
I'm on a Mac and I cannot get dotnet to recognize my dev-cert, preventing me from running https on localhost.

When I run dotnet dev-certs https -c -v, I get back No valid certificate found.

But when I run dotnet dev-certs https --trust, I get back A valid HTTPS certificate is already present. Or, after I've deleted my certs in the keychain, I get The HTTPS developer certificate was generated successfully.

What would give these two commands different responses? Why can one find it and the other can't?

I've tried deleting the localhost certs in my keychain and regenerating them. I've tried that with 3 different major versions of the dotnet SDK. They generate just fine, but I always get the same result when running the aforementioned commands. I've tried running the dotnet certs https --clean command, but that doesn't actually work. I have to go into the keychain and delete them manually. I've tried uninstalling and reinstalling the dotnet-dev-certs tool with dotnet tool uninstall --global dotnet-dev-certs, but haven't had any luck. And I've tried running all the commands mentioned with sudo, just in case.

Why would the https --trust command say there's already a valid cert, but nothing else can find it, even though it's in the keychain?

Alternatively, is there another way to run https with kestrel? Like a way to generate a self-signed cert in the root of a project and then point to that?


1 Answer


There could be a few reasons for this issue. I found three while trying to fix mine.

1. Something wrong with dotnet.

When you run the command:

dotnet dev-certs https

The usual response should look something like this:

% dotnet dev-certs https
The HTTPS developer certificate was generated successfully.

And when you run the command

dotnet dev-certs https --trust

You should get a response that looks like:

% dotnet dev-certs https --trust
Trusting the HTTPS development certificate was requested. If the certificate is not already trusted we will run the following command:
'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <<certificate>>'
This command might prompt you for your password to install the certificate on the system keychain.
A valid HTTPS certificate is already present.

Here, the last line could either say A valid HTTPS certificate is already present. or it could say that the certificate was trusted successfully, depending on whether you have executed the command once or more than once.

However, if running these commands gives a result that looks like this: [screenshot not available] it means that there is definitely something wrong with your version of dotnet. I suggest uninstalling dotnet from your Mac and reinstalling it from the official website.

Here is a quick and effective way to uninstall dotnet: https://stackoverflow.com/a/44089766/1928149

Now try adding the certificates again.

2. Dotnet may not be able to access the keychain.

In this case, run the following two commands:

dotnet dev-certs https --check
dotnet dev-certs https --clean

Now, just go to the Keychain Access app on your Mac, search for certificates named localhost and delete them. (You can also drag and drop them into one of your folders before deleting, in case you need a backup.)

Once you have removed all certificates, run the following:

dotnet dev-certs https
dotnet dev-certs https --trust

Now, when you run the following:

dotnet dev-certs https --check --trust

You should find a certificate which is available as well as trusted.

3. CryptographicException while reading the certificates.

Run the following command:

dotnet dev-certs https -v

This should display some debug information about your certificates. If the output shows an exception something like:

System.Security.Cryptography.CryptographicException certificate 'certificate-name' is corrupted

or

System.Security.Cryptography.CryptographicException: ASN1 corrupted data

This is how it looked for me: [screenshot showing a System.Security.Cryptography.CryptographicException]

This means dotnet is having issues reading certificates from your keychain because of one particular unrelated certificate. Go to the Keychain Access app and look for the certificate certificate-name shown in the log above. Keep a backup of this certificate, then delete it from Keychain Access. Run the following command again:

dotnet dev-certs https -v

Hopefully, it lists certificates without any exceptions now.

Now follow point 2 above, and hopefully things will work.
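The last paragraph of the question asks whether Kestrel can be pointed at a self-signed certificate kept in the project folder instead of the dotnet dev-certs one. The script below is an added example and is not code from the question, the answer or the dotnet tooling: it uses openssl to generate such a certificate with a subjectAltName for localhost, exports the PKCS#12 bundle that Kestrel loads, and checks the result before you wire it in. The function names make_dev_cert and check_dev_cert, the output directory and the password are assumptions of this example; it assumes openssl 1.1.1 or newer (for -addext).

```shell
#!/bin/sh
# Added example: a project-local self-signed certificate for Kestrel, made with
# openssl instead of dotnet dev-certs. Assumes openssl 1.1.1+ (for -addext).
set -eu

# Creates localhost.key / localhost.crt / localhost.pfx in $1, with the PKCS#12
# protected by the password $2. Prints the path of the .pfx, which is what Kestrel loads.
make_dev_cert() {
  outdir="$1"
  password="$2"
  mkdir -p "$outdir"
  # Self-signed leaf. The SAN is what matters: browsers and .NET match the host
  # against subjectAltName, not the CN.
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth" \
    -keyout "$outdir/localhost.key" -out "$outdir/localhost.crt" >/dev/null 2>&1
  chmod 600 "$outdir/localhost.key"
  # PKCS#12 using the SHA-1/3DES PBE that older importers still accept; the
  # OpenSSL 3 defaults (AES + SHA-256 MAC) are not readable everywhere. This is a
  # localhost dev key, so the weaker wrapping is an acceptable trade for portability.
  openssl pkcs12 -export -inkey "$outdir/localhost.key" -in "$outdir/localhost.crt" \
    -name "localhost dev" -out "$outdir/localhost.pfx" -passout "pass:$password" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
  chmod 600 "$outdir/localhost.pfx"
  printf '%s\n' "$outdir/localhost.pfx"
}

# Returns 0 only if the certificate is unexpired, names localhost in its SAN, and
# the .pfx opens with the password Kestrel will be configured with.
check_dev_cert() {
  crt="$1"
  pfx="$2"
  password="$3"
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 1
  openssl x509 -in "$crt" -noout -text | grep -q 'DNS:localhost' || return 1
  openssl pkcs12 -in "$pfx" -passin "pass:$password" -noout -nokeys >/dev/null 2>&1 || return 1
}

# Demo run into a temporary directory (assumed location), then the configuration
# Kestrel reads: the double-underscore environment variables map onto
# Kestrel:Certificates:Default:Path / Password in appsettings.json.
certdir=$(mktemp -d)
pfx=$(make_dev_cert "$certdir" 'change-me')
check_dev_cert "$certdir/localhost.crt" "$pfx" 'change-me' && echo "ok: $pfx"
echo "export ASPNETCORE_Kestrel__Certificates__Default__Path='$pfx'"
echo "export ASPNETCORE_Kestrel__Certificates__Default__Password='change-me'"
echo "export ASPNETCORE_URLS='https://localhost:5001'"
```

With those three variables exported (or the equivalent Kestrel:Certificates:Default:Path and Password keys in appsettings.json), dotnet run serves HTTPS with this certificate and never consults the dev-certs store. Browsers will still warn until the certificate is trusted; the security add-trusted-cert command that appears in the answer's --trust output does that for localhost.crt. Keep localhost.key and localhost.pfx out of source control and do not reuse them beyond the local machine.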
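Point 3 of the answer describes dotnet failing on one unrelated keychain certificate that is corrupt, which you then have to track down by name in Keychain Access. The script below is an added example, not part of the answer: it takes a PEM dump of a keychain and reports which entries openssl itself cannot parse, which is the same entry dotnet trips over. On a Mac the dump would come from security find-certificate -a -p ~/Library/Keychains/login.keychain-db (assumed invocation); so that it runs anywhere with openssl, the script instead builds a constructed bundle with one good certificate and one truncated copy. scan_pem_bundle and make_demo_bundle are names chosen for this example.

```shell
#!/bin/sh
# Added example: find keychain certificates that cannot be parsed.
# Input is any PEM bundle; on a Mac you would produce one with (assumed):
#   security find-certificate -a -p ~/Library/Keychains/login.keychain-db > keychain.pem
set -eu

# Splits a PEM bundle into single certificates and tries to parse each with
# openssl. Prints one report line per entry, in bundle order; returns 1 if any
# entry is unparseable.
scan_pem_bundle() {
  bundle="$1"
  workdir=$(mktemp -d)
  # Copy each BEGIN..END block into its own numbered file.
  awk -v dir="$workdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$bundle"
  corrupt=0
  for f in "$workdir"/cert-*.pem; do
    [ -e "$f" ] || continue   # bundle contained no certificates at all
    if subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null); then
      printf 'OK      %s  %s\n' "${f##*/}" "$subject"
    else
      # This is the entry to look up in Keychain Access and remove (after a backup).
      printf 'CORRUPT %s  (openssl cannot parse this entry)\n' "${f##*/}"
      corrupt=$((corrupt + 1))
    fi
  done
  rm -rf "$workdir"
  [ "$corrupt" -eq 0 ]
}

# Constructed demo input: one valid self-signed certificate, then a copy of it
# truncated after three base64 lines (what a corrupt entry looks like to a
# parser), then the valid one again. Prints the bundle path.
make_demo_bundle() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-good" \
    -keyout "$dir/demo.key" -out "$dir/good.pem" >/dev/null 2>&1
  { sed -n '1,4p' "$dir/good.pem"; echo '-----END CERTIFICATE-----'; } > "$dir/bad.pem"
  cat "$dir/good.pem" "$dir/bad.pem" "$dir/good.pem" > "$dir/bundle.pem"
  printf '%s\n' "$dir/bundle.pem"
}

demo=$(mktemp -d)
bundle=$(make_demo_bundle "$demo")
scan_pem_bundle "$bundle" || echo "at least one entry is corrupt: back it up, then remove it from the keychain"
```

Run against a real keychain dump, the CORRUPT line tells you the position of the bad entry; the neighbouring OK lines carry subjects, so you can locate it in Keychain Access, export a backup and delete it, exactly as point 3 describes, and then rerun dotnet dev-certs https -v.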