There was an error trusting HTTPS developer certificate. #21173

Closed
jozefizso opened this issue Apr 24, 2020 · 21 comments
Labels
area-commandlinetools Includes: Command line tools, dotnet-dev-certs, dotnet-user-jwts, and OpenAPI feature-devcerts ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. Status: Resolved

Comments

@jozefizso

I have an issue with trusting the HTTPS certificate for .NET Core development.

I tried to trust the certificate from Visual Studio and from the dotnet dev-certs tool from the administrator PowerShell. Both fail.

```
dotnet dev-certs https --trust -v
Trusting the HTTPS development certificate was requested. A confirmation prompt will be displayed if the certificate was not previously trusted. Click yes on the prompt to trust the certificate.
Listing 'HTTPS' certificates on 'CurrentUser\My'.
'1' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
CN=localhost - A67EEAF595CD2AE44B9296F21BC03B8847D18C0F - 24. 4. 2020 14:51:37 - 24. 4. 2021 14:51:37 - True
Checking certificates for validity.
Listing valid certificates
'1' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
CN=localhost - A67EEAF595CD2AE44B9296F21BC03B8847D18C0F - 24. 4. 2020 14:51:37 - 24. 4. 2021 14:51:37 - True
Listing invalid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Listing 'HTTPS' certificates on 'LocalMachine\My'.
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Checking certificates for validity.
Listing valid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Listing invalid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Filtering found certificates to those with a subject equal to 'CN=localhost'
'1' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
CN=localhost - A67EEAF595CD2AE44B9296F21BC03B8847D18C0F - 24. 4. 2020 14:51:37 - 24. 4. 2021 14:51:37 - True
Listing certificates excluded from consideration.
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Found valid certificates present on the machine.
'1' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
CN=localhost - A67EEAF595CD2AE44B9296F21BC03B8847D18C0F - 24. 4. 2020 14:51:37 - 24. 4. 2021 14:51:37 - True
Selected certificate
'1' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
CN=localhost - A67EEAF595CD2AE44B9296F21BC03B8847D18C0F - 24. 4. 2020 14:51:37 - 24. 4. 2021 14:51:37 - True
Trying to export the certificate.
Trusting the certificate on Windows.
Adding certificate to the store.
There was an error trusting the certificate.
Exception message: Access is denied.
There was an error trusting HTTPS developer certificate.
```

```
dotnet --info
.NET Core SDK (reflecting any global.json):
 Version:   3.1.103
 Commit:    6f74c4a1dd

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.19041
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\3.1.103\

Host (useful for support):
  Version: 3.1.3
  Commit:  4a9f85e9f8
```

@javiercn
Member

@jozefizso thanks for contacting us.

I would suggest you check the certificates in your local store and remove any localhost certificate that has a friendly name ASP.NET Core Https development certificate and try again?

Also check the trusted roots for the current user for the same.

@javiercn javiercn added the area-commandlinetools Includes: Command line tools, dotnet-dev-certs, dotnet-user-jwts, and OpenAPI label Apr 24, 2020
@jozefizso
Author

I removed the localhost certificates from User and Computer certificate stores and I ran the command again from the admin PowerShell. It still fails.

```
dotnet dev-certs https --trust -v
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/2.1/troubleshootcertissues
A valid HTTPS certificate with a key accessible across security partitions was not found. The following command will run to fix it:
'sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9'
This command will make the certificate key accessible across security partitions and might prompt you for your password. For more information see: https://aka.ms/aspnetcore/3.1/troubleshootcertissues
Trusting the HTTPS development certificate was requested. A confirmation prompt will be displayed if the certificate was not previously trusted. Click yes on the prompt to trust the certificate.
Listing 'HTTPS' certificates on 'CurrentUser\My'.
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Checking certificates for validity.
Listing valid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Listing invalid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Listing 'HTTPS' certificates on 'LocalMachine\My'.
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Checking certificates for validity.
Listing valid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Listing invalid certificates
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Filtering found certificates to those with a subject equal to 'CN=localhost'
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
Listing certificates excluded from consideration.
'0' found matching the criteria.
SUBJECT - THUMBPRINT - NOT BEFORE - EXPIRES - HAS PRIVATE KEY
No valid certificates present on this machine. Trying to create one.
Saving the certificate into the certificate store.
Trying to export the certificate.
Trusting the certificate on Windows.
Adding certificate to the store.
There was an error trusting the certificate.
Exception message: Access is denied.
There was an error trusting HTTPS developer certificate.
```

@javiercn
Member

@jozefizso are you able to manually install certificates into your current user store and your trusted roots? Are you on a domain-joined machine where some IT policy might be preventing you from adding certificates?

@jozefizso
Author

This is a fresh Windows 10 machine with a newly installed Visual Studio.

It is not joined to a domain.

Well, I'm administrator so I expect I can install certificates.

@javiercn
Member

@jozefizso hmm, that's the first time we see something like this. Does running dotnet dev-certs https work? If so, you can trust the certificate manually by copying it into Personal\Trusted Root within the certificate manager UI.

@jozefizso
Author

jozefizso commented Apr 24, 2020

It says "A valid HTTPS certificate is already present." and I have a certificate issued to localhost with the friendly name "ASP.NET Core HTTPS development certificate".

Yet when I run the project from Visual Studio (16.5.4) I'm asked to trust the certificate and it ends with an error and the project does not run.

@jozefizso
Author

I can change the project to run in IIS Express and I'm presented with similar dialogs.

This way a server is started though, and it is using an unknown and untrusted certificate (which is different from the one and only one in the Certificates store).

@javiercn
Member

javiercn commented Apr 24, 2020

@jozefizso thanks for the details.

It seems that you don't have permissions on that machine to add the certificate to the personal user trusted root certificate authorities. I'm not sure why that is, but it clearly seems to be the issue at play here.

Not sure why this is happening on your machine, but you would need to get that fixed, as there's nothing we can do in this regard.

@jozefizso
Author

jozefizso commented Apr 24, 2020

I can delete the certificate and when I run the dotnet dev-certs command the certificate is added to the Certificate store so I can clearly add certificates to the store.

@jozefizso
Author

```
PS C:\WINDOWS\system32> New-SelfSignedCertificate -DnsName xxx -Subject xxx


   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\MY

Thumbprint                                Subject
----------                                -------
A9E464C104F658D978FF70C20AB41C80767383E5  CN=xxx
```

@jozefizso
Author

```
PS C:\WINDOWS\system32> New-SelfSignedCertificate -DnsName yyy -Subject yyy -CertStoreLocation "cert:\CurrentUser\My"


   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
969DF53189AD579181565307C2A3AD83F4CE0011  CN=yyy
```

@javiercn
Member

javiercn commented Apr 24, 2020

@jozefizso Yes, but you are adding it to the personal store, not the trusted root certification authorities. Try to copy the certificate there and it will either fail (in which case that's why the tool can't add it) or succeed, in which case your problem will be solved. (Although for some reason the account running VS or something similar doesn't have permission to do so)

@jozefizso
Author

I have permission to add a certificate to the Trusted Root Certification Authorities.

@javiercn
Member

@jozefizso then the issue here is with the account under which both the tool and VS are running. That's not something we can do anything about.

That said, you should be unblocked now.

@jozefizso
Author

This is the same account.

When I can do it manually, why can neither Visual Studio nor the dotnet tools do it?

@javiercn
Member

@jozefizso I have no answer for that, it's not something that I've ever seen before.

@jozefizso
Author

Well, thanks, I have only paid 2000 EUR for the license of Visual Studio and it cannot even run a simple website.

@hutstep

hutstep commented May 2, 2020

I had a similar issue with my private computer (no domain) and solved it with the solution from here:
https://serverfault.com/questions/1008035/unable-to-import-certificate-into-user-trusted-root-certificate-store

I also removed all previously added ASP certificates in Personal.

```
dotnet dev-certs https --clean
```

After setting the group policy and restarting my computer I could add the dev certificate with dotnet dev-certs to the Trusted Root Certification Authorities. Now starting the project in Visual Studio is working without any issues.

```
dotnet dev-certs https --trust
```

Maybe this will help you also.
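
The thread does not say which group policy was changed. As an added example (not from the thread or the dotnet tooling), this read-only PowerShell check assumes it is the Windows certificate path validation policy stored under the `ProtectedRoots` key, and reports whether the development certificate named in the thread is present in `CurrentUser\My` and trusted in `CurrentUser\Root`.

```powershell
# Added diagnostic, not from the thread. Read-only: it changes no store or policy.
$friendly = 'ASP.NET Core HTTPS development certificate'   # friendly name quoted in the thread

# Assumption: the blocking policy is "Allow user trusted root CAs to be used to
# validate certificates", stored as bit 0x1 (CERT_PROT_ROOT_DISABLE_CURRENT_USER_FLAG)
# of the Flags value under this key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots'
$flags = (Get-ItemProperty -Path $policyKey -Name Flags -ErrorAction SilentlyContinue).Flags
$userRootDisabled = ($null -ne $flags) -and (($flags -band 0x1) -ne 0)

# Development certificates in the personal store, matched the way the thread describes them.
$devCerts = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=localhost' -and $_.FriendlyName -eq $friendly })

# Thumbprints already trusted as roots for this user.
$rootThumbs = @(Get-ChildItem Cert:\CurrentUser\Root | ForEach-Object Thumbprint)

$report = foreach ($c in $devCerts) {
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Expires       = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey
        InUserRoot    = $rootThumbs -contains $c.Thumbprint
    }
}

if ($null -eq $flags) { 'ProtectedRoots Flags: not set' }
else { 'ProtectedRoots Flags: 0x{0:X}' -f $flags }
$report | Format-Table -AutoSize

if ($userRootDisabled) {
    Write-Warning 'Policy restricts the current-user Trusted Root store (assumed cause of "Access is denied").'
} elseif ($devCerts.Count -eq 0) {
    Write-Warning 'No development certificate in CurrentUser\My; run: dotnet dev-certs https'
} elseif ($devCerts.Count -gt 1) {
    Write-Warning 'Several development certificates found; run: dotnet dev-certs https --clean, then --trust'
} elseif (-not $report.InUserRoot) {
    Write-Warning 'Certificate exists but is not in CurrentUser\Root; run: dotnet dev-certs https --trust'
} else {
    'Development certificate is present and trusted for this user.'
}
```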

@mkArtakMSFT
Member

Thanks for sharing your resolution here, @hutstep
@jozefizso please try out the suggestion above and let us know if that worked.

@mkArtakMSFT mkArtakMSFT added the ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. label Jun 17, 2020
@ghost ghost added the Status: Resolved label Jun 17, 2020
@ghost

ghost commented Jun 18, 2020

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.

@ghost ghost closed this as completed Jun 18, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Jul 18, 2020