Copilot AI commented Jan 6, 2026

The documentation didn't explain how .NET locates trusted root certificates on Linux or the /etc/ssl/certs fallback behavior implemented in dotnet/runtime#52925.

Changes

Added new subsection "Trusted root certificate locations on Linux" under "The Root store" section:

  • OpenSSL environment variables: Documents SSL_CERT_FILE (bundle file path) and SSL_CERT_DIR (hashed certificate directory)
  • Fallback behavior: Explains the /etc/ssl/certs fallback when the configured root store directory is empty and SSL_CERT_DIR isn't explicitly set
  • SLES context: Clarifies why the fallback matters for distributions where SSL_CERT_DIR contains only BEGIN TRUSTED CERTIFICATE format certificates (unsupported by .NET for root certificates)
  • Troubleshooting: Lists verification steps for certificate loading issues (PEM format, environment variables, file permissions)

This addresses scenarios where SSL/TLS connections fail on distributions like SLES despite working in other runtimes (curl, Python, Go) that explicitly check /etc/ssl/certs.

Original prompt

This section details the original issue you should resolve

<issue_title>Mention the fallback behaviour for the X509 trusted root store</issue_title>
<issue_description>### Type of issue

Missing information

Description

When the root store configured for libssl (openssl) doesn't contain any certificates, dotnet falls back to checking "/etc/ssl/certs".

dotnet/runtime#52925

It would be great if this fallback, along with a small amount of explanation about how libssl decides where (e.g. SSL_CERT_DIR), could be included in this page (or in an appropriate ASP.NET Core page?)

Page URL

https://learn.microsoft.com/en-us/dotnet/standard/security/cross-platform-cryptography

Content source URL

https://github.com/dotnet/docs/blob/main/docs/standard/security/cross-platform-cryptography.md

Document Version Independent Id

95e31f6e-9a36-913e-6a02-7fb1606e5a52

Platform Id

430f5f98-c25b-cffd-3f7c-adc3493ca4a4

Article author

@IEvangelist

Metadata

  • ID: 7dba5d39-737f-cfa3-b1e4-c997e55312a8
  • PlatformId: 430f5f98-c25b-cffd-3f7c-adc3493ca4a4
  • Service: dotnet
  • Sub-service: standard-library

Related Issues</issue_description>

Comments on the Issue (you are @copilot in this section)



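To make the resolution order described in this PR concrete, here is an added Python model (not code from dotnet/runtime, this PR, or the docs page) that, given the process environment and a snapshot of the certificate directories, reports which directory .NET would load root certificates from and why. It assumes a placeholder default directory standing in for OpenSSL's compiled-in one, treats a store as "empty" when it holds no plain BEGIN CERTIFICATE blocks (the SLES case from the description), and does not model the SSL_CERT_FILE bundle.

```python
import os
import re

FALLBACK_DIR = "/etc/ssl/certs"  # fallback location the PR documents
# Assumption: stands in for OpenSSL's compiled-in default directory, which
# varies by distribution and is not named on this page.
DEFAULT_DIR = "/example/openssl/certs"
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----")
TRUSTED_CERT = re.compile(r"-----BEGIN TRUSTED CERTIFICATE-----")

SAMPLE_FS = {  # constructed sample with placeholder bodies, not real certificates
    DEFAULT_DIR: {"root1.pem": "-----BEGIN TRUSTED CERTIFICATE-----\nMIIB...\n-----END TRUSTED CERTIFICATE-----\n"},  # SLES-style
    FALLBACK_DIR: {"bundle.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n" * 2},
}

def count_certs(files):
    """files: {name: text} -> (usable, trusted_only). Only plain BEGIN
    CERTIFICATE blocks can serve as .NET root certificates."""
    usable = sum(len(PEM_CERT.findall(t)) for t in files.values())
    trusted = sum(len(TRUSTED_CERT.findall(t)) for t in files.values())
    return usable, trusted

def read_dir(path):
    """Snapshot a real directory as {name: text}; a file the process cannot
    read (the permissions check in the PR's troubleshooting list) counts as empty."""
    files = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            try:
                with open(full, encoding="utf-8", errors="replace") as f:
                    files[name] = f.read()
            except OSError:
                files[name] = ""
    return files

def resolve_root_dir(env, default_dir, fs):
    """env: environment mapping; fs: {directory: {name: text}}, e.g. built
    with read_dir. Returns (directory .NET loads roots from, reason).
    SSL_CERT_FILE bundles are not modelled, only the directory store."""
    explicit = env.get("SSL_CERT_DIR")
    if explicit:  # honoured as configured: no fallback even if nothing is usable
        return explicit, "SSL_CERT_DIR set explicitly; no fallback"
    usable, _ = count_certs(fs.get(default_dir, {}))
    if usable:
        return default_dir, f"default store has {usable} usable certificate(s)"
    return FALLBACK_DIR, "default store has no usable certificates; falling back"
```

Run it against a live host with `resolve_root_dir(os.environ, <default dir>, {d: read_dir(d) for d in (...)})` to see whether the fallback is in play before digging into TLS failures.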

Internal previews

File: docs/standard/security/cross-platform-cryptography.md
Preview link: Cross-platform cryptography in .NET

Copilot AI changed the title from "[WIP] Add fallback behaviour for X509 trusted root store" to "Document X509 trusted root store fallback behavior on Linux" Jan 6, 2026
Copilot AI requested a review from gewarren January 6, 2026 01:58
@gewarren gewarren requested a review from vcsjones January 6, 2026 19:08
@gewarren gewarren marked this pull request as ready for review January 6, 2026 19:08
@gewarren gewarren requested review from a team and BillWagner as code owners January 6, 2026 19:08
Copilot AI review requested due to automatic review settings January 6, 2026 19:08

Copilot AI left a comment


Pull request overview

This PR documents how .NET locates trusted root certificates on Linux systems, addressing a gap in the cross-platform cryptography documentation. The changes explain the OpenSSL-based certificate discovery mechanism and the /etc/ssl/certs fallback behavior that was implemented but never documented.

Key changes:

  • Added new subsection explaining Linux certificate location resolution using OpenSSL environment variables
  • Documented the fallback behavior to /etc/ssl/certs when configured directories are empty
  • Included troubleshooting guidance for certificate loading issues

Added AI usage metadata to the cross-platform cryptography documentation.