;
+        CertificateChain = [];
+    }
+
+    public CertificateAndConfig(X509Certificate2 certificate, CertificateConfig certificateConfig, X509Certificate2Collection certificateChain){
+        Certificate = certificate;
+        CertificateConfig = certificateConfig;
+        CertificateChain = certificateChain;
     }
 }

src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs

@@ -77,6 +77,7 @@ internal KestrelConfigurationLoader(
     private CertificateConfig? DefaultCertificateConfig { get; set; }
     internal X509Certificate2? DefaultCertificate { get; set; }
 
+    internal X509Certificate2Collection? DefaultCertificateChain {get; set;}
     /// <summary>
     /// Specifies a configuration Action to run when an endpoint with the given name is loaded from configuration.
     /// </summary>
@@ -345,12 +346,14 @@ internal void ProcessEndpointsToAdd()
 
         DefaultCertificateConfig = null;
         DefaultCertificate = null;
+        DefaultCertificateChain = null;
 
         ConfigurationReader = new ConfigurationReader(Configuration);
 
         if (_httpsConfigurationService.IsInitialized && _httpsConfigurationService.LoadDefaultCertificate(ConfigurationReader) is CertificateAndConfig certPair)
         {
             DefaultCertificate = certPair.Certificate;
+            DefaultCertificateChain = certPair.CertificateChain;
             DefaultCertificateConfig = certPair.CertificateConfig;
         }
 

src/Servers/Kestrel/Core/src/KestrelServerOptions.cs

@@ -303,6 +303,9 @@ internal void ApplyDefaultCertificate(HttpsConnectionAdapterOptions httpsOptions
         if (ConfigurationLoader?.DefaultCertificate is X509Certificate2 certificateFromLoader)
         {
             httpsOptions.ServerCertificate = certificateFromLoader;
+            if (ConfigurationLoader?.DefaultCertificateChain is X509Certificate2Collection certificateChainFromLoader){
+                httpsOptions.ServerCertificateChain = certificateChainFromLoader;
+            }
             return;
         }
 

src/Servers/Kestrel/Core/src/TlsConfigurationLoader.cs

@@ -128,9 +128,12 @@ public ListenOptions UseHttpsWithSni(
     {
         if (configurationReader.Certificates.TryGetValue("Default", out var defaultCertConfig))
         {
-            var (defaultCert, _ /* cert chain */) = _certificateConfigLoader.LoadCertificate(defaultCertConfig, "Default");
+            var (defaultCert, defaultCertChain) = _certificateConfigLoader.LoadCertificate(defaultCertConfig, "Default");
             if (defaultCert != null)
             {
+                if(defaultCertChain != null){
+                    return new CertificateAndConfig(defaultCert,defaultCertConfig,defaultCertChain);
+                }
                 return new CertificateAndConfig(defaultCert, defaultCertConfig);
             }
         }