You are currently viewing Certificates and Limits for ASP .NET Core Kestrel Web Server

Certificates and Limits for ASP .NET Core Kestrel Web Server

Kestrel web server, like any other web server, has some configuration settings. For HTTPS, we can specify SSL certificates, or we can allow only TLS protocol via some settings, or we can also set the request size.

In this article, let’s have a look at some certificate relate settings that can be applied to Kestrel server.


There are multiple ways to specify the SSL certificates. Easiest way is via Kestrel configuration section in appsettings.json. In appsettings.json file, a certificate can be specified using 3 ways:

  • File system path and password to load .pfx files
  • PathKeyPath and Password to load .pem/.crt and .key files
  • Subject and Store to load from the certificate store.

Below configuration section shows multiple ways to configure the certificates. The whole setting file is taken from documentation. It specifies multiple endpoint and every endpoint is loading different certificates, using different technique.

There are two important sections:

  • Kestrel:Endpoints section to configure different endpoints. Every endpoint has Url attribute and Certificate attribute. Certificate section can load certificate from either file path or from the store.
  • Kestrel:Certificates:Default section to configure the default certificate. This certificate would be used for any endpoint which does not have a certificate specified.

There is an attribute for certificate configuration, AllowInvalid, which by default is set to false. If this is true, then invalid certificate is allowed. This might be worth knowing for development environments.


The ConfigureWebHostDefaults call on HostBuilder, can be used to configure this setting. KeepAliveTimeout gets or sets the keep-alive timeout for the server. The default value is 2 minutes.

Max Connections

MaxConcurrentConnections is the maximum number simultaneous open connections. The default value is NULL, which means unlimited open connections are allowed.

MaxConcurrentUpgradedConnections is the maximum number of open and upgraded connections. An upgraded connection is a connection which is upgraded from HTTP to some other protocol, like web sockets. The default value for this also is NULL, which means unlimited number of upgraded connections are allowed.

Request Body Size

MaxRequestBodySize is the maximum number of bytes allowed in the request body. The default value is 30,000,000 bytes which is approximately 28 MB. When set to null, the maximum request body size is unlimited.

During bootstrapping, this can limit can be set for all requests. If this value needs to be overridden for only a couple of actions, the recommended way is to use method attribute RequestSizeLimit which accepts the number of bytes as input.

Data Rate

Kestrel always checks the rate at which data is arrived or being sent. If the data rate drops below the minimum value configured, then the connection times out.

There is also a grace period associated. If the data rate is below the expected minimum rate, then a grace period is the time for which Kestrel waits for data rate to rise upto the allowed minimum level. If it does not reach the minimum allowed data rate then the connection times out.

There are two properties MinRequestBodyDataRate and MinResponseDataRate, and both of them have the same default minimum rate. The default minimum rate is 240 bytes/second with a 5-second grace period.

These two values can also be customized for specific requests using  HttpContext.Features. There are two interfaces – IHttpMinRequestBodyDataRateFeature and IHttpMinResponseDataRateFeature, which have minimum data rate property. This property can be set to the allowed data rates

Request Headers Timeout

RequestHeadersTimeout gets or sets the maximum amount of time server waits to receive the request headers. Default value is 30 seconds.

Below is a code snippet showing how to set these settings via code:

Have you applied any other settings to Kestrel server ? Let me know your thoughts.

Leave a Reply